Watch Out For LAN4u.info

Bob McClure Jr robertmcclure at earthlink.net
Wed Nov 17 20:49:53 UTC 2004


On Wed, Nov 17, 2004 at 01:23:24PM -0700, karlp at ourldsfamily.com wrote:
> I'm watching an attempt to break in to my ssh server at work from
> # host lan4u.info:
>  lan4u.info has address 217.160.208.134
> 
> I'm getting a new entry in /var/log/messages every 4 seconds with the
> following line:
> Nov 17 13:16:10 lehi sshd(pam_unix)[30807]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info  user=root
> 
> Only the date and time changes. I suspect they have a password algorithm
> changing thing that's banging against my network. I just stopped ssh,
> which will give them a fit for a minute. I have to have it running for
> client access, however no one was connected just now...
> 
> Here's some additional info.
> 
> traceroute to lan4u.info (217.160.208.134), 30 hops max, 38 byte packets
>  1  gateway (192.168.1.1)  0.533 ms  0.345 ms  0.271 ms
>  2  cisco (207.173.117.241)  1.162 ms  4.711 ms  1.002 ms
>  3  s10-0-0--26.gw02.slkc.eli.net (209.210.71.33)  12.817 ms  15.076 ms  5.584 ms
>  4  srp2-0.cr01.slkc.eli.net (208.186.20.49)  5.518 ms  6.231 ms  5.312 ms
>  5  p10-0.cr01.rcrd.eli.net (207.173.114.9)  18.302 ms  18.693 ms  18.533 ms
>  6  srp3-0.cr02.rcrd.eli.net (208.186.20.242)  18.214 ms  18.420 ms  18.348 ms
>  7  p9-0.cr01.sntd.eli.net (207.173.114.57)  21.875 ms  46.164 ms  40.998 ms
>  8  so-0-0-0--0.er01.plal.eli.net (207.173.114.138)  37.397 ms  22.468 ms  22.134 ms
>  9  ge-2-1.hsa4.SanJose1.Level3.net (209.245.146.25)  21.902 ms  23.695 ms  22.382 ms
> 10  so-2-3-0.bbr1.SanJose1.Level3.net (4.68.121.225)  22.331 ms  22.810 ms  22.203 ms
> 11  so-0-1-0.bbr1.NewYork1.Level3.net (64.159.1.41)  87.611 ms  88.030 ms  92.259 ms
> 12  4.68.128.105 (4.68.128.105)  154.494 ms  156.113 ms  176.315 ms
> 13  so-3-0-0.mp2.Frankfurt1.Level3.net (212.187.128.29)  169.577 ms  169.880 ms
>     so-6-0-0.mp1.Frankfurt1.Level3.net (212.187.128.62)  169.428 ms
> 14  ge-11-0.ipcolo1.Frankfurt1.Level3.net (195.122.136.39)  170.529 ms
>     ge-10-0.ipcolo1.Frankfurt1.Level3.net (195.122.136.7)  169.831 ms
>     ge-10-2.ipcolo1.Frankfurt1.Level3.net (195.122.136.99)  169.649 ms
> 15  gw-megaspace.frankfurt.eu.level3.net (212.162.44.158)  170.026 ms  171.923 ms  169.648 ms
> 16  pos-70.gw-backbone-b.bs.ka.schlund.net (212.227.112.126)  172.893 ms  172.768 ms  173.052 ms
> 17  a0kac2a.gw-distp-a.bs.ka.schlund.net (212.227.121.210)  172.306 ms  172.884 ms  172.598 ms
> 18  pkad1.gw-prtr-r2-a.bs.ka.schlund.net (212.227.34.194)  174.024 ms  176.512 ms  176.501 ms
> 19  lan4u.info (217.160.208.134)  175.578 ms  172.670 ms  173.101 ms
> 
> 
> Isn't that interesting? They are part of the German spam network,
> Schlund.net (schlund.de)...
> 
> 
> nmap -P0 lan4u.info:
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Host lan4u.info (217.160.208.134) appears to be up ... good.
> Initiating SYN Stealth Scan against lan4u.info (217.160.208.134)
> Adding open port 995/tcp
> Adding open port 443/tcp
> Adding open port 10000/tcp
> Adding open port 22/tcp
> Adding open port 25/tcp
> Adding open port 110/tcp
> Adding open port 465/tcp
> Adding open port 21/tcp
> Adding open port 80/tcp
> The SYN Stealth Scan took 9 seconds to scan 1601 ports.
> For OSScan assuming that port 21 is open and port 1 is closed and neither
> are firewalled
> Interesting ports on lan4u.info (217.160.208.134):
> (The 1592 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 80/tcp     open        http
> 110/tcp    open        pop-3
> 443/tcp    open        https
> 465/tcp    open        smtps
> 995/tcp    open        pop3s
> 10000/tcp  open        snet-sensor-mgmt
> Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
> Uptime 13.779 days (since Wed Nov  3 18:30:13 2004)
> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=3166012 (Good luck!)
> IPID Sequence Generation: All zeros
> Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds
> 
> 
> And it looks like they are just hanging out on the internet.
> 
> Have some fun with these guys... uh, if you wish.
> 
> --
> Karl Pearson
> karlp at ourldsfamily.com

I monitor six servers and my daily logwatch emails indicate frequent
attacks like that.  The simplest of the kiddie scripts makes only nine
tries.  The more recent ones make 107 tries.  A new one makes over
900.  In the case of the two latter ones, I do a whois on the address
to find out who the contact point is, usually abuse at domain.tld.  Then
I send a nastygram to them with the relevant log excerpts and info
about timezone, attacked server's IP, and such.  I have gotten several
compromised servers and abusive users taken off-line that way.
Usually, some lax sysadmin discovers his machine has been cracked,
perhaps by something as simple as one of those guessing scripts.

One of the most educational things about those kiddie scripts is that
you don't want to create an account "test" with password ... yeah,
"test".  A new sysadmin learned that the hard way.

Some may say that complaining is like p***ing in the ocean, but I
think it's worthwhile.  And it's gratifying when you get back a reply
that says the offending machine or client has been quarantined.

Cheers,
-- 
Bob McClure, Jr.             Bobcat Open Systems, Inc.
robertmcclure at earthlink.net  http://www.bobcatos.com
Grace happens.
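An added example, not code from either poster: the script below does by hand what Karl read out of /var/log/messages and what Bob describes doing with logwatch output. It parses the old Red Hat pam_unix "authentication failure" line quoted above, groups failures by rhost, measures the cadence (Karl's one-attempt-every-4-seconds is the signature of a script, not a person), applies a report-or-ignore threshold in the spirit of Bob's nine-vs-107-vs-900 distinction, and assembles the abuse report body with the items Bob lists (timezone, attacked server's IP, log excerpts). The sample log is constructed: the lan4u.info lines repeat Karl's single real line at his stated cadence, the 192.0.2.10 lines and the accepted login are invented, and the server IP 203.0.113.5 and the 100-attempt threshold are this example's assumptions (Karl's post gives only the hostname "lehi" and a -0700 Date header).

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the pam_unix line quoted in the thread.
# The lan4u.info lines repeat Karl's one real line at the 4-second cadence he
# describes; the 192.0.2.10 lines and the final accepted login are invented
# (RFC 5737 documentation addresses) to show per-user grouping and a non-match.
SAMPLE_LOG = """\
Nov 17 13:16:10 lehi sshd(pam_unix)[30807]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info  user=root
Nov 17 13:16:14 lehi sshd(pam_unix)[30809]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info  user=root
Nov 17 13:16:18 lehi sshd(pam_unix)[30811]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info  user=root
Nov 17 13:16:22 lehi sshd(pam_unix)[30813]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info  user=root
Nov 17 13:20:01 lehi sshd(pam_unix)[30850]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=test
Nov 17 13:20:03 lehi sshd(pam_unix)[30852]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=guest
Nov 17 13:20:05 lehi sshd(pam_unix)[30854]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=admin
Nov 17 13:21:00 lehi sshd[30860]: Accepted publickey for karl from 192.0.2.55 port 40112 ssh2
"""

# Matches the 2004-era Red Hat sshd/pam_unix failure line from the thread.
# Other syslog layouts (e.g. "Failed password for ... from ...") need their own pattern.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<target>\S+)\s+"
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*?"
    r"\brhost=(?P<rhost>\S*)\s+user=(?P<user>\S*)"
)


def summarize(log_text, year):
    """Group pam_unix sshd failures by remote host.

    Syslog lines carry no year, so the caller supplies it (2004 for this thread).
    Returns {rhost: {"count", "first", "last", "users", "target", "lines"}}.
    """
    per_host = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins, other daemons, unrelated noise
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = per_host.setdefault(m["rhost"], {
            "count": 0, "first": when, "last": when, "users": set(),
            "target": m["target"], "lines": [],
        })
        rec["count"] += 1
        rec["first"] = min(rec["first"], when)
        rec["last"] = max(rec["last"], when)
        rec["users"].add(m["user"] or "<unknown>")  # pam_unix leaves user= empty for unknown names
        rec["lines"].append(line)
    return per_host


def mean_interval(rec):
    """Average seconds between attempts, or None for a single attempt.
    A steady machine-like cadence (Karl saw one every 4 s) marks a script."""
    if rec["count"] < 2:
        return None
    return (rec["last"] - rec["first"]).total_seconds() / (rec["count"] - 1)


def worth_reporting(rec, threshold=100):
    """Bob reports the 107- and 900-try runs and shrugs at the nine-try ones.
    The default of 100 is this example's assumption, not his stated rule."""
    return rec["count"] >= threshold


def abuse_report(per_host, rhost, server_ip, tz_label, max_excerpts=5):
    """Build the complaint body: timezone, attacked server, counts, excerpts.
    server_ip and tz_label come from the caller; the log line has neither."""
    rec = per_host[rhost]
    rate = mean_interval(rec)
    out = [
        f"Subject: SSH brute-force attempts from {rhost}",
        "",
        f"Source host:       {rhost}",
        f"Attacked server:   {rec['target']} ({server_ip})",
        f"Timestamps in:     {tz_label}",
        f"Window:            {rec['first']:%Y-%m-%d %H:%M:%S} to {rec['last']:%Y-%m-%d %H:%M:%S}",
        f"Failed attempts:   {rec['count']}" + (f" (one every {rate:.1f} s)" if rate else ""),
        f"Accounts tried:    {', '.join(sorted(rec['users']))}",
        "",
        "Log excerpts:",
    ]
    out += ["  " + ln for ln in rec["lines"][:max_excerpts]]
    if rec["count"] > max_excerpts:
        out.append(f"  ... {rec['count'] - max_excerpts} more lines available on request")
    return "\n".join(out)


if __name__ == "__main__":
    hosts = summarize(SAMPLE_LOG, year=2004)
    for rhost, rec in sorted(hosts.items(), key=lambda kv: -kv[1]["count"]):
        flag = "REPORT" if worth_reporting(rec, threshold=4) else "ignore"
        print(f"{flag:6} {rhost:15} {rec['count']:4} tries  users={sorted(rec['users'])}")
    # 203.0.113.5 and the MST label are stand-ins: Karl's post gives only the
    # hostname "lehi" and a -0700 Date header.
    print()
    print(abuse_report(hosts, "lan4u.info", "203.0.113.5", "MST (UTC-0700)"))
```

Before sending, run `whois` on the address (not the hostname, which the attacker controls) to find the abuse contact, and state the timezone explicitly as Bob does: a remote admin correlating against their own logs needs it, and syslog gives them nothing to work with otherwise.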

More information about the Redhat-install-list mailing list