Monday, December 24, 2007

fundamentals

before i get started, since i know you ppl can't wait to hear, i've got version 1.1.0 in production, w/ those pesky (known) bugs worked out...

anyway, let's talk fundamentals...

so my fun for today has been as follows... fortune 500 company server which processes credit card transactions has been owned. they, understandably, want to know the scope of the compromise... while digging through trying to figure out exactly what went down and how bad it is, i determine the probable vector...

brute force and/or dictionary ssh compromise...

"lol" i hear you say. "geeze, they must've had a weak ass password..." (ignoring that they allowed ssh root login, sigh) no, actually, it seems their password wasn't terribly weak. i say that because the server had been under sustained attack for at least 4 weeks... ><

the attacker script would make a random number (say n=2-5) of attempts and then wait a random w=60-300 seconds before trying again... presumably to throw off IDSs and such....

companies spend all of these dollars on 5 figure boxes and all of this stuff for security... so why are they so averse to paying a sec guy to monitor logs on their production and critical servers? last time i checked, logcheck didn't cost too much, and man they woulda seen this one coming a mile away... ;)
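to make the point concrete, here's a small log checker i've added as an example (it is not code from the original post, and not logcheck itself). it reads sshd lines in plain syslog format, which carry no year, so a year is assumed; the log excerpt, the IPs, the hostname and the thresholds are all constructed for the demo. it shows why a "6 failures in 60 seconds" rule never fires on the 2-5-then-wait pattern, while a plain count over a long window does, and it also catches the compromise itself: a successful login from a source that had already failed a pile of times.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt (sample data, not from the original post).
# 203.0.113.7 runs the low-and-slow pattern: 2-4 guesses, then minutes of silence,
# and finally gets in. 198.51.100.9 is a normal user who fat-fingered once.
SAMPLE_LOG = """\
Dec 20 03:14:01 cardsrv sshd[2311]: Failed password for root from 203.0.113.7 port 41022 ssh2
Dec 20 03:14:03 cardsrv sshd[2311]: Failed password for root from 203.0.113.7 port 41022 ssh2
Dec 20 03:14:05 cardsrv sshd[2311]: Failed password for root from 203.0.113.7 port 41022 ssh2
Dec 20 03:17:44 cardsrv sshd[2340]: Failed password for root from 203.0.113.7 port 41188 ssh2
Dec 20 03:17:46 cardsrv sshd[2340]: Failed password for root from 203.0.113.7 port 41188 ssh2
Dec 20 03:21:30 cardsrv sshd[2377]: Failed password for root from 203.0.113.7 port 41377 ssh2
Dec 20 03:21:32 cardsrv sshd[2377]: Failed password for root from 203.0.113.7 port 41377 ssh2
Dec 20 03:21:34 cardsrv sshd[2377]: Failed password for root from 203.0.113.7 port 41377 ssh2
Dec 20 03:21:36 cardsrv sshd[2377]: Failed password for root from 203.0.113.7 port 41377 ssh2
Dec 20 03:26:12 cardsrv sshd[2419]: Failed password for root from 203.0.113.7 port 41590 ssh2
Dec 20 03:26:14 cardsrv sshd[2419]: Failed password for root from 203.0.113.7 port 41590 ssh2
Dec 20 03:31:05 cardsrv sshd[2466]: Failed password for root from 203.0.113.7 port 41803 ssh2
Dec 20 03:31:07 cardsrv sshd[2466]: Failed password for root from 203.0.113.7 port 41803 ssh2
Dec 20 03:40:10 cardsrv sshd[2601]: Accepted password for root from 203.0.113.7 port 44120 ssh2
Dec 20 03:41:00 cardsrv sshd[2611]: Failed password for alice from 198.51.100.9 port 50001 ssh2
Dec 20 03:41:20 cardsrv sshd[2611]: Accepted password for alice from 198.51.100.9 port 50001 ssh2
"""

# Matches the classic OpenSSH password auth lines (Failed/Accepted, optional "invalid user").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd(text, year=2007):
    """Return sorted [(timestamp, result, user, ip)]; syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)


def failures_by_ip(events):
    """Map source IP -> sorted list of failure timestamps."""
    fails = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            fails[ip].append(ts)
    return fails


def densest_window(times, window):
    """Most sorted timestamps that fit inside one window; returns (count, first, last)."""
    best = (0, None, None)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        n = end - start + 1
        if n > best[0]:
            best = (n, times[start], t)
    return best


def burst_offenders(events, threshold=6, window=timedelta(seconds=60)):
    """IPs a naive 'N failures in W seconds' rule would flag. Stays empty for the slow attacker."""
    return {ip for ip, times in failures_by_ip(events).items()
            if densest_window(times, window)[0] >= threshold}


def slow_offenders(events, min_failures=8, window=timedelta(hours=24)):
    """IPs with many failures over a long window: the thing a per-minute rule misses."""
    flagged = {}
    for ip, times in failures_by_ip(events).items():
        n, first, last = densest_window(times, window)
        if n >= min_failures:
            flagged[ip] = (n, first, last)
    return flagged


def logins_after_failures(events, min_prior_failures=3):
    """Successful logins from a source that had already failed repeatedly: the compromise itself."""
    prior = defaultdict(int)
    hits = []
    for ts, result, user, ip in events:
        if result == "Failed":
            prior[ip] += 1
        elif prior[ip] >= min_prior_failures:
            hits.append((ip, user, ts))
    return hits


if __name__ == "__main__":
    ev = parse_sshd(SAMPLE_LOG)
    print("burst rule fires on:", burst_offenders(ev) or "nothing")
    for ip, (n, first, last) in slow_offenders(ev).items():
        print(f"slow brute force from {ip}: {n} failures between {first} and {last}")
    for ip, user, ts in logins_after_failures(ev):
        print(f"LOGIN after repeated failures: {user} from {ip} at {ts}")
```

in real use you'd feed it /var/log/auth.log (or secure, depending on the distro) on a cron and mail the output, the same way logcheck would; the window for the slow counter should be longer than the longest pause the attacker is willing to wait, which is why it is hours, not seconds.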

1 comment:

Jens "jdm" Meyer said...

They won't spend the money because they'd have to listen to whoever they hired bitch and moan about the lack of security all the time :P