From: "Chris H"
To: freebsd-stable@freebsd.org
Date: Thu, 24 Dec 2009 18:40:18 -0800 (PST)
Subject: RE: Hacked - FreeBSD 7.1-Release
In-Reply-To: <600C0C33850FFE49B76BDD81AED4D25801371D8056@IMCMBX3.MITRE.ORG>

On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
> Squirrel wrote:
>
>> Most likely it could be some kind of remote code execution or SQLi executed in
>> the context of some php scripts; you should audit the php code of your web
>> interface and of the websites you host. Also consider the strength of your
>> passwords: lots of login attempts to ssh/ftp may mean he has tried a
>> bruteforce (or a dictionary attack maybe). You should also check webmin logs;
>> there are a few bruteforcers for webmin out there (*hint*). Consider the length
>> of your average password: if it's more than 7-8 characters, alphanumeric with
>> symbols, most likely this isn't the case.
>
> While it's true that it's a good idea to check your password strength, pretty
> much any host connected to the internet is going to be hit daily by bots
> looking for weak passwords. It's one area where your logs don't help much
> because there is too much noise.

That's why there's GREP(1), AWK(1), FIND(1), TAIL(1), and CAT(1).

Consider the following... adding the following to your /etc/rc.conf:

# SECURITY RELATED ####################################
syslogd_flags="-ss"
log_in_vain="YES"
tcp_keepalive="YES"

Now your log file will /really/ sing (log_in_vain="YES"). Of course, unless you
have a great deal of time on your hands, visually parsing that "noisy" log will
be quite tedious and time consuming. So you have a few options...

If you're running X11, simply run tail in a root window - there are quite a few
utilities in ports for doing just this - some that'll only write messages you
want to see.

You could also create a script out of cron that will only produce messages you
are interested in, for example:

~# cat /var/log/messages | grep ssh

will emit any attempt to ssh into your box. You can also redirect the messages
to a file:

~# cat /var/log/messages | grep ssh >>~/EVIL_DOERS

You could also add an entry to PERIODIC(8) that will provide a daily report on
any attempts you are interested in.

HTH

--Chris H

> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
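One way to turn the grep idea above into the cron/periodic(8)-style daily report Chris mentions, as an added example that is not part of the original thread: it summarises sshd authentication failures and log_in_vain kernel messages per source address. The sshd and "Connection attempt" line formats in the sample are constructed, and the function names ssh_failures, in_vain_attempts and daily_report are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: a periodic(8)-style daily
# summary of sshd authentication failures and log_in_vain kernel messages.
# Reads the file named as $1, or the constructed sample lines below.

# Constructed sample of /var/log/messages lines (RFC 5737 test addresses).
SAMPLE_LOG='Dec 24 18:01:12 host sshd[1234]: Invalid user admin from 192.0.2.10
Dec 24 18:01:15 host sshd[1234]: error: PAM: authentication error for illegal user admin from 192.0.2.10
Dec 24 18:02:40 host sshd[1240]: error: PAM: authentication error for root from 198.51.100.7
Dec 24 18:03:01 host kernel: Connection attempt to TCP 203.0.113.5:23 from 192.0.2.10:51234 flags:0x02
Dec 24 18:03:05 host kernel: Connection attempt to UDP 203.0.113.5:161 from 198.51.100.9:4000
Dec 24 18:04:00 host cron[1300]: (root) CMD (/usr/libexec/atrun)'

# sshd failures per source address, read from stdin.
# Output: "<count> <addr>", most active source first.
ssh_failures() {
    grep 'sshd\[' | grep -E 'authentication error|Invalid user' \
      | sed -n 's/.* from \([0-9.][0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# log_in_vain attempts per source address and target proto/port, from stdin.
# Output: "<count> <addr> <PROTO>/<port>".
in_vain_attempts() {
    sed -n 's/.*Connection attempt to \([A-Z]*\) [0-9.]*:\([0-9]*\) from \([0-9.]*\):.*/\3 \1\/\2/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Print the daily report for the log text passed as $1 (a string).
daily_report() {
    echo "SSH authentication failures by source:"
    printf '%s\n' "$1" | ssh_failures
    echo
    echo "Unserviced connection attempts (log_in_vain) by source:"
    printf '%s\n' "$1" | in_vain_attempts
}

# Stand-alone run: report on the given log file, or on the sample above.
if [ -n "$1" ]; then
    daily_report "$(cat "$1")"
else
    daily_report "$SAMPLE_LOG"
fi
```

Dropped into /usr/local/etc/periodic/daily/ and made executable, it runs from the daily periodic(8) pass; point it at /var/log/messages as the first argument.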