increasing failed sshd logins/clearing breadcrumb trails

John DeStefano deesto at
Tue Sep 14 19:15:44 PDT 2004

I've noticed a few posts over the past week or so regarding users'
servers being probed by remote ssh attempts.  Coincidentally (or
perhaps not so), around that time, I began getting quite a few records
of such attempts to my server, at the rate of about 3 tries per IP, and
about three IPs per night.  Unfortunately, last night (Mon Sep 13),
this attack was much more concentrated and persistent: someone from (or
spoofing from) one IP ( hammered my server with login
attempts over a 20-minute period.  The last report I got was a final,
failed root password at 20:22:13 Eastern Time (GMT-5:00).

I just read this record and logged into my server, and ran "last",
which gave me a blank record, saying only:

wtmp begins Tue Sep 14 22:01:55 EDT 2004

...which happened to be the exact time I just logged into my server. 
I'm wondering if it is a normal clean-up occurrance for the 'last' log
to turn over at a certain time/date, or if this ssh-er finally got into
my system and cleaned up his/her tracks?  I realize the power of  one
who has root privelages, but what logs would they have wiped out to
remain invisible, and what others might I have a possible chance of
looking at to determine what happened?

Do you Yahoo!?
Declare Yourself - Register online to vote today!

More information about the freebsd-questions mailing list