Think I've been cracked... not certain

C Hamel

30 Jul 2004 30 Jul '04

02:16

I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long. ==== Jul 29 05:30:53 linux sshd[6054]: Illegal user test from 163.19.207.248 Jul 29 05:30:53 linux sshd[6054]: input_userauth_request: illegal user test Jul 29 05:30:53 linux sshd[6054]: Failed password for illegal user test from 163.19.207.248 port 55657 ssh2 Jul 29 05:30:53 linux sshd[6054]: Received disconnect from 163.19.207.248: 11: Bye Bye Jul 29 05:30:59 linux sshd[6055]: Illegal user guest from 163.19.207.248 Jul 29 05:30:59 linux sshd[6055]: input_userauth_request: illegal user guest Jul 29 05:30:59 linux sshd[6055]: Failed password for illegal user guest from 163.19.207.248 port 55662 ssh2 Jul 29 05:31:00 linux sshd[6055]: Received disconnect from 163.19.207.248: 11: Bye Bye -- ...CH "The more they over-think the plumbing, the easier it is to stop up the drain." Scotty

Show replies by date

Patrick Shanahan

30 Jul 30 Jul

02:36

New subject: [SLE] Think I've been cracked... not certain

* C Hamel [07-29-04 21:16]:

...

I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long. ==== Jul 29 05:30:53 linux sshd[6054]: Illegal user test from 163.19.207.248 Jul 29 05:30:53 linux sshd[6054]: input_userauth_request: illegal user test Jul 29 05:30:53 linux sshd[6054]: Failed password for illegal user test from 163.19.207.248 port 55657 ssh2 Jul 29 05:30:53 linux sshd[6054]: Received disconnect from 163.19.207.248: 11: Bye Bye Jul 29 05:30:59 linux sshd[6055]: Illegal user guest from 163.19.207.248 Jul 29 05:30:59 linux sshd[6055]: input_userauth_request: illegal user guest Jul 29 05:30:59 linux sshd[6055]: Failed password for illegal user guest from 163.19.207.248 port 55662 ssh2 Jul 29 05:31:00 linux sshd[6055]: Received disconnect from 163.19.207.248: 11: Bye Bye

Why would you think that you had been cracked? What here looks like someone has successfully accessed your machine? -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos

Don Parris

03:15

New subject: [SLE] Think I've been cracked... not certain

Patrick Shanahan wrote:

...

* C Hamel [07-29-04 21:16]:

...
I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long. ==== Jul 29 05:30:53 linux sshd[6054]: Illegal user test from 163.19.207.248 Jul 29 05:30:53 linux sshd[6054]: input_userauth_request: illegal user test Jul 29 05:30:53 linux sshd[6054]: Failed password for illegal user test from 163.19.207.248 port 55657 ssh2 Jul 29 05:30:53 linux sshd[6054]: Received disconnect from 163.19.207.248: 11: Bye Bye Jul 29 05:30:59 linux sshd[6055]: Illegal user guest from 163.19.207.248 Jul 29 05:30:59 linux sshd[6055]: input_userauth_request: illegal user guest Jul 29 05:30:59 linux sshd[6055]: Failed password for illegal user guest from 163.19.207.248 port 55662 ssh2 Jul 29 05:31:00 linux sshd[6055]: Received disconnect from 163.19.207.248: 11: Bye Bye

Why would you think that you had been cracked? What here looks like someone has successfully accessed your machine?

Looks to me like someone might have attempted, but got rejected by your system. They tried twice, got rejected twice. Looks like your firewall works. Patrick, I'm sure he thinks he's been cracked because of the dropped connection. My guess is - and it is just that - that in their attempts to access his system, they did something that caused the connection to drop. I would say if your system & data are still o.k., you're _likely_ to be in good shape. You could try tracking down the IP address, at least find out what domain it belongs to. You may or may not be able to track the user (fat chance, I'm sure). If you can, great. Let him know you've contacted the FBI. Monitor your system for the next few days, and catch one of the "real" gurus on this list in the morning. :) Regards, Don

Patrick Shanahan

03:29

New subject: [SLE] Think I've been cracked... not certain

* Don Parris [07-29-04 22:24]:

...

Looks to me like someone might have attempted, but got rejected by your system. They tried twice, got rejected twice. Looks like your firewall works. Patrick, I'm sure he thinks he's been cracked because of the dropped connection. My guess is - and it is just that - that in their attempts to access his system, they did something that caused the connection to drop. I would say if your system & data are still o.k., you're _likely_ to be in good shape. You could try tracking down the IP address, at least find out what domain it belongs to. You may or may not be able to track the user (fat chance, I'm sure). If you can, great. Let him know you've contacted the FBI.

Monitor your system for the next few days, and catch one of the "real" gurus on this list in the morning. :)

In the meantime, perhaps download rkhunter (root kit hunter) from sourceforge, install and run to check your system quickly. But, I believe that access was attempted and failed per your logs. The connection dropped because access was denied. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos

C Hamel

15:32

New subject: [SLE] Think I've been cracked... not certain

On Thursday 29 July 2004 22:29, Patrick Shanahan wrote:

...

* Don Parris [07-29-04 22:24]:

...
Looks to me like someone might have attempted, but got rejected by your system. They tried twice, got rejected twice. Looks like your firewall works. Patrick, I'm sure he thinks he's been cracked because of the dropped connection. My guess is - and it is just that - that in their attempts to access his system, they did something that caused the connection to drop. I would say if your system & data are still o.k., you're _likely_ to be in good shape. You could try tracking down the IP address, at least find out what domain it belongs to. You may or may not be able to track the user (fat chance, I'm sure). If you can, great. Let him know you've contacted the FBI.

Monitor your system for the next few days, and catch one of the "real" gurus on this list in the morning. :)

In the meantime, perhaps download rkhunter (root kit hunter) from sourceforge, install and run to check your system quickly. But, I believe that access was attempted and failed per your logs. The connection dropped because access was denied. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos That sounds like a good idea. Thanks!

Now that you mention it, I guess it did fail. I was a little paranoid since nothing like that has ever happened. What I didn't think to mention at the time of the 1st writing was that I have a 2-channel modem (ISDN) and only one channel was operatiing during one of these 'attacks' ...the 2nd channel lit up as if the phone had been answered ...but I have that disabled in the INIT. -- ...CH "The more they over-think the plumbing, the easier it is to stop up the drain." Scotty

Patrick Shanahan

18:41

New subject: [SLE] Think I've been cracked... not certain

* C Hamel [07-30-04 10:36]:

...

On Thursday 29 July 2004 22:29, Patrick Shanahan wrote:

...
In the meantime, perhaps download rkhunter (root kit hunter) from sourceforge, install and run to check your system quickly. But, I believe that access was attempted and failed per your logs. The connection dropped because access was denied.

...

That sounds like a good idea. Thanks!

Cannot hurt anything. available http://www.rootkit.nl./rkhunter I run it each night from cron. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos

C Hamel

19:20

New subject: [SLE] Think I've been cracked... not certain

...

* C Hamel [07-30-04 10:36]:

...
On Thursday 29 July 2004 22:29, Patrick Shanahan wrote:

...
In the meantime, perhaps download rkhunter (root kit hunter) from sourceforge, install and run to check your system quickly. But, I believe that access was attempted and failed per your logs. The connection dropped because access was denied.

That sounds like a good idea. Thanks!

Cannot hurt anything.

available http://www.rootkit.nl./rkhunter

I run it each night from cron. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos ...And I d/l the file, scanned the system, fixed a couple things, scanned again. I'm secure. :-) -- ...CH "The more they over-think the plumbing,

On Friday 30 July 2004 13:41, Patrick Shanahan wrote: the easier it is to stop up the drain." Scotty

Patrick Shanahan

19:21

New subject: [SLE] Think I've been cracked... not certain

* Patrick Shanahan [07-30-04 13:47]:

...

available http://www.rootkit.nl./rkhunter

I run it each night from cron.

And I have an rpm available if you desire, less then 80k. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos

Alex Angerhofer

19:30

New subject: [SLE] Think I've been cracked... not certain

On Fri, 30 Jul 2004, Patrick Shanahan wrote:

...

* Patrick Shanahan [07-30-04 13:47]:

...
available http://www.rootkit.nl./rkhunter

I run it each night from cron.

And I have an rpm available if you desire, less then 80k.

I'd be interested in that, too. Given it is so small, perhaps you can post it to the list if the list allows attachments? Cheers, Alex.

Patrick Shanahan

19:47

New subject: [SLE] Think I've been cracked... not certain

* Alex Angerhofer [07-30-04 14:31]:

...

On Fri, 30 Jul 2004, Patrick Shanahan wrote:

...
And I have an rpm available if you desire, less then 80k.

I'd be interested in that, too. Given it is so small, perhaps you can post it to the list if the list allows attachments?

Available http://wahoo.no-ip.org/~pat/rkhunter-1.1.3-1.cjo.noarch.rpm -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos

Alex Angerhofer

20:32

New subject: [SLE] Think I've been cracked... not certain

On Fri, 30 Jul 2004, Patrick Shanahan wrote:

...

* Alex Angerhofer [07-30-04 14:31]:

...
On Fri, 30 Jul 2004, Patrick Shanahan wrote:

...
And I have an rpm available if you desire, less then 80k.

I'd be interested in that, too. Given it is so small, perhaps you can post it to the list if the list allows attachments?

Available http://wahoo.no-ip.org/~pat/rkhunter-1.1.3-1.cjo.noarch.rpm

Thank you very much. AA

Fred Miller

31 Jul 31 Jul

03:48

New subject: [SLE] Think I've been cracked... not certain

On Friday July 30 2004 3:47 pm, Patrick Shanahan wrote:

...

* Alex Angerhofer [07-30-04 14:31]:

...
On Fri, 30 Jul 2004, Patrick Shanahan wrote:

...
And I have an rpm available if you desire, less then 80k.

I'd be interested in that, too. Given it is so small, perhaps you can post it to the list if the list allows attachments?

Available http://wahoo.no-ip.org/~pat/rkhunter-1.1.3-1.cjo.noarch.rpm

Thanks.....runs well! NO problems here, which I didn't think there were. Fred -- "Ballmer is no more designed for the art of persuasion than the Abrams tank is for delivering meals on wheels."

Patrick Shanahan

04:02

New subject: [SLE] Think I've been cracked... not certain

* Fred Miller [07-30-04 22:52]:

...

On Friday July 30 2004 3:47 pm, Patrick Shanahan wrote:

...
Available http://wahoo.no-ip.org/~pat/rkhunter-1.1.3-1.cjo.noarch.rpm

Thanks.....runs well! NO problems here, which I didn't think there were.

There are updates occasionally. I will try to notify the list and present an updated rpm. Remember, memory is ?? the first thing to go. I was a junior in High School when we got our first (black&white) tv <grin>. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos

Fred Miller

04:04

New subject: [SLE] Think I've been cracked... not certain

On Saturday July 31 2004 12:02 am, Patrick Shanahan wrote:

...

* Fred Miller [07-30-04 22:52]:

...
On Friday July 30 2004 3:47 pm, Patrick Shanahan wrote:

...
Available http://wahoo.no-ip.org/~pat/rkhunter-1.1.3-1.cjo.noarch.rpm

Thanks.....runs well! NO problems here, which I didn't think there were.

There are updates occasionally. I will try to notify the list and present an updated rpm.

Remember, memory is ?? the first thing to go. I was a junior in High School when we got our first (black&white) tv <grin>.

I can remember that.....I think. :) You didn't get back to me on the printing...what happened? Fred -- "Ballmer is no more designed for the art of persuasion than the Abrams tank is for delivering meals on wheels."

C Hamel

30 Jul 30 Jul

21:39

New subject: [SLE] Think I've been cracked... not certain

...

* Patrick Shanahan [07-30-04 13:47]:

...
available http://www.rootkit.nl./rkhunter

I run it each night from cron.

And I have an rpm available if you desire, less then 80k. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos Thanks! That would be very much appreciated! -- ...CH "The more they over-think the plumbing,

On Friday 30 July 2004 14:21, Patrick Shanahan wrote: the easier it is to stop up the drain." Scotty

C Hamel

15:35

New subject: [SLE] Think I've been cracked... not certain

...

Patrick Shanahan wrote:

...
* C Hamel [07-29-04 21:16]:

...
I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long. ==== Jul 29 05:30:53 linux sshd[6054]: Illegal user test from 163.19.207.248 Jul 29 05:30:53 linux sshd[6054]: input_userauth_request: illegal user test Jul 29 05:30:53 linux sshd[6054]: Failed password for illegal user test from 163.19.207.248 port 55657 ssh2 Jul 29 05:30:53 linux sshd[6054]: Received disconnect from 163.19.207.248: 11: Bye Bye Jul 29 05:30:59 linux sshd[6055]: Illegal user guest from 163.19.207.248 Jul 29 05:30:59 linux sshd[6055]: input_userauth_request: illegal user guest Jul 29 05:30:59 linux sshd[6055]: Failed password for illegal user guest from 163.19.207.248 port 55662 ssh2 Jul 29 05:31:00 linux sshd[6055]: Received disconnect from 163.19.207.248: 11: Bye Bye

Why would you think that you had been cracked? What here looks like someone has successfully accessed your machine?

Looks to me like someone might have attempted, but got rejected by your system. They tried twice, got rejected twice. Looks like your firewall works. Patrick, I'm sure he thinks he's been cracked because of the dropped connection. My guess is - and it is just that - that in their attempts to access his system, they did something that caused the connection to drop. I would say if your system & data are still o.k., you're _likely_ to be in good shape. You could try tracking down the IP address, at least find out what domain it belongs to. You may or may not be able to track the user (fat chance, I'm sure). If you can, great. Let him know you've contacted the FBI.

Monitor your system for the next few days, and catch one of the "real" gurus on this list in the morning. :)

Regards, Don Thanks for the ideas. <G> Sound good. -- ...CH "The more they over-think the plumbing,

On Thursday 29 July 2004 22:15, Don Parris wrote: the easier it is to stop up the drain." Scotty

Togan Muftuoglu

03:32

New subject: [SLE] Think I've been cracked... not certain

* C Hamel; on 29 Jul, 2004 wrote:

...

I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long. ==== Jul 29 05:30:53 linux sshd[6054]: Illegal user test from 163.19.207.248 Jul 29 05:30:53 linux sshd[6054]: input_userauth_request: illegal user test Jul 29 05:30:53 linux sshd[6054]: Failed password for illegal user test from 163.19.207.248 port 55657 ssh2 Jul 29 05:30:53 linux sshd[6054]: Received disconnect from 163.19.207.248: 11: Bye Bye Jul 29 05:30:59 linux sshd[6055]: Illegal user guest from 163.19.207.248 Jul 29 05:30:59 linux sshd[6055]: input_userauth_request: illegal user guest Jul 29 05:30:59 linux sshd[6055]: Failed password for illegal user guest from 163.19.207.248 port 55662 ssh2 Jul 29 05:31:00 linux sshd[6055]: Received disconnect from 163.19.207.248: 11: Bye Bye

Based on the above the only thing known is your sshd server has received request for users *test* and *guest* and has rejected those requests based on the reasn no such user exists. Firewall engaged has nothing related to that as you either let the packet enter or you do not. If you port 22 (ssh) open that means people can try to enter. If you want to increase security you may want to limit the IPs or domains or users via sshd (man sshd_config) or/and user tcp_wrapers or/and only let specific IPs thru the firewall (if you are using SuSEfirewall2 FW_TRUSTED_NETS) On the other hand there is no relevant info in the above logs that says you have been cracked. Those login tries are very common though it has been in the increase lately Hope this helps -- Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum

Mike McMullin

10:05

New subject: [SLE] Think I've been cracked... not certain

On Thu, 2004-07-29 at 23:32, Togan Muftuoglu wrote:

...

* C Hamel; on 29 Jul, 2004 wrote:

...
I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long. ==== Jul 29 05:30:53 linux sshd[6054]: Illegal user test from 163.19.207.248 Jul 29 05:30:53 linux sshd[6054]: input_userauth_request: illegal user test Jul 29 05:30:53 linux sshd[6054]: Failed password for illegal user test from 163.19.207.248 port 55657 ssh2 Jul 29 05:30:53 linux sshd[6054]: Received disconnect from 163.19.207.248: 11: Bye Bye Jul 29 05:30:59 linux sshd[6055]: Illegal user guest from 163.19.207.248 Jul 29 05:30:59 linux sshd[6055]: input_userauth_request: illegal user guest Jul 29 05:30:59 linux sshd[6055]: Failed password for illegal user guest from 163.19.207.248 port 55662 ssh2 Jul 29 05:31:00 linux sshd[6055]: Received disconnect from 163.19.207.248: 11: Bye Bye

Based on the above the only thing known is your sshd server has received request for users *test* and *guest* and has rejected those requests based on the reasn no such user exists.

Firewall engaged has nothing related to that as you either let the packet enter or you do not. If you port 22 (ssh) open that means people can try to enter.

If you want to increase security you may want to limit the IPs or domains or users via sshd (man sshd_config) or/and user tcp_wrapers or/and only let specific IPs thru the firewall (if you are using SuSEfirewall2 FW_TRUSTED_NETS)

On the other hand there is no relevant info in the above logs that says you have been cracked. Those login tries are very common though it has been in the increase lately

An increase in activity would not surprise me at all. I had my SMC-Barricade broadband switch set up to e-mail me when any kind of off connection was attempted. I get less e-mail from this list than I did from using that setting. I did do one thing that Patrick Shanahan has suggested in this thread. I dl'ed a root kit hunter and it on my main system. (The other ones run in windows mostly, so forget it. :() Mike

John

03:40

New subject: [SLE] Think I've been cracked... not certain

On Thursday 29 July 2004 21:16, C Hamel wrote:

...

I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long. ==== Jul 29 05:30:53 linux sshd[6054]: Illegal user test from 163.19.207.248 Jul 29 05:30:53 linux sshd[6054]: input_userauth_request: illegal user test Jul 29 05:30:53 linux sshd[6054]: Failed password for illegal user test from 163.19.207.248 port 55657 ssh2 Jul 29 05:30:53 linux sshd[6054]: Received disconnect from 163.19.207.248: 11: Bye Bye Jul 29 05:30:59 linux sshd[6055]: Illegal user guest from 163.19.207.248 Jul 29 05:30:59 linux sshd[6055]: input_userauth_request: illegal user guest Jul 29 05:30:59 linux sshd[6055]: Failed password for illegal user guest from 163.19.207.248 port 55662 ssh2 Jul 29 05:31:00 linux sshd[6055]: Received disconnect from 163.19.207.248: 11: Bye Bye

Along with what everyone else is saying, remember too, I believe I read somewhere that there is or is going to be some kind of attack on SSH ports(?) (wish I could remember where I read it, sorry)

Louis Richards

13:33

New subject: [SLE] Think I've been cracked... not certain

John wrote:

...

On Thursday 29 July 2004 21:16, C Hamel wrote:

...
I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long. ==== Jul 29 05:30:53 linux sshd[6054]: Illegal user test from 163.19.207.248 Jul 29 05:30:53 linux sshd[6054]: input_userauth_request: illegal user test Jul 29 05:30:53 linux sshd[6054]: Failed password for illegal user test from 163.19.207.248 port 55657 ssh2 Jul 29 05:30:53 linux sshd[6054]: Received disconnect from 163.19.207.248: 11: Bye Bye Jul 29 05:30:59 linux sshd[6055]: Illegal user guest from 163.19.207.248 Jul 29 05:30:59 linux sshd[6055]: input_userauth_request: illegal user guest Jul 29 05:30:59 linux sshd[6055]: Failed password for illegal user guest from 163.19.207.248 port 55662 ssh2 Jul 29 05:31:00 linux sshd[6055]: Received disconnect from 163.19.207.248: 11: Bye Bye

Along with what everyone else is saying, remember too, I believe I read somewhere that there is or is going to be some kind of attack on SSH ports(?) (wish I could remember where I read it, sorry)

Don't feel lonely ... or special. If it's hitting this little box, it's most likely an automated attempt. Jul 29 20:02:03 server sshd[28496]: Illegal user test from ::ffff:66.37.140.11 Jul 29 20:02:03 server sshd[28496]: reverse mapping checking getaddrinfo for host11.unused.colo.firstlink.com failed - POSSIBLE BREAKIN ATTEMPT! Jul 29 20:02:04 server sshd[28498]: Illegal user guest from ::ffff:66.37.140.11 Jul 29 20:02:04 server sshd[28498]: reverse mapping checking getaddrinfo for host11.unused.colo.firstlink.com failed - POSSIBLE BREAKIN ATTEMPT! Louis

David SMITH

13:44

New subject: [SLE] Think I've been cracked... not certain

On Thu, Jul 29, 2004 at 09:16:38PM -0500, C Hamel wrote:

...

I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long. [snip]

Someone on our local LUG has noted that there are some people around trying brute-force attacks on SSH servers (i.e. try lots of combinations of username and password to see if any of them work). If you don't need it, disable sshd; otherwise: Make sure that your sshd is installed and configured properly: o Up to date - there were a few security holes a while ago o root (and any other priviledged user) login is disabled o SSH v1 is disabled - allow only SSH v2 o Disable password login if possible, allowing only public/private key login Also, make sure all the passwords on your system are strong. Otherwise, it doesn't look like anything serious (unless the attacking IP is yours), but the disappearing net connection looks worthy of investigation (of course, it could just be the cracker overloading the link). -- David Smith Work Email: Dave.Smith@st.com STMicroelectronics Home Email: David.Smith@ds-electronics.co.uk Bristol, England GPG Key: 0xF13192F2

Rhugga

14:20

New subject: [SLE] Think I've been cracked... not certain

David SMITH wrote:

...

On Thu, Jul 29, 2004 at 09:16:38PM -0500, C Hamel wrote:

...
I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long.

[snip]

Someone on our local LUG has noted that there are some people around trying brute-force attacks on SSH servers (i.e. try lots of combinations of username and password to see if any of them work).

If you don't need it, disable sshd; otherwise:

Make sure that your sshd is installed and configured properly:

o Up to date - there were a few security holes a while ago o root (and any other priviledged user) login is disabled o SSH v1 is disabled - allow only SSH v2 o Disable password login if possible, allowing only public/private key login

Also, make sure all the passwords on your system are strong.

Otherwise, it doesn't look like anything serious (unless the attacking IP is yours), but the disappearing net connection looks worthy of investigation (of course, it could just be the cracker overloading the link).

Yea, I have actually been tracking these losers if anyone wants a list of their IP addresses. I was going to put our 500-node linux cluster to work against these IP addresses and soon as I verify they are truly the attackers. (I am suspect because a lot of these IP address are local to the US) -Rhugga

Steve Kratz

15:04

New subject: [SLE] Think I've been cracked... not certain

Reverse DOS attack :) I like it!

...

-----Original Message----- From: Rhugga [mailto:suse-list@sandiego420.com] Sent: Friday, July 30, 2004 9:21 AM To: David SMITH Cc: suse-linux-e@suse.com Subject: Re: [SLE] Think I've been cracked... not certain

David SMITH wrote:

...
On Thu, Jul 29, 2004 at 09:16:38PM -0500, C Hamel wrote:

...
I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long.

[snip]

Someone on our local LUG has noted that there are some people around trying brute-force attacks on SSH servers (i.e. try lots of combinations of username and password to see if any of them work).

If you don't need it, disable sshd; otherwise:

Make sure that your sshd is installed and configured properly:

o Up to date - there were a few security holes a while ago o root (and any other priviledged user) login is disabled o SSH v1 is disabled - allow only SSH v2 o Disable password login if possible, allowing only public/private key login

Also, make sure all the passwords on your system are strong.

Otherwise, it doesn't look like anything serious (unless the attacking IP is yours), but the disappearing net connection looks worthy of investigation (of course, it could just be the cracker overloading the link).

Yea, I have actually been tracking these losers if anyone wants a list of their IP addresses. I was going to put our 500-node linux cluster to work against these IP addresses and soon as I verify they are truly the attackers. (I am suspect because a lot of these IP address are local to the US)

-Rhugga

-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com

Patrick Shanahan

15:08

New subject: [SLE] Think I've been cracked... not certain

* Rhugga [07-30-04 09:24]:

...

Yea, I have actually been tracking these losers if anyone wants a list of their IP addresses. I was going to put our 500-node linux cluster to work against these IP addresses and soon as I verify they are truly the attackers. (I am suspect because a lot of these IP address are local to the US)

Jul 24 09:54:14 wahoo sshd[6977]: Failed password for test from 140.112.57.187 port 59900 ssh2 Jul 24 09:54:16 wahoo sshd[6978]: Failed password for illegal user guest from 140.112.57.187 port 59910 ssh2 187.57.112.140.in-addr.arpa domain name pointer neutrino.gl.ntu.edu.tw Jul 25 08:36:55 wahoo sshd[15365]: Failed password for test from 210.99.38.200 port 3094 ssh2 Jul 25 08:36:57 wahoo sshd[15367]: Failed password for illegal user guest from 210.99.38.200 port 3136 ssh2 hostmaster@nic.or.kr Jul 25 16:16:19 wahoo sshd[994]: Failed password for test from 218.244.240.195 port 41405 ssh2 Jul 25 16:16:21 wahoo sshd[995]: Failed password for illegal user guest from 218.244.240.195 port 41446 ssh2 bill.pang@bj.datadragon.net Jul 26 18:26:33 wahoo sshd[17575]: Failed password for test from 202.134.73.89 port 51844 ssh2 Jul 26 18:26:35 wahoo sshd[17588]: Failed password for illegal user guest from 202.134.73.89 port 52003 ssh2 89.73.134.202.in-addr.arpa domain name pointer ip-89-73-134-202.rev.dyxnet.com Jul 26 19:32:03 wahoo sshd[19627]: Failed password for test from 211.117.66.166 port 36543 ssh2 Jul 26 19:32:05 wahoo sshd[19628]: Failed password for illegal user guest from 211.117.66.166 port 36556 ssh2 hostmaster@nic.or.kr Jul 28 14:31:26 wahoo sshd[5664]: reverse mapping checking getaddrinfo for johnstongrain.com failed - POSSIBLE BREAKIN ATTEMPT! Jul 28 14:31:26 wahoo sshd[5664]: Failed password for test from 208.145.229.70 port 1796 ssh2 70.229.145.208.in-addr.arpa domain name pointer johnstongrain.com Jul 29 17:23:18 wahoo sshd[29735]: Failed password for test from 216.99.211.35 port 57480 ssh2 Jul 29 17:23:20 wahoo sshd[29736]: Failed password for illegal user guest from 216.99.211.35 port 57530 ssh2 35.211.99.216.in-addr.arpa domain name pointer 216-99-211-35.dsl.aracnet.com -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos

C Hamel

15:45

New subject: [SLE] Think I've been cracked... not certain

...

David SMITH wrote:

...
On Thu, Jul 29, 2004 at 09:16:38PM -0500, C Hamel wrote:

...
I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long.

[snip]

Someone on our local LUG has noted that there are some people around trying brute-force attacks on SSH servers (i.e. try lots of combinations of username and password to see if any of them work).

If you don't need it, disable sshd; otherwise:

Make sure that your sshd is installed and configured properly:

o Up to date - there were a few security holes a while ago o root (and any other priviledged user) login is disabled o SSH v1 is disabled - allow only SSH v2 o Disable password login if possible, allowing only public/private key login

Also, make sure all the passwords on your system are strong.

Otherwise, it doesn't look like anything serious (unless the attacking IP is yours), but the disappearing net connection looks worthy of investigation (of course, it could just be the cracker overloading the link).

Yea, I have actually been tracking these losers if anyone wants a list of their IP addresses. I was going to put our 500-node linux cluster to work against these IP addresses and soon as I verify they are truly the attackers. (I am suspect because a lot of these IP address are local to the US)

-Rhugga I'm afraid I don't know too much about this... but with such a list I am

On Friday 30 July 2004 09:20, Rhugga wrote: presuming the IPs could be put in the hosts.deny file? Guess I'll have to fire up the man pages, again. <G> -- ...CH "The more they over-think the plumbing, the easier it is to stop up the drain." Scotty

C Hamel

15:43

New subject: [SLE] Think I've been cracked... not certain

...

On Thu, Jul 29, 2004 at 09:16:38PM -0500, C Hamel wrote:

...
I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long.

[snip]

Someone on our local LUG has noted that there are some people around trying brute-force attacks on SSH servers (i.e. try lots of combinations of username and password to see if any of them work).

If you don't need it, disable sshd; otherwise:

Make sure that your sshd is installed and configured properly:

o Up to date - there were a few security holes a while ago o root (and any other priviledged user) login is disabled o SSH v1 is disabled - allow only SSH v2 o Disable password login if possible, allowing only public/private key login

Also, make sure all the passwords on your system are strong.

Otherwise, it doesn't look like anything serious (unless the attacking IP is yours), but the disappearing net connection looks worthy of investigation (of course, it could just be the cracker overloading the link).

-- David Smith Work Email: Dave.Smith@st.com STMicroelectronics Home Email: David.Smith@ds-electronics.co.uk Bristol, England GPG Key: 0xF13192F2 Actually, the SSH service isn't used at all, here. Guess I could just tell runlevel editor not to bother with it, huh. Good idea. Thanks! -- ...CH "The more they over-think the plumbing,

On Friday 30 July 2004 08:44, David SMITH wrote: the easier it is to stop up the drain." Scotty

Rhugga

23:47

New subject: [SLE] Think I've been cracked... not certain

C Hamel wrote:

...

I have never before seen this. I have the firewall engaged. Not certain what ot make of it. All I know is that my internet connection went down the last two times of the three this happened , and has been a little flakey all day long. ==== Jul 29 05:30:53 linux sshd[6054]: Illegal user test from 163.19.207.248 Jul 29 05:30:53 linux sshd[6054]: input_userauth_request: illegal user test Jul 29 05:30:53 linux sshd[6054]: Failed password for illegal user test from 163.19.207.248 port 55657 ssh2 Jul 29 05:30:53 linux sshd[6054]: Received disconnect from 163.19.207.248: 11: Bye Bye Jul 29 05:30:59 linux sshd[6055]: Illegal user guest from 163.19.207.248 Jul 29 05:30:59 linux sshd[6055]: input_userauth_request: illegal user guest Jul 29 05:30:59 linux sshd[6055]: Failed password for illegal user guest from 163.19.207.248 port 55662 ssh2 Jul 29 05:31:00 linux sshd[6055]: Received disconnect from 163.19.207.248: 11: Bye Bye

Use snort or tcpdump to really see what's going on. If this is the only attack you are seeing against your box, it is likely some script kiddie's playing with all the hackware out there. (because these attacks are blantantly simple and sshd is the last service a true hacker would target being there are so many easier services to target) What you really wanna watch out for are the ICMP and UDP type attacks you will only detect using snort or tcpdump. (which is what snort uses) This is where the real threat lies..... -rhugga

7215

Age (days ago)

7216

Last active (days ago)

List overview

Download

26 comments

12 participants

participants (12)

Alex Angerhofer
C Hamel
David SMITH
Don Parris
Fred Miller
John
Louis Richards
Mike McMullin
Patrick Shanahan
Rhugga
Steve Kratz
Togan Muftuoglu