
Re: failed ssh breakins on my exposed www box ..



I get these all the time.

I've come to expect people to do this.  It sucks, but hey,
what can you do.  I'm fed up trying to report and chase them down.

We seriously need a US branch of the law-enforcement to deal
with this sort of stuff.  I think if more people got prosecuted for
trying to crack into a site, the level of BS would drop to zero.

Yeah, yeah, you can argue all you want about cracking and how
valuable it is to keep a product secure.  But if you apply that logic
to the real world, robbing a bank wouldn't be a federal offense,
and it would be like a speeding ticket...

g.


----- Original Message -----
From: "shiftee" <shiftee@manifestation.org>
To: <debian-security@lists.debian.org>
Sent: Sunday, March 24, 2002 11:35 AM
Subject: Re: failed ssh breakins on my exposed www box ..


> Hi,
>
> To find out who owns the IP block you can do 'whois -h whois.arin.net <ip>'.
>
> I don't think reporting it would achieve anything, just a friendly
> warning from the ISP to the user in question.
>
> On Sun, Mar 24, 2002 at 08:01:04AM -0800, Stephen Hassard wrote:
> > sorta what I figured, but it was a pretty half assed attempt. :P
> >
> > on a side note, are these typically worth reporting to the ISP of the
> > attacker? I tried doing a DNS lookup on the box in question, but it
> > doesn't seem to have an FQDN registered. What's the best way to figure
> > out the admin for a subnet from a machine's IP?
> >
> > Thanks,
> > Steve
> >
> > shiftee wrote:
> > > It just looks like someone is trying to brute-force an account, I'm
> > > sure there are plenty of places that provide tools for this.
> > >
> > > Just make sure you enforce secure passwords, and keep an eye on your
> > > syslog.
> > >
> > > On Sun, Mar 24, 2002 at 07:11:25AM -0800, Stephen Hassard wrote:
> > >
> > >>Hi there,
> > >>
> > >>I found these in my event log from yesterday:
> > >>
> > >> >>>
> > >>Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user www
> > >>Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from 213.26.96.103 port 2276 ssh2
> > >>Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for illegal user www from 213.26.96.103 port 2276 ssh2
> > >>Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www from 213.26.96.103 port 2276 ssh2
> > >>Mar 23 09:33:19 www sshd[10997]: input_userauth_request: illegal user oracle
> > >>Mar 23 09:33:19 www sshd[10997]: Failed none for illegal user oracle from 213.26.96.103 port 2275 ssh2
> > >>Mar 23 09:33:19 www sshd[10997]: Failed keyboard-interactive for illegal user oracle from 213.26.96.103 port 2275 ssh2
> > >>Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle from 213.26.96.103 port 2275 ssh2
> > >>Mar 23 09:33:19 www sshd[10999]: input_userauth_request: illegal user test
> > >>Mar 23 09:33:19 www sshd[10999]: Failed none for illegal user test from 213.26.96.103 port 2277 ssh2
> > >>Mar 23 09:33:19 www sshd[10999]: Failed keyboard-interactive for illegal user test from 213.26.96.103 port 2277 ssh2
> > >>Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test from 213.26.96.103 port 2277 ssh2
> > >><<<
> > >>
> > >>It seems from the timestamp that it's most likely a script kiddy;
> > >>the time duration between failed password attempts seems really short.
> > >>I'm just wondering if anyone's seen a script that does this and is
> > >>available widely, or is it a good chance that I've got someone trying to
> > >>break in? None of my other services seem to have been probed, just ssh.
> > >>
> > >>Thanks,
> > >>Steve
> > >>
> > >>
> > >>--
> > >>To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > >>with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
> > >
> > >
> >
> >
> >
>
> --
> shiftee <shiftee@manifestation.org>
> PGP Key: 0xB7A36039@wwwkeys.pgp.net
>
>
>
>


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.342 / Virus Database: 189 - Release Date: 3/15/2002


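A small check of the kind that shiftee's "keep an eye on your syslog" advice implies, added here as an example and not code from anyone in the thread: it parses sshd "Failed ... for" lines in the format quoted above and flags a source address that hits several accounts within a short window, which is the pattern Steve noticed. The year (syslog timestamps have none) and the second, non-flagged address in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Failed <method> for [illegal ]user <name> from <ip> port <n> ssh2"
# lines quoted in the thread (OpenSSH 3.x wording).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample in the same shape as the excerpt in the thread; the
# 10.0.0.5 line is an invented single failure that should not be flagged.
SAMPLE_LOG = """\
Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user www
Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test from 213.26.96.103 port 2277 ssh2
Mar 23 11:02:41 www sshd[11120]: Failed password for steve from 10.0.0.5 port 40111 ssh2
"""

def parse_failures(text, year=2002):
    """Return (timestamp, user, ip) for each failed-auth line; other lines are skipped.
    The year is assumed because syslog timestamps do not carry one."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"]))
    return out

def find_bursts(events, window_s=60, min_attempts=3, min_users=2):
    """Map each source IP that produced >= min_attempts failures against
    >= min_users distinct accounts inside some window_s-second span to the
    sorted list of accounts it tried (three accounts in four seconds above)."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            span = [u for t, u in evs[i:] if (t - start).total_seconds() <= window_s]
            if len(span) >= min_attempts and len(set(span)) >= min_users:
                alerts[ip] = sorted(set(span))
                break
    return alerts

if __name__ == "__main__":
    for ip, users in find_bursts(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: burst against {', '.join(users)}")
```

Feed it `grep sshd /var/log/auth.log` output to run it over a real day's log; the thresholds are only a starting point.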


