Watch Out For LAN4u.info
Harold Hallikainen
harold at hallikainen.com
Wed Nov 17 21:03:09 UTC 2004
I'm seeing a few thousand ssh attempts from 67.100.182.75 using a variety
of usernames, but mostly using root and having the password fail.
Harold
> I'm watching an attempt to break in to my ssh server at work from
> # host lan4u.info:
> lan4u.info has address 217.160.208.134
>
> I'm getting a new entry in /var/log/messages every 4 seconds with the
> following line:
> Nov 17 13:16:10 lehi sshd(pam_unix)[30807]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info user=root
>
> Only the date and time changes. I suspect they have a password algorithm
> changing thing that's banging against my network. I just stopped ssh,
> which will give them a fit for a minute. I have to have it running for
> client access, however no one was connected just now...
>
> Here's some additional info.
>
> traceroute to lan4u.info (217.160.208.134), 30 hops max, 38 byte packets
>  1 gateway (192.168.1.1) 0.533 ms 0.345 ms 0.271 ms
>  2 cisco (207.173.117.241) 1.162 ms 4.711 ms 1.002 ms
>  3 s10-0-0--26.gw02.slkc.eli.net (209.210.71.33) 12.817 ms 15.076 ms 5.584 ms
>  4 srp2-0.cr01.slkc.eli.net (208.186.20.49) 5.518 ms 6.231 ms 5.312 ms
>  5 p10-0.cr01.rcrd.eli.net (207.173.114.9) 18.302 ms 18.693 ms 18.533 ms
>  6 srp3-0.cr02.rcrd.eli.net (208.186.20.242) 18.214 ms 18.420 ms 18.348 ms
>  7 p9-0.cr01.sntd.eli.net (207.173.114.57) 21.875 ms 46.164 ms 40.998 ms
>  8 so-0-0-0--0.er01.plal.eli.net (207.173.114.138) 37.397 ms 22.468 ms 22.134 ms
>  9 ge-2-1.hsa4.SanJose1.Level3.net (209.245.146.25) 21.902 ms 23.695 ms 22.382 ms
> 10 so-2-3-0.bbr1.SanJose1.Level3.net (4.68.121.225) 22.331 ms 22.810 ms 22.203 ms
> 11 so-0-1-0.bbr1.NewYork1.Level3.net (64.159.1.41) 87.611 ms 88.030 ms 92.259 ms
> 12 4.68.128.105 (4.68.128.105) 154.494 ms 156.113 ms 176.315 ms
> 13 so-3-0-0.mp2.Frankfurt1.Level3.net (212.187.128.29) 169.577 ms 169.880 ms
>    so-6-0-0.mp1.Frankfurt1.Level3.net (212.187.128.62) 169.428 ms
> 14 ge-11-0.ipcolo1.Frankfurt1.Level3.net (195.122.136.39) 170.529 ms
>    ge-10-0.ipcolo1.Frankfurt1.Level3.net (195.122.136.7) 169.831 ms
>    ge-10-2.ipcolo1.Frankfurt1.Level3.net (195.122.136.99) 169.649 ms
> 15 gw-megaspace.frankfurt.eu.level3.net (212.162.44.158) 170.026 ms 171.923 ms 169.648 ms
> 16 pos-70.gw-backbone-b.bs.ka.schlund.net (212.227.112.126) 172.893 ms 172.768 ms 173.052 ms
> 17 a0kac2a.gw-distp-a.bs.ka.schlund.net (212.227.121.210) 172.306 ms 172.884 ms 172.598 ms
> 18 pkad1.gw-prtr-r2-a.bs.ka.schlund.net (212.227.34.194) 174.024 ms 176.512 ms 176.501 ms
> 19 lan4u.info (217.160.208.134) 175.578 ms 172.670 ms 173.101 ms
>
>
> Isn't that interesting? They are part of the German spam network,
> Schlund.net (schlund.de)...
>
>
> nmap -P0 lan4u.info:
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Host lan4u.info (217.160.208.134) appears to be up ... good.
> Initiating SYN Stealth Scan against lan4u.info (217.160.208.134)
> Adding open port 995/tcp
> Adding open port 443/tcp
> Adding open port 10000/tcp
> Adding open port 22/tcp
> Adding open port 25/tcp
> Adding open port 110/tcp
> Adding open port 465/tcp
> Adding open port 21/tcp
> Adding open port 80/tcp
> The SYN Stealth Scan took 9 seconds to scan 1601 ports.
> For OSScan assuming that port 21 is open and port 1 is closed and neither
> are firewalled
> Interesting ports on lan4u.info (217.160.208.134):
> (The 1592 ports scanned but not shown below are in state: closed)
> Port State Service
> 21/tcp open ftp
> 22/tcp open ssh
> 25/tcp open smtp
> 80/tcp open http
> 110/tcp open pop-3
> 443/tcp open https
> 465/tcp open smtps
> 995/tcp open pop3s
> 10000/tcp open snet-sensor-mgmt
> Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
> Uptime 13.779 days (since Wed Nov 3 18:30:13 2004)
> TCP Sequence Prediction: Class=random positive increments
> Difficulty=3166012 (Good luck!)
> IPID Sequence Generation: All zeros
> Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds
>
>
> And it looks like they are just hanging out on the internet.
>
> Have some fun with these guys... uh, if you wish.
>
> --
> Karl Pearson
> karlp at ourldsfamily.com
> http://consulting.ourldsfamily.com
> http://emailgroups.ourldsfamily.com
> If you don't think the dead come back to life, Be here at quitting time
> --
> My Thoughts on Terrorism In America:
> http://www.ourldsfamily.com/wtc.shtml
> --
> A right is not what someone gives you; it's what no one can take from
> you.
> -- Ramsey Clark
>
>
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
> To Unsubscribe Go To ABOVE URL or send a message to:
> redhat-install-list-request at redhat.com
> Subject: unsubscribe
>
--
FCC Rules Online at http://www.hallikainen.com
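As an added defensive example (not code from either poster), here is a small Python log watcher for the pattern described in the thread: it parses sshd pam_unix "authentication failure" lines, groups them by rhost, and flags any source that fails repeatedly within a short window, which is the kind of check a log-based blocker keys on before dropping the source at the firewall. The sample lines are constructed from the one quoted above; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the pam_unix failure quoted in the thread
# (a new line every few seconds, only the timestamp and PID changing).
SAMPLE_LOG = """\
Nov 17 13:16:10 lehi sshd(pam_unix)[30807]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info user=root
Nov 17 13:16:14 lehi sshd(pam_unix)[30809]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info user=root
Nov 17 13:16:18 lehi sshd(pam_unix)[30811]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info user=root
Nov 17 13:16:22 lehi sshd(pam_unix)[30813]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info user=admin
Nov 17 13:20:01 lehi sshd(pam_unix)[30901]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=harold
Nov 17 13:20:05 lehi sshd(pam_unix)[30903]: session opened for user harold by (uid=0)
"""

# Matches the syslog timestamp, the pam_unix failure marker, and the rhost/user fields.
PAM_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S+)\s+user=(?P<user>\S+)"
)

def parse_failures(text, year=2004):
    """Yield (timestamp, rhost, user) for every sshd pam_unix auth failure.
    Syslog lines carry no year, so one is supplied (assumed 2004 for the thread)."""
    for line in text.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["rhost"], m["user"]

def brute_force_sources(text, threshold=3, window_s=60):
    """Return {rhost: (total failures, sorted distinct users)} for every rhost
    with at least `threshold` failures inside some `window_s`-second window."""
    by_host = defaultdict(list)
    for ts, rhost, user in parse_failures(text):
        by_host[rhost].append((ts, user))
    flagged = {}
    for rhost, events in by_host.items():
        events.sort()
        start = 0  # sliding window over the sorted failure timestamps
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[rhost] = (len(events), sorted({u for _, u in events}))
                break
    return flagged

if __name__ == "__main__":
    for rhost, (count, users) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{rhost}: {count} failures, users tried: {', '.join(users)}")
```

To run it against a real host, read /var/log/messages into `text` instead of SAMPLE_LOG; a single failed login from one address is not flagged, only repeated failures inside the window.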