Thanks. Right now I'm blocking 66.249.6*.* on the secure server for the cgi script and haven't seen anything for a couple hours. The other intruder is a little slicker and moves around quite a bit. My interest is in the frequency, or lack thereof. Do they attack many sites at once, like spam, hoping to hit on a server that has a dictionary password? Rather than pound one server with all they've got? Distributed hacking? I can't think of another reason why someone would even try to hack into a server by logging in 50-100 times once or twice a week. You can't get root through anything but the console and 50-100 attempts don't cover a lot of password ground on the other accounts, most of which are locked down against shell access anyway.... I'm not really concerned about the activity, it would take eons to hack into anything this way. I'm wondering if there's something going on that I don't know, maybe this is a smoke screen to divert attention from the real threat? It doesn't make a lot of sense....




At 12:32 PM 10/28/2004, Vulpes Velox wrote:
On Thu, 28 Oct 2004 10:39:32 -0600
Steve Suhre <[EMAIL PROTECTED]> wrote:

>
>
> I'm not sure if this is the correct group...but I'm getting some
> weird activity on the network. The security reports will show 50-100
> attempts to login to a server, most as root but some are attempts to
> login to other seemingly random account names. The login attempts
> are through ssh or telnet, all come from the same remote server, and
> all fail. I'm also getting some odd cgi calls to a script on a
> secure ssl server. There's nothing that this particular script could
> do for a hacker, but the script is sent a random string, sometimes
> many times a minute, other times it's every 2 -3 minutes. I grabbed
> the ip address and blocked it, and about 10 minutes later it had
> moved to another ip. I'm now blocking a range of ip's. These don't
> seem like enough iterations to be very successful, the odds are
> overwhelmingly in favor of the server at this rate... Does anyone
> have a clue what might be happening or where I should go to find
> out?

If it is all from a common subnet, I would block it. I would then whois
it to see if there is an abuse addy I could complain to or the like.

Also man login.conf.

Sounds like some jerk singled you out, or is possibly trying it all
on a subnet. Back before moving stuff off common ports, I would get
massive amounts of that crap. It was basically people trying anything in
the college's address space.



--- Steve Suhre Antero web technologies 719.634.8161 [EMAIL PROTECTED]

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
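An added example, not from the thread or from anyone posting in it, of the kind of check a defender could run over sshd log lines to answer the question of how often the failed logins come, from how many sources, and against which accounts. It parses constructed OpenSSH "Failed password" lines, counts failures per source address and per target account, and flags sources that burst within a short window; the log format, the year, the window and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in syslog/OpenSSH format; addresses and names are made up.
SAMPLE_LOG = """\
Oct 28 10:01:03 host sshd[1201]: Failed password for root from 66.249.65.10 port 4422 ssh2
Oct 28 10:01:05 host sshd[1203]: Failed password for root from 66.249.65.10 port 4431 ssh2
Oct 28 10:01:09 host sshd[1207]: Failed password for invalid user test from 66.249.65.10 port 4440 ssh2
Oct 28 10:01:14 host sshd[1210]: Failed password for invalid user admin from 66.249.65.10 port 4452 ssh2
Oct 28 10:12:40 host sshd[1300]: Failed password for root from 66.249.71.9 port 3010 ssh2
Oct 28 10:12:44 host sshd[1302]: Failed password for invalid user guest from 66.249.71.9 port 3018 ssh2
Oct 28 10:30:00 host sshd[1400]: Accepted publickey for steve from 192.0.2.5 port 50100 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user X ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2004):
    """Return a list of (timestamp, user, source_ip) for each failed password line.
    syslog lines carry no year, so one is assumed for the timestamps."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} " + m.group("ts"), "%Y %b %d %H:%M:%S")
            out.append((ts, m.group("user"), m.group("ip")))
    return out

def summarize(failures, window_minutes=10, threshold=3):
    """Count failures per source IP and per target account, and flag any source
    with at least `threshold` failures inside some `window_minutes` window."""
    per_ip = Counter(ip for _, _, ip in failures)
    per_user = Counter(user for _, user, _ in failures)
    by_ip = defaultdict(list)
    for ts, _, ip in failures:
        by_ip[ip].append(ts)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        j, best = 0, 0
        for i in range(len(times)):  # sliding window over sorted timestamps
            while (times[i] - times[j]).total_seconds() > window_minutes * 60:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bursts[ip] = best
    return {"per_ip": per_ip, "per_user": per_user, "bursts": bursts}

if __name__ == "__main__":
    report = summarize(parse_failures(SAMPLE_LOG))
    for ip, n in report["per_ip"].most_common():
        print(f"{ip}: {n} failed logins" + (" (burst)" if ip in report["bursts"] else ""))
```

Feeding the real /var/log/auth.log to parse_failures in place of SAMPLE_LOG shows whether the attempts cluster on one source or are spread across many, which is the difference between one host hammering you and a wider scan.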
