Message-ID: <425406ED.5060400@withagen.nl>
Date: Wed, 06 Apr 2005 17:57:33 +0200
From: Willem Jan Withagen
To: Martin McCormick
cc: freebsd-security@freebsd.org
Subject: Re: What is this Very Stupid DOS Attack Script?
References: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>

Martin McCormick wrote:
> Apr 6 05:49:42 dc sshd[12422]: input_userauth_request: illegal user chuck
>
> You get the idea. This goes on for 3 or 4 minutes and then
> just stops for now. I can almost promise that later, another attack
> will start from some other IP address and blaze away for a few
> minutes.

I asked the same question a while ago. Seems that there are some Linux-type worms out there that use this to target not well protected Linux systems.???

I've built some swatch rules that, after two of these hits, dump the host into ipfw-deny space.

--WjW
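
The two-hit blocking approach described in the reply, sketched as an added example (not the poster's swatch rules, which are not shown in the message). It assumes sshd also logs a companion "Illegal user NAME from ADDR" line, since the quoted input_userauth_request line carries no address; the sample log, the addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: count sshd "Illegal user" attempts per source address and
# print (not execute) an ipfw deny rule for each source at or above a threshold.

THRESHOLD=2   # two hits, as in the message above

# Constructed sample log (documentation-range addresses, not real hosts).
sample_log() {
cat <<'EOF'
Apr  6 05:49:40 dc sshd[12420]: Illegal user bob from 192.0.2.10
Apr  6 05:49:40 dc sshd[12420]: input_userauth_request: illegal user bob
Apr  6 05:49:42 dc sshd[12422]: Illegal user chuck from 192.0.2.10
Apr  6 05:49:42 dc sshd[12422]: input_userauth_request: illegal user chuck
Apr  6 06:10:03 dc sshd[12501]: Illegal user test from 198.51.100.7
Apr  6 06:10:05 dc sshd[12503]: Illegal user web admin from 198.51.100.7
Apr  6 06:11:30 dc sshd[12510]: Illegal user guest from 203.0.113.9
Apr  6 06:12:11 dc sshd[12533]: Accepted publickey for martin from 203.0.113.5 port 4022 ssh2
EOF
}

# offenders MIN: read log lines on stdin, print each source address that has
# at least MIN "Illegal user ... from ADDR" lines, one per line, sorted.
offenders() {
    awk -v min="$1" '
        / sshd\[[0-9]+\]: Illegal user .* from / {
            # The user name is untrusted remote input and may contain spaces,
            # so take the address from the last field only and validate it.
            addr = $NF
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[addr]++
        }
        END { for (a in hits) if (hits[a] >= min) print a }
    ' | sort
}

# deny_rules: turn addresses on stdin into ipfw rules, printed for review.
deny_rules() {
    while read -r addr; do
        echo "ipfw add deny ip from $addr to any"
    done
}

sample_log | offenders "$THRESHOLD" | deny_rules
```

The rules are only printed, so the list can be checked against known-good addresses before anything is loaded into the firewall.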