Date: Sun, 2 Jun 2002 15:01:01 -0700 From: "Crist J. Clark" <crist.clark@attbi.com> To: Drew Tomlinson <drew@mykitchentable.net> Cc: Hajimu UMEMOTO <ume@mahoroba.org>, security@FreeBSD.ORG Subject: Re: Security Messages re: hosts.allow? Message-ID: <20020602150101.I20911@blossom.cjclark.org> In-Reply-To: <000e01c20a7a$edf501a0$1b01a8c0@TAGALONG>; from drew@mykitchentable.net on Sun, Jun 02, 2002 at 02:17:40PM -0700 References: <007e01c20a47$7fabb370$1b01a8c0@TAGALONG> <20020602113409.F20911@blossom.cjclark.org> <ygelm9xikg6.wl@piano.mahoroba.org> <20020602121922.H20911@blossom.cjclark.org> <000e01c20a7a$edf501a0$1b01a8c0@TAGALONG>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Jun 02, 2002 at 02:17:40PM -0700, Drew Tomlinson wrote:
> ----- Original Message -----
> From: "Crist J. Clark" <crist.clark@attbi.com>
> To: "Hajimu UMEMOTO" <ume@mahoroba.org>
> Cc: "Drew Tomlinson" <drew@mykitchentable.net>; <security@FreeBSD.ORG>
> Sent: Sunday, June 02, 2002 12:19 PM
> Subject: Re: Security Messages re: hosts.allow?
>
>
> > On Mon, Jun 03, 2002 at 03:50:33AM +0900, Hajimu UMEMOTO wrote:
> > > Hi,
> > >
> > > >>>>> On Sun, 2 Jun 2002 11:34:09 -0700
> > > >>>>> "Crist J. Clark" <crist.clark@attbi.com> said:
> > >
> > > crist.clark> server1.camelweb.com.tw. 23h59m43s IN CNAME
> dns.camelweb.com.tw.
> > > crist.clark> server1.camelweb.com.tw. 23h59m43s IN A
> 210.59.224.44
> > > crist.clark> dns.camelweb.com.tw. 22h47m42s IN A
> 210.59.224.42
> > >
> > > crist.clark> 42.224.59.210.in-addr.arpa. 9h1m47s IN PTR
> server1.camelweb.com.tw.
> > >
> > > crist.clark> But from the looks of it, these DNS entries
> themselves do not look
> > > crist.clark> malicious.
> > >
> > > No, CNAME RR cannot co-exist with A RR.
> >
> > I didn't say it wasn't broken DNS. I was saying that it does not
> look
> > like someone is trying to pretend they are someone they are not
> (which
> > is the reason tcpwrapper produces that kind of warning).
>
> Thanks for your replies. So the bottom line is that someone from this
> domain attempted to establish a ssh session with my server? This is
> just a little home server for my amusement and no one other than
> myself should access it. I guess it might be time to learn about
> "keys" and restrict access to only myself. Any reading suggestions
> for an absolute beginner?
My best guess is that the host that hit you was compromised and is
being used to scan for hosts running vulnerable SSH
daemons. Double-check that you were not running a vulnerable version
of SSH.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020602150101.I20911>