From owner-freebsd-questions Wed May 12 19:32:45 1999
Message-ID: <373A3B4B.82D780C4@borg.com>
Date: Wed, 12 May 1999 22:39:07 -0400
From: "Mark S. Reichman" <mark@borg.com>
To: Ben Pepa
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: hacking attempts

sshd did have problems. Use ssh2 in the ports. No, I'm not an expert on
this problem or an ssh2 expert. I can't even remember where I found out
sshd had problems at one time. I think I received a "root shell" mailing
about the vulnerability about 6 months ago or more.

Ben Pepa wrote:
>
> Hi,
>
> Today we had several breakins to at least 3 servers in which a
> malicious person used our servers to ping of death whole networks and
> other attacks to other networks (not our own) and also had several irc
> bots running throughout the night.
>
> My question: Is there some way to take advantage of sshd to gain access?
> Each time he got into our systems, he logged in as root on the first try
> and proceeded to use passwd to make a password on the 'toor' account which
> he later used as a back door to the root account once I reset the root
> password. As a result, I had to take three of our core FreeBSD servers
> offline which affected our WAN severely (the firewall server).
>
> I contacted the ISP where the IP came from and they said someone spoofed
> their IP address, but is this possible? Our server log indicated that the
> IP it came from generated a RSA key to the server, which I thought would
> have to be authenticated to that IP.
>
> If anyone has any ideas how this person keeps getting in, I'd be
> interested to know. The servers are all running FreeBSD 3.0-RELEASE, and
> all have telnet, pop3, imapd, sshd and apache running and one server
> is running samba, squid, and webmin.
>
> Any input is greatly appreciated,
>
> Ben
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
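The 'toor' back door Ben describes (a password set on a second UID-0 account) shows up in the password database itself, so it is worth auditing. The following POSIX sh script is an added example, not from the thread or from FreeBSD; it lists UID-0 accounts in a FreeBSD master.passwd-format file that have a usable (non-empty, non-locked) password. The sample file is constructed here with placeholder hashes; on a real host you would point it at /etc/master.passwd.

```shell
#!/bin/sh
# Audit a FreeBSD master.passwd-format file for UID-0 accounts with a usable
# password. Field layout: name:pw:uid:gid:class:change:expire:gecos:home:shell
# FreeBSD ships "toor" (UID 0) with an empty password field, i.e. no login;
# a hash appearing there means someone ran passwd on it.

# Write a constructed sample (placeholder hashes, not real credentials) to $1.
write_sample_master_passwd() {
    cat > "$1" <<'EOF'
root:$1$aaaa$PLACEHOLDERHASH:0:0::0:0:Charlie &:/root:/bin/csh
toor:$1$bbbb$PLACEHOLDERHASH:0:0::0:0:Bourne-again Superuser:/root:
rescue:*:0:0::0:0:Locked UID-0 account (constructed):/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
EOF
}

# Print every UID-0 account in file $1 (the full list an admin should review).
list_uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print UID-0 accounts other than root whose password field is neither empty
# nor locked. A field beginning with '*' (e.g. '*' or '*LOCKED*...') cannot
# match any password, so those are skipped; anything else is a live login.
find_extra_uid0_logins() {
    awk -F: '$3 == 0 && $1 != "root" && $2 != "" && $2 !~ /^\*/ { print $1 }' "$1"
}

SAMPLE=$(mktemp)
write_sample_master_passwd "$SAMPLE"
echo "UID-0 accounts:"
list_uid0_accounts "$SAMPLE"
echo "UID-0 accounts other than root with a usable password:"
find_extra_uid0_logins "$SAMPLE"   # prints: toor
rm -f "$SAMPLE"
```

Run it against /etc/master.passwd as root; any name it prints besides the accounts you deliberately created is a root-equivalent login to investigate.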