misc/112207: I have a suspicion that somebody is using my server as a zombie server.

Jerry McAllister jerrymc at msu.edu
Sat Apr 28 17:02:49 UTC 2007

On Sat, Apr 28, 2007 at 02:07:32PM +0000, Maksym Kuvyklin wrote:

> >Synopsis:       I have a suspicion that somebody is using my server as a zombie server.
> >Arrival-Date:   Sat Apr 28 14:20:04 GMT 2007
> >Originator:     Maksym Kuvyklin
> >Release:        FreeBSD 5.5 STABLE
> >Environment:
> FreeBSD mail.ukremb.com 5.5-RELEASE FreeBSD 5.5-RELEASE #6: Mon Apr 23 14:41:21 EDT 2007     root at mail.ukremb.com:/usr/obj/usr/src/sys/MYKERNEL  i386
> >Description:
> Sorry for my poor English. I am new to this community.
> I detected that somebody tried to penetrate my server via ssh. When I changed the port, all these attempts stopped. Then the server notified me that somebody was using my IP address, and after that my network adapter went down. I changed it to another one and the server started working again. I have a static IP address. But now my connection is very slow. I have looked through the logs and have not found any traces of penetration. Please help me to solve this problem.

I took the liberty of making a response and redirecting this to the questions list.
I hope that is OK.

I am not a network security expert, so if someone tells you better,
then go with their information.  But...

Someone is always trying to penetrate ssh on systems.  They go around
and scan every machine they can find with a common list of IDs.  You
can put in place some blocking software or firewalls to prevent those
scans from getting to your machine, but it might not be all that meaningful.

As for a warning that some other machine is using your IP address,
this can be possible if some other machine is badly configured.  It
can be a lot of work to track down that machine, but that is the only
way to fix it.  It is possible that another machine may be using your
IP address to try and steal information, or use your address to either
spam or attack others.  Or it may be just someone who is either
incompetent or lazy in setting up their system.  It is hard to
tell without more examination.  Definitely something like that can
cause your network traffic to be very slow.

If you are lucky, that machine using your IP will be physically near
you and can be tracked down.   Maybe some other people can help with
hints on how to do it.

Anyway, it may, but does not necessarily, indicate that your machine
has been broken into.  If you cannot find any other signs, then maybe
you are lucky and the whole problem is external to your machine.  But
you do need to track down that bad machine using your IP and shut it down.

Good luck,
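The reply above says ssh scanning with a list of common user IDs is constant background noise and that a firewall can keep the scanners out. The following is an added example, not code from the thread or from FreeBSD, showing how a practitioner would triage that noise: it reads sshd "Failed password" lines, counts attempts per source address, and emits (but does not run) the pfctl commands that would add repeat offenders to a pf table. The log lines are constructed in the shape sshd writes to /var/log/auth.log, the addresses are documentation ranges, and the table name "sshbrute" is an assumption; for the emitted commands to do anything, pf.conf would need a matching `table <sshbrute> persist` and a `block in quick from <sshbrute>` rule.

```shell
#!/bin/sh
# Added example (not from the thread): count failed ssh logins per source
# and produce pf table-add commands for sources over a threshold.
# The log lines below are constructed, not taken from the reporter's host;
# "sshbrute" is an assumed pf table name.

SAMPLE_AUTH_LOG='Apr 28 13:01:02 mail sshd[1234]: Failed password for root from 203.0.113.5 port 4321 ssh2
Apr 28 13:01:05 mail sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 4322 ssh2
Apr 28 13:01:09 mail sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 4323 ssh2
Apr 28 13:02:11 mail sshd[1240]: Failed password for invalid user oracle from 198.51.100.7 port 5110 ssh2
Apr 28 13:05:30 mail sshd[1250]: Accepted publickey for maksym from 192.0.2.10 port 50022 ssh2
Apr 28 13:06:01 mail sshd[1251]: Failed password for maksym from 192.0.2.10 port 50023 ssh2'

# Read log lines on stdin; print "<count> <ip>" per source, highest first.
# Only "Failed password" records from sshd are counted; the address is the
# token after "from", so "invalid user" and plain user forms both work.
count_failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the source addresses with at least $1 failed attempts.
offenders_over_threshold() {
    threshold="$1"
    count_failed_logins | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Emit the pfctl commands that would add each offender to the assumed
# "sshbrute" table.  They are printed, not executed, so an operator can
# review them before applying.
pf_block_commands() {
    offenders_over_threshold "$1" | while read -r ip; do
        printf 'pfctl -t sshbrute -T add %s\n' "$ip"
    done
}

# Demo run over the constructed sample: sources with 3 or more failures.
printf '%s\n' "$SAMPLE_AUTH_LOG" | pf_block_commands 3
```

Run against a real system with `pf_block_commands 10 < /var/log/auth.log` (or feed it from `tail -F`); the threshold should be high enough that a legitimate user mistyping a password, like the last constructed line above, does not lock themselves out.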

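The reply's main point is that another host on the segment is answering for the server's IP address, and that finding that host is the only real fix. The warning the reporter saw is the FreeBSD kernel's own "arp: <mac> is using my IP address <ip> on <if>!" message, which already names the offending MAC; the rest of the hunt is usually done with `tcpdump -e -n arp`. The following is an added example, not code from the thread or from FreeBSD, that pulls the foreign MAC out of both sources: it lists every MAC answering ARP for the server's address other than the server's own, flags gratuitous ARP announcements of that address from another MAC, and reports any IP on the segment answered by more than one MAC. The capture lines are constructed in the style of a modern `tcpdump -e -n` ARP dump, the kernel lines are constructed in the form of the FreeBSD warning, and MY_IP, MY_MAC and the interface name em0 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find hosts answering ARP for an
# address that is not theirs.  All input lines below are constructed;
# addresses are documentation ranges and locally invented MACs.

MY_IP="192.0.2.10"          # assumed: this server's static address
MY_MAC="00:11:22:33:44:55"  # assumed: this server's own interface MAC

# Constructed capture in the style of `tcpdump -e -n -i em0 arp`.
# Fields: timestamp, source MAC, ">", dest MAC, ..., "Request who-has X tell Y"
# or "Reply X is-at MAC".
SAMPLE_ARP_CAPTURE='13:10:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.10
13:10:01.000500 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 60: Reply 192.0.2.1 is-at 00:aa:bb:cc:dd:01
13:10:02.000001 00:aa:bb:cc:dd:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.10 tell 192.0.2.1
13:10:02.000300 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.10 is-at 00:11:22:33:44:55
13:10:02.000900 00:de:ad:be:ef:99 > 00:aa:bb:cc:dd:01, ethertype ARP (0x0806), length 60: Reply 192.0.2.10 is-at 00:de:ad:be:ef:99
13:10:05.000001 00:de:ad:be:ef:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.10 tell 192.0.2.10'

# Constructed /var/log/messages lines in the form of the FreeBSD kernel warning.
SAMPLE_MESSAGES='Apr 28 13:10:02 mail kernel: arp: 00:de:ad:be:ef:99 is using my IP address 192.0.2.10 on em0!
Apr 28 13:10:05 mail kernel: arp: 00:de:ad:be:ef:99 is using my IP address 192.0.2.10 on em0!'

# Every (ip, mac) pair seen in ARP replies on stdin, deduplicated.
arp_reply_pairs() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "is-at") { print $(i-1), $(i+1); break } }' | sort -u
}

# MACs other than ours that answer ARP replies for MY_IP.
foreign_claims_for_my_ip() {
    arp_reply_pairs | awk -v ip="$MY_IP" -v mac="$MY_MAC" '$1 == ip && $2 != mac { print $2 }'
}

# A request whose sender and target address are the same is a gratuitous
# ARP announcement; report any announcement of MY_IP from a foreign MAC.
gratuitous_claims_for_my_ip() {
    awk -v ip="$MY_IP" -v mac="$MY_MAC" '
        / who-has / {
            for (i = 1; i <= NF; i++) if ($i == "who-has") { tgt = $(i+1); snd = $(i+3) }
            if (tgt == ip && snd == ip && $2 != mac) print $2
        }' | sort -u
}

# The offending MAC as named by the kernel's own warning line.
kernel_conflict_macs() {
    awk '/is using my IP address/ {
            for (i = 1; i <= NF; i++) if ($i == "arp:") { print $(i+1); break }
         }' | sort -u
}

# Any address answered by more than one MAC, whoever owns it; this also
# catches a misconfigured neighbour that is not claiming our address.
ips_with_multiple_macs() {
    arp_reply_pairs | awk '{ n[$1]++ } END { for (ip in n) if (n[ip] > 1) print ip }'
}

# Demo run over the constructed samples.
echo "MACs claiming $MY_IP in ARP replies (other than $MY_MAC):"
printf '%s\n' "$SAMPLE_ARP_CAPTURE" | foreign_claims_for_my_ip
echo "MACs named by kernel 'is using my IP address' warnings:"
printf '%s\n' "$SAMPLE_MESSAGES" | kernel_conflict_macs
```

On a live system, `tcpdump -e -n -l -i em0 arp | foreign_claims_for_my_ip` gives the foreign MAC as it answers; the first three octets identify the vendor, and the switch's MAC address table (or `arp -an` on other hosts) then says which port it sits on. A MAC that keeps changing, or one that answers for several addresses, points at deliberate ARP spoofing rather than a misconfigured neighbour.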
