From: "Craig Edwards" <brain@winbot.co.uk>
To: "Patrick Proniewski", "Willem Jan Withagen", "Liste FreeBSD-security" <freebsd-security@freebsd.org>
Date: Sat, 18 Sep 2004 14:05:21 +0100
Subject: Re: Re: Attacks on ssh port

As I've read, this is an attack from some kiddie trying to build a floodnet. Records show that most of the compromised boxes are Linux machines which end up having the SucKIT rootkit and an EnergyMech installed on them. I don't know if the attacker has ever gotten into a FreeBSD machine, or what they'd do if they did. On my machines I have a dummy shell which APPEARS to be a successful login but just returns weird errors (such as "Segmentation Fault") or bad data for all commands that are issued, while also logging their commands. I'm tempted to put this on the 'test' account and let them in on this shell to see what is attempted.

Just to clarify, if I did such a thing there's no way for them to break out of the shell, right? It's a simple Perl script, so if the Perl script ends, they're logged off? This is what I expect to happen; however, I don't want to risk it unless it's 100% safe... And just to clarify again, all commands that are issued from this fake shell never reach the REAL OS; even "uname" returns a Red Hat 7.2 string when the real machine is actually FreeBSD 5...

Thanks,
Craig

>On 18 Sep 2004, at 14:18, Willem Jan Withagen wrote:
>
>> Hi,
>>
>> Is there a security problem with ssh that I've missed???
>> I keep getting these hordes of: Failed password for root from
>> 69.242.5.195 port 39239 ssh2
>> with all kinds of different source addresses.
>>
>> They have a shot or 15 and then they are off again, but a little later
>> on they're back and keep clogging my logs.
>> Is there an "easy" way of getting these IP numbers added to the
>> blocking list of ipfw??
>
>
>Not an ssh related problem, it's just a brute force attack. I'm
>experiencing this on every server I have, more than 10 times a day.
>I'm really thinking about releasing the list of attackers' IPs to the
>public. As far as I know, it's a pack of compromised machines.
>
>patpro
>
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
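An added example (not from anyone in this thread) of the "easy way" Willem asks about: count sshd "Failed password" lines per source address and emit ipfw rules for addresses over a threshold. The log lines, host name and addresses below are constructed; the rules are printed for review rather than executed.

```shell
#!/bin/sh
# Constructed sample of sshd lines in the format syslog writes them on
# FreeBSD (host name, PIDs and addresses are made up for this example).
SAMPLE_LOG='Sep 18 14:01:02 host sshd[1234]: Failed password for root from 69.242.5.195 port 39239 ssh2
Sep 18 14:01:05 host sshd[1234]: Failed password for root from 69.242.5.195 port 39241 ssh2
Sep 18 14:01:09 host sshd[1235]: Failed password for illegal user test from 69.242.5.195 port 39250 ssh2
Sep 18 14:02:00 host sshd[1240]: Failed password for admin from 10.1.2.3 port 40001 ssh2
Sep 18 14:03:11 host sshd[1241]: Accepted publickey for craig from 192.0.2.7 port 51000 ssh2'

# ssh_failed_ips THRESHOLD: read sshd log lines on stdin and print, one
# per line (sorted), every source address with at least THRESHOLD failures.
ssh_failed_ips() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the address is the field right after the word "from"
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# ipfw_block_cmds: turn addresses on stdin into ipfw rules that drop
# connections to port 22 from them.  Printed, not run, so an operator can
# check the list before piping it to sh.
ipfw_block_cmds() {
    while read -r ip; do
        printf 'ipfw add deny tcp from %s to me dst-port 22\n' "$ip"
    done
}

# Addresses with three or more failures in the sample: only 69.242.5.195.
printf '%s\n' "$SAMPLE_LOG" | ssh_failed_ips 3 | ipfw_block_cmds
```

On a live box the sample would be replaced by `grep sshd /var/log/auth.log`, and the threshold keeps a single mistyped password from blocking a legitimate user.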