From: Steve Suhre
To: freebsd-questions@freebsd.org
Date: Thu, 28 Oct 2004 10:39:32 -0600
Subject: Hacker activity?

I'm not sure if this is the correct group... but I'm getting some weird activity on the network. The security reports will show 50-100 attempts to log in to a server, most as root, but some are attempts to log in to other seemingly random account names. The login attempts are through ssh or telnet, all come from the same remote server, and all fail.

I'm also getting some odd CGI calls to a script on a secure SSL server. There's nothing that this particular script could do for a hacker, but the script is sent a random string, sometimes many times a minute, other times it's every 2-3 minutes. I grabbed the IP address and blocked it, and about 10 minutes later it had moved to another IP. I'm now blocking a range of IPs.

These don't seem like enough iterations to be very successful, the odds are overwhelmingly in favor of the server at this rate... Does anyone have a clue what might be happening or where I should go to find out?

---
Steve Suhre
Antero web technologies
719.634.8161
steve@Antero.com