Date:      Tue, 4 Dec 2001 13:58:35 -0800
From:      "Riley J. McIntire" <rileyjmc@pacbell.net>
To:        "Josh Paetzel" <friar_josh@webwarrior.net>, "Riley J. McIntire" <rileyjmc@pacbell.net>
Cc:        "Stephen Hovey" <shovey@buffnet.net>, "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>
Subject:   RE: icmp dos attack?   sshd core dump
Message-ID:  <NCBBLBILEPCHLFJAPIIPAECAKFAA.rileyjmc@pacbell.net>
In-Reply-To: <20011204135602.B446@twincat.vladsempire.net>

> What version of FreeBSD are you running?  IIRC, there was a remote
> hole in sshd on 4.3-RELEASE.  Also, what is restarting sshd?

root@mail# uname -a
FreeBSD mail.domain.com 4.2-RELEASE FreeBSD 4.2-RELEASE #2: Sat Apr 21
14:33:05 PDT 2001     root@mail.domain.com:/usr/src/sys/compile/MAIL
i386


> You have
> some sort of cron job running or something?

No cron job. I'm not sure how it's restarted--thought it was run from
inetd but it's not.  This is a firewall running ipfw/natd and sendmail
for a very small network.  Looking over the log files, the
icmp-response bandwidth limit 240/200 pps entries go for about 10 min,
then quiet for an hour, and then the sshd core dumps start for about 3 or
4 mins.  Again going from a sig 11 to sig 10.  sshd restarts within 2-3
sec each time.

Dec  3 14:30:09 mail /kernel: pid 49388 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  3 14:30:14 mail /kernel: pid 49389 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  3 14:30:17 mail /kernel: pid 49390 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  3 14:30:19 mail /kernel: pid 49391 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  3 14:30:27 mail /kernel: pid 49394 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  3 14:30:36 mail /kernel: pid 49396 (sshd), uid 0: exited on signal 10 (core dumped)
Dec  3 14:30:38 mail /kernel: pid 49397 (sshd), uid 0: exited on signal 10 (core dumped)
Dec  3 14:30:42 mail /kernel: pid 49398 (sshd), uid 0: exited on signal 10 (core dumped)
Dec  3 14:30:45 mail /kernel: pid 49399 (sshd), uid 0: exited on signal 10 (core dumped)
Dec  3 14:30:47 mail /kernel: pid 49400 (sshd), uid 0: exited on signal 10 (core dumped)


> Anyways, based on that, it makes it seem local to me, like someone
> is running ping -f as root or something.  Still doesn't make a lot

The people with physical access don't know unix.  And the machine is
headless anyway, only ssh/telnet access.  If someone cracked in, they hid
their footsteps.  It is on the ethernet side of a cisco broadband router
connected to a cable plant.  Which I have nothing to do with...

> of sense that that would cause sshd to dump core.  Seems more
> likely that they are two different things, related perhaps only in
> who is doing them.
>
> Josh

I can't see an icmp/sshd connection either, except as you say, in who.

Riley
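The message above describes two log signatures in FreeBSD 4.x /var/log/messages (the kernel's "icmp-response bandwidth limit N/M pps" line and the "pid N (sshd), uid 0: exited on signal S (core dumped)" line) and a timing pattern between them. Below is an added example, written for this page and not code from the thread or from FreeBSD, that parses such lines, groups each kind of event into bursts, and reports per crash burst the signal sequence, the pid sequence, the spacing between crashes and the lag since the last ICMP rate-limit burst. The sample log is constructed to mimic the quoted lines; the year (2001, since syslog stamps carry none) and the 5-minute burst-splitting threshold are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in FreeBSD 4.x syslog format (not log data from the thread).
SAMPLE_LOG = """\
Dec  3 13:15:00 mail /kernel: icmp-response bandwidth limit 240/200 pps
Dec  3 13:15:01 mail /kernel: icmp-response bandwidth limit 245/200 pps
Dec  3 13:18:30 mail /kernel: icmp-response bandwidth limit 212/200 pps
Dec  3 13:22:10 mail /kernel: icmp-response bandwidth limit 233/200 pps
Dec  3 13:24:59 mail /kernel: icmp-response bandwidth limit 210/200 pps
Dec  3 13:40:12 mail sendmail[412]: alias database /etc/aliases rebuilt by root
Dec  3 14:30:09 mail /kernel: pid 49388 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  3 14:30:14 mail /kernel: pid 49389 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  3 14:30:17 mail /kernel: pid 49390 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  3 14:30:36 mail /kernel: pid 49396 (sshd), uid 0: exited on signal 10 (core dumped)
Dec  3 14:30:38 mail /kernel: pid 49397 (sshd), uid 0: exited on signal 10 (core dumped)
Dec  3 14:33:50 mail /kernel: pid 49440 (sshd), uid 0: exited on signal 10 (core dumped)
Dec  3 15:10:00 mail /kernel: pid 500 (perl), uid 1001: exited on signal 11
Dec  3 16:02:00 mail /kernel: pid 49610 (sshd), uid 0: exited on signal 11 (core dumped)
"""

STAMP = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: "
CRASH_RE = re.compile(STAMP + r"pid (?P<pid>\d+) \((?P<comm>[^)]+)\), uid (?P<uid>\d+): "
                      r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?$")
ICMP_RE = re.compile(STAMP + r"icmp-response bandwidth limit (?P<seen>\d+)/(?P<limit>\d+) pps$")
SIGNAMES = {10: "SIGBUS", 11: "SIGSEGV"}  # BSD signal numbering, as on FreeBSD/i386


def signal_name(sig):
    return SIGNAMES.get(sig, f"signal {sig}")


def parse_ts(text, year):
    # syslog stamps have no year, so the caller supplies one (assumed 2001 here)
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def parse_events(log_text, year=2001):
    """Return the recognised kernel events, in file order, as dicts."""
    events = []
    for line in log_text.splitlines():
        if m := CRASH_RE.match(line):
            events.append({"kind": "crash", "ts": parse_ts(m["ts"], year), "pid": int(m["pid"]),
                           "comm": m["comm"], "uid": int(m["uid"]), "sig": int(m["sig"]),
                           "core": m["core"] is not None})
        elif m := ICMP_RE.match(line):
            events.append({"kind": "icmp", "ts": parse_ts(m["ts"], year),
                           "seen": int(m["seen"]), "limit": int(m["limit"])})
    return events


def bursts(events, gap):
    """Group time-ordered events: a new burst starts when more than `gap` passed since the last one."""
    out = []
    for ev in events:
        if out and ev["ts"] - out[-1][-1]["ts"] <= gap:
            out[-1].append(ev)
        else:
            out.append([ev])
    return out


def summarize(log_text, comm="sshd", year=2001, gap=timedelta(minutes=5)):
    events = parse_events(log_text, year)
    icmp = bursts([e for e in events if e["kind"] == "icmp"], gap)
    crashes = bursts([e for e in events if e["kind"] == "crash" and e["comm"] == comm], gap)
    icmp_report = [{"start": b[0]["ts"], "end": b[-1]["ts"], "count": len(b),
                    "duration_s": (b[-1]["ts"] - b[0]["ts"]).total_seconds(),
                    "peak_pps": max(e["seen"] for e in b)} for b in icmp]
    crash_report = []
    for b in crashes:
        stamps = [e["ts"] for e in b]
        pids = [e["pid"] for e in b]
        deltas = [(t2 - t1).total_seconds() for t1, t2 in zip(stamps, stamps[1:])]
        # the most recent ICMP rate-limit burst that ended before this crash burst began
        prior = [ib for ib in icmp if ib[-1]["ts"] < stamps[0]]
        crash_report.append({
            "start": stamps[0], "end": stamps[-1], "count": len(b),
            "duration_s": (stamps[-1] - stamps[0]).total_seconds(),
            "signals": [e["sig"] for e in b],
            "pids": pids,
            # strictly increasing pids: every crash is a freshly forked process
            "pids_sequential": all(p2 > p1 for p1, p2 in zip(pids, pids[1:])),
            "min_gap_s": min(deltas) if deltas else None,
            "max_gap_s": max(deltas) if deltas else None,
            "lag_after_icmp_s": (stamps[0] - prior[-1][-1]["ts"]).total_seconds() if prior else None,
        })
    return {"icmp_bursts": icmp_report, "crash_bursts": crash_report}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for b in report["icmp_bursts"]:
        print(f"icmp limit {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S} {b['count']} msgs, peak {b['peak_pps']} pps")
    for b in report["crash_bursts"]:
        sigs = " ".join(signal_name(s) for s in b["signals"])
        print(f"sshd crashes {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S} x{b['count']} [{sigs}] "
              f"sequential pids={b['pids_sequential']} lag after icmp={b['lag_after_icmp_s']}s")
```

Run it against the real /var/log/messages (and the rotated copies) with `summarize(open(path).read())` to get the same bursts the message describes by eye. The `pids_sequential` flag is the check to look at before asking what restarts sshd: in the quoted excerpt the pids climb (49388, 49389, 49390, ...), so each crash is a freshly forked process, which is what a listening sshd that forks one child per incoming connection produces when those children die; a long-lived sshd in `ps` and `sshd_enable` in /etc/rc.conf would confirm the listener itself never went away.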








Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NCBBLBILEPCHLFJAPIIPAECAKFAA.rileyjmc>