Watch Out For LAN4u.info
karlp at ourldsfamily.com
Wed Nov 17 20:23:24 UTC 2004
I'm watching an attempt to break into my ssh server at work from
# host lan4u.info:
lan4u.info has address 217.160.208.134
I'm getting a new entry in /var/log/messages every 4 seconds with the
following line:
Nov 17 13:16:10 lehi sshd(pam_unix)[30807]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info user=root
Only the date and time change. I suspect they have a password algorithm
changing thing that's banging against my network. I just stopped ssh,
which will give them a fit for a minute. I have to have it running for
client access; however, no one was connected just now...
Here's some additional info.
traceroute to lan4u.info (217.160.208.134), 30 hops max, 38 byte packets
 1 gateway (192.168.1.1) 0.533 ms 0.345 ms 0.271 ms
 2 cisco (207.173.117.241) 1.162 ms 4.711 ms 1.002 ms
 3 s10-0-0--26.gw02.slkc.eli.net (209.210.71.33) 12.817 ms 15.076 ms 5.584 ms
 4 srp2-0.cr01.slkc.eli.net (208.186.20.49) 5.518 ms 6.231 ms 5.312 ms
 5 p10-0.cr01.rcrd.eli.net (207.173.114.9) 18.302 ms 18.693 ms 18.533 ms
 6 srp3-0.cr02.rcrd.eli.net (208.186.20.242) 18.214 ms 18.420 ms 18.348 ms
 7 p9-0.cr01.sntd.eli.net (207.173.114.57) 21.875 ms 46.164 ms 40.998 ms
 8 so-0-0-0--0.er01.plal.eli.net (207.173.114.138) 37.397 ms 22.468 ms 22.134 ms
 9 ge-2-1.hsa4.SanJose1.Level3.net (209.245.146.25) 21.902 ms 23.695 ms 22.382 ms
10 so-2-3-0.bbr1.SanJose1.Level3.net (4.68.121.225) 22.331 ms 22.810 ms 22.203 ms
11 so-0-1-0.bbr1.NewYork1.Level3.net (64.159.1.41) 87.611 ms 88.030 ms 92.259 ms
12 4.68.128.105 (4.68.128.105) 154.494 ms 156.113 ms 176.315 ms
13 so-3-0-0.mp2.Frankfurt1.Level3.net (212.187.128.29) 169.577 ms 169.880 ms so-6-0-0.mp1.Frankfurt1.Level3.net (212.187.128.62) 169.428 ms
14 ge-11-0.ipcolo1.Frankfurt1.Level3.net (195.122.136.39) 170.529 ms ge-10-0.ipcolo1.Frankfurt1.Level3.net (195.122.136.7) 169.831 ms ge-10-2.ipcolo1.Frankfurt1.Level3.net (195.122.136.99) 169.649 ms
15 gw-megaspace.frankfurt.eu.level3.net (212.162.44.158) 170.026 ms 171.923 ms 169.648 ms
16 pos-70.gw-backbone-b.bs.ka.schlund.net (212.227.112.126) 172.893 ms 172.768 ms 173.052 ms
17 a0kac2a.gw-distp-a.bs.ka.schlund.net (212.227.121.210) 172.306 ms 172.884 ms 172.598 ms
18 pkad1.gw-prtr-r2-a.bs.ka.schlund.net (212.227.34.194) 174.024 ms 176.512 ms 176.501 ms
19 lan4u.info (217.160.208.134) 175.578 ms 172.670 ms 173.101 ms
Isn't that interesting? They are part of the German spam network,
Schlund.net (schlund.de)...
nmap -P0 lan4u.info:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host lan4u.info (217.160.208.134) appears to be up ... good.
Initiating SYN Stealth Scan against lan4u.info (217.160.208.134)
Adding open port 995/tcp
Adding open port 443/tcp
Adding open port 10000/tcp
Adding open port 22/tcp
Adding open port 25/tcp
Adding open port 110/tcp
Adding open port 465/tcp
Adding open port 21/tcp
Adding open port 80/tcp
The SYN Stealth Scan took 9 seconds to scan 1601 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on lan4u.info (217.160.208.134):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
443/tcp open https
465/tcp open smtps
995/tcp open pop3s
10000/tcp open snet-sensor-mgmt
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 13.779 days (since Wed Nov 3 18:30:13 2004)
TCP Sequence Prediction: Class=random positive increments Difficulty=3166012 (Good luck!)
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds
And it looks like they are just hanging out on the internet.
Have some fun with these guys... uh, if you wish.
--
Karl Pearson
karlp at ourldsfamily.com
http://consulting.ourldsfamily.com
http://emailgroups.ourldsfamily.com
If you don't think the dead come back to life, Be here at quitting time
--
My Thoughts on Terrorism In America: http://www.ourldsfamily.com/wtc.shtml
--
A right is not what someone gives you; it's what no one can take from you.
-- Ramsey Clark
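The pam_unix failure line quoted in the post is enough to detect this kind of guessing from the log alone. The following is an added example, not code from the post or its author: it parses sshd(pam_unix) "authentication failure" lines in the /var/log/messages format shown above, groups them by rhost, and flags any host with a burst of failures inside a sliding time window. The sample log lines, the threshold of 5 failures per 60 seconds, the hostname "lehi", the year, and the second source host 10.0.0.5 are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd(pam_unix) failure line format shown in the post.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S*) user=(?P<user>\S*)"
)

def parse_failures(lines, year=2004):
    """Yield (timestamp, rhost, user) for each failure line; syslog omits the year."""
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["rhost"], m["user"]

def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {rhost: (total_failures, sorted_users)} for every host that
    produced at least `threshold` failures inside any `window_s` window."""
    by_host = defaultdict(list)
    for ts, rhost, user in parse_failures(lines):
        by_host[rhost].append((ts, user))
    offenders = {}
    for rhost, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_s.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                offenders[rhost] = (len(events), sorted({u for _, u in events}))
                break
    return offenders

# Constructed sample: the post's 4-second cadence from lan4u.info, plus one
# isolated failure from an assumed unrelated host that should not be flagged.
SAMPLE_LOG = [
    f"Nov 17 13:16:{s:02d} lehi sshd(pam_unix)[30807]: authentication failure; "
    f"logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info user=root"
    for s in range(10, 34, 4)
] + [
    "Nov 17 13:16:15 lehi sshd(pam_unix)[30811]: authentication failure; "
    "logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.0.0.5 user=karl",
]

if __name__ == "__main__":
    for host, (count, users) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {count} failures, users tried: {users}")
```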
More information about the Redhat-install-list mailing list