Watch Out For LAN4u.info

karlp at ourldsfamily.com karlp at ourldsfamily.com
Wed Nov 17 20:23:24 UTC 2004


I'm watching an attempt to break into my ssh server at work from
# host lan4u.info:
 lan4u.info has address 217.160.208.134

I'm getting a new entry in /var/log/messages every 4 seconds with the
following line:
Nov 17 13:16:10 lehi sshd(pam_unix)[30807]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info  user=root

Only the date and time changes. I suspect they have a password algorithm
changing thing that's banging against my network. I just stopped ssh,
which will give them a fit for a minute. I have to have it running for
client access, however no one was connected just now...

Here's some additional info.

traceroute to lan4u.info (217.160.208.134), 30 hops max, 38 byte packets
 1  gateway (192.168.1.1)  0.533 ms  0.345 ms  0.271 ms
 2  cisco (207.173.117.241)  1.162 ms  4.711 ms  1.002 ms
 3  s10-0-0--26.gw02.slkc.eli.net (209.210.71.33)  12.817 ms  15.076 ms  5.584 ms
 4  srp2-0.cr01.slkc.eli.net (208.186.20.49)  5.518 ms  6.231 ms  5.312 ms
 5  p10-0.cr01.rcrd.eli.net (207.173.114.9)  18.302 ms  18.693 ms  18.533 ms
 6  srp3-0.cr02.rcrd.eli.net (208.186.20.242)  18.214 ms  18.420 ms  18.348 ms
 7  p9-0.cr01.sntd.eli.net (207.173.114.57)  21.875 ms  46.164 ms  40.998 ms
 8  so-0-0-0--0.er01.plal.eli.net (207.173.114.138)  37.397 ms  22.468 ms  22.134 ms
 9  ge-2-1.hsa4.SanJose1.Level3.net (209.245.146.25)  21.902 ms  23.695 ms  22.382 ms
10  so-2-3-0.bbr1.SanJose1.Level3.net (4.68.121.225)  22.331 ms  22.810 ms  22.203 ms
11  so-0-1-0.bbr1.NewYork1.Level3.net (64.159.1.41)  87.611 ms  88.030 ms  92.259 ms
12  4.68.128.105 (4.68.128.105)  154.494 ms  156.113 ms  176.315 ms
13  so-3-0-0.mp2.Frankfurt1.Level3.net (212.187.128.29)  169.577 ms  169.880 ms
    so-6-0-0.mp1.Frankfurt1.Level3.net (212.187.128.62)  169.428 ms
14  ge-11-0.ipcolo1.Frankfurt1.Level3.net (195.122.136.39)  170.529 ms
    ge-10-0.ipcolo1.Frankfurt1.Level3.net (195.122.136.7)  169.831 ms
    ge-10-2.ipcolo1.Frankfurt1.Level3.net (195.122.136.99)  169.649 ms
15  gw-megaspace.frankfurt.eu.level3.net (212.162.44.158)  170.026 ms  171.923 ms  169.648 ms
16  pos-70.gw-backbone-b.bs.ka.schlund.net (212.227.112.126)  172.893 ms  172.768 ms  173.052 ms
17  a0kac2a.gw-distp-a.bs.ka.schlund.net (212.227.121.210)  172.306 ms  172.884 ms  172.598 ms
18  pkad1.gw-prtr-r2-a.bs.ka.schlund.net (212.227.34.194)  174.024 ms  176.512 ms  176.501 ms
19  lan4u.info (217.160.208.134)  175.578 ms  172.670 ms  173.101 ms


Isn't that interesting? They are part of the German spam network,
Schlund.net (schlund.de)...


nmap -P0 lan4u.info:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host lan4u.info (217.160.208.134) appears to be up ... good.
Initiating SYN Stealth Scan against lan4u.info (217.160.208.134)
Adding open port 995/tcp
Adding open port 443/tcp
Adding open port 10000/tcp
Adding open port 22/tcp
Adding open port 25/tcp
Adding open port 110/tcp
Adding open port 465/tcp
Adding open port 21/tcp
Adding open port 80/tcp
The SYN Stealth Scan took 9 seconds to scan 1601 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither
are firewalled
Interesting ports on lan4u.info (217.160.208.134):
(The 1592 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3
443/tcp    open        https
465/tcp    open        smtps
995/tcp    open        pop3s
10000/tcp  open        snet-sensor-mgmt
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 13.779 days (since Wed Nov  3 18:30:13 2004)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3166012 (Good luck!)
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds


And it looks like they are just hanging out on the internet.

Have some fun with these guys... uh, if you wish.

--
Karl Pearson
karlp at ourldsfamily.com
http://consulting.ourldsfamily.com
http://emailgroups.ourldsfamily.com
 If you don't think the dead come back to life, Be here at quitting time
 --
 My Thoughts on Terrorism In America: http://www.ourldsfamily.com/wtc.shtml
 --
 A right is not what someone gives you; it's what no one can take from you.
 -- Ramsey Clark
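A defender's way to spot the pattern described in the post (repeated sshd pam_unix failures from one rhost at a steady cadence) in /var/log/messages. This is an added example, not code from the original post or the list; the log lines are constructed in the same format as the one quoted above, and the year (2004), the failure threshold and the time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the pam_unix failure line quoted in the post. Syslog timestamps
# carry no year, so the caller supplies one (2004 here, an assumption).
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S*).*\buser=(?P<user>\S*)"
)

# Constructed sample of /var/log/messages: six failures from lan4u.info four
# seconds apart (the cadence in the post), one good login, one LAN-side failure.
_FAIL = ("Nov 17 13:16:{:02d} lehi sshd(pam_unix)[30807]: authentication failure; "
         "logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info  user=root")
SAMPLE_LOG = [_FAIL.format(s) for s in range(10, 31, 4)] + [
    "Nov 17 13:16:12 lehi sshd[30809]: Accepted publickey for karl from 192.168.1.50 port 40112 ssh2",
    "Nov 17 13:17:05 lehi sshd(pam_unix)[30815]: authentication failure; "
    "logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.1.50  user=karl",
]

def parse_auth_failure(line, year=2004):
    """Return (timestamp, rhost, user) for an sshd pam_unix failure line, else None."""
    m = AUTH_FAIL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("rhost"), m.group("user")

def find_bruteforce(lines, threshold=5, window=60, year=2004):
    """Return {rhost: total failures} for every host that produced at least
    `threshold` failures inside any `window` seconds (sliding window)."""
    by_host = defaultdict(list)
    for line in lines:
        parsed = parse_auth_failure(line, year)
        if parsed:
            ts, rhost, _user = parsed
            by_host[rhost].append(ts)
    flagged = {}
    for rhost, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[rhost] = len(stamps)
                break
    return flagged
```

Running find_bruteforce(SAMPLE_LOG) flags only lan4u.info; the single failure from the LAN host stays below the threshold, which is the distinction a firewall rule or log watcher should make before blocking anyone.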

More information about the Redhat-install-list mailing list