From owner-freebsd-questions Tue Dec 4 14:00:53 2001
From: "Riley J. McIntire"
To: "Josh Paetzel", "Riley J. McIntire"
Cc: "Stephen Hovey", "FreeBSD Questions"
Subject: RE: icmp dos attack? sshd core dump
Date: Tue, 4 Dec 2001 13:58:35 -0800
In-reply-to: <20011204135602.B446@twincat.vladsempire.net>

> What version of FreeBSD are you running? IIRC, there was a remote
> hole in sshd on 4.3-RELEASE. Also, what is restarting sshd?

root@mail# uname -a
FreeBSD mail.domain.com 4.2-RELEASE FreeBSD 4.2-RELEASE #2: Sat Apr 21 14:33:05 PDT 2001 root@mail.domain.com:/usr/src/sys/compile/MAIL i386

> You have
> some sort of cron job running or something?

No cron job. I'm not sure how it's restarted--thought it was run from inetd but it's not. This is a firewall running ipfw/natd and sendmail for a very small network.

Looking over the log files, the "icmp-response bandwidth limit 240/200 pps" entries go on for about 10 min, then quiet for an hour, and then the sshd core dumps start for about 3 or 4 mins, again going from a sig 11 to a sig 10. sshd restarts within 2-3 sec each time.

Dec 3 14:30:09 mail /kernel: pid 49388 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:14 mail /kernel: pid 49389 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:17 mail /kernel: pid 49390 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:19 mail /kernel: pid 49391 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:27 mail /kernel: pid 49394 (sshd), uid 0: exited on signal 11 (core dumped)
Dec 3 14:30:36 mail /kernel: pid 49396 (sshd), uid 0: exited on signal 10 (core dumped)
Dec 3 14:30:38 mail /kernel: pid 49397 (sshd), uid 0: exited on signal 10 (core dumped)
Dec 3 14:30:42 mail /kernel: pid 49398 (sshd), uid 0: exited on signal 10 (core dumped)
Dec 3 14:30:45 mail /kernel: pid 49399 (sshd), uid 0: exited on signal 10 (core dumped)
Dec 3 14:30:47 mail /kernel: pid 49400 (sshd), uid 0: exited on signal 10 (core dumped)

> Anyways, based on that, it makes it seem local to me, like someone
> is running ping -f as root or something. Still doesn't make a lot

The people with physical access don't know unix. And the machine is headless anyway, only ssh/telnet access. If someone cracked in, they hid their footsteps. It is on the ethernet side of a cisco broadband router connected to a cable plant. Which I have nothing to do with...

> of sense that that would cause sshd to dump core. Seems more
> likely that they are two different things, related perhaps only in
> who is doing them.
>
> Josh

I can't see an icmp/sshd connection either, except as you say, in who.

Riley
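The pattern Riley describes (a run of icmp-response bandwidth limit messages, a quiet hour, then a few minutes of sshd dying on SIGSEGV and SIGBUS) is the kind of thing worth pulling out of /var/log/messages automatically rather than by eye. The Python script below is an added example, not code from this thread or from FreeBSD: it parses kernel syslog lines of the two forms quoted above, groups consecutive crashes of the same daemon into bursts, and lists the rate-limit warnings that preceded each burst. The text in SAMPLE_LOG is constructed to mimic the excerpt above (the poster's real log is not available), the year 2001 is assumed because syslog timestamps carry none, and the 60 s burst window and 2 h look-back are arbitrary choices. One caveat when reading such output: on FreeBSD 4.x the "icmp-response bandwidth limit N/200 pps" message comes from the kernel's limiter on responses the host itself generates (ICMP unreachables, echo replies, TCP RSTs; sysctl net.inet.icmp.icmplim, default 200 per second), so it records that the box was being made to answer a flood of packets, e.g. a scan, not that it was the one sending.

```python
#!/usr/bin/env python3
"""Find bursts of daemon crashes in FreeBSD /var/log/messages and line them
up against preceding 'icmp-response bandwidth limit' warnings.

Added example for the thread above; not the poster's or FreeBSD's own code.
"""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the syslog excerpt in the mail (not the real log).
SAMPLE_LOG = """\
Dec  3 13:10:02 mail /kernel: icmp-response bandwidth limit 240/200 pps
Dec  3 13:10:07 mail /kernel: icmp-response bandwidth limit 251/200 pps
Dec  3 13:19:58 mail /kernel: icmp-response bandwidth limit 230/200 pps
Dec  3 14:30:09 mail /kernel: pid 49388 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  3 14:30:14 mail /kernel: pid 49389 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  3 14:30:17 mail /kernel: pid 49390 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  3 14:30:36 mail /kernel: pid 49396 (sshd), uid 0: exited on signal 10 (core dumped)
Dec  3 14:30:38 mail /kernel: pid 49397 (sshd), uid 0: exited on signal 10 (core dumped)
Dec  3 16:05:00 mail /kernel: pid 50001 (named), uid 53: exited on signal 11 (core dumped)
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<src>[^:]+): (?P<msg>.*)$")
# "pid 49388 (sshd), uid 0: exited on signal 11 (core dumped)"
CRASH_RE = re.compile(
    r"pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?")
# "icmp-response bandwidth limit 240/200 pps"  (4.x wording; tried/limit)
ICMPLIM_RE = re.compile(
    r"icmp-response bandwidth limit (?P<tried>\d+)/(?P<limit>\d+) pps")

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
YEAR = 2001  # assumption: syslog lines carry no year; taken from the mail's date


def parse_line(line):
    """Return an event dict for a syslog line, or None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime(YEAR, MONTHS[m["mon"]], int(m["day"]),
                  *map(int, m["time"].split(":")))
    ev = {"ts": ts, "host": m["host"], "kind": "other", "msg": m["msg"]}
    c = CRASH_RE.search(m["msg"])
    if c:
        ev.update(kind="crash", pid=int(c["pid"]), proc=c["proc"],
                  uid=int(c["uid"]), sig=int(c["sig"]), core=bool(c["core"]))
        return ev
    i = ICMPLIM_RE.search(m["msg"])
    if i:
        ev.update(kind="icmplim", tried=int(i["tried"]), limit=int(i["limit"]))
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def crash_bursts(events, window=timedelta(seconds=60), min_count=3):
    """Group consecutive crashes of the same program that are no more than
    `window` apart; keep groups with at least `min_count` crashes."""
    bursts, cur = [], None
    for ev in (e for e in events if e["kind"] == "crash"):
        if cur and cur["proc"] == ev["proc"] and ev["ts"] - cur["end"] <= window:
            cur["end"] = ev["ts"]
            cur["count"] += 1
            cur["signals"].add(ev["sig"])
        else:
            cur = {"proc": ev["proc"], "uid": ev["uid"], "start": ev["ts"],
                   "end": ev["ts"], "count": 1, "signals": {ev["sig"]}}
            bursts.append(cur)
    return [b for b in bursts if b["count"] >= min_count]


def icmplim_before(events, burst, lookback=timedelta(hours=2)):
    """Rate-limit warnings logged in the `lookback` period before a burst."""
    lo = burst["start"] - lookback
    return [e for e in events
            if e["kind"] == "icmplim" and lo <= e["ts"] < burst["start"]]


def report(text):
    """One summary record per crash burst, with the preceding icmplim context."""
    events = parse_log(text)
    out = []
    for b in crash_bursts(events):
        hits = icmplim_before(events, b)
        out.append({
            "proc": b["proc"], "uid": b["uid"], "count": b["count"],
            "signals": sorted(b["signals"]),
            "start": b["start"], "end": b["end"],
            "icmplim_hits": len(hits),
            # time from the last rate-limit warning to the first crash
            "lead_time": (b["start"] - hits[-1]["ts"]) if hits else None,
        })
    return out


if __name__ == "__main__":
    for rec in report(SAMPLE_LOG):
        print(rec)
```

Run it against a real file with `report(open("/var/log/messages").read())`; a root daemon (uid 0) crashing repeatedly on a mix of signal 11 and signal 10 shortly after the host was provoked into rate-limiting its own responses is the case to flag first, and the core files it leaves behind are the next thing to look at.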