MORE SSH Hacking: heads-up
Jenkins, Jeremiah
jeremiah.jenkins at neustar.biz
Fri Jul 30 21:15:56 UTC 2004
What does your /etc/secure log say?
There are some scripts around the internet now that try to log in via
ssh using "test" and "guest", and sometimes an admin account.
-----Original Message-----
From: jludwig [mailto:wralphie at comcast.net]
Sent: Friday, July 30, 2004 4:12 PM
To: For users of Fedora Core releases
Subject: Re: MORE SSH Hacking: heads-up
On Fri, 2004-07-30 at 05:45, Brian Fahrlander wrote:
> From last night's LogWatch:
> --------------------------------------------------------------------------
>
> sshd:
> Invalid Users:
> Unknown Account: 7 Time(s)
> Unknown Entries:
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=johnstongrain.com : 2 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=smms-mriley09d.chemistry.uq.edu.au : 2 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=211.117.191.70 : 1 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=216.97.110.1 : 1 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=ccia-062-204-197-193.uned.es : 1 Time(s)
>
> su:
> Sessions Opened:
> brian(uid=500) -> root: 1 Time(s)
>
> ------------------------------------------------------------------------
>
> Ok, guys- what do we do with this? Should we be writing down the
> addresses from which these attempts were made? They're probably all
> 'stooge' addresses, I know, but it might help authorities to know what
> other machines have been compromised...
>
> I'll go save the log somewhere...
>
> ------------------------------------------------------------------------
Search results for: 211.117.191.70
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 210.0.0.0 - 211.255.255.255
CIDR: 210.0.0.0/7
NetName: APNIC-CIDR-BLK2
NetHandle: NET-210-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: TINNIE.ARIN.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 1996-07-01
Updated: 2004-03-30
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin at apnic.net
# ARIN WHOIS database, last updated 2004-07-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
--
jludwig <wralphie at comcast.net>
--
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
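The LogWatch digest quoted in Brian's message is a per-source tally of the sshd and su records in the secure log. The example below is added here and is not code from any poster on this thread; it rebuilds that tally from raw secure-log lines and flags the sources whose failed attempts reach a threshold, which is what answers the "what do we do with this?" question on the defender's side (keep the list, watch for repeat offenders). The sample lines are constructed in the 2004-era Fedora pam_unix/sshd format; the two external addresses are the ones from the quoted digest, while the host name `fc2`, the `192.168.1.20` address, the timestamps and the threshold value are invented.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of /var/log/secure: pam_unix "authentication failure"
# records, sshd "Illegal user" records (later OpenSSH says "Invalid user"),
# one accepted login and one su to root. Host name, private address and
# timestamps are invented; the two public addresses are from the digest.
SAMPLE_SECURE_LOG = """\
Jul 30 03:12:01 fc2 sshd(pam_unix)[4120]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70 user=root
Jul 30 03:12:04 fc2 sshd[4122]: Illegal user test from 211.117.191.70
Jul 30 03:12:06 fc2 sshd[4124]: Illegal user guest from 211.117.191.70
Jul 30 03:12:07 fc2 sshd(pam_unix)[4124]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70
Jul 30 04:40:10 fc2 sshd[4301]: Illegal user test from 216.97.110.1
Jul 30 04:40:11 fc2 sshd(pam_unix)[4301]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.97.110.1
Jul 30 08:02:33 fc2 sshd(pam_unix)[4510]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.1.20 user=brian
Jul 30 08:02:40 fc2 sshd[4510]: Accepted password for brian from 192.168.1.20 port 33822 ssh2
Jul 30 08:03:01 fc2 su(pam_unix)[4530]: session opened for user root by brian(uid=500)
"""

# pam_unix failure: rhost is always set for ssh; "user=" is absent when the
# account does not exist (that is the "Unknown Account" bucket in LogWatch).
AUTH_FAIL = re.compile(
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*?rhost=(?P<rhost>\S+)"
    r"(?: user=(?P<user>\S+))?"
)
ILLEGAL_USER = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<rhost>\S+)"
)
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<rhost>\S+)")
SU_OPENED = re.compile(
    r"su\(pam_unix\)\[\d+\]: session opened for user (?P<target>\S+) by (?P<by>\S+)"
)


def summarize(log_text: str) -> Dict[str, Counter]:
    """Tally the secure log the way the LogWatch digest does."""
    s: Dict[str, Counter] = {
        "auth_failures": Counter(),      # rhost -> pam_unix failures
        "illegal_users": Counter(),      # guessed user name -> count
        "illegal_user_hosts": Counter(),  # rhost -> unknown-user attempts
        "accepted": Counter(),           # (user, rhost) -> successful logins
        "su_sessions": Counter(),        # (by, target) -> su sessions opened
    }
    for line in log_text.splitlines():
        if m := AUTH_FAIL.search(line):
            s["auth_failures"][m["rhost"]] += 1
        elif m := ILLEGAL_USER.search(line):
            s["illegal_users"][m["user"]] += 1
            s["illegal_user_hosts"][m["rhost"]] += 1
        elif m := ACCEPTED.search(line):
            s["accepted"][(m["user"], m["rhost"])] += 1
        elif m := SU_OPENED.search(line):
            s["su_sessions"][(m["by"], m["target"])] += 1
    return s


def attempts_per_host(summary: Dict[str, Counter]) -> Counter:
    """Failed attempts per source, counting both pam failures and bad user names."""
    total: Counter = Counter()
    total.update(summary["auth_failures"])
    total.update(summary["illegal_user_hosts"])
    return total


def flag_hosts(summary: Dict[str, Counter], threshold: int = 3) -> List[Tuple[str, int]]:
    """Sources at or above the (assumed) threshold, busiest first."""
    total = attempts_per_host(summary)
    return sorted(((h, n) for h, n in total.items() if n >= threshold),
                  key=lambda hn: (-hn[1], hn[0]))


def report(summary: Dict[str, Counter]) -> str:
    """LogWatch-style text digest of the tallies."""
    out = ["sshd:", "  Invalid Users:"]
    out += [f"    {u}: {n} Time(s)" for u, n in summary["illegal_users"].most_common()]
    out.append("  Authentication failures by source:")
    out += [f"    rhost={h}: {n} Time(s)" for h, n in summary["auth_failures"].most_common()]
    out.append("  Accepted logins:")
    out += [f"    {u} from {h}: {n} Time(s)" for (u, h), n in summary["accepted"].most_common()]
    out += ["su:", "  Sessions Opened:"]
    out += [f"    {by} -> {t}: {n} Time(s)" for (by, t), n in summary["su_sessions"].most_common()]
    return "\n".join(out)


if __name__ == "__main__":
    summary = summarize(SAMPLE_SECURE_LOG)
    print(report(summary))
    for host, n in flag_hosts(summary, threshold=2):
        print(f"repeat offender: {host} ({n} failed attempts)")
```

Run against a real secure log by passing the file contents to `summarize()`; the threshold is a local judgement call, and the pam_unix lines for the account that later logged in successfully show why a per-source count should be read next to the accepted-login list before anything is blocked.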