unsubscribe

Huy Cuong Le cuong.le at itsc.com.vn
Thu Nov 18 08:13:28 UTC 2004



-----Original Message-----
From: redhat-install-list-bounces at redhat.com
[mailto:redhat-install-list-bounces at redhat.com] On Behalf Of Harold
Hallikainen
Sent: Thursday, November 18, 2004 4:03 AM
To: Getting started with Red Hat Linux
Subject: Re: Watch Out For LAN4u.info

I'm seeing a few thousand ssh attempts from 67.100.182.75 using a variety
of usernames, but mostly using root and having the password fail.

Harold


> I'm watching an attempt to break in to my ssh server at work from
> # host lan4u.info:
>  lan4u.info has address 217.160.208.134
>
> I'm getting a new entry in /var/log/messages every 4 seconds with the
> following line:
> Nov 17 13:16:10 lehi sshd(pam_unix)[30807]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=lan4u.info  user=root
>
> Only the date and time changes. I suspect they have a password algorithm
> changing thing that's banging against my network. I just stopped ssh,
> which will give them a fit for a minute. I have to have it running for
> client access, however no one was connected just now...
>
> Here's some additional info.
>
> traceroute to lan4u.info (217.160.208.134), 30 hops max, 38 byte packets
>  1  gateway (192.168.1.1)  0.533 ms  0.345 ms  0.271 ms
>  2  cisco (207.173.117.241)  1.162 ms  4.711 ms  1.002 ms
>  3  s10-0-0--26.gw02.slkc.eli.net (209.210.71.33)  12.817 ms  15.076 ms  5.584 ms
>  4  srp2-0.cr01.slkc.eli.net (208.186.20.49)  5.518 ms  6.231 ms  5.312 ms
>  5  p10-0.cr01.rcrd.eli.net (207.173.114.9)  18.302 ms  18.693 ms  18.533 ms
>  6  srp3-0.cr02.rcrd.eli.net (208.186.20.242)  18.214 ms  18.420 ms  18.348 ms
>  7  p9-0.cr01.sntd.eli.net (207.173.114.57)  21.875 ms  46.164 ms  40.998 ms
>  8  so-0-0-0--0.er01.plal.eli.net (207.173.114.138)  37.397 ms  22.468 ms  22.134 ms
>  9  ge-2-1.hsa4.SanJose1.Level3.net (209.245.146.25)  21.902 ms  23.695 ms  22.382 ms
> 10  so-2-3-0.bbr1.SanJose1.Level3.net (4.68.121.225)  22.331 ms  22.810 ms  22.203 ms
> 11  so-0-1-0.bbr1.NewYork1.Level3.net (64.159.1.41)  87.611 ms  88.030 ms  92.259 ms
> 12  4.68.128.105 (4.68.128.105)  154.494 ms  156.113 ms  176.315 ms
> 13  so-3-0-0.mp2.Frankfurt1.Level3.net (212.187.128.29)  169.577 ms  169.880 ms  so-6-0-0.mp1.Frankfurt1.Level3.net (212.187.128.62)  169.428 ms
> 14  ge-11-0.ipcolo1.Frankfurt1.Level3.net (195.122.136.39)  170.529 ms  ge-10-0.ipcolo1.Frankfurt1.Level3.net (195.122.136.7)  169.831 ms  ge-10-2.ipcolo1.Frankfurt1.Level3.net (195.122.136.99)  169.649 ms
> 15  gw-megaspace.frankfurt.eu.level3.net (212.162.44.158)  170.026 ms  171.923 ms  169.648 ms
> 16  pos-70.gw-backbone-b.bs.ka.schlund.net (212.227.112.126)  172.893 ms  172.768 ms  173.052 ms
> 17  a0kac2a.gw-distp-a.bs.ka.schlund.net (212.227.121.210)  172.306 ms  172.884 ms  172.598 ms
> 18  pkad1.gw-prtr-r2-a.bs.ka.schlund.net (212.227.34.194)  174.024 ms  176.512 ms  176.501 ms
> 19  lan4u.info (217.160.208.134)  175.578 ms  172.670 ms  173.101 ms
>
>
> Isn't that interesting? They are part of the German spam network,
> Schlund.net (schlund.de)...
>
>
> nmap -P0 lan4u.info:
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Host lan4u.info (217.160.208.134) appears to be up ... good.
> Initiating SYN Stealth Scan against lan4u.info (217.160.208.134)
> Adding open port 995/tcp
> Adding open port 443/tcp
> Adding open port 10000/tcp
> Adding open port 22/tcp
> Adding open port 25/tcp
> Adding open port 110/tcp
> Adding open port 465/tcp
> Adding open port 21/tcp
> Adding open port 80/tcp
> The SYN Stealth Scan took 9 seconds to scan 1601 ports.
> For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
> Interesting ports on lan4u.info (217.160.208.134):
> (The 1592 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 80/tcp     open        http
> 110/tcp    open        pop-3
> 443/tcp    open        https
> 465/tcp    open        smtps
> 995/tcp    open        pop3s
> 10000/tcp  open        snet-sensor-mgmt
> Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
> Uptime 13.779 days (since Wed Nov  3 18:30:13 2004)
> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=3166012 (Good luck!)
> IPID Sequence Generation: All zeros
> Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds
>
>
> And it looks like they are just hanging out on the internet.
>
> Have some fun with these guys... uh, if you wish.
>
> --
> Karl Pearson
> karlp at ourldsfamily.com
> http://consulting.ourldsfamily.com
> http://emailgroups.ourldsfamily.com
>  If you don't think the dead come back to life, Be here at quitting time
>  --
>  My Thoughts on Terrorism In America:
> http://www.ourldsfamily.com/wtc.shtml
>  --
>  A right is not what someone gives you; it's what no one can take from
> you.
>  -- Ramsey Clark
>
>
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
> To Unsubscribe Go To ABOVE URL or send a message to:
> redhat-install-list-request at redhat.com
> Subject: unsubscribe
>


-- 
FCC Rules Online at http://www.hallikainen.com
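
Both posters are reading the same kind of pam_unix "authentication failure" line, one seeing root guessed every 4 seconds, the other thousands of attempts across many usernames. The script below is an added example, not code from this thread or from Red Hat: it parses lines in the format quoted above, groups failures by the rhost field and flags hosts whose failures exceed a threshold inside a sliding time window. The sample log lines are constructed, the year 2004 used to complete the year-less syslog timestamps is an assumption, and so are the window (60 s) and threshold (10 failures).

```python
"""Flag SSH password-guessing bursts in syslog-style sshd(pam_unix) lines.

Added example, not code from the mailing-list thread. The line format follows
the /var/log/messages entry quoted on the page; the sample lines are
constructed, and the year, window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the pam_unix "authentication failure" line quoted in the thread.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*?"
    r"\brhost=(?P<rhost>\S*)\s+user=(?P<user>\S*)"
)

ASSUMED_YEAR = 2004  # syslog timestamps carry no year; assumption for parsing


def parse_failure(line, year=ASSUMED_YEAR):
    """Return (timestamp, rhost, user) for a failed-auth line, else None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse "Nov  7" style padding
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m["rhost"] or "<unknown>", m["user"] or "<none>"


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length window."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def summarize(lines, year=ASSUMED_YEAR):
    """Group failures by remote host: attempt count, users tried, timestamps."""
    per_host = defaultdict(lambda: {"attempts": 0, "users": set(), "times": []})
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue  # not an sshd auth failure; skip
        ts, rhost, user = parsed
        rec = per_host[rhost]
        rec["attempts"] += 1
        rec["users"].add(user)
        rec["times"].append(ts)
    return per_host


def brute_force_hosts(lines, window_seconds=60, threshold=10, year=ASSUMED_YEAR):
    """Hosts with at least `threshold` failures inside some window_seconds span.

    Returns {rhost: (failures_in_worst_window, total_failures, sorted_users)}.
    """
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for rhost, rec in summarize(lines, year).items():
        burst = max_in_window(rec["times"], window)
        if burst >= threshold:
            flagged[rhost] = (burst, rec["attempts"], sorted(rec["users"]))
    return flagged


def _synthetic_lines(start, rhost, users, every_seconds, count):
    """Constructed log lines in the page's format (sample data, not real logs)."""
    out, t = [], start
    for i in range(count):
        out.append(
            f"{t.strftime('%b %d %H:%M:%S')} lehi sshd(pam_unix)[{30807 + i}]: "
            "authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= "
            f"rhost={rhost}  user={users[i % len(users)]}"
        )
        t += timedelta(seconds=every_seconds)
    return out


T0 = datetime(ASSUMED_YEAR, 11, 17, 13, 16, 10)
SAMPLE_LOG = (
    # root guessed every 4 seconds, as in the first post
    _synthetic_lines(T0, "lan4u.info", ["root"], 4, 15)
    # a variety of usernames, mostly root, as in the reply
    + _synthetic_lines(T0, "67.100.182.75", ["root", "root", "admin", "test", "root"], 1, 40)
    # a single mistyped password from a LAN user: must not be flagged
    + _synthetic_lines(T0, "192.168.1.50", ["karl"], 1, 1)
    # unrelated sshd noise the parser must skip
    + ["Nov 17 13:16:11 lehi sshd[30900]: Accepted publickey for karl from 192.168.1.50 port 40022 ssh2"]
)

if __name__ == "__main__":
    for host, (burst, total, users) in sorted(brute_force_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {burst} failures in 60 s ({total} total); users tried: {', '.join(users)}")
```

On a real box, feed it `open("/var/log/messages")` instead of SAMPLE_LOG. Two caveats: the rhost field holds whatever name sshd resolved for the client (the post shows lan4u.info rather than 217.160.208.134), so the same attacker can appear under a name and under an address; and since both posters' logs are dominated by guesses against root, `PermitRootLogin no` in sshd_config removes the account these scripts try hardest.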
