Saturday, December 16, 2006

Compromised Within My Own Data Center

Today was interesting as I noticed a couple of servers within my own data center taking aim at my servers. One IP address was attempting a bazillion user names and passwords on SSH and the other IP address was scanning pages on the web server. Now scanning pages on the web server isn't such a big deal, but when I went to look at the server and see who they were, it attempted to inject a virus into my computer using a browser vulnerability.

Just finished reporting both incidents to the support staff at the hosting company and we'll wait and see how they respond. If they leave the virus injecting server online I will probably have to take my business elsewhere as that's just not cool, and of course everyone will find out who they are and what they said at that point.

Now we wait...

2 comments:

Anonymous said...

IncediBILL,

I've had things like that happen to my servers in the datacenter.

I'm sure you know, but you could set SSH to only accept your IP.
Another option is to install PortKnocking (more info @ portknocking.org)

For the portscanning problem you could also use Psad (more info @ cipherdyne.com)

Good luck!
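As an added example (not code from the post or either commenter), the two ideas above put together: spot a password-guessing source in sshd log lines and generate the iptables rules that restrict SSH to a single admin address. The log lines, the admin address 198.51.100.7 and the helper names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sshd syslog lines (not from the original post): one host
# cycling through user names, one legitimate admin with a single typo.
SAMPLE_AUTH_LOG = """\
Dec 16 10:01:02 web1 sshd[2211]: Failed password for invalid user admin from 192.0.2.45 port 51022 ssh2
Dec 16 10:01:03 web1 sshd[2213]: Failed password for invalid user oracle from 192.0.2.45 port 51030 ssh2
Dec 16 10:01:04 web1 sshd[2215]: Failed password for root from 192.0.2.45 port 51041 ssh2
Dec 16 10:01:05 web1 sshd[2217]: Failed password for invalid user test from 192.0.2.45 port 51055 ssh2
Dec 16 10:01:06 web1 sshd[2219]: Failed password for invalid user guest from 192.0.2.45 port 51060 ssh2
Dec 16 10:05:30 web1 sshd[2250]: Failed password for bill from 198.51.100.7 port 40122 ssh2
Dec 16 10:05:40 web1 sshd[2252]: Accepted publickey for bill from 198.51.100.7 port 40123 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Failed password for X from IP" (existing account, wrong password).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def failed_logins(log_text):
    """Return {source_ip: [user names tried]} for every failed-password line."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(2)].append(m.group(1))
    return hits


def brute_force_sources(log_text, threshold=5, allowlist=()):
    """Sources with at least `threshold` failures, ignoring known admin IPs.

    Many distinct user names from one IP is the signature of a dictionary
    attack; a single admin mistyping a password never reaches the threshold.
    """
    return {
        ip: sorted(set(users))
        for ip, users in failed_logins(log_text).items()
        if len(users) >= threshold and ip not in allowlist
    }


def ssh_allowlist_rules(admin_ip, port=22):
    """iptables rules (as strings) so only admin_ip can reach the SSH port."""
    return [
        f"iptables -A INPUT -p tcp --dport {port} -s {admin_ip} -j ACCEPT",
        f"iptables -A INPUT -p tcp --dport {port} -j DROP",
    ]
```

The rule list is returned rather than executed so it can be reviewed first; the allowlist argument keeps your own address from ever being flagged.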

Anonymous said...

Now the RIAA has a crawler:

http://www.againstmonopoly.org/index.php?perm=886089000000000690

Think you can detect and block these jokers? It says something about "stealth mode", which may mean a challenge. :)