Hacker activity?

Steve Suhre steve at Antero.com
Thu Oct 28 12:15:15 PDT 2004



Thanks. Right now I'm blocking 66.249.6*.* on the secure server for the CGI
script and haven't seen anything for a couple of hours. The other intruder is
a little slicker and moves around quite a bit. My interest is in the
frequency, or lack thereof. Do they attack many sites at once, like spam,
hoping to hit on a server that has a dictionary password, rather than pound
one server with all they've got? Distributed hacking? I can't think of
another reason why someone would even try to hack into a server by logging
in 50-100 times once or twice a week. You can't get root through anything
but the console, and 50-100 attempts don't cover a lot of password ground on
the other accounts, most of which are locked down against shell access
anyway.... I'm not really concerned about the activity; it would take eons
to hack into anything this way. I'm wondering if there's something going on
that I don't know about. Maybe this is a smoke screen to divert attention
from the real threat? It doesn't make a lot of sense....




At 12:32 PM 10/28/2004, Vulpes Velox wrote:
>On Thu, 28 Oct 2004 10:39:32 -0600
>Steve Suhre <steve at Antero.com> wrote:
>
> >
> >
> > I'm not sure if this is the correct group... but I'm getting some
> > weird activity on the network. The security reports will show 50-100
> > attempts to log in to a server, most as root but some are attempts to
> > log in to other seemingly random account names. The login attempts
> > are through ssh or telnet, all come from the same remote server, and
> > all fail. I'm also getting some odd CGI calls to a script on a
> > secure SSL server. There's nothing that this particular script could
> > do for a hacker, but the script is sent a random string, sometimes
> > many times a minute, other times every 2-3 minutes. I grabbed
> > the IP address and blocked it, and about 10 minutes later it had
> > moved to another IP. I'm now blocking a range of IPs. These don't
> > seem like enough iterations to be very successful; the odds are
> > overwhelmingly in favor of the server at this rate... Does anyone
> > have a clue what might be happening or where I should go to find
> > out?
>
>If it is all from a common subnet, I would block it. I would then whois
>it to see if there is an abuse address I could complain to or the like.
>
>Also, man login.conf.
>
>Sounds like some jerk singled you out, or is possibly trying it all
>on a subnet. Back before I moved stuff off common ports, I would get
>massive amounts of that crap. It was basically people trying anything in
>the college's address space.



---
Steve Suhre
Antero web technologies
719.634.8161
steve at Antero.com
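As an added example (not code from this thread, from FreeBSD, or from the
posters), here is a small Python script that does what the security report
in the thread summarizes by hand: it parses OpenSSH "Failed password" lines,
counts attempts per source address (which accounts were tried, how many were
root, how many were non-existent users), folds the counts into netblocks so
a scanner hopping between addresses in one range shows up as a single
source, and renders block suggestions as ipfw deny rules. The log lines are
constructed for the example, the thresholds and the ipfw rule syntax are
assumptions to be checked against your own firewall, and the /16 folding in
the usage below mirrors the 66.249.6*.* block in the reply above.

```python
import re
import ipaddress

# Constructed sample of FreeBSD-style sshd log lines (made up for this
# example; not from the original post). Two hosts in 66.249.x.x probe root
# and a few guessed account names; one local user mistypes a password.
SAMPLE_LOG = """\
Oct 28 10:02:11 www sshd[4123]: Failed password for root from 66.249.65.12 port 3321 ssh2
Oct 28 10:02:14 www sshd[4125]: Failed password for root from 66.249.65.12 port 3324 ssh2
Oct 28 10:02:19 www sshd[4127]: Failed password for illegal user test from 66.249.65.12 port 3330 ssh2
Oct 28 10:02:23 www sshd[4129]: Failed password for illegal user guest from 66.249.65.12 port 3335 ssh2
Oct 28 10:13:40 www sshd[4201]: Failed password for root from 66.249.66.9 port 1044 ssh2
Oct 28 10:13:44 www sshd[4203]: Failed password for illegal user admin from 66.249.66.9 port 1049 ssh2
Oct 28 10:13:49 www sshd[4205]: Failed password for root from 66.249.66.9 port 1053 ssh2
Oct 28 10:20:02 www sshd[4250]: Accepted publickey for steve from 10.0.0.5 port 51022 ssh2
Oct 28 11:05:31 www sshd[4301]: Failed password for steve from 10.0.0.7 port 40011 ssh2
"""

# Matches OpenSSH "Failed password" lines, including the "illegal user" /
# "invalid user" variants printed for account names that do not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<bad>illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)


def parse_failures(log_text):
    """Return one dict per failed login: ts, user, ip, unknown_user."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({
                "ts": m.group("ts"),
                "user": m.group("user"),
                "ip": m.group("ip"),
                "unknown_user": m.group("bad") is not None,
            })
    return events


def summarize_by_source(events):
    """Per source IP: attempt count, accounts tried, root/unknown-user counts,
    and first/last timestamp seen (in log order)."""
    by_ip = {}
    for e in events:
        info = by_ip.setdefault(e["ip"], {
            "attempts": 0, "users": set(), "root": 0, "unknown_users": 0,
            "first": e["ts"], "last": e["ts"],
        })
        info["attempts"] += 1
        info["users"].add(e["user"])
        if e["user"] == "root":
            info["root"] += 1
        if e["unknown_user"]:
            info["unknown_users"] += 1
        info["last"] = e["ts"]
    return by_ip


def summarize_by_netblock(events, prefix=24):
    """Fold attempts into /prefix networks so a scanner that moves between
    addresses in one block (as described in the thread) is one source."""
    by_net = {}
    for e in events:
        net = str(ipaddress.ip_network(f"{e['ip']}/{prefix}", strict=False))
        info = by_net.setdefault(net, {"attempts": 0, "ips": set()})
        info["attempts"] += 1
        info["ips"].add(e["ip"])
    return by_net


def suggest_blocks(events, per_ip=3, per_net=5, prefix=24):
    """Targets worth blocking: a whole netblock when two or more of its
    addresses together reach per_net attempts, otherwise single IPs that
    reach per_ip. Thresholds are assumed values, not from the thread.
    Returns [(target, attempts), ...] sorted by attempts, highest first."""
    by_ip = summarize_by_source(events)
    by_net = summarize_by_netblock(events, prefix)
    suggestions, covered = [], set()
    for net, info in by_net.items():
        if len(info["ips"]) >= 2 and info["attempts"] >= per_net:
            suggestions.append((net, info["attempts"]))
            covered.update(info["ips"])
    for ip, info in by_ip.items():
        if ip not in covered and info["attempts"] >= per_ip:
            suggestions.append((ip, info["attempts"]))
    suggestions.sort(key=lambda s: (-s[1], s[0]))
    return suggestions


def ipfw_rules(suggestions, first_rule=1000):
    """Render suggestions as ipfw deny rules (rule syntax assumed for
    FreeBSD's ipfw; review before loading on a real firewall)."""
    return [f"ipfw add {first_rule + 10 * i} deny ip from {target} to any"
            for i, (target, _) in enumerate(suggestions)]


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for ip, info in sorted(summarize_by_source(ev).items()):
        print(f"{ip:16} {info['attempts']:3} attempts  users={sorted(info['users'])}"
              f"  root={info['root']}  unknown={info['unknown_users']}"
              f"  {info['first']} .. {info['last']}")
    # Fold to /16 to mirror the 66.249.6*.* block used in the reply above.
    for rule in ipfw_rules(suggest_blocks(ev, prefix=16)):
        print(rule)
```

Run it against a real /var/log/auth.log (or wherever your syslog.conf sends
auth.* messages) by replacing SAMPLE_LOG with the file contents. The
per-source summary answers the question raised in the thread directly: a
handful of attempts spread across root and invented account names from each
of several addresses in one block is a scanner walking an address range,
not a focused attack on one host.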



More information about the freebsd-questions mailing list