Apparently someone used the admin directory of an osCommerce install to use file_manager and upload and run error.php, which turns out to be webadmin.php, and they were able to view /etc/passwd! Apart from blocking the IP address, and maybe changing passwords, what real damage could they do? They now know user account names, but /etc/shadow was not accessed. There were both GETs and POSTs in the httpd access logs, so I'm not sure what they did in the POSTs, of course. But doing a GET on view?file=/etc/passwd is obviously concerning. What's your advice? cdb.
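Since the POST bodies are not in the access log, the most the log can tell you is which requests reached the file manager and the uploaded error.php, from which addresses, and which files were pulled through GET. The script below is an added example (not part of the original post or of osCommerce) that does that triage over a constructed sample of Apache combined-format lines; the /admin path, the timestamps and addresses, and the `file=` query shape of the uploaded shell are assumptions, since the post does not show the exact URL.

```shell
#!/bin/sh
# Added example (not from the original post): triage an Apache access log for
# requests to the osCommerce admin file manager and the uploaded error.php.
# Assumptions: combined log format, the admin directory is /admin, and the
# uploaded shell takes its target as a file= query parameter (the exact query
# shape was not shown in the post).

# Constructed sample log lines; addresses, timestamps and sizes are invented.
SAMPLE_ACCESS_LOG='203.0.113.5 - - [12/Mar/2009:10:01:02 +0000] "GET /admin/file_manager.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2009:10:01:10 +0000] "POST /admin/file_manager.php?action=save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2009:10:01:20 +0000] "GET /admin/error.php HTTP/1.1" 200 8890 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2009:10:01:35 +0000] "GET /admin/error.php?view&file=/etc/passwd HTTP/1.1" 200 1702 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2009:10:02:00 +0000] "POST /admin/error.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2009:10:02:30 +0000] "GET /admin/error.php?view&file=%2Fetc%2Fhosts HTTP/1.1" 200 220 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2009:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 10234 "-" "Mozilla/5.0"'

# Request paths worth looking at. In combined format $1 is the client address,
# $6 the quoted method and $7 the request path (query string included).
TOOL_PATHS='/admin/(error|file_manager)[.]php'

suspicious_requests() {   # $1: log file. Every hit on the tool, GET and POST alike.
  awk -v re="$TOOL_PATHS" '$7 ~ re' "$1"
}

post_count() {            # $1: log file. POST bodies are not logged, so at least count them.
  awk -v re="$TOOL_PATHS" '$6 == "\"POST" && $7 ~ re { n++ } END { print n + 0 }' "$1"
}

files_read() {            # $1: log file. file= values from GETs, with %2F decoded to /.
  awk -v re="$TOOL_PATHS" '
    $7 ~ re && match($7, /file=[^&]*/) {
      f = substr($7, RSTART + 5, RLENGTH - 5)
      gsub(/%2[Ff]/, "/", f)
      print f
    }' "$1"
}

attacker_ips() {          # $1: log file. Unique source addresses that touched the tool.
  awk -v re="$TOOL_PATHS" '$7 ~ re { print $1 }' "$1" | sort -u
}

SAMPLE_LOG=$(mktemp)
printf '%s\n' "$SAMPLE_ACCESS_LOG" > "$SAMPLE_LOG"

echo "== requests to the file manager / uploaded shell =="
suspicious_requests "$SAMPLE_LOG"
echo "== files read via GET =="
files_read "$SAMPLE_LOG"
echo "== POSTs whose bodies were not logged: $(post_count "$SAMPLE_LOG")"
echo "== source addresses =="
attacker_ips "$SAMPLE_LOG"
```

Run it against the real log with `suspicious_requests /var/log/httpd/access_log` (path assumed) and compare the list of source addresses with the FTP brute-force attempts mentioned later in the thread. Any POST to the uploaded file should be treated as an unknown command execution: check file modification times under the web root and the web server's writable directories for files newer than the first hit.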
Knowing the usernames makes it easier to try brute-force attacks because now attackers don't have to guess usernames anymore. If your users have weak passwords I'd change them to something more secure immediately.
This I knew; brute-force attacks I am already aware of. Can I limit ssl logins to only certain accounts? They've been trying to guess passwords for FTP accounts already. They can't get at /etc/shadow, so they can't get the encrypted passwords. cdb.
Yes, edit your sshd_config file. Use the AllowUsers directive to specify the accounts you want to allow SSH, e.g. (add to the bottom of the file if not already present):

AllowUsers user1 user2 user3

Don't forget to restart the sshd service. You might also want to look into something like fail2ban with permanent bans and low retry values to delay their attacks and give you time to assess the situation further.
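To see what the directive actually does before touching the live server, here is an added example (not from the reply above and not OpenSSH's own code) that models sshd's AllowUsers evaluation and adds the directive only when the file does not already carry one. It handles plain user names and `user@host` entries by comparing the user part; sshd's wildcard patterns and the DenyUsers/AllowGroups/DenyGroups directives are left out, and the configuration text and user names are constructed.

```shell
#!/bin/sh
# Added example (not from the original reply): a small model of how sshd
# evaluates AllowUsers, plus a helper that appends the directive without
# clobbering an existing one. Assumptions: only plain user names and
# user@host entries are modelled (sshd also accepts wildcards and applies
# DenyUsers/AllowGroups/DenyGroups, which are ignored here). The config text
# and user names below are constructed.

SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication yes
# AllowUsers olduser
AllowUsers cdb backupadmin deploy@203.0.113.0/24
Subsystem sftp /usr/lib/openssh/sftp-server'

ssh_user_allowed() {   # $1: sshd_config, $2: user. Exit 0 = allowed, 1 = refused.
  awk -v user="$2" '
    tolower($1) == "allowusers" {
      seen = 1
      for (i = 2; i <= NF; i++) {
        split($i, parts, "@")            # user@host: compare the user part only
        if (parts[1] == user) found = 1
      }
    }
    END { if (!seen || found) exit 0; exit 1 }   # no directive: everyone may log in
  ' "$1"
}

ensure_allow_users() { # $1: sshd_config, rest: users. Appends AllowUsers only if absent.
  cfg=$1; shift
  if grep -qiE '^[[:space:]]*AllowUsers[[:space:]]' "$cfg"; then
    return 1                            # already restricted: edit that line by hand
  fi
  printf 'AllowUsers %s\n' "$*" >> "$cfg"
}

CFG=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$CFG"
for u in cdb deploy www-data; do
  if ssh_user_allowed "$CFG" "$u"; then echo "$u: allowed"; else echo "$u: refused"; fi
done
```

Two practical notes. Keep your current session open while you do this, check the file with `sshd -t` before restarting (it reports syntax errors without starting a daemon), and only then restart and test a fresh login from a second terminal; a typo in AllowUsers locks out everybody, including you. And AllowUsers only helps against SSH guessing: the FTP attempts mentioned earlier need the same treatment in the FTP daemon's own allow list, or a fail2ban jail for that service.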