MORE SSH Hacking: heads-up

Ow Mun Heng Ow.Mun.Heng at wdc.com
Mon Aug 2 19:21:01 UTC 2004


On Fri, 2004-07-30 at 14:17, Jenkins, Jeremiah wrote:
> Not /etc/secure, /var/log/secure.... man, I can tell it's Friday
> 
This was in my logs last night at 11.56pm.

Aug  1 23:56:28 neuromancer sshd[22962]: Illegal user test from 203.185.29.89
Aug  1 23:56:30 neuromancer sshd[22962]: Failed password for illegal user test from 203.185.29.89 port 40688 ssh2
Aug  1 23:56:34 neuromancer sshd[23055]: Illegal user guest from 203.185.29.89
Aug  1 23:56:37 neuromancer sshd[23055]: Failed password for illegal user guest from 203.185.29.89 port 40779 ssh2

whois returned it as an ISP in Hong Kong.


> -----Original Message-----
> From: Jenkins, Jeremiah [mailto:jeremiah.jenkins at neustar.biz]
> Sent: Friday, July 30, 2004 5:16 PM
> To: 'For users of Fedora Core releases'
> Subject: RE: MORE SSH Hacking: heads-up
> 
> 
> What does your /etc/secure log say?
> 
> There are some scripts around the internet now, where they try to log in via
> ssh using "test" and "guest", sometimes with an admin account
> 
> -----Original Message-----
> From: jludwig [mailto:wralphie at comcast.net]
> Sent: Friday, July 30, 2004 4:12 PM
> To: For users of Fedora Core releases
> Subject: Re: MORE SSH Hacking: heads-up
> 
> 
> On Fri, 2004-07-30 at 05:45, Brian Fahrlander wrote:
> >     From last night's LogWatch:
> > --------------------------------------------------------------------------
> > 
> > sshd:
> >    Invalid Users:
> >       Unknown Account: 7 Time(s)
> >    Unknown Entries:
> >       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com  : 2 Time(s)
> >       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=smms-mriley09d.chemistry.uq.edu.au  : 2 Time(s)
> >       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70  : 1 Time(s)
> >       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.97.110.1  : 1 Time(s)
> >       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ccia-062-204-197-193.uned.es  : 1 Time(s)
> > 
> > su:
> >    Sessions Opened:
> >       brian(uid=500) -> root: 1 Time(s)
> > 
> > ------------------------------------------------------------------------
> > 
> >     Ok, guys- what do we do with this?  Should we be writing down the
> > addresses from which these attempts were made? They're probably all
> > 'stooge' addresses, I know, but it might help authorities to know what
> > other machines have been compromised...
> > 
> >     I'll go save the log somewhere...
> > 
> > ------------------------------------------------------------------------
> Search results for: 211.117.191.70 
>         OrgName:    Asia Pacific Network Information Centre
>         OrgID:      APNIC
>         Address:    PO Box 2131
>         City:       Milton
>         StateProv:  QLD
>         PostalCode: 4064
>         Country:    AU
>         
>         ReferralServer: whois://whois.apnic.net
>         
>         NetRange:   210.0.0.0 - 211.255.255.255
>         CIDR:       210.0.0.0/7
>         NetName:    APNIC-CIDR-BLK2
>         NetHandle:  NET-210-0-0-0-1
>         Parent:
>         NetType:    Allocated to APNIC
>         NameServer: NS1.APNIC.NET
>         NameServer: NS3.APNIC.NET
>         NameServer: NS4.APNIC.NET
>         NameServer: NS.RIPE.NET
>         NameServer: TINNIE.ARIN.NET
>         NameServer: DNS1.TELSTRA.NET
>         Comment:    This IP address range is not registered in the ARIN database.
>         Comment:    For details, refer to the APNIC Whois Database via
>         Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
>         Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
>         Comment:    for the Asia Pacific region. APNIC does not operate networks
>         Comment:    using this IP address range and is not able to investigate
>         Comment:    spam or abuse reports relating to these addresses. For more
>         Comment:    help, refer to http://www.apnic.net/info/faq/abuse
>         Comment:
>         RegDate:    1996-07-01
>         Updated:    2004-03-30
>         
>         OrgTechHandle: AWC12-ARIN
>         OrgTechName:   APNIC Whois Contact
>         OrgTechPhone:  +61 7 3858 3100
>         OrgTechEmail:  search-apnic-not-arin at apnic.net
>         
>         # ARIN WHOIS database, last updated 2004-07-29 19:10
>         # Enter ? for additional hints on searching ARIN's WHOIS database.
>         
> -- 
> jludwig <wralphie at comcast.net>
> 
> 
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> 

-- 
Ow Mun Heng
Fedora GNU/Linux Core 2 on D600 1.4Ghz CPU kernel
2.6.7-2.jul1-interactive 
Neuromancer 12:19:27 up 3:38, 5 users, load average: 1.71, 1.38, 1.25 
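As an added example (not code from anyone in this thread), a small Python script that parses sshd log lines in the format posted above, aggregates "Illegal user" and "Failed password" events per source address, and flags sources that probe the scan accounts Jeremiah mentions (test, guest, admin) or cross a failure threshold. The hostname, PIDs, timestamps and addresses in the sample are constructed (addresses from documentation ranges), not real hosts.

```python
import re
from collections import defaultdict

# Constructed sample in the same syslog/sshd format as the lines posted in the thread.
SAMPLE_LOG = """\
Aug  1 23:56:28 neuromancer sshd[22962]: Illegal user test from 203.0.113.10
Aug  1 23:56:30 neuromancer sshd[22962]: Failed password for illegal user test from 203.0.113.10 port 40688 ssh2
Aug  1 23:56:34 neuromancer sshd[23055]: Illegal user guest from 203.0.113.10
Aug  1 23:56:37 neuromancer sshd[23055]: Failed password for illegal user guest from 203.0.113.10 port 40779 ssh2
Aug  1 23:57:02 neuromancer sshd[23101]: Illegal user admin from 203.0.113.10
Aug  1 23:57:05 neuromancer sshd[23101]: Failed password for illegal user admin from 203.0.113.10 port 40801 ssh2
Aug  2 00:10:11 neuromancer sshd[23300]: Failed password for brian from 198.51.100.7 port 51022 ssh2
Aug  2 00:10:20 neuromancer sshd[23300]: Accepted password for brian from 198.51.100.7 port 51022 ssh2
"""

# "Illegal user X from IP" is logged once per unknown account; the matching
# "Failed password" line follows and may or may not carry the "illegal user" prefix.
ILLEGAL_RE = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\S+)")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:illegal user )?(\S+) from (\S+) port \d+")

def summarize_failures(log_text):
    """Return {source_ip: {"usernames": set, "failed": int, "illegal": int}}."""
    summary = defaultdict(lambda: {"usernames": set(), "failed": 0, "illegal": 0})
    for line in log_text.splitlines():
        m = ILLEGAL_RE.search(line)
        if m:
            user, ip = m.groups()
            summary[ip]["illegal"] += 1
            summary[ip]["usernames"].add(user)
            continue
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            summary[ip]["failed"] += 1
            summary[ip]["usernames"].add(user)
    return dict(summary)

def suspicious_sources(log_text, min_failures=3, probe_accounts=("test", "guest", "admin")):
    """Sources that exceed min_failures or try any of the well-known scanner accounts."""
    flagged = {}
    for ip, s in summarize_failures(log_text).items():
        probed = s["usernames"] & set(probe_accounts)
        if s["failed"] >= min_failures or probed:
            flagged[ip] = {"failed": s["failed"], "probed_accounts": sorted(probed)}
    return flagged

if __name__ == "__main__":
    for ip, info in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['failed']} failed logins, probed accounts {info['probed_accounts']}")
```

Point it at /var/log/secure (or the LogWatch output) instead of SAMPLE_LOG to get the per-source list Brian was asking about; a single failed login from a known user, as with brian above, is not flagged.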