On Tue, Dec 6, 2011 at 2:40 PM, <m.roth at 5-cent.us> wrote: > >> >>> But based on what we know and what we have been told and what we have >>> worked out ourselves as well, its almost certainly bruteforced ssh >>> passwords. >> >> So, coincidence that they were CentOS, and pre-5.6? Did they have >> admins in common? > > Just incompetent ones. I believe I remember a map on the article, and they > had one or more in Poland, and some in southeast Asia, etc. I'm not convinced, having seen some very sophisticated attacks here, using combinations of known low level web service exploits combined with recently published local exploits to get root access. The ones I saw used a java/structs exploit plus a glib bug that should have been fixed in 5.4, but it was pretty clear that attempts were being made in a coordinated way to use recently published vulnerabilities. Not sure what might have been left in 5.5, though. -- Les Mikesell lesmikesell at gmail.com