From: Joe.Warner@smed.com
To: freebsd-questions@freebsd.org
Message-Id: <852569B6.005F5F34.00@Deimos.smed.com>
Date: Fri, 15 Dec 2000 10:24:27 -0700
Subject: Intruder on our network - Please Help

Hi,

Because of recent messages appearing in our Shiva Access logs, I believe that someone is trying to gain access to our dialup device while logged into our network. Here are some entries from yesterday:

>Dec-14-2000 08:18:44 Authentication session aborted by request from NAS 10.1.264.7
>Dec-14-2000 08:18:44 Additional data from aborted session = CTRL-C pressed
>Dec-14-2000 08:18:52 Request to send password (privilege = 1) from user ` L at NAS
>10.1.264.7 port tty90 denied - user cannot login to internal user database

Whoever this is seems to be making attempts every morning between 07:30 and 08:30.
What sent up a red flag was the fact that they're trying to use a login that doesn't correspond to our current login naming scheme. I've looked at the logs and seen where they've tried to use 'I and 'L. This morning's logs show that they're still trying to use 'L for the login. I don't understand why someone would keep trying to use a login that doesn't work. And... why start with 'I or 'L in the first place? If it were me, I'd start with something like "administrator" or "msmith".

The line above that contains "(privilege = 1)" means that they're currently logged into our network but are attempting to telnet or connect directly to our dialup device and log in.

I tried to capture traffic with Ethereal but didn't get much. I tried using the filter "net 10.1.264.7" but I don't think it's going to show anything until this person actually signs onto the device. Is it possible they're using a port sniffer of some kind? Is there some other utility on my FreeBSD 3.4 system that I could use to identify this activity a little better?

Any help would be greatly appreciated.

Thanks,
Joe

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
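One defender-side approach to the question above is to parse the Shiva Access log lines themselves rather than wait for a packet capture: pull out every denied password request, group by NAS address and attempted username, and flag sources whose denials recur in the same hour-of-day window across several days. The following is an added example, not code from the original post or from Shiva; it assumes the log line layout is exactly as quoted in the message (including mail-style `>` quoting), and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout quoted in the post (not real log data).
SAMPLE_LOG = """\
>Dec-14-2000 08:18:44 Authentication session aborted by request from NAS 10.1.264.7
>Dec-14-2000 08:18:44 Additional data from aborted session = CTRL-C pressed
>Dec-14-2000 08:18:52 Request to send password (privilege = 1) from user ` L at NAS 10.1.264.7 port tty90 denied - user cannot login to internal user database
>Dec-15-2000 07:52:10 Request to send password (privilege = 1) from user ` L at NAS 10.1.264.7 port tty90 denied - user cannot login to internal user database
>Dec-15-2000 07:52:31 Request to send password (privilege = 1) from user ` I at NAS 10.1.264.7 port tty90 denied - user cannot login to internal user database
"""

TS_RE = re.compile(r"^(\w{3}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) (.*)$")
DENIED_RE = re.compile(
    r"Request to send password \(privilege = (\d+)\) from user (.+?) at NAS "
    r"(\S+) port (\S+) denied - (.*)$")

def parse_denials(text):
    """Return one dict per denied password request; other message types are skipped."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line.lstrip("> "))        # drop mail quoting before matching
        if not m:
            continue
        d = DENIED_RE.search(m.group(2))
        if not d:
            continue
        events.append({
            "time": datetime.strptime(m.group(1), "%b-%d-%Y %H:%M:%S"),
            "privilege": int(d.group(1)), "user": d.group(2),
            "nas": d.group(3), "port": d.group(4), "reason": d.group(5)})
    return events

def summarize(events, window=(7, 9)):
    """Group denials by (NAS, user); flag sources seen on more than one day whose
    attempts all fall inside the given hour-of-day window [start, end)."""
    by_source = defaultdict(list)
    for e in events:
        by_source[(e["nas"], e["user"])].append(e)
    report = {}
    for key, evs in by_source.items():
        days = {e["time"].date() for e in evs}
        in_window = all(window[0] <= e["time"].hour < window[1] for e in evs)
        report[key] = {"attempts": len(evs), "days": len(days),
                       "recurring_window": in_window and len(days) > 1,
                       "unknown_user": all("internal user database" in e["reason"] for e in evs)}
    return report

if __name__ == "__main__":
    for src, info in summarize(parse_denials(SAMPLE_LOG)).items():
        print(src, info)
```

Pointing the script at the full log instead of the sample shows how many distinct usernames and ports the same NAS address has tried, which is the detail a capture filter on the device alone would not give until a session actually succeeds.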