
Re: failed ssh breakins on my exposed www box ..



Hi,

To find out who owns the IP block you can do 'whois -h whois.arin.net <ip>'.

I don't think reporting it would achieve anything, just a friendly
warning from the ISP to the user in question.

On Sun, Mar 24, 2002 at 08:01:04AM -0800, Stephen Hassard wrote:
> sorta what I figured, but it was a pretty half assed attempt. :P
> 
> on a side note, are these typically worth reporting to the ISP of the 
> attacker? I tried doing a DNS lookup on the box in question, but it 
> doesn't seem to have an FQDN registered. What's the best way to figure 
> out the admin for a subnet from a machine's IP?
> 
> Thanks,
> Steve
> 
> shiftee wrote:
> > It just looks like someone is trying to brute-force an account, I'm
> > sure there are plenty of places that provide tools for this.
> > 
> > Just make sure you enforce secure passwords, and keep an eye on your
> > syslog.
> > 
> > On Sun, Mar 24, 2002 at 07:11:25AM -0800, Stephen Hassard wrote:
> > 
> >>Hi there,
> >>
> >>I found these in my event log from yesterday:
> >>
> >> >>>
> >>Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user www
> >>Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from 
> >>213.26.96.103 port 2276 ssh2
> >>Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for illegal 
> >>user www from 213.26.96.103 port 2276 ssh2
> >>Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www 
> >>from 213.26.96.103 port 2276 ssh2
> >>Mar 23 09:33:19 www sshd[10997]: input_userauth_request: illegal user oracle
> >>Mar 23 09:33:19 www sshd[10997]: Failed none for illegal user oracle 
> >>from 213.26.96.103 port 2275 ssh2
> >>Mar 23 09:33:19 www sshd[10997]: Failed keyboard-interactive for illegal 
> >>user oracle from 213.26.96.103 port 2275 ssh2
> >>Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle 
> >>from 213.26.96.103 port 2275 ssh2
> >>Mar 23 09:33:19 www sshd[10999]: input_userauth_request: illegal user test
> >>Mar 23 09:33:19 www sshd[10999]: Failed none for illegal user test from 
> >>213.26.96.103 port 2277 ssh2
> >>Mar 23 09:33:19 www sshd[10999]: Failed keyboard-interactive for illegal 
> >>user test from 213.26.96.103 port 2277 ssh2
> >>Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test 
> >>from 213.26.96.103 port 2277 ssh2
> >><<<
> >>
> >>It seems from the timestamp that it's most likely a script kiddy; 
> >>the time duration between failed password attempts seems really short. 
> >>I'm just wondering if anyone's seen a script that does this and is 
> >>available widely, or is it a good chance that I've got someone trying to 
> >>break in? None of my other services seem to have been probed, just ssh.
> >>
> >>Thanks,
> >>Steve
> >>
> >>
> >>-- 
> >>To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> >>with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > 
> > 
> 
> 
> 

-- 
shiftee <shiftee@manifestation.org>
PGP Key: 0xB7A36039@wwwkeys.pgp.net

