Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 14 Sep 2004 19:15:43 -0700 (PDT)
From:      John DeStefano <deesto@yahoo.com>
To:        freebsd-questions@freebsd.org
Subject:   increasing failed sshd logins/clearing breadcrumb trails
Message-ID:  <20040915021543.85849.qmail@web52907.mail.yahoo.com>

next in thread | raw e-mail | index | archive | help
I've noticed a few posts over the past week or so regarding users'
servers being probed by remote ssh attempts.  Coincidentally (or
perhaps not so), around that time, I began getting quite a few records
of such attempts to my server, at the rate of about 3 tries per IP, and
about three IPs per night.  Unfortunately, last night (Mon Sep 13),
this attack was much more concentrated and persistent: someone from (or
spoofing from) one IP (211.250.185.100) hammered my server with login
attempts over a 20-minute period.  The last report I got was a final,
failed root password at 20:22:13 Eastern Time (GMT-5:00).

I just read this record and logged into my server, and ran "last",
which gave me a blank record, saying only:

wtmp begins Tue Sep 14 22:01:55 EDT 2004

...which happened to be the exact time I just logged into my server. 
I'm wondering if it is a normal clean-up occurrance for the 'last' log
to turn over at a certain time/date, or if this ssh-er finally got into
my system and cleaned up his/her tracks?  I realize the power of  one
who has root privelages, but what logs would they have wiped out to
remain invisible, and what others might I have a possible chance of
looking at to determine what happened?




		
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040915021543.85849.qmail>