From: Jeremy Lea <reg@openpave.org>
To: freebsd-hackers@freebsd.org
Date: Fri, 2 Oct 2009 13:10:39 -0700
Subject: Distributed SSH attack
Message-ID: <20091002201039.GA53034@flint.openpave.org>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

Hi,

This is off topic to this list, but I don't want to subscribe to -chat just to post there...
Someone is currently running a distributed SSH attack against one of my boxes - one attempted login for root every minute or so for the last 48 hours. They won't get anywhere, since the box in question has no root password, and doesn't allow root logins via SSH anyway... But I was wondering if there were any security researchers out there that might be interested in the +-800 IPs I've collected from the botnet? The resolvable hostnames mostly appear to be in Eastern Europe and South America - I haven't spotted any that might be 'findable' to get the botnet software.

I could switch out the machine for a honeypot in a VM or a jail, by moving the host to a new IP, and if you can think of a way of allowing the next login to succeed with any password, then you could try to see what they delivered... But I don't have a lot of time to help.

Regards,
  -Jeremy

-- 
FreeBSD - Because the best things in life are free...           http://www.freebsd.org/
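The pattern Jeremy describes (one root attempt per minute, each from a different host in a pool of several hundred) is exactly the shape that per-source blockers such as sshguard or fail2ban never react to, because no single address ever crosses their threshold. The script below is an added example, not code from the original mail or from the FreeBSD project: it parses OpenSSH "Failed password" lines as syslog writes them, aggregates failures per target account rather than per source, and flags an account as under distributed attack when many sources each tried only a few times. The log lines, host name, addresses (TEST-NET ranges) and thresholds are all constructed for the example.

```python
"""Spot a distributed, low-rate SSH brute force in sshd log lines.

Added example, not from the original mail. Log lines, host name and
addresses below are constructed (TEST-NET ranges); thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" line as syslog records it; the "invalid user "
# prefix appears when the account does not exist on the box.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2009):
    """Return (timestamp, user, source_ip), or None for lines we ignore.
    syslog omits the year, so the caller supplies it (assumed 2009 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m['user'], m['ip']


def analyse(lines, min_sources=5, max_per_source=3):
    """Per target account: attempts, distinct sources, busiest source, span.

    'distributed' is set when at least min_sources addresses took part and
    none of them tried more than max_per_source times: the case a per-IP
    blocker misses because no single address trips its counter.
    """
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, user, ip = rec
            per_user[user].append((ts, ip))
    report = {}
    for user, hits in per_user.items():
        hits.sort()
        per_ip = defaultdict(int)
        for _, ip in hits:
            per_ip[ip] += 1
        busiest = max(per_ip.values())
        span = hits[-1][0] - hits[0][0]
        report[user] = {
            'attempts': len(hits),
            'sources': len(per_ip),
            'max_per_source': busiest,
            'span_minutes': int(span.total_seconds() // 60),
            'distributed': len(per_ip) >= min_sources and busiest <= max_per_source,
        }
    return report


def source_ips(lines, user):
    """Sorted, de-duplicated list of addresses that tried the given account,
    i.e. the list one would hand to a researcher."""
    ips = {rec[2] for rec in map(parse_line, lines) if rec and rec[1] == user}
    return sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split('.')))


def build_sample_log():
    """Constructed log: one root attempt per minute, each from a different
    host; one host hammering 'admin'; and an unrelated successful login."""
    start = datetime(2009, 10, 2, 13, 0, 0)
    lines = []
    for i in range(12):
        t = start + timedelta(minutes=i)
        lines.append(f"{t:%b} {t.day:>2} {t:%H:%M:%S} flint sshd[{53000 + i}]: "
                     f"Failed password for root from 192.0.2.{i + 1} port {40000 + i} ssh2")
    for i in range(6):
        t = start + timedelta(minutes=3, seconds=i)
        lines.append(f"{t:%b} {t.day:>2} {t:%H:%M:%S} flint sshd[{53200 + i}]: "
                     f"Failed password for invalid user admin from 203.0.113.7 port {51000 + i} ssh2")
    lines.append("Oct  2 13:05:00 flint sshd[53100]: Accepted publickey for reg "
                 "from 198.51.100.4 port 50022 ssh2")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for user, stats in analyse(log).items():
        print(user, stats)
    print("root sources:", source_ips(log, 'root'))
```

Run against a real /var/log/auth.log the regex will also need the sshd "Invalid user" and "ROOT LOGIN REFUSED" variants that some versions emit instead of, or in addition to, "Failed password"; the per-account aggregation is the part that matters. Note that the script only detects; with PermitRootLogin set to no and no root password, as in the mail, the attempts are noise, and the useful output is the address list.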