From owner-freebsd-questions@FreeBSD.ORG Sat Apr 28 17:02:49 2007
Date: Sat, 28 Apr 2007 13:00:08 -0400
From: Jerry McAllister
To: Maksym Kuvyklin
Cc: questions@freebsd.org
Message-ID: <20070428170007.GA8507@gizmo.acns.msu.edu>
References: <200704281407.l3SE7WWV079610@www.freebsd.org>
In-Reply-To: <200704281407.l3SE7WWV079610@www.freebsd.org>
Subject: Re: misc/112207: I have suspicion that somebody use my server like zombie server.

On Sat, Apr 28, 2007 at 02:07:32PM +0000, Maksym Kuvyklin wrote:

> >Synopsis: I have suspicion that somebody use my server like zombie server.
> >Arrival-Date: Sat Apr 28 14:20:04 GMT 2007
> >Originator: Maksym Kuvyklin
> >Release: FreeBSD 5.5 STABLE
> >Environment:
> FreeBSD mail.ukremb.com 5.5-RELEASE FreeBSD 5.5-RELEASE #6: Mon Apr 23 14:41:21 EDT 2007 root@mail.ukremb.com:/usr/obj/usr/src/sys/MYKERNEL i386
> >Description:
> Sorry for my poor English. I am new in this community.
> I detected that somebody tried to penetrate my server via ssh. When I changed the port, all these attempts stopped. Then the server notified me that somebody was using my IP address, and after that my network adapter went down. I changed it to another one and the server started working again. I have a static IP address. But now my connection is very slow. I have looked through the logs and have not found any traces of penetration. Please help me to solve this problem.
>

I took the liberty to make a response and redirect this to the questions list. I hope that is OK.

I am not a network security expert, so if someone tells you better, then go with their information. But...

Someone is always trying to penetrate ssh on systems. They go around and scan every machine they can find with a common list of ids. You can put in place some blocking software or firewalls to prevent those scans from getting to your machine, but it might not be all that meaningful.

As for a warning that some other machine is using your IP address, this can be possible if some other machine is badly configured. It can be a lot of work to track down that machine, but that is the only way to fix it. It is possible that another machine may be using your IP address to try and steal information or use your address to either spam or attack others. Or, it may be just someone who is either incompetent or lazy with setting up their system. It is hard to tell without more examination. Definitely something like that can cause your network traffic to be very slow.

If you are lucky, that machine using your IP will be physically near you and can be tracked down. Maybe some other people can help with hints on how to do it.

Anyway, it may, but does not necessarily, indicate that your machine has been broken into. If you can find no other signs, then maybe you are lucky and all the problem is external to your machine. But you do need to track that bad machine using your IP and shut it down.

Good luck,

////jerry
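The two symptoms discussed in this thread (a warning that another host is using the server's IP address, and a stream of ssh login attempts) both leave traces in syslog that can be summarized mechanically. The following Python script is an added example, not code from either poster: it parses constructed /var/log/messages lines, pulls out the foreign MAC address from the kernel's ARP duplicate-address warning, and tallies failed sshd logins by source address. The exact log wording (the kernel's "arp: <mac> is using my IP address <ip> on <iface>!" and OpenSSH's "Failed password for ... from <ip> port <n>") and the sample addresses are assumptions for the example, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original thread). The ARP line
# uses the wording the FreeBSD kernel emits when an ARP reply for one of its own
# addresses arrives from a foreign MAC; the sshd wording follows OpenSSH of that
# era. Both are assumptions for this example.
SAMPLE_LOG = """\
Apr 28 12:01:03 mail kernel: arp: 00:11:22:33:44:55 is using my IP address 203.0.113.10 on fxp0!
Apr 28 12:01:09 mail kernel: arp: 00:11:22:33:44:55 is using my IP address 203.0.113.10 on fxp0!
Apr 28 12:03:44 mail sshd[812]: Failed password for illegal user admin from 198.51.100.7 port 40122 ssh2
Apr 28 12:03:46 mail sshd[812]: Failed password for illegal user test from 198.51.100.7 port 40128 ssh2
Apr 28 12:04:01 mail sshd[815]: Failed password for root from 198.51.100.9 port 50011 ssh2
Apr 28 12:05:30 mail kernel: arp: 66:77:88:99:aa:bb is using my IP address 203.0.113.10 on fxp0!
Apr 28 12:06:00 mail sshd[820]: Accepted publickey for jerry from 192.0.2.5 port 22222 ssh2
"""

# Duplicate-address warning: capture the offending MAC, our IP and the interface.
ARP_DUP_RE = re.compile(
    r"arp: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) is using my IP address "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) on (?P<iface>\S+)!",
    re.IGNORECASE,
)

# Failed ssh logins: capture the source address (user name is captured but not used here).
SSH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_log(text):
    """Return (arp_conflicts, ssh_failures).

    arp_conflicts: Counter keyed by (foreign_mac, our_ip, iface)
    ssh_failures:  Counter keyed by source address
    """
    arp = Counter()
    ssh = Counter()
    for line in text.splitlines():
        m = ARP_DUP_RE.search(line)
        if m:
            arp[(m["mac"].lower(), m["ip"], m["iface"])] += 1
            continue
        m = SSH_FAIL_RE.search(line)
        if m:
            ssh[m["src"]] += 1
    return arp, ssh


def report(arp, ssh, ssh_threshold=2):
    """Build human-readable findings. Every ARP conflict is reported, because a
    single foreign MAC claiming our address is already worth chasing down; ssh
    sources are reported only once they pass the failure threshold."""
    lines = []
    for (mac, ip, iface), n in arp.most_common():
        lines.append(f"ARP conflict: {mac} claimed {ip} on {iface} ({n} times)")
    for src, n in ssh.most_common():
        if n >= ssh_threshold:
            lines.append(f"ssh brute-force candidate: {src} ({n} failed logins)")
    return lines


if __name__ == "__main__":
    # Stand-alone usage: run over the constructed sample and print the findings.
    for line in report(*parse_log(SAMPLE_LOG)):
        print(line)
```

The MAC address the ARP warning names is the one piece of evidence that identifies the other machine on the local segment: combined with the switch's MAC address table it narrows the search that Jerry describes as "a lot of work" to a single port. Run against a real `/var/log/messages`, read the file instead of `SAMPLE_LOG`.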