Date: Thu, 28 Oct 2004 14:03:28 -0500
From: "Henry Miller" <hmiller@intradyn.com>
To: "Steve Suhre" <steve@Antero.com>, freebsd-questions@freebsd.org
Subject: Re: Hacker activity?
Message-ID: <200410281403280734.06350AB4@mail.intradyn.com>
In-Reply-To: <6.0.3.0.2.20041028102537.04be6ec0@nano.net>
References: <6.0.3.0.2.20041028102537.04be6ec0@nano.net>
On 10/28/2004 at 10:39 Steve Suhre wrote:

> I'm not sure if this is the correct group...but I'm getting some weird
> activity on the network. The security reports will show 50-100 attempts to
> login to a server, most as root but some are attempts to login to other
> seemingly random account names. The login attempts are through ssh or
> telnet, all come from the same remote server, and all fail. I'm also
> getting some odd cgi calls to a script on a secure ssl server. There's
> nothing that this particular script could do for a hacker, but the script
> is sent a random string, sometimes many times a minute, other times it's
> every 2-3 minutes. I grabbed the ip address and blocked it, and about 10
> minutes later it had moved to another ip. I'm now blocking a range of
> ip's.
>
> These don't seem like enough iterations to be very successful, the odds
> are overwhelmingly in favor of the server at this rate... Does anyone have a
> clue what might be happening or where I should go to find out?

First, the term is cracker. Hackers are the good guys. (I know, I know, nobody else cares)

There are two possibilities: an honest person has mistyped something and is connecting to your machine instead of one he has access to; or a dishonest person is trying to break into your computer. I'd bet on the latter, nobody accidentally sends random strings to a cgi script.

Often a script is running, attempting every computer on the Internet, or every interesting one. (It takes too long to try 4 billion addresses, when most don't have a machine behind them, so they try machines that are more interesting) They may or may not be targeting you in particular, often they are just looking for any machine they can get into, meaning you're not the only one they are going after.

Here are some things you can try, in addition to what you have done. Not all of them will apply though, think about each.

Take an old line printer out of the closet and have syslog log to that. This gives you a hard copy of what is happening. If someone does break into your system, one of their first tasks will be to falsify the logs so you don't know it. They can't modify something that has been printed to paper though. Consider logging to a different machine on your network as well.

In addition to blocking that address, see who owns the net block. If it is a responsible ISP and you send logs to the right person, you can sometimes solve this problem. It doesn't work often, but it sometimes helps. If nothing else it is harmless.

If it looks like this is in the same country as you, or at least a country that is "friendly" to yours, you might ask a lawyer to get a cease and desist order. It is unlikely you can ever make this worth the cost, but keep it in mind.

Make sure root cannot login to your system via ssh. This is the default in FreeBSD, but try to ssh into your machine as root, correct password, just to make sure.

Read all the security advisories on www.freebsd.org (there are other places to get these too, some are better), and make sure your system is patched for them all.

Do a security audit of that cgi script. Remember, better find nothing, than not do it and find there is a buffer overflow attack. Their goal isn't to get the script to do anything, it is to get your system to run their code in place of the script. These attacks are fairly complex, but effective. Ideally run your webserver in a Jail, but that can't always be done.

Turn off telnet if you can. Nearly everything has an ssh client nowadays, so this normally isn't a problem.

Basically what I'm suggesting is a combination of double checking the security on your machine, and trying to get them cut off. There is no

One last idea: look up honeypot on google. You might want to run one yourself just to get an idea of what they are trying to do.
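The reply above recommends two concrete defensive checks: read the failed-login activity out of the logs (repeated root attempts, "random" account names, a source that moves to a neighbouring address once blocked) and confirm that sshd really refuses root logins. The following Python is an added example written for this archive page; it is not code from either poster. It works on constructed sample lines in the style OpenSSH writes to syslog (hostnames, PIDs and the RFC 5737 test addresses are made up) and on a constructed sshd_config excerpt; the thresholds and the `/24` grouping are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth log lines in the style of OpenSSH's syslog output.
# Hosts, PIDs and addresses are made up; 192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges, not real sources.
SAMPLE_AUTH_LOG = """\
Oct 28 10:12:01 gw sshd[1201]: Failed password for root from 192.0.2.10 port 40211 ssh2
Oct 28 10:12:04 gw sshd[1203]: Failed password for root from 192.0.2.10 port 40212 ssh2
Oct 28 10:12:07 gw sshd[1205]: Failed password for invalid user oracle from 192.0.2.10 port 40213 ssh2
Oct 28 10:12:09 gw sshd[1207]: Failed password for invalid user test from 192.0.2.10 port 40214 ssh2
Oct 28 10:12:13 gw sshd[1209]: Failed password for admin from 192.0.2.10 port 40215 ssh2
Oct 28 10:22:40 gw sshd[1311]: Failed password for root from 192.0.2.77 port 51002 ssh2
Oct 28 10:22:43 gw sshd[1313]: Failed password for invalid user guest from 192.0.2.77 port 51003 ssh2
Oct 28 10:30:00 gw sshd[1400]: Accepted publickey for steve from 198.51.100.5 port 33001 ssh2
Oct 28 10:31:12 gw sshd[1402]: Failed password for steve from 198.51.100.5 port 33002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user oracle from ..." (unknown account names).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_source(log_text):
    """Return {source_ip: Counter(username -> failed attempts)}."""
    by_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_ip[m.group("ip")][m.group("user")] += 1
    return by_ip


def suspicious_sources(log_text, min_failures=3, min_distinct_users=2):
    """Flag a source when it fails often OR cycles through several account
    names; the second rule catches the 'seemingly random account names'
    pattern even before the raw count gets large. Thresholds are assumptions."""
    flagged = {}
    for ip, users in failed_logins_by_source(log_text).items():
        total = sum(users.values())
        if total >= min_failures or len(users) >= min_distinct_users:
            flagged[ip] = {"failures": total, "users": sorted(users)}
    return flagged


def sources_by_net24(ips):
    """Group flagged sources by their first three octets, which is what makes a
    'blocked one address, it came back from the next one' pattern visible."""
    groups = defaultdict(list)
    for ip in sorted(ips):
        groups[ip.rsplit(".", 1)[0]].append(ip)
    return dict(groups)


# Constructed sshd_config excerpt for this example, not any real host's file.
SSHD_CONFIG_SAMPLE = """\
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PermitRootLogin no
"""


def effective_option(config_text, keyword):
    """Return the first value set for keyword in the global section of an
    sshd_config, or None when it is not set there (sshd then uses its
    compiled-in default). OpenSSH honours the FIRST occurrence of a keyword,
    so a later 'PermitRootLogin no' does not undo an earlier 'yes'. Lines
    inside a Match block apply conditionally, so parsing stops at 'Match'.
    The optional 'Keyword=value' spelling is not handled here."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                 # keywords are case-insensitive
        if key == "match":
            break
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return None


def root_ssh_login_disabled(config_text):
    """Conservative check: only an explicit 'PermitRootLogin no' passes.
    An absent keyword relies on the build's default and is reported as
    something to verify by hand, as the reply above suggests."""
    return (effective_option(config_text, "PermitRootLogin") or "").lower() == "no"


if __name__ == "__main__":
    flagged = suspicious_sources(SAMPLE_AUTH_LOG)
    for ip, info in sorted(flagged.items()):
        print(f"{ip}: {info['failures']} failures, accounts tried: {', '.join(info['users'])}")
    print("sources grouped by /24:", sources_by_net24(flagged))
    print("PermitRootLogin effective value:", effective_option(SSHD_CONFIG_SAMPLE, "PermitRootLogin"))
    print("root ssh login disabled:", root_ssh_login_disabled(SSHD_CONFIG_SAMPLE))
```

Run against a real `/var/log/auth.log` by reading the file into `suspicious_sources`; the `Accepted publickey` line and the single mistyped password from 198.51.100.5 show that a legitimate user with one slip is not flagged, while both 192.0.2.x sources are, and the `/24` grouping is the hint for deciding whether a range block is justified. The config check deliberately reproduces the first-occurrence rule, which is the usual way a well-meaning "I added PermitRootLogin no at the bottom" edit fails to take effect.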