Date: Wed, 27 Feb 2002 14:21:04 +0000
From: Scott Mitchell <scott.mitchell@mail.com>
To: Bill Moran <wmoran@potentialtech.com>
Cc: Jim Freeze <jim@freeze.org>, questions@FreeBSD.ORG
Subject: Re: Is this a breakin (attempt)?
Message-ID: <20020227142104.A31592@localhost>
In-Reply-To: <02022708505801.00825@proxy.pt.com>; from wmoran@potentialtech.com on Wed, Feb 27, 2002 at 08:50:58AM -0500
References: <20020227081821.A12905@freeze.org> <02022708505801.00825@proxy.pt.com>

On Wed, Feb 27, 2002 at 08:50:58AM -0500, Bill Moran wrote:
> On Wednesday 27 February 2002 08:18, Jim Freeze wrote:
> > Hi:
> >
> > I have received the following report the last two days
> > from the daily security emails and I am not sure how serious
> > this is. The log says that it has accepted the following ssh
> > TCP packets, but does this necessarily mean that they successfully
> > logged in to my machine? I do not recognize any of the addresses
> > and I only have a few accounts on this machine. Also, doing a last
> > on the machine only shows the known users logging in. Is there an
> > ssh activity log that I can check?
> >
> > > ipfw: 2300 Accept TCP 212.185.220.151:64965 63.106.140.202:21 in via sis0
> > > ipfw: 2900 Accept TCP 63.217.26.40:22 63.106.140.204:22 in via sis0
> > > ipfw: 2300 Accept TCP 64.228.85.123:1075 63.106.140.202:21 in via sis0
> > > ipfw: 2600 Accept TCP 62.226.84.105:2320 63.106.140.205:21 in via sis0
> > > ipfw: 2900 Accept TCP 63.204.77.126:4671 63.106.140.204:22 in via sis0

Some of these connection requests were directed at your FTP port (21), not
ssh (22). Are you actually running an FTP server? If not, your firewall
should probably be set to deny packets to that port.

Apart from that, complete agreement with everything Bill said. This is the
kind of crap you're likely to see every day on a machine attached to the
'net, but you seem to be well on top of it.

Scott

--
===========================================================================
Scott Mitchell          | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England      | 0x54B171B9 |  don't get sucked into jet engines"
scott.mitchell@mail.com | 0xAA775B8B |      -- Anon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
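
The check described in the reply above (which accepted inbound packets were aimed at a port the host is not meant to serve), as an added example that is not part of the original message. The function names and the `intended_ports` set are assumptions made for illustration; the sample input is the five ipfw lines from the quoted report.

```python
import re
from collections import defaultdict

# Layout of the ipfw log lines as they appear in the quoted security report.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# The five log lines from the quoted report, with the "> " quoting removed.
SAMPLE = """\
ipfw: 2300 Accept TCP 212.185.220.151:64965 63.106.140.202:21 in via sis0
ipfw: 2900 Accept TCP 63.217.26.40:22 63.106.140.204:22 in via sis0
ipfw: 2300 Accept TCP 64.228.85.123:1075 63.106.140.202:21 in via sis0
ipfw: 2600 Accept TCP 62.226.84.105:2320 63.106.140.205:21 in via sis0
ipfw: 2900 Accept TCP 63.204.77.126:4671 63.106.140.204:22 in via sis0
"""

def parse(text):
    """Yield one dict per recognisable ipfw log line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            rec["dport"] = int(rec["dport"])
            yield rec

def unexpected_accepts(text, intended_ports):
    """Group accepted inbound packets by (dst, dport) for ports not in intended_ports.

    Returns {(dst, dport): {"rules": set of rule numbers, "sources": set of IPs}}.
    """
    hits = defaultdict(lambda: {"rules": set(), "sources": set()})
    for rec in parse(text):
        if rec["action"] != "Accept" or rec["dir"] != "in":
            continue
        if rec["dport"] in intended_ports:
            continue
        entry = hits[(rec["dst"], rec["dport"])]
        entry["rules"].add(rec["rule"])      # which firewall rule let it through
        entry["sources"].add(rec["src"])     # who was knocking
    return dict(hits)

if __name__ == "__main__":
    # Assumption: only sshd (port 22) is meant to be reachable on these addresses.
    for (dst, port), info in sorted(unexpected_accepts(SAMPLE, {22}).items()):
        print(f"{dst}:{port} accepted by rule(s) {sorted(info['rules'])} "
              f"from {sorted(info['sources'])}")
```

The rule numbers in the result identify which ipfw rules to tighten if no FTP server is running.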