Jul 1 23:14:50 partygirl sshd: Accepted password for upload from 18.104.22.168 port 39152 ssh2
Jul 3 07:57:14 partygirl sshd: Accepted password for upload from 22.214.171.124 port 1859 ssh2
Jul 3 11:30:30 partygirl sshd: Accepted password for upload from 126.96.36.199 port 4646 ssh2
And with that, a script kiddie in Romania, working from the rdsnet.ro subdomain, broke into johnbyrd.org. He installed a subdomain scanner and an ssh brute-force tool into a hidden directory called “/tmp/ /.of” and began dictionary attacks on other machines.
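The three sshd lines above are the whole signal: password logins for one account from three unrelated addresses in two days. As an added example (not from the original post), here is a small detector over those lines that a defender could run against auth.log. It assumes the classic syslog sshd format, treats any accepted method other than publickey as reportable, and flags an account seen from more than one source address; the two extra log lines are constructed to give the parser a key-based login to pass and a failed attempt to ignore.

```python
import re
from collections import defaultdict

# Constructed sample log: the three "Accepted password" lines quoted in the post,
# plus two constructed lines (a key-based login and a failed attempt) so the
# parser has something to skip and the rules have a benign case to pass.
SAMPLE_LOG = """\
Jul 1 23:14:50 partygirl sshd: Accepted password for upload from 18.104.22.168 port 39152 ssh2
Jul 3 07:57:14 partygirl sshd: Accepted password for upload from 22.214.171.124 port 1859 ssh2
Jul 3 11:30:30 partygirl sshd: Accepted password for upload from 126.96.36.199 port 4646 ssh2
Jul 3 12:01:02 partygirl sshd[4120]: Accepted publickey for admin from 10.0.0.5 port 51000 ssh2
Jul 3 12:05:00 partygirl sshd[4133]: Failed password for root from 126.96.36.199 port 4700 ssh2
"""

# Matches successful sshd logins in the classic syslog format; the optional
# "[pid]" suffix covers both the stripped form in the post and a normal syslog line.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd(?:\[\d+\])?: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_accepted(log_text):
    """Return one dict per successful login; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def sources_per_user(events):
    """Map each account to the set of source addresses it logged in from."""
    by_user = defaultdict(set)
    for ev in events:
        by_user[ev["user"]].add(ev["src"])
    return dict(by_user)


def find_suspicious_logins(events, max_sources=1, allowed_methods=("publickey",)):
    """Flag accounts that accept non-key auth or log in from too many sources.

    Both thresholds are assumptions chosen for this example:
      * any accepted method outside allowed_methods (e.g. password) is reported;
      * an account seen from more than max_sources distinct addresses is reported.
    Returns a sorted list of (user, reason) tuples.
    """
    findings = set()
    for ev in events:
        if ev["method"] not in allowed_methods:
            findings.add((ev["user"], f"accepted {ev['method']} auth from {ev['src']}"))
    for user, srcs in sources_per_user(events).items():
        if len(srcs) > max_sources:
            findings.add((user, f"{len(srcs)} distinct source addresses"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in find_suspicious_logins(parse_accepted(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

Run against the sample, it reports only the "upload" account: three password logins and three distinct sources, while the key-based admin login passes. The "more than one source" threshold is deliberately strict for a single-purpose upload account; on a shared shell host you would raise max_sources or key it to a time window instead.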
The style of compromise is highly specific.
The attacker at 188.8.131.52 is running Windows Terminal Server 2003. The box is probably being controlled remotely by the attacker.
I’ve nuked the offending account and taken countermeasures, but he’s still knocking at the open ports, trying to get in. If you’re the attacker, give up on this box and move on, or I’m going to hit back.