Message-ID: <004301c1ef51$84e9aa60$b50d030a@PATRICK>
From: "Patrick O'Reilly"
To: "FreeBSD Question List"
Subject: Is this someone trying to Crack my box?
Date: Mon, 29 Apr 2002 09:43:08 +0200

Hi all,

I have picked up the following in yesterday's /var/log/messages (thank you "daily" :)

---------
Apr 28 10:17:58 dns /kernel: pid 80215 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 10:18:15 dns /kernel: pid 80216 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 10:18:32 dns /kernel: pid 80217 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 10:19:06 dns /kernel: pid 80219 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 10:19:23 dns /kernel: pid 80220 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 10:20:31 dns /kernel: pid 80241 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 10:20:48 dns /kernel: pid 80250 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 11:07:14 dns /kernel: pid 80595 (sshd), uid 0: exited on signal 10 (core dumped)
Apr 28 11:07:29 dns /kernel: pid 80596 (sshd), uid 0: exited on signal 10 (core dumped)
Apr 28 11:07:45 dns /kernel: pid 80597 (sshd), uid 0: exited on signal 10 (core dumped)
Apr 28 11:08:01 dns /kernel: pid 80598 (sshd), uid 0: exited on signal 10 (core dumped)
Apr 28 11:08:16 dns /kernel: pid 80599 (sshd), uid 0: exited on signal 10 (core dumped)
Apr 28 11:08:32 dns /kernel: pid 80600 (sshd), uid 0: exited on signal 10 (core dumped)
---------

The message occurs 108 times. The lines above are the first few and last few only.

Is this an attempt to break in?

This box is still running 4.2-RELEASE with the standard sshd shipped with that release, though bind has been updated to BIND 9.1.3.

'last' reveals nothing untoward, but any decent root kit would take care of that I'm sure. uptime is over 20 days, so the above attempt does not appear to have caused a restart.

Any wisdom?

Regards,
Patrick O'Reilly.
http://www.perimeter.co.za
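
The following Python is an added example, not part of the original message: it parses the quoted `/kernel:` lines, groups the sshd crashes into runs by signal and timing, and names the signals using FreeBSD numbering. The function names, the 5-minute gap and the year 2002 (taken from the mail's Date header, since syslog lines carry no year) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: the 13 kernel lines quoted in the message (it reports 108 in total).
SAMPLE = """\
Apr 28 10:17:58 dns /kernel: pid 80215 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 10:18:15 dns /kernel: pid 80216 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 10:18:32 dns /kernel: pid 80217 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 10:19:06 dns /kernel: pid 80219 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 10:19:23 dns /kernel: pid 80220 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 10:20:31 dns /kernel: pid 80241 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 10:20:48 dns /kernel: pid 80250 (sshd), uid 0: exited on signal 11 (core dumped)
Apr 28 11:07:14 dns /kernel: pid 80595 (sshd), uid 0: exited on signal 10 (core dumped)
Apr 28 11:07:29 dns /kernel: pid 80596 (sshd), uid 0: exited on signal 10 (core dumped)
Apr 28 11:07:45 dns /kernel: pid 80597 (sshd), uid 0: exited on signal 10 (core dumped)
Apr 28 11:08:01 dns /kernel: pid 80598 (sshd), uid 0: exited on signal 10 (core dumped)
Apr 28 11:08:16 dns /kernel: pid 80599 (sshd), uid 0: exited on signal 10 (core dumped)
Apr 28 11:08:32 dns /kernel: pid 80600 (sshd), uid 0: exited on signal 10 (core dumped)
"""
FREEBSD_SIGNALS = {10: "SIGBUS", 11: "SIGSEGV"}  # FreeBSD signal numbering
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ /kernel: pid (\d+) \((\S+)\), "
                  r"uid (\d+): exited on signal (\d+)")

def parse(text, year=2002):
    """Return crash events; syslog omits the year, so it is passed in (assumed 2002)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "pid": int(m.group(2)), "proc": m.group(3),
                           "uid": int(m.group(4)), "signal": int(m.group(5))})
    return events

def bursts(events, proc="sshd", gap=timedelta(minutes=5)):
    """Group one process's crashes into runs: same signal, no pause longer than gap."""
    runs = []
    for ev in sorted((e for e in events if e["proc"] == proc), key=lambda e: e["ts"]):
        last = runs[-1] if runs else None
        if last and ev["signal"] == last["signal"] and ev["ts"] - last["end"] <= gap:
            last["end"], last["count"] = ev["ts"], last["count"] + 1
        else:
            runs.append({"signal": ev["signal"], "start": ev["ts"], "end": ev["ts"], "count": 1})
    return runs

if __name__ == "__main__":
    for r in bursts(parse(SAMPLE)):
        name = FREEBSD_SIGNALS.get(r["signal"], "?")
        print(f'{r["start"]:%b %d %H:%M:%S} to {r["end"]:%H:%M:%S}: '
              f'{r["count"]} sshd crashes, signal {r["signal"]} ({name})')
```

Run against the full /var/log/messages rather than the excerpt, the same grouping shows how the 108 entries are spread over time and signals.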