On Thu, 28 Oct 2004 10:39:32 -0600 Steve Suhre <[EMAIL PROTECTED]> wrote:
> I'm not sure if this is the correct group...but I'm getting some
> weird activity on the network. The security reports will show 50-100
> attempts to login to a server, most as root but some are attempts to
> login to other seemingly random account names. The login attempts
> are through ssh or telnet, all come from the same remote server, and
> all fail. I'm also getting some odd cgi calls to a script on a
> secure ssl server. There's nothing that this particular script could
> do for a hacker, but the script is sent a random string, sometimes
> many times a minute, other times it's every 2-3 minutes. I grabbed
> the IP address and blocked it, and about 10 minutes later it had
> moved to another IP. I'm now blocking a range of IPs. These don't
> seem like enough iterations to be very successful, the odds are
> overwhelmingly in favor of the server at this rate... Does anyone
> have a clue what might be happening or where I should go to find
> out?

If it is all from a common subnet, I would block it. I would then whois to see if there is an abuse addy I could complain to or the like.

Also man login.conf.

Sounds like some jerk singled you out or is possibly trying it all on a subnet. Back before moving stuff off common ports, I would get massive amounts of that crap. It was basically ppl trying anything in the college's address space.

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
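
The "common subnet" check suggested in the reply, as an added example that is not part of the original thread: it counts failed sshd password attempts per source and reports a /24 when several sources share one, otherwise the single host. The log lines are constructed, and the /24 grouping, the two-source threshold and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in OpenSSH's syslog format (documentation address ranges).
SAMPLE_LOG = """\
Oct 28 10:12:01 www sshd[4101]: Failed password for root from 192.0.2.15 port 40022 ssh2
Oct 28 10:12:09 www sshd[4107]: Failed password for illegal user test from 192.0.2.15 port 40040 ssh2
Oct 28 10:22:40 www sshd[4150]: Failed password for invalid user guest from 192.0.2.77 port 51200 ssh2
Oct 28 10:30:02 www sshd[4170]: Accepted publickey for steve from 198.51.100.9 port 50111 ssh2
Oct 28 11:05:13 www sshd[4200]: Failed password for root from 203.0.113.8 port 33901 ssh2
Oct 28 11:05:20 www sshd[4203]: Failed password for invalid user x from 198.51.100.9 port 1 ssh2 from 203.0.113.8 port 33950 ssh2
"""

# The user name is chosen by the client, so it can contain " from <ip> port <n>".
# Greedy (.*) plus the end-of-line anchor keeps the address sshd itself wrote last.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?(.*)"
    r" from (\S+) port \d+(?: ssh\d)?\s*$"
)

def failed_logins(log_text):
    """Yield (user, IPv4Address) for each failed sshd password attempt."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            yield m.group(1), ipaddress.IPv4Address(m.group(2))  # IPv4 only
        except ValueError:
            continue  # not an IPv4 literal; skip rather than guess

def block_candidates(log_text, prefix=24, min_hosts=2):
    """Return [(target, attempts, sources)], busiest first; prefix is an assumption."""
    nets = defaultdict(lambda: [0, set()])
    for _user, ip in failed_logins(log_text):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[net][0] += 1
        nets[net][1].add(ip)
    rows = []
    for net, (attempts, hosts) in nets.items():
        # Several sources in one subnet: report the range. One source: the host.
        target = str(net) if len(hosts) >= min_hosts else f"{min(hosts)}/32"
        rows.append((target, attempts, len(hosts)))
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for target, attempts, hosts in block_candidates(SAMPLE_LOG):
        print(f"{target:18} failed={attempts} sources={hosts}")
```

The last sample line carries a user name that imitates a log suffix; the parser still attributes it to 203.0.113.8, so the address that logged in legitimately never becomes a block candidate.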