From: Steve Suhre <steve@Antero.com>
Date: Thu, 28 Oct 2004 13:13:14 -0600
To: Vulpes Velox
Cc: freebsd-questions@freebsd.org
Subject: Re: Hacker activity?
Message-Id: <6.0.3.0.2.20041028124740.03d9f700@nano.net>
In-Reply-To: <20041028133250.77c30503@vixen42.24-119-122-191.cpe.cableone.net>
List-Id: freebsd-questions (User questions)

Thanks. Right now I'm blocking 66.249.6*.* on the secure server for the cgi script and haven't seen anything for a couple of hours. The other intruder is a little slicker and moves around quite a bit. My interest is in the frequency, or lack thereof. Do they attack many sites at once, like spam, hoping to hit on a server that has a dictionary password, rather than pound one server with all they've got? Distributed hacking?
I can't think of another reason why someone would even try to hack into a server by logging in 50-100 times once or twice a week. You can't get root through anything but the console, and 50-100 attempts don't cover a lot of password ground on the other accounts, most of which are locked down against shell access anyway.... I'm not really concerned about the activity; it would take eons to hack into anything this way. I'm wondering if there's something going on that I don't know about. Maybe this is a smoke screen to divert attention from the real threat? It doesn't make a lot of sense....

At 12:32 PM 10/28/2004, Vulpes Velox wrote:
>On Thu, 28 Oct 2004 10:39:32 -0600
>Steve Suhre wrote:
>
> > I'm not sure if this is the correct group... but I'm getting some
> > weird activity on the network. The security reports will show 50-100
> > attempts to login to a server, most as root but some are attempts to
> > login to other seemingly random account names. The login attempts
> > are through ssh or telnet, all come from the same remote server, and
> > all fail. I'm also getting some odd cgi calls to a script on a
> > secure ssl server. There's nothing that this particular script could
> > do for a hacker, but the script is sent a random string, sometimes
> > many times a minute, other times it's every 2-3 minutes. I grabbed
> > the ip address and blocked it, and about 10 minutes later it had
> > moved to another ip. I'm now blocking a range of ip's. These don't
> > seem like enough iterations to be very successful; the odds are
> > overwhelmingly in favor of the server at this rate... Does anyone
> > have a clue what might be happening or where I should go to find
> > out?
>
>If it is all from a common subnet, I would block it. I would then whois
>to see if there is an abuse addy I could complain to or the like.
>
>Also man login.conf.
>
>Sounds like some jerk singled you out, or is possibly trying it all
>on a subnet.
>Back before moving stuff off common ports, I would get
>massive amounts of that crap. It was basically ppl trying anything in
>the college's address space.

---
Steve Suhre
Antero web technologies
719.634.8161
steve@Antero.com
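As an added example (not part of this thread, and not code written by anyone on it), the Python below puts numbers on the pattern Steve describes: it tallies sshd "Failed password" lines per source address, counts root versus guessed account names, and reports whether the attempts sit on one address, hop between addresses inside one /24 (the "moves around quite a bit" case), or are just background noise. The log lines are constructed in FreeBSD syslog format with RFC 5737 documentation addresses, and the hostname "silver", the year and the thresholds are assumptions.

```python
"""Tally failed sshd logins per source and per /24 to separate a focused
brute-force run from one that hops addresses inside a block.

Added example for this thread, not code from the thread itself. The log
lines are constructed (documentation addresses, assumed hostname "silver").
"""
import re
from collections import defaultdict
from datetime import datetime

# sshd's "Failed password" line. "invalid user" is present when the account
# does not exist, which is how guesses at random account names show up.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample: five failures from one host, three from a neighbour in
# the same /24, one stray guess elsewhere, and one legitimate key login.
SAMPLE_LOG = """\
Oct 28 10:02:11 silver sshd[4021]: Failed password for root from 198.51.100.7 port 52110 ssh2
Oct 28 10:02:14 silver sshd[4021]: Failed password for root from 198.51.100.7 port 52110 ssh2
Oct 28 10:02:18 silver sshd[4023]: Failed password for invalid user admin from 198.51.100.7 port 52114 ssh2
Oct 28 10:02:21 silver sshd[4025]: Failed password for invalid user test from 198.51.100.7 port 52118 ssh2
Oct 28 10:02:25 silver sshd[4027]: Failed password for root from 198.51.100.7 port 52122 ssh2
Oct 28 10:02:30 silver sshd[4029]: Accepted publickey for steve from 192.0.2.5 port 40001 ssh2
Oct 28 10:14:02 silver sshd[4101]: Failed password for root from 198.51.100.9 port 40880 ssh2
Oct 28 10:14:06 silver sshd[4103]: Failed password for invalid user oracle from 198.51.100.9 port 40884 ssh2
Oct 28 10:14:09 silver sshd[4105]: Failed password for root from 198.51.100.9 port 40888 ssh2
Oct 28 11:30:40 silver sshd[4210]: Failed password for invalid user guest from 203.0.113.44 port 33002 ssh2
"""


def parse_failures(log_text, year=2004):
    """Return [(datetime, user, ip, account_exists)] for each failed login.
    Syslog lines carry no year, so the caller supplies it (assumed 2004)."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        stamp = " ".join(m["ts"].split())  # collapse "Oct  8" double space
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"], m["invalid"] is None))
    return out


def per_source(failures):
    """Per-IP tally: attempt count, distinct usernames, root attempts,
    and the first/last timestamp so the rate can be judged."""
    stats = {}
    for ts, user, ip, _exists in failures:
        s = stats.setdefault(ip, {"attempts": 0, "users": set(), "root": 0,
                                  "first": ts, "last": ts})
        s["attempts"] += 1
        s["users"].add(user)
        if user == "root":
            s["root"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def per_slash24(stats):
    """Collapse per-IP counts onto /24 blocks, so an attacker that changes
    address inside one block after being blocked still shows as one source."""
    blocks = defaultdict(int)
    for ip, s in stats.items():
        blocks[ip.rsplit(".", 1)[0] + ".0/24"] += s["attempts"]
    return dict(blocks)


def classify(stats, threshold=5):
    """'focused' if a single address alone reaches the threshold, 'hopping'
    if only a /24 aggregate does, otherwise 'noise'. Threshold is assumed."""
    if any(s["attempts"] >= threshold for s in stats.values()):
        return "focused"
    if any(n >= threshold for n in per_slash24(stats).values()):
        return "hopping"
    return "noise"


def block_candidates(stats, threshold=5):
    """Addresses at or above the threshold, in a form ready to feed a
    firewall table (for example pfctl -t bruteforce -T add <ip>)."""
    return sorted(ip for ip, s in stats.items() if s["attempts"] >= threshold)


if __name__ == "__main__":
    stats = per_source(parse_failures(SAMPLE_LOG))
    for ip, s in sorted(stats.items()):
        print(f"{ip:16} attempts={s['attempts']} root={s['root']} "
              f"users={sorted(s['users'])} span={s['last'] - s['first']}")
    print("per /24:", per_slash24(stats))
    print("verdict:", classify(stats), "block:", block_candidates(stats))
```

Two caveats a practitioner would add. First, one host's logs cannot answer the "many sites at once" question: the same source spraying a few guesses at each of a thousand servers looks exactly like noise from any single server, so that needs whois/abuse reporting or correlation across hosts, as the reply suggests. Second, counting is only useful if the count can actually lead somewhere; with password authentication disabled for ssh (key-only) and telnet not exposed, the tally becomes a nuisance metric rather than a risk metric.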