I noticed Oded’s blog was attacked, which reminds me of some things:
I was once invited to analyze a Linux machine that had been broken into. I ended up writing an article about it for the Brazilian Linux Magazine.
The problem with the machine was a VERY weak root passw0rd. We could also find the tools they used to break into that machine, because they had installed them there to attack other machines.
We found a file containing about 18000 user+password combinations, a modified SSH client, and a script that ran it all over an IP range. We also saw IRC bots and other stuff.
In the case of that machine, the attack was silent. They just wanted to use the machine to attack other machines. Pretty stupid.
It’s easy to learn about these attacks. Just connect a machine with a plain Linux installation and “passw0rd” as the root password to the Internet, wait 1 or 2 weeks, and your machine will be attacked. One way to verify that the crackers are already in is to reinstall the netstat command (because they’ll have modified your previous one) and check whether there is some connection to IRC ports (around 6667).
If you investigate this IRC bot you’ll be able to connect to the IRC server, find the chat room, and actually talk to the cracker. I did this once and it was not very funny.
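As an added illustration of that netstat check (not code from the original post), here is a small script that parses a constructed `netstat -antp` sample and flags established connections to IRC ports, reporting the owning PID and program. The port set is an assumption that extends the post's "around 6667" to the conventional IRC range; as the post says, it only helps if the netstat binary itself is trustworthy.

```python
import re

# Constructed sample of `netstat -antp` output (not from the original post):
# an SSH listener, a normal SSH session, an outbound connection from a
# suspiciously named process to an IRC port, and an ordinary HTTPS connection.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.0.2.10:22           198.51.100.7:51022      ESTABLISHED 2231/sshd: admin
tcp        0      0 192.0.2.10:40412        203.0.113.5:6667        ESTABLISHED 3107/.x/bnc
tcp        0      0 192.0.2.10:40420        203.0.113.9:443         ESTABLISHED 3150/curl
"""

# Assumed port set: 6660-6669 is the conventional IRC range around the 6667
# the post mentions; 6697 (TLS) and 7000 are other common IRC ports.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Matches TCP rows of `netstat -antp`; header lines and UDP rows are skipped.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+|-)/?(?P<prog>.*)$"
)

def parse_netstat(text):
    """Yield one dict per TCP connection row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def remote_port(addr):
    """'203.0.113.5:6667' -> 6667; a wildcard or missing port -> None."""
    _host, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def find_irc_connections(text, ports=IRC_PORTS):
    """Return (remote address, pid, program) for each established IRC connection."""
    hits = []
    for c in parse_netstat(text):
        if c["state"] == "ESTABLISHED" and remote_port(c["remote"]) in ports:
            hits.append((c["remote"], c["pid"], c["prog"].strip()))
    return hits

if __name__ == "__main__":
    for remote, pid, prog in find_irc_connections(SAMPLE_NETSTAT):
        print(f"IRC connection to {remote} from PID {pid} ({prog})")
```

On a live box, pipe the real output in instead of the sample (`netstat -antp | python3 check_irc.py` with a small `sys.stdin.read()` in place of `SAMPLE_NETSTAT`) and treat any hit from a process you do not recognize as a starting point for the investigation the post describes.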
More information in “Attacks to GRC.com” by Steve Gibson.
The number one thing I do on a publicly accessible system is disable root SSH access.
I’d love to see how the talk with the cracker went; do you have the log, or can you share more with us about this episode?