From: John Von Essen (envelope-from john@essenz.com)
To: hackers@freebsd.org
Date: Wed, 15 Dec 2004 18:55:20 -0500 (EST)
Subject: brute3.tar.gz
Message-ID: <20041215184645.B79679@beck.quonix.net>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

Sort of off topic, but thought people here would be interested. MCI contacted me today because one of my systems is doing ssh logins (failed) to a box they have no right ssh-ing into. After some packet analysis, it's clear that something is inside my network. The only solid evidence I have is a machine behind one of my gateways (BigIP) was trying to download a file called brute3.tar.gz via HTTP from 64.40.108.77. The download was unsuccessful. Whatever this thing is, it's tricky.

It only runs a few times a day, so it is tough to find the culprit source with Ethereal unless I run Ethereal all day in packet capture mode. Any thoughts? Has anyone heard of anything like this?

-john
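The practical problem in the post is catching an internal host that only acts a few times a day. An added example (editor's code, not part of the original message or anything the poster ran): instead of leaving Ethereal open all day, leave a tcpdump running on the gateway side with a BPF filter that records only the traffic of interest (outbound TCP SYNs to port 22, plus anything to the host serving brute3.tar.gz), rotating the capture file so it stays small, then tally the internal source addresses from the capture afterwards. The internal network 10.0.0.0/8, the interface em0, and the sample tcpdump lines are constructed assumptions; the parser expects modern tcpdump text output (the `Flags [S]` form), so adjust the match strings for older output formats. The 64.40.108.77 address is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Hunt for the internal host that
# makes intermittent outbound SSH attempts, without watching a sniffer all day.
# ASSUMPTIONS (hypothetical): internal net 10.0.0.0/8, capture interface em0.

INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/8}"
IFACE="${IFACE:-em0}"
BRUTE_HOST="64.40.108.77"      # the HTTP source of brute3.tar.gz named in the post

# Long-running capture that keeps only what matters:
#  - TCP SYNs (SYN set, ACK clear) from the internal net to port 22 anywhere
#  - any traffic to/from the brute3.tar.gz host
# -C 10 rotates the output file every ~10 MB, -s 0 keeps full payloads so the
# HTTP GET for brute3.tar.gz is readable later. Run it under nohup/tmux.
start_capture() {
    tcpdump -n -s 0 -i "$IFACE" -C 10 -w ssh-hunt.pcap \
        "(src net $INTERNAL_NET and tcp dst port 22 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn) or host $BRUTE_HOST"
}

# Tally source addresses from tcpdump's text output (e.g. "tcpdump -n -r ssh-hunt.pcap"),
# counting only lines that contain NEEDLE (a fixed substring, no regex escaping
# to worry about). Prints "count ip", busiest source first.
tally_sources() {
    needle="$1"
    awk -v needle="$needle" '
        index($0, needle) > 0 && $2 == "IP" {
            split($3, a, ".")              # "10.1.2.3.51234" -> drop the trailing port
            ip = a[1] "." a[2] "." a[3] "." a[4]
            count[ip]++
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }' | sort -rn
}

# Internal hosts sending SYNs to port 22 (outbound SSH attempts).
ssh_scanners()    { tally_sources ".22: Flags [S]"; }

# Internal hosts opening HTTP connections to the brute3.tar.gz host.
brute3_fetchers() { tally_sources "> $BRUTE_HOST.80: Flags [S]"; }

# Just the busiest SSH source, convenient for a cron job or an alert.
top_ssh_source()  { ssh_scanners | head -n 1 | awk '{ print $2 }'; }

# Constructed sample of tcpdump text output (not real captured data) so the
# report can be exercised offline: one noisy host, one quiet host, one
# SYN-ACK coming back (ignored), and one fetch attempt from the brute3 host.
sample_capture() {
cat <<'EOF'
18:55:20.104512 IP 10.1.2.3.51234 > 203.0.113.5.22: Flags [S], seq 1, win 65535, length 0
18:55:20.304512 IP 203.0.113.5.22 > 10.1.2.3.51234: Flags [S.], seq 1, ack 2, win 65535, length 0
18:55:21.004512 IP 10.1.2.3.51235 > 203.0.113.6.22: Flags [S], seq 1, win 65535, length 0
18:55:22.004512 IP 10.1.2.3.51236 > 203.0.113.7.22: Flags [S], seq 1, win 65535, length 0
18:55:23.004512 IP 10.9.9.9.40000 > 203.0.113.8.22: Flags [S], seq 1, win 65535, length 0
18:55:24.004512 IP 10.1.2.3.51237 > 64.40.108.77.80: Flags [S], seq 1, win 65535, length 0
EOF
}

# Usage:  sh ssh-hunt.sh capture                         (start the all-day capture)
#         tcpdump -n -r ssh-hunt.pcap | sh ssh-hunt.sh report
#         sh ssh-hunt.sh demo                            (run the report on the sample)
case "${1:-}" in
    capture) start_capture ;;
    report)  echo "SSH SYN sources:"; ssh_scanners
             echo "brute3.tar.gz fetchers:"; brute3_fetchers ;;
    demo)    sample_capture | ssh_scanners ;;
esac
```

The capture filter does the heavy lifting: with only SYNs and the one suspect host recorded, an all-day capture on a busy gateway is a few megabytes, and the tally points straight at the internal address that keeps knocking on port 22. Once the host is known, its source port and timestamps in the same capture narrow down which process on it is firing a few times a day.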