I’m all decoded now, I think you better go

Jul  1 23:14:50 partygirl sshd[19154]: Accepted password for upload from port 39152 ssh2
Jul  3 07:57:14 partygirl sshd[4373]: Accepted password for upload from port 1859 ssh2
Jul  3 11:30:30 partygirl sshd[5391]: Accepted password for upload from port 4646 ssh2

And with that, a skript kiddie in Romania, working from the rdsnet.ro subdomain, broke into johnbyrd.org . He installed a subdomain scanner and ssh brute force tool into a hidden directory called “/tmp/ /.of” and he began dictionary attacks on other machines.

The style of compromise is highly specific.

The attacker at is running Windows Terminal Server 2003. The box is probably being controlled remotely by the attacker.

I’ve nuked the offending account and taken countermeasures, but he’s still knocking at the open ports, trying to get in. If you’re the attacker, give up on this box and move on, or I’m going to hit back.

Leave a Reply