From: Vulpes Velox
To: Steve Suhre
Cc: freebsd-questions@freebsd.org
Date: Thu, 28 Oct 2004 13:32:50 -0500
Subject: Re: Hacker activity?
Message-ID: <20041028133250.77c30503@vixen42.24-119-122-191.cpe.cableone.net>
In-Reply-To: <6.0.3.0.2.20041028102537.04be6ec0@nano.net>

On Thu, 28 Oct 2004 10:39:32 -0600 Steve Suhre wrote:

> I'm not sure if this is the correct group... but I'm getting some
> weird activity on the network. The security reports will show 50-100
> attempts to log in to a server, most as root but some are attempts to
> log in to other seemingly random account names. The login attempts
> are through ssh or telnet, all come from the same remote server, and
> all fail. I'm also getting some odd cgi calls to a script on a
> secure ssl server. There's nothing that this particular script could
> do for a hacker, but the script is sent a random string, sometimes
> many times a minute, other times every 2-3 minutes. I grabbed
> the IP address and blocked it, and about 10 minutes later it had
> moved to another IP. I'm now blocking a range of IPs. These don't
> seem like enough iterations to be very successful; the odds are
> overwhelmingly in favor of the server at this rate... Does anyone
> have a clue what might be happening or where I should go to find
> out?

If it is all from a common subnet, I would block it. I would then whois it to see if there is an abuse address I could complain to, or the like. Also, man login.conf.

Sounds like some jerk singled you out, or is possibly trying it all on a subnet. Back before moving stuff off common ports, I would get massive amounts of that crap. It was basically people trying anything in the college's address space.
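The reply's advice (count the failures, decide whether one host or a whole subnet is the source, then block and whois it) as an added example that is not part of the original thread. It assumes sshd's "Failed password for ..." log format; the log lines are constructed, and the 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation ranges, not anyone's real hosts.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample sshd lines (assumed OpenSSH format; not taken from the post).
SAMPLE_LOG = """\
Oct 28 10:01:02 host sshd[811]: Failed password for root from 192.0.2.10 port 40123 ssh2
Oct 28 10:01:05 host sshd[812]: Failed password for root from 192.0.2.10 port 40124 ssh2
Oct 28 10:01:09 host sshd[813]: Failed password for invalid user admin from 192.0.2.10 port 40125 ssh2
Oct 28 10:11:40 host sshd[830]: Failed password for invalid user test from 192.0.2.77 port 41001 ssh2
Oct 28 10:11:44 host sshd[831]: Failed password for root from 192.0.2.77 port 41002 ssh2
Oct 28 10:12:01 host sshd[832]: Accepted publickey for alice from 198.51.100.7 port 50200 ssh2
Oct 28 10:30:00 host sshd[840]: Failed password for root from 198.51.100.7 port 50201 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_failures(text):
    """Yield (user, ip) for every failed-password line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def suggest_blocks(text, threshold=50):
    """Return a sorted list of CIDR strings that reached the failure threshold.

    A lone source is listed as a /32. When the attempts are spread over several
    hosts of one /24 and together reach the threshold, the whole /24 is listed
    instead, matching the poster's observation that the attacker simply moved
    to a neighbouring address once the first IP was blocked.
    """
    per_ip = defaultdict(int)
    for _user, ip in parse_failures(text):
        per_ip[ip] += 1
    per_net = defaultdict(lambda: {"count": 0, "hosts": set()})
    for ip, n in per_ip.items():
        net = ip_network(f"{ip}/24", strict=False)
        per_net[net]["count"] += n
        per_net[net]["hosts"].add(ip)
    blocks = set()
    for net, info in per_net.items():
        if info["count"] >= threshold and len(info["hosts"]) > 1:
            blocks.add(str(net))
        else:
            blocks.update(f"{ip}/32" for ip in info["hosts"] if per_ip[ip] >= threshold)
    return sorted(blocks)

if __name__ == "__main__":
    for cidr in suggest_blocks(SAMPLE_LOG, threshold=5):
        print(f"block {cidr}")  # feed to the firewall, then whois it for an abuse contact
```

With the post's 50-100 attempts the default threshold applies; the small constructed sample uses a threshold of 5 so the subnet rule is visible.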