Date: Sat, 28 Apr 2007 13:00:08 -0400
From: Jerry McAllister <jerrymc@msu.edu>
To: Maksym Kuvyklin <maximo4k@gmail.com>
Cc: questions@freebsd.org
Subject: Re: misc/112207: I have suspicion that somebudy use my server like zombie server.
Message-ID: <20070428170007.GA8507@gizmo.acns.msu.edu>
In-Reply-To: <200704281407.l3SE7WWV079610@www.freebsd.org>
References: <200704281407.l3SE7WWV079610@www.freebsd.org>
On Sat, Apr 28, 2007 at 02:07:32PM +0000, Maksym Kuvyklin wrote:
>
> >Synopsis: I have suspicion that somebudy use my server like zombie server.
> >Arrival-Date: Sat Apr 28 14:20:04 GMT 2007
> >Originator: Maksym Kuvyklin
> >Release: FreeBSD 5.5 STABLE
> >Environment:
> FreeBSD mail.ukremb.com 5.5-RELEASE FreeBSD 5.5-RELEASE #6: Mon Apr 23 14:41:21 EDT 2007 root@mail.ukremb.com:/usr/obj/usr/src/sys/MYKERNEL i386
> >Description:
> Sorry for my poor English. I am new to this community.
> I detected that somebody tried to penetrate my server via ssh. When I changed the port, all these attempts stopped. Then the server notified me that somebody was using my IP address, and after that my network adapter went down. I changed it to another one and the server started working again. I have a static IP address. But now my connection is very slow. I have looked through the logs and have not found any traces of penetration. Please help me solve this problem.
>

I took the liberty to make a response and redirect this to the questions list. I hope that is OK.

I am not a network security expert, so if someone tells you better, then go with their information. But...

Someone is always trying to penetrate ssh on systems. They go around and scan every machine they can find with a common list of ids. You can put in place some blocking software or firewalls to prevent those scans from getting to your machine, but it might not be all that meaningful.

As for a warning that some other machine is using your IP address, this can be possible if some other machine is badly configured. It can be a lot of work to track down that machine, but that is the only way to fix it. It is possible that another machine may be using your IP address to try and steal information, or use your address to either spam or attack others. Or, it may be just someone who is either incompetent or lazy with setting up their system. It is hard to tell without more examination.

Definitely something like that can cause your network traffic to be very slow. If you are lucky, that machine using your IP will be physically near you and can be tracked down. Maybe some other people can help with hints on how to do it.

Anyway, it may, but does not necessarily, indicate that your machine has been broken into. If you can find no other signs, then maybe you are lucky and all the problem is external to your machine. But you do need to track down that bad machine using your IP and shut it down.

Good luck,

////jerry
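The two symptoms discussed in this thread (ssh credential scanning and a second host answering for the same IP address) both leave traces in the system logs, and pulling them out is the first step before tracking the offending machine down. The following script is an added example, not part of the original thread or of FreeBSD; the log lines it parses are constructed samples in the format OpenSSH's sshd and the FreeBSD kernel's arp code use, and the addresses and MAC in them are made up.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/auth.log and /var/log/messages style.
# Addresses, MAC and hostnames are made up for this example.
SAMPLE_LOG = """\
Apr 28 03:11:02 mail sshd[812]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 28 03:11:05 mail sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Apr 28 03:11:09 mail sshd[819]: Invalid user oracle from 203.0.113.7
Apr 28 03:12:40 mail sshd[830]: Accepted publickey for maks from 198.51.100.4 port 40022 ssh2
Apr 28 09:30:17 mail kernel: arp: 00:1b:21:aa:bb:cc is using my IP address 192.0.2.10 on fxp0!
Apr 28 09:30:19 mail kernel: arp: 00:1b:21:aa:bb:cc is using my IP address 192.0.2.10 on fxp0!
"""

# sshd failure lines: either a rejected password or an unknown user name.
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)"
)
# Kernel warning that another MAC address is answering ARP for our own IP.
ARP_DUP = re.compile(r"arp: ([0-9a-f:]{17}) is using my IP address (\S+) on (\S+)!")


def ssh_failures_by_source(log_text, threshold=3):
    """Count failed ssh logins per source IP; return those at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def arp_conflicts(log_text):
    """Return unique (mac, ip, interface) tuples from duplicate-IP warnings.

    The MAC address is what you take to the switch's forwarding table to
    locate the machine physically; the IP alone does not identify it.
    """
    seen = []
    for line in log_text.splitlines():
        m = ARP_DUP.search(line)
        if m and m.groups() not in seen:
            seen.append(m.groups())
    return seen


if __name__ == "__main__":
    for ip, n in ssh_failures_by_source(SAMPLE_LOG).items():
        print(f"ssh scanner: {ip} ({n} failures)")
    for mac, ip, ifname in arp_conflicts(SAMPLE_LOG):
        print(f"IP conflict: {mac} claims {ip} on {ifname}")
```

On a real host, feed it the contents of /var/log/auth.log and /var/log/messages instead of the constructed sample; the scanner list is what you would block at the firewall, and the MAC is what you chase down.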
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070428170007.GA8507>