Date:      Fri, 11 Dec 2009 14:22:39 +0100
From:      Dag-Erling Smørgrav <des@des.no>
To:        $witch <a.spinella@rfc1925.net>
Cc:        freebsd-current@freebsd.org, Anton Shterenlikht <mexas@bristol.ac.uk>, freebsd-questions@freebsd.org
Subject:   Re: Root exploit for FreeBSD
Message-ID:  <86tyvxlk68.fsf@ds4.des.no>
In-Reply-To: <op.u4rt7sclqr96hw@zeta> (witch's message of "Fri, 11 Dec 2009 12:29:44 +0100")
References:  <20091210144141.GB834@mech-cluster241.men.bris.ac.uk> <op.u4rt7sclqr96hw@zeta>

$witch <a.spinella@rfc1925.net> writes:
> but I look in syslogs of some FreeBSD internet server and there is a
> great evidence that some "botnets" are (again) trying simple
> combination of uid/pwd.
>
> starting from Dec  8 01:00:34 (CET) hundreds of zombies are looking
> for a valid username.

Starting from Dec 8?  This has been going on for years, and it is not
targeted at FreeBSD; they attack anything that runs an SSH server.  Of
course, on current OpenSSH versions, it will get them nowhere, because
there is no partial confirmation, so they have to guess at the user
*and* the password, instead of first searching for an existing user and
*then* guessing at the password.

(on certain OSes - but not FreeBSD - running certain older OpenSSH
versions, you could figure out if the user existed, even if you didn't
have the right password)

DES
-- 
Dag-Erling Smørgrav - des@des.no
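
A defender's view of the syslog pattern discussed in this message, as an added example that is not part of the original e-mail: it separates guesses at nonexistent accounts from guesses at real ones, per source address. The log lines are constructed samples in the common sshd syslog style, and the function names and the `min_names` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE_LOG = """\
Dec  8 01:00:34 host sshd[1001]: Invalid user admin from 192.0.2.10
Dec  8 01:00:36 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Dec  8 01:00:41 host sshd[1002]: Invalid user test from 198.51.100.7
Dec  8 01:00:43 host sshd[1002]: Failed password for invalid user test from 198.51.100.7 port 51514 ssh2
Dec  8 01:00:50 host sshd[1003]: Failed password for root from 203.0.113.5 port 33870 ssh2
Dec  8 01:00:58 host sshd[1004]: Invalid user oracle from 192.0.2.10
Dec  8 01:01:02 host sshd[1005]: Accepted publickey for des from 192.0.2.200 port 50022 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")

def summarize(log_text):
    """Map source address -> names guessed, split into unknown and existing accounts."""
    unknown = defaultdict(set)
    existing = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            # sshd marks the account as "invalid user" only in its own log;
            # the client sees the same failure either way.
            bucket = unknown if m.group(1) else existing
            bucket[m.group(3)].add(m.group(2))
            continue
        m = INVALID.search(line)
        if m:
            unknown[m.group(2)].add(m.group(1))
    return dict(unknown), dict(existing)

def guessing_sources(log_text, min_names=2):
    """Sources that tried at least min_names distinct nonexistent usernames."""
    unknown, _ = summarize(log_text)
    return sorted(ip for ip, names in unknown.items() if len(names) >= min_names)

if __name__ == "__main__":
    unknown, existing = summarize(SAMPLE_LOG)
    for ip, names in sorted(unknown.items()):
        print(f"{ip}: {len(names)} nonexistent name(s): {sorted(names)}")
    for ip, names in sorted(existing.items()):
        print(f"{ip}: failed password for existing account(s): {sorted(names)}")
    print("username-guessing sources:", guessing_sources(SAMPLE_LOG))
```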


