Date: Tue, 14 Sep 2004 19:15:43 -0700 (PDT)
From: John DeStefano <deesto@yahoo.com>
To: freebsd-questions@freebsd.org
Subject: increasing failed sshd logins/clearing breadcrumb trails
Message-ID: <20040915021543.85849.qmail@web52907.mail.yahoo.com>
I've noticed a few posts over the past week or so regarding users' servers being probed by remote ssh attempts. Coincidentally (or perhaps not so), around that time, I began getting quite a few records of such attempts to my server, at the rate of about 3 tries per IP, and about three IPs per night.

Unfortunately, last night (Mon Sep 13), this attack was much more concentrated and persistent: someone from (or spoofing from) one IP (211.250.185.100) hammered my server with login attempts over a 20-minute period. The last report I got was a final, failed root password at 20:22:13 Eastern Time (GMT-5:00).

I just read this record and logged into my server, and ran "last", which gave me a blank record, saying only:

wtmp begins Tue Sep 14 22:01:55 EDT 2004

...which happened to be the exact time I just logged into my server.

I'm wondering if it is a normal clean-up occurrence for the 'last' log to turn over at a certain time/date, or if this ssh-er finally got into my system and cleaned up his/her tracks? I realize the power of one who has root privileges, but what logs would they have wiped out to remain invisible, and what others might I have a possible chance of looking at to determine what happened?
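As an added example (not part of this message or of any FreeBSD tool), the following Python parses sshd failure lines in the syslog format of /var/log/auth.log, flags a source address that hammers the server within a 20-minute window rather than the three-tries-a-night probing described above, and checks whether the "wtmp begins" time printed by last(1) postdates the attack, which is the gap the poster observed. All log lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not from the original message):
# a burst from one address, one stray probe, and a legitimate login.
SAMPLE_LOG = """\
Sep 13 20:01:10 gw sshd[812]: Failed password for root from 192.0.2.10 port 4401 ssh2
Sep 13 20:01:14 gw sshd[814]: Failed password for illegal user test from 192.0.2.10 port 4402 ssh2
Sep 13 20:03:02 gw sshd[820]: Failed password for illegal user admin from 192.0.2.10 port 4410 ssh2
Sep 13 20:09:41 gw sshd[831]: Failed password for root from 192.0.2.10 port 4422 ssh2
Sep 13 20:22:13 gw sshd[840]: Failed password for root from 192.0.2.10 port 4450 ssh2
Sep 13 21:10:00 gw sshd[901]: Failed password for root from 198.51.100.7 port 5100 ssh2
Sep 13 21:10:05 gw sshd[903]: Accepted publickey for john from 203.0.113.5 port 5200 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user |invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

def parse_failures(text, year):
    """(time, user, ip) per failed-password line; syslog stamps carry no year."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out

def burst_sources(failures, window=timedelta(minutes=20), threshold=4):
    """ip -> total failures, for every ip with >= threshold failures inside
    one sliding window; a 3-tries-per-night prober stays below it."""
    by_ip = defaultdict(list)
    for ts, _, ip in failures:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def wtmp_begins_time(last_output):
    """Parse 'wtmp begins Tue Sep 14 22:01:55 EDT 2004' as printed by last(1);
    the zone name is dropped because strptime cannot parse it portably."""
    m = re.search(r"wtmp begins \w{3} (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4})", last_output)
    return datetime.strptime(f"{m[1]} {m[2]} {m[4]} {m[3]}", "%b %d %Y %H:%M:%S") if m else None

def wtmp_covers_attack(failures, wtmp_begins):
    """False when the accounting file starts after the last failure, i.e. it
    holds no record of the attack window. That symptom fits both a truncated
    wtmp and a benign rotation; only the host's rotation schedule decides."""
    return wtmp_begins <= min(ts for ts, _, _ in failures)
```

A wtmp that starts after the attack is a reason to pull the other records for that window (auth.log and the remote syslog copy if one exists) rather than proof of a compromise by itself.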