crack attempt?
aha -- i think i actually attracted a script kiddie!
----- Forwarded message from root <root@serensoft.com> -----
Subject: boss 2004/08/09 02:02 system check
From: root <root@serensoft.com>
Date: Mon, 09 Aug 2004 02:02:05 -0500
To: root@serensoft.com
This mail is sent by logcheck. If you do not want to receive it any more,
please modify the configuration files in /etc/logcheck or deinstall logcheck.
Possible Security Violations
=-=-=-=-=-=-=-=-=-=
Aug 9 02:01:13 boss PAM_unix[17097]: authentication failure; (uid=0) -> guest for ssh service
Aug 9 02:01:15 boss sshd[17097]: Failed password for guest from 216.57.26.222 port 4839 ssh2
Aug 9 02:01:23 boss PAM_unix[17107]: authentication failure; (uid=0) -> guest for ssh service
Aug 9 02:01:24 boss PAM_unix[17109]: authentication failure; (uid=0) -> root for ssh service
Aug 9 02:01:25 boss sshd[17107]: Failed password for guest from 216.57.26.222 port 1261 ssh2
Aug 9 02:01:26 boss sshd[17109]: Failed password for root from 216.57.26.222 port 1302 ssh2
Aug 9 02:01:28 boss PAM_unix[17113]: authentication failure; (uid=0) -> root for ssh service
Aug 9 02:01:30 boss sshd[17113]: Failed password for root from 216.57.26.222 port 1450 ssh2
Aug 9 02:01:31 boss PAM_unix[17119]: authentication failure; (uid=0) -> root for ssh service
Aug 9 02:01:34 boss sshd[17119]: Failed password for root from 216.57.26.222 port 1574 ssh2
Aug 9 02:01:35 boss PAM_unix[17122]: authentication failure; (uid=0) -> root for ssh service
Aug 9 02:01:37 boss sshd[17122]: Failed password for root from 216.57.26.222 port 1630 ssh2
Aug 9 02:01:40 boss PAM_unix[17125]: authentication failure; (uid=0) -> root for ssh service
Aug 9 02:01:41 boss sshd[17125]: Failed password for root from 216.57.26.222 port 1823 ssh2
Aug 9 02:01:43 boss PAM_unix[17127]: authentication failure; (uid=0) -> root for ssh service
Aug 9 02:01:45 boss sshd[17127]: Failed password for root from 216.57.26.222 port 1939 ssh2
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Aug 9 02:01:13 boss PAM_unix[17097]: authentication failure; (uid=0) -> guest for ssh service
Aug 9 02:01:15 boss sshd[17097]: Failed password for guest from 216.57.26.222 port 4839 ssh2
Aug 9 02:01:23 boss PAM_unix[17107]: authentication failure; (uid=0) -> guest for ssh service
Aug 9 02:01:24 boss PAM_unix[17109]: authentication failure; (uid=0) -> root for ssh service
Aug 9 02:01:25 boss sshd[17107]: Failed password for guest from 216.57.26.222 port 1261 ssh2
Aug 9 02:01:26 boss sshd[17109]: Failed password for root from 216.57.26.222 port 1302 ssh2
Aug 9 02:01:28 boss PAM_unix[17113]: authentication failure; (uid=0) -> root for ssh service
Aug 9 02:01:30 boss sshd[17113]: Failed password for root from 216.57.26.222 port 1450 ssh2
Aug 9 02:01:31 boss PAM_unix[17119]: authentication failure; (uid=0) -> root for ssh service
Aug 9 02:01:34 boss sshd[17119]: Failed password for root from 216.57.26.222 port 1574 ssh2
Aug 9 02:01:35 boss PAM_unix[17122]: authentication failure; (uid=0) -> root for ssh service
Aug 9 02:01:37 boss sshd[17122]: Failed password for root from 216.57.26.222 port 1630 ssh2
Aug 9 02:01:40 boss PAM_unix[17125]: authentication failure; (uid=0) -> root for ssh service
Aug 9 02:01:41 boss sshd[17125]: Failed password for root from 216.57.26.222 port 1823 ssh2
Aug 9 02:01:43 boss PAM_unix[17127]: authentication failure; (uid=0) -> root for ssh service
Aug 9 02:01:45 boss sshd[17127]: Failed password for root from 216.57.26.222 port 1939 ssh2
----- End forwarded message -----
the fact that each attempt is a few seconds from the previous
one (and that there were only eight tries) leads me to believe
this was a human, and not a 'bot of some sort.
he even tried "guest"! (standard windows hole -- is it of likely
concern to a debian system?)
$ whois 222.26.57.216.in-addr.arpa
No match found for 222.26.57.216.in-addr.arpa.
# ARIN WHOIS database, last updated 2004-08-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
$ whois 216.57.26.222
OrgName: eLink Communications INC.
OrgID: ELNK
Address: 39 Broadway
Address: 19th Floor
City: New York
StateProv: NY
PostalCode: 10006
Country: US
NetRange: 216.57.0.0 - 216.57.63.255
CIDR: 216.57.0.0/18
NetName: EUREKANETWORKS-IP-D8390000-18
NetHandle: NET-216-57-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS-AUTH1.ISP.E-NT.NET
NameServer: NS-AUTH2.ISP.E-NT.NET
NameServer: NS-AUTH3.ISP.E-NT.NET
Comment:
RegDate:
Updated: 2004-04-19
AbuseHandle: ENAA-ARIN
AbuseName: Eureka Networks Abuse Administrator
AbusePhone: +1-800-562-4206
AbuseEmail: abuse@isp.e-nt.net
NOCHandle: EIA-ARIN
NOCName: Eureka Networks IP Administrator
NOCPhone: +1-800-562-4206
NOCEmail: ipadmin@isp.e-nt.net
TechHandle: EIA-ARIN
TechName: Eureka Networks IP Administrator
TechPhone: +1-800-562-4206
TechEmail: ipadmin@isp.e-nt.net
OrgAbuseHandle: ENAA-ARIN
OrgAbuseName: Eureka Networks Abuse Administrator
OrgAbusePhone: +1-800-562-4206
OrgAbuseEmail: abuse@isp.e-nt.net
OrgNOCHandle: EIA-ARIN
OrgNOCName: Eureka Networks IP Administrator
OrgNOCPhone: +1-800-562-4206
OrgNOCEmail: ipadmin@isp.e-nt.net
OrgTechHandle: EIA-ARIN
OrgTechName: Eureka Networks IP Administrator
OrgTechPhone: +1-800-562-4206
OrgTechEmail: ipadmin@isp.e-nt.net
# ARIN WHOIS database, last updated 2004-08-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
--
I use Debian/GNU Linux version 3.0;
Linux boss 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i586 unknown
DEBIAN NEWBIE TIP #50 from Will Trillich <will@serensoft.com>:
Want to specify EDITOR SETTINGS WHEN LAUNCHING FROM MUTT?
Put something like this in your ~/.muttrc file:
set editor="vim -c 'set ft=mail tw=64'"
That ensures that Vim syntax highlighting is set for "mail"
patterns, and that text will wrap automatically at 64
columns. (For more info, try ":help tw" or ":help ft" when
inside Vim. Also, browse /usr/share/doc/mutt/html/manual.html
for the full scoop on customizing Mutt.)
Also see http://newbieDoc.sourceForge.net/ ...
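The "a few seconds apart, only eight tries, probably a human" reasoning in the post, turned into a small detection script; this is an added example, not code from the original message. It parses the sshd "Failed password" lines logcheck reported, groups them per source address, and reports count, usernames and spacing of attempts; the thresholds in classify() and the sub-second burst from 192.0.2.10 are constructed assumptions for the demo.

```python
import re
from datetime import datetime
from statistics import median

FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+) port")

def parse_failures(lines, year=2004):
    """(timestamp, user, ip) per sshd 'Failed password' line; 2004 syslog stamps carry no year."""
    out = []
    for m in filter(None, map(FAILED_RE.match, lines)):  # PAM_unix and other lines skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"]))
    return out

def summarize(failures):
    """Per source IP: attempt count, usernames tried, smallest and median gap in seconds."""
    by_ip = {}
    for ts, user, ip in sorted(failures):
        by_ip.setdefault(ip, []).append((ts, user))
    report = {}
    for ip, tries in by_ip.items():
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(tries, tries[1:])]
        report[ip] = {"attempts": len(tries), "users": sorted({u for _, u in tries}),
                      "min_gap": min(gaps, default=None),
                      "median_gap": median(gaps) if gaps else None}
    return report

def classify(stats, max_attempts=10, min_gap_s=1.0):
    """The post's heuristic: few tries, seconds apart, reads as manual. A rough signal only."""
    slow = stats["min_gap"] is None or stats["min_gap"] >= min_gap_s
    return "few-and-slow" if stats["attempts"] <= max_attempts and slow else "scripted"

# Sample input: the eight sshd lines from the logcheck mail above, plus a
# constructed sub-second burst from 192.0.2.10 (a documentation address) for contrast.
SAMPLE = """\
Aug 9 02:01:15 boss sshd[17097]: Failed password for guest from 216.57.26.222 port 4839 ssh2
Aug 9 02:01:25 boss sshd[17107]: Failed password for guest from 216.57.26.222 port 1261 ssh2
Aug 9 02:01:26 boss sshd[17109]: Failed password for root from 216.57.26.222 port 1302 ssh2
Aug 9 02:01:30 boss sshd[17113]: Failed password for root from 216.57.26.222 port 1450 ssh2
Aug 9 02:01:34 boss sshd[17119]: Failed password for root from 216.57.26.222 port 1574 ssh2
Aug 9 02:01:37 boss sshd[17122]: Failed password for root from 216.57.26.222 port 1630 ssh2
Aug 9 02:01:41 boss sshd[17125]: Failed password for root from 216.57.26.222 port 1823 ssh2
Aug 9 02:01:45 boss sshd[17127]: Failed password for root from 216.57.26.222 port 1939 ssh2
Aug 9 02:05:00 boss sshd[17201]: Failed password for root from 192.0.2.10 port 2001 ssh2
Aug 9 02:05:00 boss sshd[17202]: Failed password for root from 192.0.2.10 port 2002 ssh2
Aug 9 02:05:01 boss sshd[17203]: Failed password for admin from 192.0.2.10 port 2003 ssh2
""".splitlines()

def report_sample():  # {ip: (stats, verdict)} for the sample above
    return {ip: (s, classify(s)) for ip, s in summarize(parse_failures(SAMPLE)).items()}
```

Feeding it the real /var/log/auth.log instead of SAMPLE shows the same per-address spacing the post eyeballed, and a low-and-slow tool deliberately pacing its guesses will land in the "few-and-slow" bucket too, so treat the verdict as a prompt for a closer look rather than a conclusion.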