Re: Re: Attacks on ssh port

From: Craig Edwards (
Date: 09/18/04

  • Next message: Michael Sharp: "Re: Re: Attacks on ssh port"
    Date: Sat, 18 Sep 2004 14:05:21 +0100
    To: "Patrick Proniewski" <>, "Willem Jan Withagen" <>, "Liste FreeBSD-security" <freebsd-security@FreeBSD.ORG>

    as ive read this is an attack from some kiddie trying to build a floodnet.

    records show that most of the compromised boxes are linux machines which end up having suckit rootkit and an energymech installed on them, i dont know if the attacker has ever gotten into a freebsd machine and what they'd do if they did.

    On my machines i have a dummy shell which APPEARS to be a successful login but just returns weird errors (such a "Segmentation Fault") or bad data for all commands that are issued, while also logging their commands. im tempted to put this on the 'test' account and let them in on this shell to see what is attempted. just to clarify, if i did such a thing theres no way for them to break out of the shell, right? its a simple perl script, so if the perl script ends, theyre logged off? This is what i expect to happen however i don't want to risk it unless its 100% safe... And just to clarify again all commands that are issued from this fake shell never reach the REAL os, even "uname" returns a redhat 7.2 string when the real machine is actually freebsd 5...


    >On 18 sept. 2004, at 14:18, Willem Jan Withagen wrote:
    >> Hi,
    >> Is there a security problem with ssh that I've missed???
    >> Ik keep getting these hords of: Failed password for root from
    >> port 39239 ssh2
    >> with all kinds of different source addresses.
    >> They have a shot or 15 and then they are of again, but a little later
    >> on they're back and keep clogging my logs.
    >> Is there a "easy" way of getting these ip-numbers added to the
    >> blocking-list of ipfw??
    >not a ssh related problem, it's just a brute force attack, I'm
    >experiencing this on every servers I have, more than 10 times a day.
    >I'm really thinking about releasing the list of attackers IP to the
    >public. As far as I know, it's a pack of compromised machines.
    > mailing list
    >To unsubscribe, send any mail to ""

    _______________________________________________ mailing list
    To unsubscribe, send any mail to ""

  • Next message: Michael Sharp: "Re: Re: Attacks on ssh port"