[Chugalug] Website scanners (was d at mn scammers/hackers)

David White dwrudy at gmail.com
Thu Oct 18 13:32:56 UTC 2012


Someone else responded to me directly (not sure if it was intentional or
not to leave the group out), but I responded to that email through my
iPhone thinking I was emailing the group with this (may not add much value
to the conversation, but FWIW).

The email to me basically said that the guy wrote some bash scripts to run
a checksum on system files every 15 minutes, and sent out alerts if things
changed. My 1 bit of "useful" information in this response basically just
says CSF does the same thing, although I think writing bash scripts to
augment CSF isn't a bad idea:

*Thanks, {name removed}, and all the others who responded. This must be a
hot topic. Though I graduated a few years ago without any CS classes, I'm
actually taking an IT security class at my alma mater, Covenant, and
am absolutely loving it.

<ot>
Used Wireshark for a lab a couple weeks ago, and then just two days
ago, found I needed it + tcpdump at my job, and was able to resolve my
issue quickly after that!

May be going for my CISSP at some point in the near-ish future...
</ot>

Anyway, as I mentioned in my last reply, CSF basically does the same
thing for me in terms of system files, but writing my own scripts to
augment CSF wouldn't be a bad idea.*

On Thu, Oct 18, 2012 at 12:23 AM, Lynn Dixon <boodaddy at gmail.com> wrote:

> Somehow I didn't get the original thread but I got this fork.
> I have noticed a huge increase in brute force attempts on my co-located
> server.  They have been hitting SSH and Exim.  I am running CSF / LFD on
> recommendation from Randy and love it, but the attackers appear to be
> hitting from a huge range of IPs and only a few hits at a time, and then
> they move to a different IP and attack again.
>
> I have not been hacked, but I don't like all this "negative" brute force
> traffic.
>
>
> On Wed, Oct 17, 2012 at 11:45 PM, Dave Brockman <dave at brockmans.com> wrote:
>
>> On 10/17/2012 11:15 PM, David White wrote:
>> > To fork the thread, anyone know of any services you can use, and/or
>> > scripts you can run to check the public facing code of sites
>> > and ensure there's nothing malicious?
>> >
>> > On the internal side of things, I wonder if it would just make
>> > sense to periodically run an MD5 checksum via cron on each web
>> > directory in the server(s) and compare that with the good hash
>> > (stored externally, off the server, of course).
>>
>>
>> tripwire?
>>
>> ossec?
>>
>> Regards,
>>
>> dtb
>>
>>
>> - --
>> "Some things in life can never be fully appreciated nor
>> understood unless experienced firsthand. Some things in
>> networking can never be fully understood by someone who neither
>> builds commercial networking equipment nor runs an operational
>> network."  RFC 1925
>> _______________________________________________
>> Chugalug mailing list
>> Chugalug at chugalug.org
>> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>


-- 
- David White -
Smooth Stone Services (soon to be CENTS)
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide

Existing Website: http://www.smoothstoneservices.com
New Website (coming soon): http://developCENTS.com
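The thread describes two variants of the same idea: a cron job that hashes files every 15 minutes and alerts on change, and David's suggestion of hashing each web directory and comparing the result against a known-good hash kept off the server. What follows is an added example written for this page, not a script from anyone on the list and not code from CSF/LFD, tripwire or OSSEC. It assumes a POSIX shell with GNU coreutils `sha256sum` (falling back to `shasum`), uses SHA-256 instead of the MD5 the thread mentions, and assumes file paths without whitespace; `fim.sh`, `/srv/fim/site.sha256` and the cron line are placeholders.

```shell
#!/bin/sh
# Added example: a minimal cron-driven file-integrity check in the spirit of the
# thread (hash a web directory, compare against a baseline kept off the server,
# alert on any change). Not code from the Chugalug list or from CSF/tripwire/ossec.
# Assumptions: POSIX sh, sha256sum (GNU coreutils) or shasum, and file paths
# without whitespace (awk splits the "hash  path" lines on whitespace).

# Portable SHA-256: prefer sha256sum, fall back to shasum (same output format).
if ! command -v sha256sum >/dev/null 2>&1; then
  sha256sum() { shasum -a 256 "$@"; }
fi

# fim_baseline DIR BASELINE_FILE
# Hash every regular file under DIR (paths relative to DIR) into BASELINE_FILE.
# The baseline must live outside DIR, ideally off-host or on read-only media:
# an attacker who can rewrite the baseline can hide their changes.
fim_baseline() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# fim_check DIR BASELINE_FILE
# Rehash DIR and print one line per difference (MODIFIED/ADDED/REMOVED path).
# Returns 0 when the tree matches the baseline, 1 when anything differs.
fim_check() {
  dir=$1 base=$2
  cur=$(mktemp) || return 2
  fim_baseline "$dir" "$cur"
  findings=$(awk -v base="$base" '
    FILENAME == base { old[$2] = $1; next }       # load baseline: path -> hash
    {
      if (!($2 in old))        print "ADDED " $2
      else if (old[$2] != $1)  print "MODIFIED " $2
      delete old[$2]
    }
    END { for (p in old) print "REMOVED " p }     # whatever is left has vanished
  ' "$base" "$cur")
  rm -f "$cur"
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Entry point for cron. Cron mails any output to MAILTO, so printing the
# findings is the alert; a silent run means the tree still matches.
# Placeholder crontab line (every 15 minutes, as in the thread):
#   */15 * * * *  /usr/local/sbin/fim.sh check /var/www/site /srv/fim/site.sha256
# After a legitimate deploy, refresh the baseline:
#   fim.sh baseline /var/www/site /srv/fim/site.sha256
case "${1-}" in
  baseline) fim_baseline "$2" "$3" ;;
  check)    fim_check "$2" "$3" || { echo "INTEGRITY ALERT: $2 differs from $3" >&2; exit 1; } ;;
esac
```

Two points the thread already makes are worth keeping in mind when running something like this: the baseline is only as trustworthy as its storage, so keep it where the web server's own account cannot write it; and a dropped file shows up as ADDED only because the check rehashes the whole tree rather than just verifying the listed hashes, which is why the comparison is done in awk rather than with `sha256sum -c`. The tools named in the thread (tripwire, OSSEC, CSF/LFD) do the same job with more machinery around scheduling, alert delivery and tamper resistance.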