Date: Sat, 18 Sep 2004 16:14:31 +0200
From: Frankye - ML
To: freebsd-security@freebsd.org
Message-ID: <20040918161431.53a63dd3@godzilla>
In-Reply-To: <414C2798.7060509@withagen.nl>

On Sat, 18 Sep 2004 14:18:32 +0200
Willem Jan Withagen wrote:

| Hi,
|
| Is there a security problem with ssh that I've missed???
| I keep getting these hordes of:
|     Failed password for root from 69.242.5.195 port 39239 ssh2
| with all kinds of different source addresses.

FYI, the past month there were a couple of (quite long) threads on this
thing on bugtraq and incidents @securityfocus. It seems to be some worm
that scans for weak passwords, someone on incidents published a webpage on
this stuff here: http://www.jaenicke.org/sk/ with the binaries used and an
irc log chatting with one of the kiddies.
The sources seem to mainly be cracked boxes with, aemh... blank root
passwords. (every time I read the previous 3 words together I shudder,
apologies if they have the same effect on you :)

| they're back and keep clogging my logs.
| Is there an "easy" way of getting these ip-numbers added to the
| blocking-list of ipfw??

I've just moved the public port of the sshd to another port, quite lame
but at least I'm not bothered by worms :)

HTH

Frankye

-- 
Frankye Fattarelli                 |U| |P| |S|F|
frankye.DIESPAMMERSDIE@ipv5.net    |R| |S| |Y|I|
this email is RFC 3514 compliant   |G| |H| |N|N|
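
An added example, not part of the original message or thread: one way to turn the "Failed password for root" lines quoted above into ipfw table entries for review before loading. The table number, threshold, allowlist variable and sample log lines are assumptions made for this sketch, and it expects a deny rule matching table(1) to exist already.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: table number 1, a threshold
# of 3, and a deny rule matching table(1) that is already loaded in ipfw.
THRESHOLD=${THRESHOLD:-3}   # failed root logins before a source is listed
TABLE=${TABLE:-1}           # ipfw table that the deny rule refers to
ALLOW=${ALLOW:-}            # space-separated addresses never to block

# Reads sshd log lines on stdin, prints one "ipfw table" command per source.
failed_root_sources() {
    awk -v min="$THRESHOLD" -v table="$TABLE" -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        # sshd writes the peer address at the end of the line, so parse from
        # the right: Failed password for root from <ip> port <n> ssh2
        NF >= 9 && $NF == "ssh2" && $(NF-2) == "port" && $(NF-4) == "from" &&
        $(NF-5) == "root" && $(NF-6) == "for" && $(NF-7) == "password" &&
        $(NF-8) == "Failed" {
            ip = $(NF-3)
            # Only a dotted quad may reach the generated command line.
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in keep))
                count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print "ipfw table " table " add " ip
        }' | sort
}

sample_log() {   # constructed sample lines in the format quoted in the thread
    cat <<'EOF'
Sep 18 14:02:11 host sshd[411]: Failed password for root from 69.242.5.195 port 39239 ssh2
Sep 18 14:02:13 host sshd[412]: Failed password for root from 69.242.5.195 port 39240 ssh2
Sep 18 14:02:15 host sshd[413]: Failed password for root from 69.242.5.195 port 39241 ssh2
Sep 18 14:03:01 host sshd[420]: Failed password for root from 192.0.2.10 port 4022 ssh2
Sep 18 14:03:40 host sshd[431]: Failed password for root from 203.0.113.7 port 5101 ssh2
Sep 18 14:03:42 host sshd[432]: Failed password for root from 203.0.113.7 port 5102 ssh2
Sep 18 14:03:44 host sshd[433]: Failed password for root from 203.0.113.7 port 5103 ssh2
Sep 18 14:04:00 host sshd[440]: Accepted password for admin from 198.51.100.4 port 6000 ssh2
EOF
}

sample_log | failed_root_sources   # prints the commands instead of running them
```

Put your own management addresses in ALLOW before piping the output to a shell, so that a few mistyped passwords cannot lock you out.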