From: John Von Essen
To: Peter Jeremy
Cc: hackers@freebsd.org
Date: Thu, 16 Dec 2004 08:49:57 -0500 (EST)
Subject: Re: brute3.tar.gz
Message-ID: <20041216083803.A87235@beck.quonix.net>
In-Reply-To: <20041216091351.GD91817@cirb503493.alcatel.com.au>

Running tcpdump to a file worked out. This morning I was able to find the source machine by looking at that packet capture file. Someone gained legitimate access to the box via ssh using the oracle user.
My stupid incompetent DBAs never set the password to something that wouldn't be obvious, like something other than oracle/oracle. Argh! I hate DBAs - all they do is mess shit up... and yet they make more money than sysadmins (at least at this company).

-john

On Thu, 16 Dec 2004, Peter Jeremy wrote:

> On Wed, 2004-Dec-15 18:55:20 -0500, John Von Essen wrote:
> >Whatever this thing is, it's tricky. It only runs a few times a day, so it
> >is tough to find the culprit source with ethereal unless I run ethereal
> >all day. In packet capture mode.
>
> Depending on how much disk space you have spare on your firewall and
> how much ssh traffic you get normally, running "tcpdump -w ... port 22"
> for a day or so may be feasible. You can add the target box's address
> to the filter and you won't get anything except the culprit address.
> (Of course, permanently running tcpdump may or may not be practical for
> other reasons).
>
> --
> Peter Jeremy
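Peter's suggested capture ("tcpdump -w ... port 22") writes a pcap file, which John then read by eye to find the source host. As an added example that is not part of the thread, the hypothetical Python reader below walks such a file and counts which source addresses opened new SSH connections (a bare SYN to port 22), so a day's capture can be summarised instead of scrolled; the embedded capture and its addresses, ports and timestamps are constructed for the demonstration.

```python
import socket
import struct
from collections import Counter
SYN, ACK = 0x02, 0x10

def ssh_syn_sources(pcap_bytes, ssh_port=22):
    """Count source IPv4 addresses that sent a bare SYN (new connection) to ssh_port."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]        # KeyError: not a classic pcap
    if struct.unpack_from(end + "I", pcap_bytes, 20)[0] != 1:   # link type 1 = Ethernet
        raise ValueError("only Ethernet captures are handled")
    hits, off = Counter(), 24                                   # records start after global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(end + "IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4, or cut by snaplen
            continue
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]                           # skip IHL*4 bytes of IP header
        if ip[9] != 6 or len(tcp) < 14:                         # not TCP, or TCP header cut short
            continue
        dport, flags = struct.unpack_from("!H", tcp, 2)[0], tcp[13]
        if dport == ssh_port and flags & SYN and not flags & ACK:
            hits[socket.inet_ntoa(ip[12:16])] += 1
    return hits

# --- constructed sample capture (addresses, ports and timestamps are made up) ---
def _frame(src, dst, sport, dport, flags):
    eth = b"\x00" * 12 + b"\x08\x00"                            # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp                                       # checksums left zero

def _pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out += [struct.pack("<IIII", 1103118597 + i, 0, len(f), len(f)), f]
    return b"".join(out)

SAMPLE_PCAP = _pcap([
    _frame("192.0.2.7", "10.1.1.20", 40001, 22, SYN),           # new SSH connection
    _frame("10.1.1.20", "192.0.2.7", 22, 40001, SYN | ACK),     # server reply, ignored
    _frame("198.51.100.9", "10.1.1.20", 51234, 22, SYN),
    _frame("192.0.2.7", "10.1.1.20", 40002, 22, SYN),           # same host again
])

if __name__ == "__main__":
    print(ssh_syn_sources(SAMPLE_PCAP).most_common())           # [('192.0.2.7', 2), ('198.51.100.9', 1)]
```

For a real capture, pass `open(path, "rb").read()`; packets whose TCP header was truncated by a small snaplen are skipped rather than misparsed.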