Date:      Thu, 28 Oct 2004 13:32:50 -0500
From:      Vulpes Velox <vvelox@vvelox.net>
To:        Steve Suhre <steve@Antero.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Hacker activity?
Message-ID:  <20041028133250.77c30503@vixen42.24-119-122-191.cpe.cableone.net>
In-Reply-To: <6.0.3.0.2.20041028102537.04be6ec0@nano.net>
References:  <6.0.3.0.2.20041028102537.04be6ec0@nano.net>

On Thu, 28 Oct 2004 10:39:32 -0600
Steve Suhre <steve@Antero.com> wrote:

> 
> 
> I'm not sure if this is the correct group...but I'm getting some
> weird activity on the network. The security reports will show 50-100
> attempts to login to a server, most as root but some are attempts to
> login to other seemingly random account names. The login attempts
> are through ssh or telnet, all come from the same remote server, and
> all fail. I'm also getting some odd cgi calls to a script on a
> secure ssl server. There's nothing that this particular script could
> do for a hacker, but the script is sent a random string, sometimes
> many times a minute, other times it's every 2-3 minutes. I grabbed
> the ip address and blocked it, and about 10 minutes later it had
> moved to another ip. I'm now blocking a range of ip's. These don't
> seem like enough iterations to be very successful, the odds are
> overwhelmingly in favor of the server at this rate... Does anyone
> have a clue what might be happening or where I should go to find
> out?

If it is all from a common subnet, I would block it. I would then whois
to see if there is an abuse addy I could complain to or the like.

Also man login.conf.

Sounds like some jerk singled you out or is possibly trying it all
on a subnet. Back before moving stuff off common ports, I would get
massive amounts of that crap. It was basically ppl trying anything in
the college's address space.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041028133250.77c30503>
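
Added example, not part of the original message or of any FreeBSD tool: one way to check whether failed sshd logins really do come from a common subnet before blocking a range, as the thread discusses. The log lines are constructed samples using documentation addresses, and the /24 grouping and the thresholds are assumptions to tune for your own network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in sshd's syslog format (documentation addresses only).
SAMPLE_LOG = """\
Oct 28 10:12:01 www sshd[4101]: Failed password for root from 192.0.2.15 port 40022 ssh2
Oct 28 10:12:04 www sshd[4103]: Failed password for invalid user admin from 192.0.2.15 port 40031 ssh2
Oct 28 10:22:40 www sshd[4120]: Failed password for root from 192.0.2.77 port 51200 ssh2
Oct 28 10:22:43 www sshd[4122]: Failed password for illegal user test from 192.0.2.77 port 51207 ssh2
Oct 28 10:30:09 www sshd[4140]: Failed password for root from 192.0.2.201 port 33110 ssh2
Oct 28 10:31:00 www sshd[4150]: Accepted publickey for steve from 198.51.100.8 port 50100 ssh2
Oct 28 10:40:12 www sshd[4160]: Failed password for steve from 198.51.100.8 port 50122 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failures_by_subnet(log_text, prefix=24):
    """Map each source network to its failed-login count, hosts and usernames."""
    stats = defaultdict(lambda: {"count": 0, "hosts": set(), "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        user, addr = m.groups()
        try:
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        except ValueError:
            continue  # octet out of range, so not a real address
        entry = stats[net]
        entry["count"] += 1
        entry["hosts"].add(addr)
        entry["users"].add(user)
    return dict(stats)

def block_candidates(log_text, prefix=24, min_failures=5, min_hosts=2):
    """Networks where failures come from several hosts, i.e. the source hops IPs."""
    return sorted(
        str(net)
        for net, s in failures_by_subnet(log_text, prefix).items()
        if s["count"] >= min_failures and len(s["hosts"]) >= min_hosts
    )

if __name__ == "__main__":
    for net in block_candidates(SAMPLE_LOG):
        print(f"{net}: candidate for a firewall block and a whois abuse lookup")
```

The single failure from 198.51.100.8 follows an accepted login from the same host, so it stays below the thresholds and is not proposed for blocking.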