On Mon, 25 Nov 2013, stinga wrote:
They got in via the root password.
I am pretty sure it wasn't brute forced.
Didn't see a lot of failed attempts at login and I block IPs that fail after 5 times, could have been a low level attack over months I suppose.

That seems unlikely, unless they really targeted you. Given how little effort they subsequently made, that doesn't seem to be the case.

Even then, it would only be possible if the password wasn't at least moderately secure.

Other way was I have discovered the root password and the mysql DB password were the same, so it might have been exposed in some web script and they took a punt on it being the same.

That seems far more likely. It's the kind of thing one can easily automate.

Are you running some widely used piece of web software that makes use of MySQL (WordPress, Joomla, vBulletin, phpBB etc)? If so, I would make sure this is updated to the latest version.

Think it was a script kiddie who didn't know much, since it would not have been that hard to work out what was happening.

It could also have been a (semi-)automated attack.

Bit more concerned on the root password guess, had not been changed for a while it turns out either, so going to have to fix that issue.

I don't think changing passwords regularly is necessary in most cases. Making sure the root password is something that isn't used elsewhere - and definitely not on the same system - is essential though. And make sure it is reasonably secure.

And, as others have pointed out, not allowing root SSH access is a pretty sensible thing to do.
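An audit helper for the two remedies above (no root SSH login, and a root password that is not shared with MySQL), added here as an example and not code from the thread; the sshd_config and auth.log excerpts it reads are constructed, and its config parser ignores Match blocks.

```shell
# Added example (not the thread's own code); every input below is constructed.
# Constructed sshd_config. sshd honours the FIRST occurrence of a keyword,
# case-insensitively, so the later "permitrootlogin no" is ignored here.
SAMPLE_SSHD_CONFIG='# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
permitrootlogin no'

# Constructed auth.log excerpt; addresses come from documentation ranges.
SAMPLE_AUTH_LOG='Nov 25 03:14:01 host sshd[2201]: Failed password for root from 203.0.113.10 port 51122 ssh2
Nov 25 03:14:02 host sshd[2201]: Failed password for root from 203.0.113.10 port 51122 ssh2
Nov 25 03:14:05 host sshd[2203]: Failed password for invalid user admin from 203.0.113.10 port 51140 ssh2
Nov 25 03:16:44 host sshd[2210]: Accepted password for root from 203.0.113.10 port 51201 ssh2
Nov 25 04:00:00 host sshd[2300]: Accepted publickey for deploy from 192.0.2.5 port 40000 ssh2'

# effective_sshd_value CONFIG keyword -> the value sshd actually uses
# (first match wins, comments and blank lines skipped; Match blocks not modelled)
effective_sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# failed_root_attempts LOG -> number of failed password attempts against root
failed_root_attempts() {
    printf '%s\n' "$1" | grep -c 'Failed password for root ' || true
}

# root_password_logins LOG -> number of successful password logins as root;
# this is the event in the thread: a reused password needs only one attempt,
# so a "block after 5 failures" rule never fires
root_password_logins() {
    printf '%s\n' "$1" | grep -c 'Accepted password for root ' || true
}

# audit CONFIG LOG -> prints findings; returns 1 if anything needs fixing
audit() {
    rc=0
    if [ "$(effective_sshd_value "$1" PermitRootLogin)" != "no" ]; then
        echo "FINDING: PermitRootLogin is not 'no' (first occurrence wins)"; rc=1
    fi
    if [ "$(root_password_logins "$2")" -gt 0 ]; then
        echo "FINDING: root logged in with a password; rotate it, and never share it with MySQL"; rc=1
    fi
    echo "failed root password attempts seen: $(failed_root_attempts "$2")"
    return $rc
}

audit "$SAMPLE_SSHD_CONFIG" "$SAMPLE_AUTH_LOG" || :
```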


