From: Luiz Eduardo Roncato Cordeiro <cordeiro@nic.br>
Organization: NBSO
To: freebsd-security@freebsd.org
Date: Wed, 6 Apr 2005 12:55:58 -0300
Subject: Re: What is this Very Stupid DOS Attack Script?
In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>

Hi,

Probably, what you have seen is a brute force attack against your sshd.
Unfortunately, this kind of attack still works.

Regards,
Cordeiro

On Wednesday April 6 2005 12:49, Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in which some
> system out there in the hinterlands hits us with a flood of ssh login
> attempts. An example:
>
> Apr 6 05:41:51 dc sshd[88763]: Did not receive identification string from 67.19.58.170
> Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous
> Apr 6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 67.19.58.170 port 32942 ssh2
> Apr 6 05:49:42 dc sshd[12389]: Received disconnect from 67.19.58.170: 11: Bye Bye
> Apr 6 05:49:42 dc sshd[12406]: input_userauth_request: illegal user bruce
> Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
> Apr 6 05:49:42 dc sshd[12406]: Received disconnect from 67.19.58.170: 11: Bye Bye
> Apr 6 05:49:42 dc sshd[12422]: input_userauth_request: illegal user chuck
>
> You get the idea. This goes on for 3 or 4 minutes and then just stops
> for now. I can almost promise that later, another attack will start
> from some other IP address and blaze away for a few minutes.
>
> Other than spewing lots of entries into syslog, what is the purpose of
> the attack? Are they just hoping to luck into an open account? The odds
> of guessing the right account name and then guessing the correct
> password are astronomical to say the least. Direct root logins are not
> possible so there is another roadblock.
>
> This seems on the surface to be aimed at simply filling up the /var
> file system, but it is so stupid as to make me wonder if there is
> something else more sophisticated that we truly need to be trembling
> in our shoes over.
>
> I notice from the syslog servers, here, that the same system is
> hammering other sshd applications on those devices at the same time it
> is hitting this system, so whatever script it is, is probably just
> trolling our network, looking for anything that answers.
>
> Thanks for any useful information as to the nature of what appears to
> be more of a nuisance than a diabolical threat to security.
>
> Martin McCormick WB5AGZ  Stillwater, OK
> OSU Information Technology Division Network Operations Group