[TriLUG] illegal logon question

Jon Carnes jonc at nc.rr.com
Sat Mar 11 18:08:39 EST 2006


On Thu, 2006-03-09 at 15:42, Rick DeNatale wrote:
> On 09 Mar 2006 10:42:49 -0500, jonc <jonc at nc.rr.com> wrote:
> 
> > BTW: I've reported many, many folks (from the US) that have their Linux
> > boxen taken over by script kiddies. Most times the folks are *very*
> > responsive and apologetic. In every case, the folks put up a standard
> > install without any hardening or firewalling.
> 
> Actually those zombies are much more likely to be Windows boxen, and
> corporate ones at that.
> 
> From http://blog.washingtonpost.com/securityfix/2006/03/post.html

Yes, zombies are much more likely to be Windows boxen - since they are
the tool of choice for the already clueless.

The particular attack we were discussing, however, is a beast that lives
mainly in the world of Linux. The attacks are mainly from Linux boxen
that folks have installed to play around with.

I get two or three IP addresses every day from bots probing for SSH
vulnerabilities in my ever-expanding network. Some days I get twenty or
more. The folks who actually own the zombied boxen are fairly easy to
track down (at least the ones that are not from Korea or China). Most of
the folks respond right away... and "Yes," the folks admit, "it is a
Linux box... I just installed it last week and haven't gotten around to
playing with it." Well, someone else beat you to it.

The clueless are finding their way to Linux.  And while this is a very
good sign for Open Source, it is also a great portent of things to come.

Jon Carnes



