MORE SSH Hacking: heads-up

Jenkins, Jeremiah jeremiah.jenkins at neustar.biz
Fri Jul 30 21:15:56 UTC 2004


What does your /etc/secure log say?

There are some scripts around the internet now that try to log in via
ssh using "test" and "guest", and sometimes an admin account.

-----Original Message-----
From: jludwig [mailto:wralphie at comcast.net]
Sent: Friday, July 30, 2004 4:12 PM
To: For users of Fedora Core releases
Subject: Re: MORE SSH Hacking: heads-up


On Fri, 2004-07-30 at 05:45, Brian Fahrlander wrote:
>     From last night's LogWatch:
> --------------------------------------------------------------------------
> 
> sshd:
>    Invalid Users:
>       Unknown Account: 7 Time(s)
>    Unknown Entries:
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=johnstongrain.com  : 2 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=smms-mriley09d.chemistry.uq.edu.au  : 2 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=211.117.191.70  : 1 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=216.97.110.1  : 1 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=ccia-062-204-197-193.uned.es  : 1 Time(s)
> 
> su:
>    Sessions Opened:
>       brian(uid=500) -> root: 1 Time(s)
> 
> ------------------------------------------------------------------------
> 
>     Ok, guys- what do we do with this?  Should we be writing down the
> addresses from which these attempts were made? They're probably all
> 'stooge' addresses, I know, but it might help authorities to know what
> other machines have been compromised...
> 
>     I'll go save the log somewhere...
> 
> ------------------------------------------------------------------------
Search results for: 211.117.191.70 
        OrgName:    Asia Pacific Network Information Centre
        OrgID:      APNIC
        Address:    PO Box 2131
        City:       Milton
        StateProv:  QLD
        PostalCode: 4064
        Country:    AU
        
        ReferralServer: whois://whois.apnic.net
        
        NetRange:   210.0.0.0 - 211.255.255.255
        CIDR:       210.0.0.0/7
        NetName:    APNIC-CIDR-BLK2
        NetHandle:  NET-210-0-0-0-1
        Parent:
        NetType:    Allocated to APNIC
        NameServer: NS1.APNIC.NET
        NameServer: NS3.APNIC.NET
        NameServer: NS4.APNIC.NET
        NameServer: NS.RIPE.NET
        NameServer: TINNIE.ARIN.NET
        NameServer: DNS1.TELSTRA.NET
        Comment:    This IP address range is not registered in the ARIN database.
        Comment:    For details, refer to the APNIC Whois Database via
        Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
        Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
        Comment:    for the Asia Pacific region. APNIC does not operate networks
        Comment:    using this IP address range and is not able to investigate
        Comment:    spam or abuse reports relating to these addresses. For more
        Comment:    help, refer to http://www.apnic.net/info/faq/abuse
        Comment:
        RegDate:    1996-07-01
        Updated:    2004-03-30
        
        OrgTechHandle: AWC12-ARIN
        OrgTechName:   APNIC Whois Contact
        OrgTechPhone:  +61 7 3858 3100
        OrgTechEmail:  search-apnic-not-arin at apnic.net
        
        # ARIN WHOIS database, last updated 2004-07-29 19:10
        # Enter ? for additional hints on searching ARIN's WHOIS database.
        
-- 
jludwig <wralphie at comcast.net>


-- 
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
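The check asked for above ("what does your secure log say?"), as an added example that is not part of the original thread or of any Fedora tool: a small Python script that reads sshd lines in the /var/log/secure format of that period, counts failures per remote host and per account name, and flags hosts that either hammered the box or probed the throwaway names ("test", "guest", "admin") mentioned in the reply. The sample log is constructed for the example: the remote hosts are the ones in the quoted LogWatch report, while the timestamps, PIDs, the probed account names and the three-attempt threshold are assumptions made here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure lines (OpenSSH 3.x / pam_unix style, as
# logged on Fedora Core in 2004). Remote hosts come from the quoted LogWatch
# report; timestamps, PIDs and the probed user names are invented for the example.
SAMPLE_SECURE_LOG = """\
Jul 30 03:12:44 box sshd[4111]: Illegal user test from 211.117.191.70
Jul 30 03:12:44 box sshd(pam_unix)[4111]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70  user=test
Jul 30 03:12:49 box sshd[4113]: Illegal user guest from 211.117.191.70
Jul 30 03:12:49 box sshd(pam_unix)[4113]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70  user=guest
Jul 30 04:01:10 box sshd(pam_unix)[4120]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com  user=root
Jul 30 04:01:15 box sshd(pam_unix)[4122]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com  user=root
Jul 30 04:30:02 box sshd[4130]: Illegal user admin from 216.97.110.1
Jul 30 05:45:30 box sshd(pam_unix)[4140]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ccia-062-204-197-193.uned.es  user=brian
Jul 30 06:10:00 box sshd[4150]: Accepted password for brian from 10.0.0.5 port 51022 ssh2
"""

# "Illegal user" is what OpenSSH 3.x logged for an unknown account; later
# releases say "Invalid user", so both spellings are accepted.
ILLEGAL_USER = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")
# pam_unix failure line; the trailing "user=" field is absent in some variants
# (LogWatch strips it), so it is optional.
AUTH_FAILURE = re.compile(
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*?rhost=(\S*)(?:\s+user=(\S+))?"
)

# Account names the reply above says the scanning scripts try (assumption:
# treat any probe of these as a scanner, regardless of how many attempts).
CANNED_NAMES = {"test", "guest", "admin"}


def parse_secure_log(text):
    """Return a list of (kind, user, rhost) tuples for sshd failure events."""
    events = []
    for line in text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            events.append(("illegal_user", m.group(1), m.group(2)))
            continue
        m = AUTH_FAILURE.search(line)
        if m:
            events.append(("auth_failure", m.group(2) or "", m.group(1)))
    return events


def summarize(events):
    """Count failures per remote host and per account, and record which
    accounts each host probed."""
    by_rhost = Counter(rhost for _, _, rhost in events)
    by_user = Counter(user for _, user, _ in events if user)
    probed = defaultdict(set)
    for _, user, rhost in events:
        if user:
            probed[rhost].add(user)
    return by_rhost, by_user, probed


def guessing_hosts(events, threshold=3):
    """Hosts worth writing down: at least `threshold` failures, or any probe
    of a canned throwaway account name. The threshold is an assumption."""
    by_rhost, _, probed = summarize(events)
    return sorted(
        host for host, n in by_rhost.items()
        if n >= threshold or (probed[host] & CANNED_NAMES)
    )


def report(text):
    """Build a LogWatch-style text summary from raw secure-log text."""
    events = parse_secure_log(text)
    by_rhost, by_user, probed = summarize(events)
    lines = ["sshd failures by remote host:"]
    for host, n in by_rhost.most_common():
        lines.append("   %-40s %d time(s)  users=%s" % (host, n, ",".join(sorted(probed[host]))))
    lines.append("sshd failures by account:")
    for user, n in by_user.most_common():
        lines.append("   %-40s %d time(s)" % (user, n))
    lines.append("hosts to note: " + ", ".join(guessing_hosts(events)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the real file with: python3 this.py < /var/log/secure
    import sys
    print(report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SECURE_LOG))
```

Two things the output does not tell you, which the whois reply in the thread also shows: the rhost is whatever the attacker connected from, very often another compromised box, so it identifies a victim rather than the operator; and a successful "Accepted password" line from one of the flagged hosts is the line that matters, not the failures.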