hmiller at intradyn.com
Thu Oct 28 12:02:19 PDT 2004
On 10/28/2004 at 10:39 Steve Suhre wrote:
>I'm not sure if this is the correct group...but I'm getting some weird
>activity on the network. The security reports will show 50-100
>login to a server, most as root but some are attempts to login to
>seemingly random account names. The login attempts are through ssh or
>telnet, all come from the same remote server, and all fail. I'm also
>getting some odd cgi calls to a script on a secure ssl server. There's
>nothing that this particular script could do for a hacker, but the
>is sent a random string, sometimes many times a minute, other times
>every 2 -3 minutes. I grabbed the ip address and blocked it, and about
>minutes later it had moved to another ip. I'm now blocking a range of
>These don't seem like enough iterations to be very successful, the
>overwhelmingly in favor of the server at this rate... Does anyone have
>clue what might be happening or where I should go to find out?
First, the term is cracker. Hackers are the good guys. (I know, I
know, nobody else cares)
There are two possibilities: an honest person has mistyped something
and is connecting to your machine instead of one he has access to; or a
dishonest person is trying to break into your computer. I'd bet on
the latter, nobody accidently sends random strings to a cgi script.
Often a script is running, attempting every computer on the Internet,
or every interesting one. (It takes too long to try 4 billion
addresses, when most don't have a machine behind them so they try
machines that are more interesting) They may or may not be targeting
you in particular, often they are just looking for any machine they can
get into, meaning your not the only one they are going after.
Here are some things you can try, in addition to what you have done.
Not all of them will apply though, think about each.
Take an old line printer out of the closet and have syslog log to that.
This gives you are hard copy of what is happening. If someone does
break into your system, one of their first tasks will be falsify the
logs so you don't know it. They can't modify something that has been
printed to paper though. Consider logging to a different machine on
your network as well.
In addition to blocking that address, see who owns the net block. If
it is a responsible ISP and you send logs to the right person, you can
sometimes solve this problem. It doesn't work often, but it sometimes
helps. If nothing else it is harmless.
If it looks like this is in the same country as you, or at least a
country that is "friendly" to yours, you might ask a lawyer to get a
cease and desist order. It is unlikely you can ever make this worth
the cost, but keep it in mind.
Make sure root cannot login to your system via ssh. This is the
default in FreeBSD, but try to ssh into your machine as root, correct
password, just to make sure.
Read all the security advisories on www.freebsd.org (there are other
places to get these too, some are better), and make sure your system is
patched for them all.
Do a security audit of that cgi script. Remember, better find
nothing, than not do it and find there is a buffer overflow attack.
Their goal isn't to get the script to do anything, it is to get your
system to run their code in place of the script. These attacks are
fairly complex, but effective. Ideally run your webserver in a Jail,
but that can't always be done.
Turn off telnet if you can. Nearly everything has an ssh client
nowadays, so this normally isn't a problem.
Basiclly what I'm suggesting is a combination of double checking the
security on your machine, and trying to get them cut off. There is no
One last idea: look up honeypot on google. You might want to run one
yourself just to get an idea of what they are trying to do.
More information about the freebsd-questions