Jul 1 23:14:50 partygirl sshd[19154]: Accepted password for upload from 64.95.232.90 port 39152 ssh2 Jul 3 07:57:14 partygirl sshd[4373]: Accepted password for upload from 81.18.87.179 port 1859 ssh2 Jul 3 11:30:30 partygirl sshd[5391]: Accepted password for upload from 81.18.87.179 port 4646 ssh2 --
And with that, a skript kiddie in Romania, working from the rdsnet.ro subdomain, broke into johnbyrd.org . He installed a subdomain scanner and ssh brute force tool into a hidden directory called “/tmp/ /.of” and he began dictionary attacks on other machines.
The style of compromise is highly specific.
The attacker at 81.18.87.179 is running Windows Terminal Server 2003. The box is probably being controlled remotely by the attacker.
I’ve nuked the offending account and taken countermeasures, but he’s still knocking at the open ports, trying to get in. If you’re the attacker, give up on this box and move on, or I’m going to hit back.