From: Dag-Erling Smørgrav
To: $witch
Cc: freebsd-current@freebsd.org, Anton Shterenlikht, freebsd-questions@freebsd.org
Subject: Re: Root exploit for FreeBSD
Date: Fri, 11 Dec 2009 14:22:39 +0100
Message-ID: <86tyvxlk68.fsf@ds4.des.no>
References: <20091210144141.GB834@mech-cluster241.men.bris.ac.uk>
In-Reply-To: (witch's message of "Fri, 11 Dec 2009 12:29:44 +0100")

$witch writes:
> but i look in syslogs of some FreeBSD internet server and there is a
> great evidence that some "botnets" are (again) trying simple
> combination of uid/pwd.
>
> starting from Dec 8 01:00:34 (CET) hundreds of zombies are looking
> for a valid username.

Starting from Dec 8?  This has been going on for years, and it is not
targeted at FreeBSD; they attack anything that runs an SSH server.

Of course, on current OpenSSH versions, it will get them nowhere,
because there is no partial confirmation, so they have to guess at the
user *and* the password, instead of first searching for an existing user
and *then* guessing at the password.

(on certain OSes - but not FreeBSD - running certain older OpenSSH
versions, you could figure out if the user existed, even if you didn't
have the right password)

DES
--
Dag-Erling Smørgrav - des@des.no
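
An added example, not part of the original message: a small Python summary of the kind of syslog evidence discussed in this thread, grouping failed sshd password attempts by source and separating names sshd itself logged as "invalid user" from existing accounts. The log lines are constructed (documentation-range addresses), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the usual sshd syslog format; not taken from a real host.
SAMPLE_LOG = """\
Dec  8 01:00:34 host sshd[4101]: Invalid user admin from 192.0.2.10
Dec  8 01:00:36 host sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Dec  8 01:00:43 host sshd[4105]: Failed password for invalid user test from 198.51.100.7 port 51820 ssh2
Dec  8 01:00:50 host sshd[4109]: Failed password for root from 203.0.113.99 port 33901 ssh2
Dec  8 01:01:00 host sshd[4113]: Failed password for invalid user oracle from 192.0.2.10 port 40150 ssh2
Dec  8 01:01:07 host sshd[4117]: Accepted publickey for alice from 203.0.113.5 port 50022 ssh2
Dec  8 01:01:17 host sshd[4121]: Failed password for invalid user guest from 198.51.100.23 port 47011 ssh2
"""

# The user field is client-supplied text, so it is matched greedily: the
# address is always taken from the last " from <ip> port <n>" on the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Return {ip: {"invalid": set, "valid": set, "attempts": int}}."""
    stats = defaultdict(lambda: {"invalid": set(), "valid": set(), "attempts": 0})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # "Invalid user" preambles and "Accepted" lines are skipped
        entry = stats[m.group("ip")]
        entry["attempts"] += 1
        entry["invalid" if m.group("invalid") else "valid"].add(m.group("user"))
    return dict(stats)

def guessing_sources(stats, min_invalid=1):
    """Sources that tried at least min_invalid names sshd reported as invalid."""
    return sorted(ip for ip, s in stats.items() if len(s["invalid"]) >= min_invalid)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in guessing_sources(stats):
        print(ip, stats[ip]["attempts"], "failed; unknown users:", sorted(stats[ip]["invalid"]))
```

Many sources each trying a handful of nonexistent names is the distributed pattern the quoted message describes; the "invalid user" marker appears only in the server's own log and is not returned to the client.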