From owner-freebsd-questions@FreeBSD.ORG Sat Apr 14 12:19:50 2007
Message-ID: <4620C6E2.9050502@aeternal.net>
Date: Sat, 14 Apr 2007 14:19:46 +0200
From: Martin Hudec
To: freebsd-questions@freebsd.org
References: <80f4f2b20704140425w2631ee3co5547b772f6c972e8@mail.gmail.com> <4620BC95.3070107@FreeBSD.org> <80f4f2b20704140509w6546e0dcqd54e302fbecb5ed7@mail.gmail.com>
In-Reply-To: <80f4f2b20704140509w6546e0dcqd54e302fbecb5ed7@mail.gmail.com>
Subject: Re: Given this evidence, should I be worried that I may have been hacked
Jim Stapleton wrote:
> I have DSA. I will change it to a nonstandard port, but I was
> wondering what your opinion is on a good way to check if this is the
> result of me being hacked, or just someone losing interest.

If you are hacked, then something might or might not be going on your system (check for unusual stuff, like a rise in the number of processes, or disk usage, or network traffic, and think about it). You know how your system behaves day to day, don't you?

Nevertheless, generally speaking, 99.99% of these brute-force attempts to get ssh access are coming from various zombies blindly trying out port 22; that's why the port change is the usual advice.

There are easier ways to get inside than just brute-forcing login credentials by wild guessing. For example, take an unsecured web server with some full-of-bugs content management system. Exploiting a vulnerability will allow someone (this time definitely not a zombie) to get into the system and go forward with any dark actions he/she might have in mind.

nice sunny weekend,
Martin
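As an added example (not from Martin's message or the list), a script that applies the check implied above to the sshd side of the question: it reads OpenSSH's standard auth-log messages (constructed sample lines below, with placeholder host and TEST-NET addresses), counts failed guesses per source, and flags any accepted login from a source that had been guessing earlier, which is the event that separates "hacked" from "someone losing interest".

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth-log lines (FreeBSD /var/log/auth.log
# style); "host" and the 192.0.2.x / 198.51.100.x addresses are placeholders.
SAMPLE_LOG = """\
Apr 14 03:10:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Apr 14 03:10:04 host sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 40113 ssh2
Apr 14 03:10:07 host sshd[1205]: Failed password for root from 192.0.2.10 port 40114 ssh2
Apr 14 03:10:09 host sshd[1207]: Failed password for root from 192.0.2.10 port 40115 ssh2
Apr 14 03:10:12 host sshd[1209]: Accepted password for root from 192.0.2.10 port 40116 ssh2
Apr 14 08:00:00 host sshd[1300]: Accepted publickey for jim from 198.51.100.7 port 51000 ssh2
Apr 14 09:15:33 host sshd[1310]: Failed password for invalid user oracle from 192.0.2.55 port 3022 ssh2
Apr 14 09:15:35 host sshd[1312]: Failed password for invalid user oracle from 192.0.2.55 port 3023 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")

def summarize(log_text, threshold=3):
    """Return (guessers, suspicious_logins).
    guessers: {ip: {"attempts": n, "users": set}} for sources with at least
    `threshold` failed logins (blind zombies walk a list of common names).
    suspicious_logins: (ip, user, method) for each Accepted login from a
    source that failed earlier in the same log: a guess that finally worked.
    """
    failures = defaultdict(lambda: {"attempts": 0, "users": set()})
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip]["attempts"] += 1
            failures[ip]["users"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m and m.group(3) in failures:  # success after failures from same source
            method, user, ip = m.groups()
            suspicious.append((ip, user, method))
    guessers = {ip: f for ip, f in failures.items() if f["attempts"] >= threshold}
    return guessers, suspicious

if __name__ == "__main__":
    guessers, suspicious = summarize(SAMPLE_LOG)
    for ip, f in sorted(guessers.items()):
        print(f"{ip}: {f['attempts']} failed attempts, users tried {sorted(f['users'])}")
    for ip, user, method in suspicious:
        print(f"WARNING: accepted {method} login for {user} from {ip} after failed guesses")
```

On a real host, feed it `/var/log/auth.log` (and the rotated copies) rather than the sample, and treat any WARNING line as the point where the "check for unusual stuff" advice above becomes an incident rather than noise.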