Attacks on ssh port

Craig Edwards brain at winbot.co.uk
Sat Sep 18 06:02:47 PDT 2004


As I've read, this is an attack from some kiddie trying to build a floodnet.

Records show that most of the compromised boxes are Linux machines which end up having the SucKIT rootkit and an EnergyMech installed on them. I don't know if the attacker has ever gotten into a FreeBSD machine, or what they'd do if they did.

On my machines I have a dummy shell which APPEARS to be a successful login but just returns weird errors (such as "Segmentation Fault") or bad data for all commands that are issued, while also logging their commands. I'm tempted to put this on the 'test' account and let them in on this shell to see what is attempted. Just to clarify, if I did such a thing there's no way for them to break out of the shell, right? It's a simple Perl script, so if the Perl script ends, they're logged off? This is what I expect to happen; however, I don't want to risk it unless it's 100% safe... And just to clarify again, all commands that are issued from this fake shell never reach the REAL OS; even "uname" returns a Red Hat 7.2 string when the real machine is actually FreeBSD 5...

Thanks,
Craig

>On 18 sept. 2004, at 14:18, Willem Jan Withagen wrote:
>
>> Hi,
>>
>> Is there a security problem with ssh that I've missed???
>> I keep getting these hordes of:      Failed password for root from 69.242.5.195 port 39239 ssh2
>> with all kinds of different source addresses.
>>
>> They have a shot or 15 and then they are off again, but a little later 
>> on they're back and keep clogging my logs.
>> Is there an "easy" way of getting these IP numbers added to the 
>> blocking list of ipfw??
>
>
>Not an ssh-related problem; it's just a brute-force attack. I'm 
>experiencing this on every server I have, more than 10 times a day. 
>I'm really thinking about releasing the list of attackers' IPs to the 
>public. As far as I know, it's a pack of compromised machines.
>
>patpro
>
>_______________________________________________
>freebsd-security at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
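For Willem Jan's question about getting the "Failed password" sources into ipfw, here is an added Python example; it is not from the list, from FreeBSD, or from any poster. It parses sshd's syslog lines (both the plain "Failed password for root" form and the "illegal user"/"invalid user" form), counts failures per source address, skips networks you never want to block so that a noisy internal host cannot lock you out, and prints one ipfw deny rule per offender for review before anything is run. The sample log lines are constructed, and the threshold, the never-block networks, the rule number and the rule form are assumptions chosen for the example. One caveat from patpro's observation that the sources are a pack of compromised machines: per-address blocking only thins the noise, because the addresses keep changing; setting `PermitRootLogin no` and `PasswordAuthentication no` in sshd_config removes the thing the brute force is actually aiming at.

```python
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in FreeBSD syslog/sshd format; not real traffic.
SAMPLE_LOG = """\
Sep 18 14:18:01 gw sshd[3121]: Failed password for root from 69.242.5.195 port 39239 ssh2
Sep 18 14:18:03 gw sshd[3123]: Failed password for root from 69.242.5.195 port 39251 ssh2
Sep 18 14:18:05 gw sshd[3125]: Failed password for illegal user test from 69.242.5.195 port 39260 ssh2
Sep 18 14:18:09 gw sshd[3127]: Failed password for illegal user guest from 69.242.5.195 port 39270 ssh2
Sep 18 14:20:44 gw sshd[3140]: Failed password for admin from 10.0.0.7 port 4021 ssh2
Sep 18 14:20:46 gw sshd[3142]: Failed password for admin from 10.0.0.7 port 4022 ssh2
Sep 18 14:20:48 gw sshd[3144]: Failed password for admin from 10.0.0.7 port 4023 ssh2
Sep 18 14:21:00 gw sshd[3150]: Accepted publickey for craig from 192.0.2.10 port 51234 ssh2
Sep 18 14:22:15 gw sshd[3160]: Failed password for root from 198.51.100.23 port 2222 ssh2
"""

# Older OpenSSH logs "illegal user", newer "invalid user"; both are optional here.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed: networks that must never end up in a deny rule (your own hosts).
NEVER_BLOCK = ("10.0.0.0/8", "192.0.2.0/24")


def failed_logins(lines):
    """Yield (source_ip, attempted_user) for every 'Failed password' line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def count_by_source(lines):
    """Number of failed password attempts per source address."""
    return Counter(ip for ip, _ in failed_logins(lines))


def offenders(lines, threshold=3, never_block=NEVER_BLOCK):
    """Addresses with at least `threshold` failures, excluding protected
    networks and anything the regex let through that is not a valid IPv4
    address (e.g. 999.1.1.1). Worst offender first."""
    safe = [ip_network(n) for n in never_block]
    counts = count_by_source(lines)
    chosen = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        try:
            addr = ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in safe):
            continue
        chosen.append(ip)
    return sorted(chosen, key=lambda s: counts[s], reverse=True)


def ipfw_rules(ips, rule_number=1000):
    """One ipfw deny rule per offender. The rule number and the 'to me 22'
    form are assumptions; pick a number that sorts before your allow rules."""
    return [f"ipfw add {rule_number} deny tcp from {ip} to me 22" for ip in ips]


if __name__ == "__main__":
    # Usage: python3 sshblock.py /var/log/auth.log   (no argument: sample data)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for rule in ipfw_rules(offenders(source)):
        print(rule)
```

Run it against the auth log (on FreeBSD, /var/log/auth.log), read the printed rules, and only then pipe them into sh; the never-block list is there precisely so the tool cannot generate a rule against your own management network.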

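As an added example of the decoy shell Craig describes (his Perl script is not on the page; this is a Python reconstruction of the idea, not his code), every input line is logged, every command is answered from a table, and nothing is ever handed to the real operating system: there is no `subprocess`, `os.system`, `eval` or piped `open` anywhere in the file, so the only way out of the loop is the script's own exit. The fake hostname, user, kernel string, canned outputs and log path are all constructed. Two caveats a practitioner would add to the "can they break out" question: the script must be the account's login shell (set with chsh or vipw) so that the session ends when it exits, and it must handle the `-c "command"` form sshd uses for non-interactive sessions instead of ignoring it; and the SSH session is more than the shell, so TCP and X11 forwarding and the sftp subsystem should be switched off in sshd_config (`AllowTcpForwarding no`, `X11Forwarding no`, no `Subsystem sftp` line), or the decoy account becomes a relay even though its shell runs nothing.

```python
import io
import shlex
import sys
import time

# Canned text for the decoy. Hostname, user, kernel string and outputs are
# constructed to imitate a Red Hat 7.2 box; they say nothing about the real host.
FAKE_HOST = "web1"
FAKE_USER = "test"
UNAME_A = "Linux web1 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown"
CANNED = {
    "id": f"uid=500({FAKE_USER}) gid=500({FAKE_USER}) groups=500({FAKE_USER})",
    "whoami": FAKE_USER,
    "hostname": FAKE_HOST,
    "pwd": f"/home/{FAKE_USER}",
    "ls": "",  # an empty home directory
    "cat": "cat: No such file or directory",
    "w": " 14:31:02 up 41 days,  2:10,  1 user,  load average: 0.00, 0.00, 0.00\n"
         "USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT\n"
         f"{FAKE_USER}     pts/0    -                14:30    0.00s  0.01s  0.00s  w",
}
# Tools an intruder reaches for first; these "crash" instead of working.
CRASHES = {"wget", "curl", "gcc", "cc", "perl", "python", "ftp", "lynx", "tar"}


class FakeShell:
    """Decoy login shell: logs every line, answers from a table, executes nothing."""

    def __init__(self, log_sink):
        self.log = log_sink      # file-like; receives one record per input line
        self.running = True

    def prompt(self):
        return f"[{FAKE_USER}@{FAKE_HOST} {FAKE_USER}]$ "

    def handle(self, line):
        """Return the output for one input line. The line is only logged and
        matched against the tables above; it is never executed or evaluated."""
        line = line.rstrip("\r\n")
        self.log.write(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} {line!r}\n")
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes and similar
            return "bash: syntax error: unexpected end of file\n"
        if not argv:
            return ""
        cmd, args = argv[0], argv[1:]
        if cmd in ("exit", "logout"):
            self.running = False
            return "logout\n"
        if cmd == "uname":
            return (UNAME_A if "-a" in args else "Linux") + "\n"
        if cmd in CRASHES:
            return "Segmentation fault\n"
        if cmd in CANNED:
            return CANNED[cmd] + "\n"
        return f"bash: {cmd}: command not found\n"


def transcript(lines):
    """Run input lines through a fresh shell with an in-memory log; returns
    (outputs, log_text, still_running). Useful for checking the decoy before
    pointing a real account at it."""
    log = io.StringIO()
    shell = FakeShell(log)
    outputs = [shell.handle(line) for line in lines]
    return outputs, log.getvalue(), shell.running


def run(argv, stdin, stdout, log):
    shell = FakeShell(log)
    # sshd invokes the login shell as `shell -c "cmd"` for `ssh host cmd`;
    # answer that single line and exit rather than dropping into the loop.
    if len(argv) >= 2 and argv[0] == "-c":
        stdout.write(shell.handle(argv[1]))
        return
    while shell.running:
        stdout.write(shell.prompt())
        stdout.flush()
        line = stdin.readline()
        if not line:  # EOF: the client hung up, so the session is over
            break
        stdout.write(shell.handle(line))


if __name__ == "__main__":
    # Log path is an assumption; the file must be writable by the decoy account.
    with open("/var/log/fakeshell.log", "a") as logf:
        run(sys.argv[1:], sys.stdin, sys.stdout, logf)
```

Install it as the decoy account's login shell (it must be executable and, on FreeBSD, listed in /etc/shells if chsh is to accept it), and review the log periodically; every line the intruder typed is recorded verbatim, while the only thing they can learn about the real host is that its "Linux" box keeps segfaulting.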

