
Re: failed ssh breakins on my exposed www box ..



You could also TCP Wrap the services.

That drops the BS quite a bit. :)

-Anne

On Sun, Mar 24, 2002 at 11:44:26AM -0500, Gary MacDougall wrote:
> I get these all the time.
> 
> I've come to expect people to do this.  It sucks, but hey,
> what can you do.  I'm fed up trying to report and chase them down.
> 
> We seriously need a US branch of the law-enforcement to deal
> with this sort of stuff.  I think if more people got prosecuted for
> trying to crack into a site, the level of BS would drop to zero.
> 
> Yeah, yeah, you can argue all you want about cracking and how
> valuable it is to keep a product secure.  But if you apply that logic
> to the real world, robbing a bank wouldn't be a federal offense,
> and it would be like a speeding ticket...
> 
> g.
> 
> 
> ----- Original Message -----
> From: "shiftee" <shiftee@manifestation.org>
> To: <debian-security@lists.debian.org>
> Sent: Sunday, March 24, 2002 11:35 AM
> Subject: Re: failed ssh breakins on my exposed www box ..
> 
> 
> > Hi,
> >
> > To find out who owns the IP block you can do 'whois -h whois.arin.net <ip>'.
> >
> > I don't think reporting it would achieve anything, just a friendly
> > warning from the ISP to the user in question.
> >
> > On Sun, Mar 24, 2002 at 08:01:04AM -0800, Stephen Hassard wrote:
> > > sorta what I figured, but it was a pretty half assed attempt. :P
> > >
> > > on a side note, are these typically worth reporting to the ISP of the
> > > attacker? I tried doing a DNS lookup on the box in question, but it
> > > doesn't seem to have an FQDN registered. What's the best way to figure
> > > out the admin for a subnet from a machine's IP?
> > >
> > > Thanks,
> > > Steve
> > >
> > > shiftee wrote:
> > > > It just looks like someone is trying to brute-force an account, I'm
> > > > sure there are plenty of places that provide tools for this.
> > > >
> > > > Just make sure you enforce secure passwords, and keep an eye on your
> > > > syslog.
> > > >
> > > > On Sun, Mar 24, 2002 at 07:11:25AM -0800, Stephen Hassard wrote:
> > > >
> > > >>Hi there,
> > > >>
> > > >>I found these in my event log from yesterday:
> > > >>
> > > >> >>>
> > > >>Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user www
> > > >>Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from 213.26.96.103 port 2276 ssh2
> > > >>Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for illegal user www from 213.26.96.103 port 2276 ssh2
> > > >>Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www from 213.26.96.103 port 2276 ssh2
> > > >>Mar 23 09:33:19 www sshd[10997]: input_userauth_request: illegal user oracle
> > > >>Mar 23 09:33:19 www sshd[10997]: Failed none for illegal user oracle from 213.26.96.103 port 2275 ssh2
> > > >>Mar 23 09:33:19 www sshd[10997]: Failed keyboard-interactive for illegal user oracle from 213.26.96.103 port 2275 ssh2
> > > >>Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle from 213.26.96.103 port 2275 ssh2
> > > >>Mar 23 09:33:19 www sshd[10999]: input_userauth_request: illegal user test
> > > >>Mar 23 09:33:19 www sshd[10999]: Failed none for illegal user test from 213.26.96.103 port 2277 ssh2
> > > >>Mar 23 09:33:19 www sshd[10999]: Failed keyboard-interactive for illegal user test from 213.26.96.103 port 2277 ssh2
> > > >>Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test from 213.26.96.103 port 2277 ssh2
> > > >><<<
> > > >>
> > > >>It seems from the timestamp that it's most likely a script kiddy;
> > > >>the time duration between failed password attempts seems really short.
> > > >>I'm just wondering if anyone's seen a script that does this and is
> > > >>available widely, or is it a good chance that I've got someone trying to
> > > >>break in? None of my other services seem to have been probed, just ssh.
> > > >>
> > > >>Thanks,
> > > >>Steve
> > > >>
> > > >>
> > > >>--
> > > >>To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > > >>with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > > >
> > > >
> > >
> > >
> > >
> >
> > --
> > shiftee <shiftee@manifestation.org>
> > PGP Key: 0xB7A36039@wwwkeys.pgp.net
> >
> >
> >
> >
> 
> 
> 
> 
> 

-- 

              .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator@cacr.caltech.edu 
(O/ O) \-'      ` -="""=.    ',  Center for Advanced Computing Research    
~`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
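The sshd lines Steve quoted are exactly the pattern shiftee's "keep an eye on your syslog" advice is about. As an added example (not code from anyone in this thread), this Python script parses those failed-auth lines, groups them by source address and flags any source that piles up several failures within a short window, the short-gap signature Steve noticed; the sample is a constructed subset of the quoted log, and the year 2002 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample: a subset of the sshd lines quoted in the thread.
SAMPLE_LOG = """\
Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user www
Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for illegal user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test from 213.26.96.103 port 2277 ssh2
"""
# Matches "Failed <method> for [illegal user] <name> from <ip> port <n>".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")

def parse_failures(text, year=2002):
    """Yield (timestamp, method, user, ip) per failed-auth line.
    syslog stamps carry no year; 2002 (the thread's year) is assumed."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["method"], m["user"], m["ip"]

def brute_force_sources(text, min_failures=3, window_seconds=60):
    """Return {ip: (failures, users_tried, span_seconds)} for every source
    with at least min_failures failures inside any window_seconds span,
    the short-gap pattern the poster noticed."""
    by_ip = defaultdict(list)
    for ts, _method, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        best, j = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted times
            while (t - times[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_failures:
            users = sorted({u for _, u in events})
            flagged[ip] = (len(events), users, (times[-1] - times[0]).total_seconds())
    return flagged

if __name__ == "__main__":
    for ip, (n, users, span) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures, users {users}, within {span:.0f}s")
```

A flagged address is the kind of input Anne's TCP Wrappers suggestion acts on (a hosts.deny entry for sshd), and the list of usernames tried shows whether the source is walking a wordlist rather than targeting one real account.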
