Re: Hacker activity?

From: Henry Miller (hmiller_at_intradyn.com)
Date: 10/28/04

  • Next message: Robert Huff: "RE: Is anyone running Novells eDirectory on Freebsd"
    Date: Thu, 28 Oct 2004 14:03:28 -0500
    To: "Steve Suhre" <steve@Antero.com>, freebsd-questions@freebsd.org
    
    

    On 10/28/2004 at 10:39 Steve Suhre wrote:

    >I'm not sure if this is the correct group...but I'm getting some weird
    >activity on the network. The security reports will show 50-100 attempts to
    >login to a server, most as root but some are attempts to login to other
    >seemingly random account names. The login attempts are through ssh or
    >telnet, all come from the same remote server, and all fail. I'm also
    >getting some odd cgi calls to a script on a secure ssl server. There's
    >nothing that this particular script could do for a hacker, but the script
    >is sent a random string, sometimes many times a minute, other times it's
    >every 2-3 minutes. I grabbed the ip address and blocked it, and about 10
    >minutes later it had moved to another ip. I'm now blocking a range of
    >ip's.
    >These don't seem like enough iterations to be very successful, the odds
    >are overwhelmingly in favor of the server at this rate... Does anyone have
    >a clue what might be happening or where I should go to find out?

    First, the term is cracker. Hackers are the good guys. (I know, I
    know, nobody else cares)

    There are two possibilities: an honest person has mistyped something
    and is connecting to your machine instead of one he has access to; or a
    dishonest person is trying to break into your computer. I'd bet on
    the latter; nobody accidentally sends random strings to a cgi script.

    Often a script is running, attempting every computer on the Internet,
    or every interesting one. (It takes too long to try 4 billion
    addresses when most don't have a machine behind them, so they try
    machines that are more interesting.) They may or may not be targeting
    you in particular; often they are just looking for any machine they can
    get into, meaning you're not the only one they are going after.

    Here are some things you can try, in addition to what you have done.
    Not all of them will apply though, think about each.

    Take an old line printer out of the closet and have syslog log to that.
    This gives you a hard copy of what is happening. If someone does
    break into your system, one of their first tasks will be to falsify the
    logs so you don't know it. They can't modify something that has been
    printed to paper though. Consider logging to a different machine on
    your network as well.

    In addition to blocking that address, see who owns the net block. If
    it is a responsible ISP and you send logs to the right person, you can
    sometimes solve this problem. It doesn't work often, but it sometimes
    helps. If nothing else it is harmless.

    If it looks like this is in the same country as you, or at least a
    country that is "friendly" to yours, you might ask a lawyer to get a
    cease and desist order. It is unlikely you can ever make this worth
    the cost, but keep it in mind.

    Make sure root cannot log in to your system via ssh. This is the
    default in FreeBSD, but try to ssh into your machine as root with the
    correct password, just to make sure.

    Read all the security advisories on www.freebsd.org (there are other
    places to get these too, some are better), and make sure your system is
    patched for them all.

    Do a security audit of that cgi script. Remember, it is better to find
    nothing than to not do it and find out there is a buffer overflow attack.
    Their goal isn't to get the script to do anything; it is to get your
    system to run their code in place of the script. These attacks are
    fairly complex, but effective. Ideally run your webserver in a Jail,
    but that can't always be done.

    Turn off telnet if you can. Nearly everything has an ssh client
    nowadays, so this normally isn't a problem.

    Basically what I'm suggesting is a combination of double checking the
    security on your machine, and trying to get them cut off. There is no
    One last idea: look up honeypot on google. You might want to run one
    yourself just to get an idea of what they are trying to do.

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
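The reply above recommends watching the logs, blocking the offending sources and confirming that PermitRootLogin really is off. The following is an added example, not code from the thread or from the FreeBSD project, that does those three things against a constructed /var/log/auth.log excerpt: it counts failed sshd logins per source address (handling both the older "illegal user" and the newer "invalid user" wording), picks out the sources over a threshold, emits the pfctl(8) commands that would drop them into a pf table (the table name "bruteforce" and the assumption that pf.conf has a block rule referencing that table are mine; an ipfw table would serve just as well), and reads the effective PermitRootLogin value the way sshd does, first uncommented occurrence wins, falling back to FreeBSD's default of "no" when the directive is left commented out. The sample log lines and sshd_config fragment are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format OpenSSH sshd writes to syslog on
# FreeBSD; not taken from the original post. Older OpenSSH logs "illegal
# user", newer releases "invalid user", so both spellings are handled.
SAMPLE_LOG = """\
Oct 28 10:39:01 gw sshd[4011]: Failed password for root from 192.0.2.10 port 4321 ssh2
Oct 28 10:39:04 gw sshd[4013]: Failed password for root from 192.0.2.10 port 4325 ssh2
Oct 28 10:39:09 gw sshd[4015]: Illegal user oracle from 192.0.2.10
Oct 28 10:39:09 gw sshd[4015]: Failed password for illegal user oracle from 192.0.2.10 port 4330 ssh2
Oct 28 10:39:15 gw sshd[4017]: Invalid user test from 192.0.2.10
Oct 28 10:39:15 gw sshd[4017]: Failed password for invalid user test from 192.0.2.10 port 4333 ssh2
Oct 28 10:40:02 gw sshd[4020]: Accepted publickey for steve from 198.51.100.7 port 50022 ssh2
Oct 28 10:41:30 gw sshd[4022]: Failed password for steve from 198.51.100.7 port 50030 ssh2
Oct 28 10:49:10 gw sshd[4031]: Failed password for root from 192.0.2.77 port 2001 ssh2
"""

# Only the "Failed password" line is counted; the preceding "Illegal user"
# line describes the same attempt and would otherwise double-count it.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\S+) port \d+"
)


def parse_failures(log_text):
    """Return {source_ip: Counter({username: failed_attempts})}."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip][user] += 1
    return failures


def offenders(failures, threshold):
    """Source IPs with at least `threshold` failed logins, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in failures.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: (-totals[ip], ip))


def pf_block_commands(ips, table="bruteforce"):
    """pfctl commands that add each IP to a pf table. Assumes pf.conf
    declares 'table <bruteforce> persist' and has a rule such as
    'block in quick from <bruteforce>' (hypothetical configuration)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


def permit_root_login(sshd_config_text, default="no"):
    """Effective PermitRootLogin value. sshd takes the first uncommented
    occurrence of a keyword; FreeBSD ships the directive commented out,
    so the compiled-in default ('no') applies when none is found."""
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return default


def report(log_text, sshd_config_text, threshold=3):
    """Human-readable summary plus the block commands to run."""
    failures = parse_failures(log_text)
    bad = offenders(failures, threshold)
    lines = []
    for ip in bad:
        users = ", ".join(f"{u}x{n}" for u, n in failures[ip].most_common())
        lines.append(f"{ip}: {sum(failures[ip].values())} failures ({users})")
    lines.extend(pf_block_commands(bad))
    prl = permit_root_login(sshd_config_text)
    lines.append(f"PermitRootLogin is '{prl}'" + ("" if prl == "no" else " -- set it to no"))
    return lines


if __name__ == "__main__":
    # Constructed sshd_config fragment: directive left at FreeBSD's commented default.
    for line in report(SAMPLE_LOG, "#PermitRootLogin no\n"):
        print(line)
```

Run against the real files with `report(open("/var/log/auth.log").read(), open("/etc/ssh/sshd_config").read())`; the threshold of 3 failures is deliberately low for the sample and should be raised on a busy host. Note that the single failure from 198.51.100.7 is the legitimate user mistyping a password, which is exactly the "honest person" case the reply mentions, and the threshold is what keeps that address off the block list.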

