Need your help

Garrett Cooper youshi10 at u.washington.edu
Sat Apr 28 18:44:40 UTC 2007 

maximo4k wrote:
> Hello freebsd-questions,
> 
> From: Maksym Kuvyklin<maximo4k at gmail.com>
> 
> Subject: I have suspicion that somebody use my server like zombie server.
> 
> Environment:FreeBSD  mail.ukremb.com  5.5-RELEASE  FreeBSD 5.5-RELEASE
> #6:        Mon        Apr       23       14:41:21       EDT       2007
> root at mail.ukremb.com:/usr/obj/usr/src/sys/MYKERNEL i386
> 
> Description:
> Sorry for my pure English. I am new in this community.
> I had detected that somebody tryed to penetrate via ssh into my server.
> When I had changed the port all this attempts were finished. Then server notified
> me about that somebody use my IP address and after that my network adapter had down.
> I had changed it to another one and the server had started work again. I have static IP address.
> But, now my connection is very slow. I have looked throught the logs and I had not
> found any tracks of penetration. Please, help me to solve this problem.

What I'd do is determine from another machine if there's another machine 
trying to spoof your IP, and thus trying to do a man in the middle type 
of attack, knowingly or unknowingly. Contact your ISP or talk with your 
network admin and see if you can get the offender kicked off the network 
IF you are supposed to have a static IP address. If you set the IP 
address statically yourself and you don't manage your network or you 
didn't get the AOK from your network managers, you are IP squatting, 
which isn't a good idea in the first place, and technically you are the 
one at fault for causing this issue.

If not, then you should check your machine for active connections 
(netstat -a -f inet), and see if there's anything out of the ordinary 
that you didn't expect to be running on your PC.

If you still can't determine anything, check /var/log/auth.log -- this 
assumes you're running syslog; syslog can be turned on by going to 
rc.conf, adding SYSLOG_ENABLE="YES" and then running "/etc/rc.d/syslog 
start". After that, see if there are any users logging in that are 
unknown to you, or should not be logging in.

Good things to think about when administering a system though:
1. Use strong passwords.
2. Turn off unnecessary services.
3. Reduce possible sources of entry into your system (ties into 2.).

Cheers and best of luck,

-Garrett

More information about the freebsd-questions mailing list