increasing failed sshd logins/clearing breadcrumb trails
deesto at yahoo.com
Tue Sep 14 19:15:44 PDT 2004
I've noticed a few posts over the past week or so regarding users'
servers being probed by remote ssh attempts. Coincidentally (or
perhaps not so), around that time, I began getting quite a few records
of such attempts to my server, at the rate of about 3 tries per IP, and
about three IPs per night. Unfortunately, last night (Mon Sep 13),
this attack was much more concentrated and persistent: someone from (or
spoofing from) one IP (126.96.36.199) hammered my server with login
attempts over a 20-minute period. The last report I got was a final,
failed root password at 20:22:13 Eastern Time (GMT-5:00).
I just read this record and logged into my server, and ran "last",
which gave me a blank record, saying only:
wtmp begins Tue Sep 14 22:01:55 EDT 2004
...which happened to be the exact time I just logged into my server.
I'm wondering if it is a normal clean-up occurrence for the 'last' log
to turn over at a certain time/date, or if this ssh-er finally got into
my system and cleaned up his/her tracks? I realize the power of one
who has root privileges, but what logs would they have wiped out to
remain invisible, and what others might I have a possible chance of
looking at to determine what happened?
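Added example (not part of the original post): one way to check sshd syslog records for the pattern described above, counting failed logins per source IP inside a 20-minute window and flagging any accepted login from an IP that failed earlier. The log lines are constructed samples using documentation addresses, the "Failed/Accepted password ... from IP port N" wording is the usual OpenSSH syslog format, and the year is an assumed parameter because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the post): a slow probe, a 12-attempt burst
# inside 20 minutes, a login from the burst IP, and an unrelated admin login.
_t0 = datetime(2004, 9, 13, 20, 2, 13)
SAMPLE_LOG = "\n".join(
    [f"Sep 12 03:10:0{i} host sshd[110{i}]: Failed password for illegal user test "
     f"from 192.0.2.44 port 330{i} ssh2" for i in range(3)]
    + [f"{_t0 + timedelta(seconds=100 * i):%b %d %H:%M:%S} host sshd[{2000 + i}]: "
       f"Failed password for root from 198.51.100.7 port {40000 + i} ssh2" for i in range(12)]
    + ["Sep 13 20:25:00 host sshd[2100]: Accepted password for root from 198.51.100.7 port 40100 ssh2",
       "Sep 14 22:01:55 host sshd[3001]: Accepted password for admin from 203.0.113.5 port 5000 ssh2"])

# Older OpenSSH logs "illegal user", newer releases log "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse(text, year=2004):
    """Return (timestamp, result, user, ip) for each sshd auth record."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def summarize(events, burst=10, window=timedelta(minutes=20)):
    """Flag IPs with >= burst failures in any window, and logins after failures."""
    fails = defaultdict(list)
    report = {"bursts": {}, "accepted_after_failures": []}
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            fails[ip].append(ts)
        elif fails.get(ip):  # accepted login from an IP that failed earlier
            report["accepted_after_failures"].append((ip, user, ts))
    for ip, times in fails.items():
        # Peak number of failures from this IP inside any sliding window.
        peak = max(sum(1 for t in times[i:] if t - times[i] <= window)
                   for i in range(len(times)))
        if peak >= burst:
            report["bursts"][ip] = peak
    return report

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```

The result is only as trustworthy as the log it reads: records kept on the same host can be edited by anyone with root, so a copy forwarded to another machine is the one to rely on.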