Re: Re: Attacks on ssh port

From: Craig Edwards (
Date: 09/18/04

  • Next message: Michael Sharp: "Re: Re: Attacks on ssh port"
    Date: Sat, 18 Sep 2004 14:05:21 +0100
    To: "Patrick Proniewski" <>, "Willem Jan Withagen" <>, "Liste FreeBSD-security" <freebsd-security@FreeBSD.ORG>

    As I've read, this is an attack from some kiddie trying to build a floodnet.

    Records show that most of the compromised boxes are Linux machines which end up having the SucKIT rootkit and an EnergyMech installed on them. I don't know if the attacker has ever gotten into a FreeBSD machine, or what they'd do if they did.

    On my machines I have a dummy shell which APPEARS to be a successful login but just returns weird errors (such as "Segmentation Fault") or bad data for all commands that are issued, while also logging their commands. I'm tempted to put this on the 'test' account and let them in on this shell to see what is attempted. Just to clarify, if I did such a thing there's no way for them to break out of the shell, right? It's a simple Perl script, so if the Perl script ends, they're logged off? This is what I expect to happen; however, I don't want to risk it unless it's 100% safe... And just to clarify again, all commands that are issued from this fake shell never reach the REAL OS; even "uname" returns a Red Hat 7.2 string when the real machine is actually FreeBSD 5...


    >On 18 Sept. 2004, at 14:18, Willem Jan Withagen wrote:
    >> Hi,
    >> Is there a security problem with ssh that I've missed???
    >> I keep getting these hordes of: Failed password for root from
    >> port 39239 ssh2
    >> with all kinds of different source addresses.
    >> They have a shot or 15 and then they are off again, but a little later
    >> on they're back and keep clogging my logs.
    >> Is there an "easy" way of getting these IP numbers added to the
    >> blocking-list of ipfw??
    >Not an ssh-related problem, it's just a brute force attack. I'm
    >experiencing this on every server I have, more than 10 times a day.
    >I'm really thinking about releasing the list of attackers' IPs to the
    >public. As far as I know, it's a pack of compromised machines.

    _______________________________________________ mailing list
    To unsubscribe, send any mail to ""
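The log scanning Willem asks for in the quoted message, as an added example that is not part of the original thread or anyone's posted script. It reads sshd's "Failed password" lines (both the plain form quoted above and the "invalid user ..." form sshd emits for accounts that do not exist), counts attempts per source address, and prints ipfw commands that load the busiest sources into an ipfw lookup table. The table number, the threshold, the hypothetical script name and the sample log excerpt are all constructed for this example.

```python
"""Turn sshd "Failed password" log lines into ipfw table entries.
Added example for the thread above, not code from the original posters."""
import re
import sys
from collections import Counter

# Both shapes sshd logs for a rejected password:
#   Failed password for root from 192.0.2.7 port 39239 ssh2
#   Failed password for invalid user test from 192.0.2.7 port 40012 ssh2
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed auth-log excerpt, not real traffic: one host hammering root and
# two guessed accounts, one host with a couple of attempts, one good login.
SAMPLE_LOG = [
    "Sep 18 14:05:21 gw sshd[812]: Failed password for root from 192.0.2.7 port 39239 ssh2",
    "Sep 18 14:05:23 gw sshd[813]: Failed password for root from 192.0.2.7 port 39240 ssh2",
    "Sep 18 14:05:25 gw sshd[814]: Failed password for root from 192.0.2.7 port 39241 ssh2",
    "Sep 18 14:05:27 gw sshd[815]: Failed password for invalid user test from 192.0.2.7 port 39242 ssh2",
    "Sep 18 14:05:29 gw sshd[816]: Failed password for invalid user guest from 192.0.2.7 port 39243 ssh2",
    "Sep 18 14:05:31 gw sshd[817]: Failed password for root from 192.0.2.7 port 39244 ssh2",
    "Sep 18 14:09:02 gw sshd[820]: Failed password for root from 198.51.100.9 port 51002 ssh2",
    "Sep 18 14:09:04 gw sshd[821]: Failed password for root from 198.51.100.9 port 51003 ssh2",
    "Sep 18 14:12:40 gw sshd[825]: Accepted publickey for craig from 203.0.113.4 port 50123 ssh2",
]


def count_failures(lines):
    """Count failed-password attempts per source address."""
    hits = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def offenders(lines, threshold=5):
    """Addresses with at least `threshold` failures, busiest first.
    The threshold is a tunable guess; the attackers in the thread fire
    roughly fifteen attempts per visit, so 5 is comfortably below that."""
    return [ip for ip, n in count_failures(lines).most_common() if n >= threshold]


def ipfw_commands(ips, table=1):
    """ipfw commands that add each address to lookup table `table`
    (table number 1 is an assumption made for this example)."""
    return [f"ipfw table {table} add {ip}" for ip in ips]


if __name__ == "__main__":
    # Pipe a real log in, or run with no input to use the constructed sample:
    #   python3 sshblock.py < /var/log/auth.log | sh      (hypothetical file name)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for cmd in ipfw_commands(offenders(source)):
        print(cmd)
```

The table only bites once a rule consumes it, for instance `ipfw add 100 deny tcp from table(1) to me 22` (rule and table numbers are assumptions; pick ones that fit the existing ruleset). Inspect the generated list before piping it into `sh`, since an address you log in from with a mistyped password will land in it just as readily. As Patrick notes, the sources are compromised machines, so the list churns; disabling password authentication for root (or altogether, in favour of keys) removes the risk rather than just the log noise.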
