From owner-freebsd-questions Wed Feb 27 5:19: 7 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from freebsdportal.com (freeze.org [63.106.140.202]) by hub.freebsd.org (Postfix) with ESMTP id 0CB5737B402 for ; Wed, 27 Feb 2002 05:19:04 -0800 (PST)
Received: (from jfreeze@localhost) by freebsdportal.com (8.11.6/8.11.6) id g1RDIMP12944 for questions@freebsd.org; Wed, 27 Feb 2002 08:18:22 -0500 (EST) (envelope-from jfreeze)
Date: Wed, 27 Feb 2002 08:18:22 -0500
From: Jim Freeze
To: questions@freebsd.org
Subject: Is this a breakin (attempt)?
Message-ID: <20020227081821.A12905@freeze.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi:

I have received the following report the last two days from the
daily security emails and I am not sure how serious this is.

The log says that it has accepted the following ssh TCP packets,
but does this necessarily mean that they successfully logged in
to my machine? I do not recognize any of the addresses and I only
have a few accounts on this machine. Also, doing a last on
the machine only shows the known users logging in.

Is there an ssh activity log that I can check?

> ipfw: 2300 Accept TCP 212.185.220.151:64965 63.106.140.202:21 in via sis0
> ipfw: 2900 Accept TCP 63.217.26.40:22 63.106.140.204:22 in via sis0
> ipfw: 2300 Accept TCP 64.228.85.123:1075 63.106.140.202:21 in via sis0
> ipfw: 2600 Accept TCP 62.226.84.105:2320 63.106.140.205:21 in via sis0
> ipfw: 2900 Accept TCP 63.204.77.126:4671 63.106.140.204:22 in via sis0

nslookup 212.185.220.151
Name: pD4B9DC97.dip.t-dialin.net

nslookup 63.217.26.40
Name: 63-217-26-40.sdsl.cais.net

nslookup 64.228.85.123
Name: HSE-Toronto-ppp135100.sympatico.ca

nslookup 62.226.84.105
Name: p3EE25469.dip.t-dialin.net

nslookup 63.204.77.126
Name: adsl-63-204-77-126.gamerscircle.net

Thanks

--
Jim Freeze
"Give some people an attoparsec and they'll take 16.093 Tera-angstroms"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
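
Added example, not part of the original message: a short Python triage of ipfw log lines like the ones quoted above, grouping accepted inbound packets by destination service and flagging privileged source ports. An ipfw Accept entry records only that a firewall rule passed the packet, while authentication results come from the daemon's own syslog output and from last; the SERVICES map and the function names here are illustrative assumptions.

```python
import re
from collections import defaultdict

# Log lines copied from the message above, with the "> " quoting removed.
SAMPLE = """\
ipfw: 2300 Accept TCP 212.185.220.151:64965 63.106.140.202:21 in via sis0
ipfw: 2900 Accept TCP 63.217.26.40:22 63.106.140.204:22 in via sis0
ipfw: 2300 Accept TCP 64.228.85.123:1075 63.106.140.202:21 in via sis0
ipfw: 2600 Accept TCP 62.226.84.105:2320 63.106.140.205:21 in via sis0
ipfw: 2900 Accept TCP 63.204.77.126:4671 63.106.140.204:22 in via sis0
"""
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)
SERVICES = {21: "ftp", 22: "ssh"}  # illustrative: only the ports seen in the sample

def parse(text):
    """Return one dict per well-formed ipfw log line; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()})
    return events

def triage(events):
    """Group accepted inbound packets by (dst, service); flag low source ports."""
    by_service = defaultdict(set)
    flagged = []
    for ev in events:
        if ev["action"] != "Accept" or ev["dir"] != "in":
            continue
        svc = SERVICES.get(ev["dport"], str(ev["dport"]))
        by_service[(ev["dst"], svc)].add(ev["src"])
        # Clients normally use an unprivileged source port (>= 1024), so a low one merits a look.
        if ev["sport"] < 1024:
            flagged.append((ev["src"], ev["sport"], ev["dst"], ev["dport"]))
    return dict(by_service), flagged

if __name__ == "__main__":
    services, flagged = triage(parse(SAMPLE))
    for (dst, svc), sources in sorted(services.items()):
        print(f"{dst} {svc}: {len(sources)} source(s): {', '.join(sorted(sources))}")
    for src, sport, dst, dport in flagged:
        print(f"review: {src} used privileged source port {sport} -> {dst}:{dport}")
```

The summary tells you which services were reachable and from where; pairing each flagged or unfamiliar source with the matching sshd or ftpd syslog entries is what shows whether a session was ever authenticated.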