Date: Tue, 4 Dec 2001 13:58:35 -0800
From: "Riley J. McIntire" <rileyjmc@pacbell.net>
To: "Josh Paetzel" <friar_josh@webwarrior.net>, "Riley J. McIntire" <rileyjmc@pacbell.net>
Cc: "Stephen Hovey" <shovey@buffnet.net>, "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>
Subject: RE: icmp dos attack? sshd core dump
Message-ID: <NCBBLBILEPCHLFJAPIIPAECAKFAA.rileyjmc@pacbell.net>
In-Reply-To: <20011204135602.B446@twincat.vladsempire.net>
> What version of FreeBSD are you running? IIRC, there was a remote
> hole in sshd on 4.3-RELEASE. Also, what is restarting sshd?

root@mail# uname -a
FreeBSD mail.domain.com 4.2-RELEASE FreeBSD 4.2-RELEASE #2: Sat Apr 21 14:33:05 PDT 2001 root@mail.domain.com:/usr/src/sys/compile/MAIL i386

> You have
> some sort of cron job running or something?

No cron job. I'm not sure how it's restarted--thought it was run from inetd but it's not. This is a firewall running ipfw/natd and sendmail for a very small network.

Looking over the log files, the icmp-response bandwidth limit 240/200 pps entries go for about 10 min, then quiet for an hour, and then the sshd core dumps start for about 3 or 4 mins. Again going from a sig 11 to sig 10. sshd restarts within 2-3 sec each time.

Dec 3 14:30:09 mail /kernel: pid 49388 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:14 mail /kernel: pid 49389 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:17 mail /kernel: pid 49390 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:19 mail /kernel: pid 49391 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:27 mail /kernel: pid 49394 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:36 mail /kernel: pid 49396 (sshd), uid 0: exited on signal 10 (core dumped)
Dec 3 14:30:38 mail /kernel: pid 49397 (sshd), uid 0: exited on signal 10 (core dumped)
Dec 3 14:30:42 mail /kernel: pid 49398 (sshd), uid 0: exited on signal 10 (core dumped)
Dec 3 14:30:45 mail /kernel: pid 49399 (sshd), uid 0: exited on signal 10 (core dumped)
Dec 3 14:30:47 mail /kernel: pid 49400 (sshd), uid 0: exited on signal 10 (core dumped)

> Anyways, based on that, it makes it seem local to me, like someone
> is running ping -f as root or something. Still doesn't make a lot

The people with physical access don't know unix. And the machine is headless anyway, only ssh/telnet access. If someone cracked in, they hid their footsteps.

It is on the ethernet side of a cisco broadband router connected to a cable plant. Which I have nothing to do with...

> of sense that that would cause sshd to dump core. Seems more
> likely that they are two different things, related perhaps only in
> who is doing them.
>
> Josh

I can't see an icmp/sshd connection either, except as you say, in who.

Riley
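The kernel lines Riley pasted are exactly the kind of evidence a defender wants to pull out of /var/log/messages automatically: a root-owned daemon dumping core and being restarted every few seconds is a crash loop worth alerting on, whatever its relation to the ICMP rate-limit messages. The script below is an added example, not code from the thread or from FreeBSD: it parses FreeBSD's "pid N (prog), uid U: exited on signal S (core dumped)" lines, groups them per program, and flags any program with a burst of crashes inside a sliding window, reporting the restart cadence and the signal sequence (the sig 11 to sig 10 shift above). The sample log is the ten lines from the message; the year (2001) is an assumption, since syslog timestamps carry none, and the thresholds are arbitrary defaults.

```python
import re
from collections import Counter
from datetime import datetime

# Syslog timestamps carry no year; 2001 (the date of the thread) is assumed.
ASSUMED_YEAR = 2001

# Kernel log lines as quoted in the message above.
SAMPLE_LOG = """\
Dec 3 14:30:09 mail /kernel: pid 49388 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:14 mail /kernel: pid 49389 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:17 mail /kernel: pid 49390 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:19 mail /kernel: pid 49391 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:27 mail /kernel: pid 49394 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:36 mail /kernel: pid 49396 (sshd), uid 0: exited on signal 10 (core dumped)
Dec 3 14:30:38 mail /kernel: pid 49397 (sshd), uid 0: exited on signal 10 (core dumped)
Dec 3 14:30:42 mail /kernel: pid 49398 (sshd), uid 0: exited on signal 10 (core dumped)
Dec 3 14:30:45 mail /kernel: pid 49399 (sshd), uid 0: exited on signal 10 (core dumped)
Dec 3 14:30:47 mail /kernel: pid 49400 (sshd), uid 0: exited on signal 10 (core dumped)
"""

# FreeBSD signal numbers: SIGBUS is 10 and SIGSEGV is 11 on FreeBSD/i386.
SIGNAL_NAMES = {4: "SIGILL", 6: "SIGABRT", 8: "SIGFPE", 10: "SIGBUS", 11: "SIGSEGV"}

# "Dec  3" (syslog pads the day) and "Dec 3" (as pasted in the mail) both match.
CRASH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+/kernel:\s+pid\s+(?P<pid>\d+)\s+\((?P<prog>[^)]+)\),\s+"
    r"uid\s+(?P<uid>\d+):\s+exited on signal\s+(?P<sig>\d+)"
    r"(?P<core>\s+\(core dumped\))?\s*$"
)


def parse_crashes(text, year=ASSUMED_YEAR):
    """Return one dict per 'exited on signal' kernel line, oldest first."""
    events = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if not m:
            continue  # some other kernel message; ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts, "host": m["host"], "pid": int(m["pid"]), "prog": m["prog"],
            "uid": int(m["uid"]), "signal": int(m["sig"]),
            "core_dumped": m["core"] is not None,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def signal_runs(events):
    """Compress the signal sequence into runs, e.g. [(11, 5), (10, 5)]."""
    runs = []
    for e in events:
        if runs and runs[-1][0] == e["signal"]:
            runs[-1] = (e["signal"], runs[-1][1] + 1)
        else:
            runs.append((e["signal"], 1))
    return runs


def find_crash_loops(events, window_s=60, threshold=5):
    """Per program, flag a crash loop when >= threshold crashes fall inside
    any window_s-second span. Returns {prog: summary}."""
    by_prog = {}
    for e in events:
        by_prog.setdefault(e["prog"], []).append(e)
    alerts = {}
    for prog, evs in by_prog.items():
        i, peak = 0, 0  # sliding window [i, j] over the time-sorted events
        for j in range(len(evs)):
            while (evs[j]["ts"] - evs[i]["ts"]).total_seconds() > window_s:
                i += 1
            peak = max(peak, j - i + 1)
        if peak < threshold:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        sig_counts = Counter(e["signal"] for e in evs)
        alerts[prog] = {
            "crashes": len(evs),
            "peak_in_window": peak,
            "span_s": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds(),
            "min_restart_gap_s": min(gaps) if gaps else None,
            "as_root": all(e["uid"] == 0 for e in evs),
            "signals": {SIGNAL_NAMES.get(s, f"SIG{s}"): n for s, n in sig_counts.items()},
            "signal_runs": signal_runs(evs),
        }
    return alerts


if __name__ == "__main__":
    for prog, summary in find_crash_loops(parse_crashes(SAMPLE_LOG)).items():
        print(prog, summary)
```

On the pasted lines this reports sshd crashing ten times in 38 seconds, every crash as uid 0 with a core file, five SIGSEGV followed by five SIGBUS. Feeding the same parser the surrounding hour of messages would show whether the ICMP rate-limit entries and the crash burst ever overlap in time, which is the correlation the thread is trying to settle.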