On Fri, Dec 18, 2009 at 11:35:02AM +0000, Chris G wrote:
> Yes, other people with a shell login on the machine 'out there' will have the same (permitted) IP address. I'd already said that and agreed that it is something to be considered. However it's not a machine with hundreds of users; shell logins there belong to paid-for accounts, they're not freely available. I.e. it's certainly not a trusted machine but it's not at the other extreme either.
I was recently asked to take a look at a machine that had suddenly started to not work "correctly". In the process of looking I discovered a rootkit and other evidence that the machine had been broken into.
Anyhow, I reported this back to the owner to let him decide what he wanted to do. Six or seven hours later I got email from my IDS to let me know that someone was attempting to brute force ssh logins from the remote machine and it had blocked them. They had seen that I had logged in and were trying my username and guessing passwords based on the log files of the remote machine. I wouldn't be surprised if the passwords they were trying were also those that would be used to access the remote machine.
Adam