SSH hacked?

Mark Haney mhaney at ercbroadband.org
Tue Jan 13 14:47:40 UTC 2009


Lorenzo Luengo wrote:
> Knapp wrote:
>> Today I was sitting next to my computer and I could hear the HD going 
>> on and on, like I was doing a torrent or something. I was not doing 
>> anything, so I looked to see what was running in the background. 
>> Nothing like that was. Then I looked at my firewall and saw one 
>> connection that was uploading to my computer with ssh. At this point 
>> Firestarter crashed so I could not copy down the sender's address but 
>> it was odd and ended in www.?????????????.NL
>>
>> I have about 4 people that can use SSH with my computer and the whole 
>> system is set for using only gpg type passwords. So my questions are: 
>> How can I find out what was uploaded? How could I have been hacked? 
>> And, how can I stop it from happening again? For now the ssh port is 
>> closed. This is not a problem because it is only used about one time a 
>> quarter.
>> Thanks!
> I'd think of changing my password and installing the fail2ban package, it's really useful to stop people that try to break into your system by just hammering ports.
> 

I second this.  I use fail2ban on 20+ servers and I know that any
unauthorized attempts will get stopped by iptables.  I've yet to have it
fail on me.


-- 
Frustra laborant quotquot se calculationibus fatigant pro inventione
quadraturae circuli

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support
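
As an added illustration (not part of the original messages, and not fail2ban's own code): a small Python version of the check that a fail2ban-style sshd filter performs, which also lists the accepted logins the original question asks about. The log lines are constructed samples in the usual OpenSSH syslog format (on Ubuntu these normally land in /var/log/auth.log), and the names `analyse` and `SAMPLE_LOG` are hypothetical; `maxretry` and `findtime` mirror the fail2ban options of the same name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jan 13 09:12:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jan 13 09:12:04 host sshd[2101]: Failed password for root from 203.0.113.5 port 4243 ssh2
Jan 13 09:12:09 host sshd[2103]: Failed password for root from 203.0.113.5 port 4244 ssh2
Jan 13 09:30:00 host sshd[2200]: Failed password for alice from 198.51.100.7 port 50022 ssh2
Jan 13 09:30:20 host sshd[2200]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
Jan 13 11:45:10 host sshd[2300]: Failed password for root from 203.0.113.5 port 4250 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyse(log_text, maxretry=3, findtime=timedelta(minutes=10), year=2009):
    """Return (ips_to_ban, accepted_logins) for sshd lines in log_text."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    to_ban, accepted = set(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                 # not an sshd auth result line
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["result"] == "Accepted":
            # successful logins are what to review after a suspected break-in
            accepted.append((m["ts"], m["user"], m["ip"], m["method"]))
            continue
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()         # forget failures older than findtime
        if len(window) >= maxretry:
            to_ban.add(m["ip"])      # fail2ban would add a firewall rule here
    return sorted(to_ban), accepted

if __name__ == "__main__":
    banned, logins = analyse(SAMPLE_LOG)
    print("would ban:", banned)
    for login in logins:
        print("accepted:", *login)
```
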



