hack attempt on my server...What do you do about this?

David Gavin dgavin at davegavin.com
Sat Jul 17 20:15:41 UTC 2004


Before you send a complaint to RIPE, you should know that they are the
Internet governing body for Europe - (Réseaux IP Européens). Check with
http://www.ripe.net/perl/whois and you'll find that the IP range actually
is assigned to:

route:        130.120.0.0/16
descr:        RENATER
descr:        Universite Pierre et Marie Curie
descr:        4 place Jussieu 75252 PARIS CEDEX 05
descr:        FRANCE
origin:       AS2200
mnt-by:       RENATER-MNT
changed:      RenSVP at Renater.fr 19991008
source:       RIPE

person:       Dominique Incerti
address:      Centre Interuniversitaire de Calcul de Toulouse
address:      118, route de Narbonne
address:      F-31062 Toulouse CEDEX, France
e-mail:       incerti at cict.fr
phone:        +33 5 61 36 60 12
fax-no:       +33 5 61 52 14 58
nic-hdl:      DI10-RIPE
mnt-by:       RENATER-MNT
changed:      rensvp at renater.fr 19961125
changed:      rensvp at renater.fr 20030326
source:       RIPE

So it's probably some script kiddie with a French accent.....  and
incerti at cict.fr may well be interested in knowing that they have been
rattling your doorknob.

Dave Gavin



Thomas Sapp said:
> Honestly, I would forward the logfile that you got that from, with
> non-pertinent info removed of course, to abuse at ripe.net.  The reason I
> say this is because of the following information:
>
> 130.120.81.14 Record Type:   IP Address
>
> OrgName:    RIPE Network Coordination Centre
> OrgID:      RIPE
> Address:    Singel 258
> Address:    1016 AB
> City:       Amsterdam
> StateProv:
> PostalCode:
> Country:    NL
>
> ReferralServer: whois://whois.ripe.net:43
>
> NetRange:   130.120.0.0 - 130.120.255.255
> CIDR:       130.120.0.0/16
> NetName:    RIPE-ERX-130-120-0-0
> NetHandle:  NET-130-120-0-0-1
> Parent:     NET-130-0-0-0-0
> NetType:    Early Registrations, Transferred to RIPE NCC
> Comment:    These addresses have been further assigned to users in
> Comment:    the RIPE NCC region. Contact information can be found in
> Comment:    the RIPE database at http://www.ripe.net/whois
> RegDate:    2003-11-12
> Updated:    2004-03-02
>
> Which I obtained from a whois query.  No guarantee that anything will
> become of the report but it's always better to be safe than sorry.
>
> On Sat, 2004-07-17 at 12:40, Jonathan T. Steadman wrote:
>> Sorry this is yet another lame question, but I am new to hosting web
>> server etc. just kinda experimenting actually and in my logs I came
>> across some garbage (it's at the bottom of this email) what do you do
>> about this?  Just let it be? inform ISP?  wait and see if it is more
>> continuous?  don't know the proper thing to do I guess just making sure
>> with you guys.
>>
>> Jul 17 14:42:24 localhost sshd[6746]: Illegal user test from
>> 130.120.81.14
>> Jul 17 14:42:26 localhost sshd[6746]: Failed password for illegal user
>> test from 130.120.81.14 port 48692 ssh2
>> Jul 17 14:42:27 localhost sshd[6748]: Illegal user guest from
>> 130.120.81.14
>> Jul 17 14:42:30 localhost sshd[6748]: Failed password for illegal user
>> guest from 130.120.81.14 port 48753 ssh2
>> Jul 17 14:42:31 localhost sshd[6750]: Illegal user admin from
>> 130.120.81.14
>> Jul 17 14:42:33 localhost sshd[6750]: Failed password for illegal user
>> admin from 130.120.81.14 port 48807 ssh2
>> Jul 17 14:42:34 localhost sshd[6752]: Illegal user admin from
>> 130.120.81.14
>> Jul 17 14:42:37 localhost sshd[6752]: Failed password for illegal user
>> admin from 130.120.81.14 port 48849 ssh2
>> Jul 17 14:42:38 localhost sshd[6754]: Illegal user user from
>> 130.120.81.14
>> Jul 17 14:42:40 localhost sshd[6754]: Failed password for illegal user
>> user from 130.120.81.14 port 48879 ssh2
>> Jul 17 14:42:43 localhost sshd[6756]: Failed password for root from
>> 130.120.81.14 port 48900 ssh2
>> Jul 17 14:42:47 localhost sshd[6758]: Failed password for root from
>> 130.120.81.14 port 48913 ssh2
>> Jul 17 14:42:50 localhost sshd[6760]: Failed password for root from
>> 130.120.81.14 port 48924 ssh2
>> Jul 17 14:42:51 localhost sshd[6762]: Illegal user test from
>> 130.120.81.14
>> Jul 17 14:42:54 localhost sshd[6762]: Failed password for illegal user
>> test from 130.120.81.14 port 48931 ssh2
> --
> Thanks,
> Tom Sapp
> http://www.sappsworld.com
>
>
>
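One way to condense sshd lines like those quoted above into per-source evidence before sending them to a network's abuse contact, as an added example that is not part of the original thread. It assumes the syslog wording shown in the quoted log; the sample lines, the documentation-range addresses, the function name `summarize` and the five-failures-in-a-minute threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format quoted in the thread (old OpenSSH
# wording "illegal user"); addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jul 17 14:42:24 localhost sshd[6746]: Illegal user test from 192.0.2.10
Jul 17 14:42:26 localhost sshd[6746]: Failed password for illegal user test from 192.0.2.10 port 48692 ssh2
Jul 17 14:42:30 localhost sshd[6748]: Failed password for illegal user guest from 192.0.2.10 port 48753 ssh2
Jul 17 14:42:33 localhost sshd[6750]: Failed password for illegal user admin from 192.0.2.10 port 48807 ssh2
Jul 17 14:42:43 localhost sshd[6756]: Failed password for root from 192.0.2.10 port 48900 ssh2
Jul 17 14:42:47 localhost sshd[6758]: Failed password for root from 192.0.2.10 port 48913 ssh2
Jul 17 15:10:02 localhost sshd[6801]: Accepted password for jon from 198.51.100.7 port 50122 ssh2
Jul 17 16:03:11 localhost sshd[6900]: Failed password for jon from 198.51.100.7 port 50410 ssh2
"""

FAILED = re.compile(  # newer OpenSSH releases log "invalid user" instead
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<illegal>illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def summarize(log_text, year=2004, threshold=5, window=timedelta(minutes=1)):
    """Group failed SSH logins by source IP; flag bursts of password guessing."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:  # syslog lines carry no year, so the caller supplies one
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            by_ip[m["ip"]].append((when, m["user"], bool(m["illegal"]), line))
    report = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[0])
        times = [h[0] for h in hits]
        # Sliding window: do any `threshold` consecutive failures fit in `window`?
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        report[ip] = {
            "failures": len(hits),
            "users": sorted({h[1] for h in hits}),
            "unknown_accounts": sorted({h[1] for h in hits if h[2]}),
            "guessing": burst,
            "evidence": [h[3] for h in hits],  # only the lines for this source
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info["failures"], info["users"], "guessing" if info["guessing"] else "isolated")
```

The `evidence` list holds only the failed-login lines for one source, which is the trimmed extract to attach to a report; a single mistyped password from a known user stays below the threshold and is not flagged.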




