Date: Fri, 15 Dec 2000 10:24:27 -0700
From: Joe.Warner@smed.com
To: freebsd-questions@freebsd.org
Subject: Intruder on our network - Please Help
Message-ID: <852569B6.005F5F34.00@Deimos.smed.com>
Hi,

Because of recent messages appearing in our Shiva Access logs, I believe that someone is trying to gain access to our dialup device while logged into our network. Here are some entries from yesterday:

>Dec-14-2000 08:18:44 Authentication session aborted by request from NAS 10.1.264.7
>Dec-14-2000 08:18:44 Additional data from aborted session = CTRL-C pressed
>Dec-14-2000 08:18:52 Request to send password (privilege = 1) from user ` L at NAS
>10.1.264.7 port tty90 denied - user cannot login to internal user database

Whoever this is seems to be making attempts every morning between 07:30 and 08:30. What sent up a red flag was the fact that they're trying to use a login that doesn't correspond to our current login naming scheme. I've looked at the logs and seen where they've tried to use 'I and 'L. This morning's logs show that they're still trying to use 'L for the login. I don't understand why someone would keep trying to use a login that doesn't work. And... why start with 'I or 'L in the first place? If it were me, I'd start with something like "administrator" or "msmith".

The line above that contains "(privilege = 1)" means that they're currently logged into our network but are attempting to telnet or connect directly to our dialup device and log in.

I tried to capture traffic with Ethereal but didn't get much. I tried using the filter "net 10.1.264.7" but I don't think it's going to show anything until this person actually signs onto the device. Is it possible they're using a port sniffer of some kind? Is there some other utility on my FreeBSD 3.4 system that I could use to identify this activity a little better?

Any help would be greatly appreciated.

Thanks
Joe
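A practical first step for the situation described in the post is to work from the Shiva log itself rather than wait for a packet capture: parse the "Request to send password ... denied" entries, flag usernames that fall outside the site's naming scheme, and count them per NAS and per hour so the 07:30-08:30 clustering the poster noticed shows up directly. The script below is an added example written for this page, not code from the original post or from Shiva; it assumes the entry layout is exactly the one quoted in the message, the sample log lines are constructed (modeled on the three quoted entries, with a couple of extra lines added), and the naming scheme (lowercase first-initial-plus-surname, like "msmith") is an assumption for illustration.

```python
"""Triage Shiva access-log entries for repeated failed logins to a dial-up NAS.

Added example, not from the original post. Assumes each entry looks like the
ones quoted in the message: "Mon-DD-YYYY HH:MM:SS <message>".
"""
import re
from collections import Counter
from datetime import datetime

# Leading timestamp of every entry, e.g. "Dec-14-2000 08:18:52".
_ENTRY = re.compile(r"^(?P<ts>\w{3}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")

# Message body of a denied password request, in the form quoted in the post.
_DENIED = re.compile(
    r"Request to send password \(privilege = (?P<priv>\d+)\) from user "
    r"(?P<user>.+?) at NAS (?P<nas>\S+) port (?P<port>\S+) denied - (?P<reason>.*)$"
)

# ASSUMED site naming scheme: first initial plus surname, lowercase letters only
# (the post mentions "msmith"). Anything that does not match is "off-scheme".
NAMING_SCHEME = re.compile(r"^[a-z]{2,16}$")


def parse_entry(line):
    """Return a dict for a denied-login entry, or None for any other entry."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    d = _DENIED.match(m.group("msg"))
    if not d:
        return None
    ts = datetime.strptime(m.group("ts"), "%b-%d-%Y %H:%M:%S")
    return {
        "ts": ts,
        "priv": int(d.group("priv")),
        "user": d.group("user").strip(),  # e.g. "` L" as it appears in the log
        "nas": d.group("nas"),
        "port": d.group("port"),
        "reason": d.group("reason"),
    }


def triage(lines, scheme=NAMING_SCHEME):
    """Summarise denied logins: off-scheme usernames, attempts per NAS and per hour."""
    events = [e for e in (parse_entry(l) for l in lines) if e]
    off_scheme = [e for e in events if not scheme.match(e["user"])]
    return {
        "denied": len(events),
        "off_scheme": len(off_scheme),
        "users": sorted({e["user"] for e in off_scheme}),
        "per_nas": dict(Counter(e["nas"] for e in off_scheme)),
        "per_hour": dict(Counter(e["ts"].hour for e in off_scheme)),
    }


# CONSTRUCTED sample log, modeled on the entries quoted in the post; not real data.
SAMPLE_LOG = """\
Dec-13-2000 07:41:10 Request to send password (privilege = 1) from user ` I at NAS 10.1.264.7 port tty90 denied - user cannot login to internal user database
Dec-14-2000 08:18:44 Authentication session aborted by request from NAS 10.1.264.7
Dec-14-2000 08:18:44 Additional data from aborted session = CTRL-C pressed
Dec-14-2000 08:18:52 Request to send password (privilege = 1) from user ` L at NAS 10.1.264.7 port tty90 denied - user cannot login to internal user database
Dec-14-2000 13:02:05 Request to send password (privilege = 1) from user msmith at NAS 10.1.264.7 port tty12 denied - bad password
Dec-15-2000 08:03:19 Request to send password (privilege = 1) from user ` L at NAS 10.1.264.7 port tty90 denied - user cannot login to internal user database
""".splitlines()


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample above, the three "` I"/"` L" attempts are reported as off-scheme, all against the same NAS and all in the 07:00 and 08:00 hours, while the "msmith" bad-password entry is counted but not flagged. For the capture side, FreeBSD 3.4 ships tcpdump in the base system; a capture filter of the form "host <NAS address> and tcp port 23" on the interface facing the dial-up device will record the telnet login attempts themselves rather than all traffic to and from the NAS. Note that the address as printed in the post has an octet above 255, so a BPF filter built from it verbatim will be rejected; use the NAS's actual address.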