Posted: 10/22/2004 4:22:44 PM EST
So I went on a trip out of town for a job interview the other day. I turned SSH on and took my laptop, in case I needed some file from the home computer or something. Taking a look at the logs after I get home, I find these:

Oct 19 17:52:13 myip sshd[13672]: Did not receive identification string from 211.91.16.88
Oct 19 17:56:22 myip sshd[13703]: Illegal user patrick from 211.91.16.88
Oct 19 17:56:24 myip sshd[13705]: Illegal user patrick from 211.91.16.88
Oct 19 17:56:39 myip sshd[13717]: Illegal user rolo from 211.91.16.88
Oct 19 17:56:41 myip sshd[13719]: Illegal user iceuser from 211.91.16.88
Oct 19 17:56:44 myip sshd[13721]: Illegal user horde from 211.91.16.88
Oct 19 17:56:51 myip sshd[13727]: Illegal user wwwrun from 211.91.16.88
Oct 19 17:56:53 myip sshd[13729]: Illegal user matt from 211.91.16.88
(snipped a bunch of other tries with dumb user names)
Oct 20 23:53:32 myip sshd[21528]: Illegal user patrick from 80.55.81.122
Oct 20 23:53:37 myip sshd[21530]: Illegal user patrick from 80.55.81.122
Oct 20 23:53:56 myip sshd[21542]: Illegal user rolo from 80.55.81.122
Oct 20 23:54:01 myip sshd[21544]: Illegal user iceuser from 80.55.81.122
Oct 20 23:54:06 myip sshd[21546]: Illegal user horde from 80.55.81.122
Oct 20 23:54:25 myip sshd[21552]: Illegal user wwwrun from 80.55.81.122
Oct 20 23:54:28 myip sshd[21554]: Illegal user matt from 80.55.81.122
(snipped a bunch more tries with the same dumb user names)

Taking a closer look, I see:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Insufficient responses for TCP sequencing (2), OS detection may be less accurate
Interesting ports on (211.91.16.88):
(The 1585 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
1521/tcp open oracle
1720/tcp filtered H.323/Q.931
6000/tcp open X11
27374/tcp filtered subseven
Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha, Linux Kernel 2.4.3 SMP (RedHat)
Nmap run completed -- 1 IP address (1 host up) scanned in 72 seconds

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on sd122.internetdsl.tpnet.pl (80.55.81.122):
(The 1598 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 1.282 days (since Thu Oct 21 13:27:55 2004)
Nmap run completed -- 1 IP address (1 host up) scanned in 319 seconds

What really seems strange is the repeated use of the same odd user names. They could at least try root - it still wouldn't work on my computer, but it's at least a user, and they'd be root if they succeeded. Is there some kind of program that tries these names or something?
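An added example (not the poster's code) that answers the question above from the log-reading side: it parses sshd "Illegal user" lines like the ones quoted, flags sources that cycle through several nonexistent accounts, and spots two sources that are working from the same name list. The sample lines are constructed from the quoted ones; the 192.0.2.7 entry is made up to show a single mistyped login that should not be flagged.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample modelled on the lines quoted in the post (not the poster's full log).
SAMPLE_LOG = """\
Oct 19 17:52:13 myip sshd[13672]: Did not receive identification string from 211.91.16.88
Oct 19 17:56:22 myip sshd[13703]: Illegal user patrick from 211.91.16.88
Oct 19 17:56:24 myip sshd[13705]: Illegal user patrick from 211.91.16.88
Oct 19 17:56:39 myip sshd[13717]: Illegal user rolo from 211.91.16.88
Oct 19 17:56:41 myip sshd[13719]: Illegal user iceuser from 211.91.16.88
Oct 20 23:53:32 myip sshd[21528]: Illegal user patrick from 80.55.81.122
Oct 20 23:53:56 myip sshd[21542]: Illegal user rolo from 80.55.81.122
Oct 20 23:54:01 myip sshd[21544]: Illegal user iceuser from 80.55.81.122
Oct 21 09:10:00 myip sshd[30001]: Illegal user bob from 192.0.2.7
"""

# Old OpenSSH wording ("Illegal user"); newer releases log "Invalid user" instead.
ILLEGAL_USER = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def attempts_by_source(log_text):
    """Map source IP -> list of usernames tried, in log order (repeats kept)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            by_ip[m.group("ip")].append(m.group("user"))
    return dict(by_ip)

def flag_scanners(by_ip, min_distinct=3):
    """IPs that tried at least min_distinct different nonexistent accounts: one
    mistyped login is user error, a run of names that do not exist here is a wordlist."""
    return sorted(ip for ip, users in by_ip.items() if len(set(users)) >= min_distinct)

def shared_wordlists(by_ip, min_overlap=3):
    """Pairs of IPs whose tried-name sets overlap in at least min_overlap names;
    the same odd names from unrelated hosts points to one tool run from both."""
    pairs = []
    for a, b in combinations(sorted(by_ip), 2):
        common = set(by_ip[a]) & set(by_ip[b])
        if len(common) >= min_overlap:
            pairs.append((a, b, sorted(common)))
    return pairs

if __name__ == "__main__":
    by_ip = attempts_by_source(SAMPLE_LOG)
    print("automated guessing from:", flag_scanners(by_ip))
    print("sources sharing a name list:", shared_wordlists(by_ip))
```

On a real box, feed it the output of `grep sshd /var/log/auth.log` (or `/var/log/secure`, depending on the distribution) instead of SAMPLE_LOG.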
Link Posted: 10/22/2004 4:23:56 PM EST
how do you "check the logs"?
Link Posted: 10/22/2004 4:24:24 PM EST
Link Posted: 10/22/2004 4:25:15 PM EST
Now, I'm pretty damn computer literate, but I have no idea what you just said other than that there were some fucktards messing with your computer.
Link Posted: 10/22/2004 4:27:23 PM EST
Link Posted: 10/22/2004 4:27:50 PM EST

Originally Posted By ColonelKlink:

Originally Posted By Mmanwitgun:
how do you "check the logs"?



/var/log/



Try to explain it like you were instructing a 5 year old, I don't understand
Link Posted: 10/22/2004 4:30:41 PM EST

Originally Posted By Mmanwitgun:

Originally Posted By ColonelKlink:

Originally Posted By Mmanwitgun:
how do you "check the logs"?



/var/log/



Try to explain it like you were instructing a 5 year old, I don't understand



This would be nice also.
Link Posted: 10/22/2004 4:34:23 PM EST
[Last Edit: 10/22/2004 4:52:42 PM EST by the]
On unix systems, various system logfiles are usually kept in the directory /var/log

/var - named so because the size varies constantly, IIRC.

/log - 'cause there be logs there.

Like C:\temp\logs or something, except that it makes more sense.

Link Posted: 10/22/2004 4:37:10 PM EST
If you don't have the penguin running in your computer, it is all geek to you.
Link Posted: 10/22/2004 4:41:39 PM EST

Originally Posted By ar-wrench:
If you don't have the penguin running in your computer, it is all geek to you.



The penguin running in your computer? Sounds like some weird metaphor for doing drugs.
Link Posted: 10/22/2004 4:43:00 PM EST
Link Posted: 10/22/2004 4:43:58 PM EST
Would someone kindly translate that into English?
Link Posted: 10/22/2004 4:50:55 PM EST
[Last Edit: 10/22/2004 4:51:42 PM EST by the]

Originally Posted By Zaphod:
Would someone kindly translate that into English?



(see above for what /var/log is)

"SSH" is a 'secure shell' - you get a command prompt (like C:\>) over an encrypted connection to a server. Lets you do whatever on your server, remotely.

He was looking at system logs, and saw a bunch of failed login attempts. It's odd that they didn't try logging in as 'root' - root is the master login with full permissions on a *nix system. Like the 'administrator' login on a Windows box. You get that, you get everything.

I haven't used *nix in a few years. Geeks, please correct any errors.

I have also had a few tonight.
Link Posted: 10/22/2004 4:59:15 PM EST
[Last Edit: 10/22/2004 5:27:07 PM EST by fike]
unix linux operating system mascot

http://www.infoplex.com/unix/images/penguin2-150.jpg
Link Posted: 10/22/2004 5:01:30 PM EST
He is running Unix and/or Linux, which is an operating system like Windows is. Unix is used more by IT guys or uber computer nerds. It has a Graphical User Interface but most Unix users don't use it. They use a shell, much like DOS is for Windows. Now he is referring to log files that Unix creates and maintains. In the particular log file he was looking at, it keeps tabs on external attempts made to gain control of or access to his machine. If they were able to gain root access to his system they would have FULL control. Root access is like the Administrator password for a Windows PC.

I hope this has helped the not so nerdy type understand what mace was talking about.
Link Posted: 10/22/2004 5:02:15 PM EST

Originally Posted By the:

Originally Posted By Zaphod:
Would someone kindly translate that into English?



(see above for what /var/log is)

"SSH" is a 'secure shell' - you get a command prompt (like C:\>) over an encrypted connection to a server. Lets you do whatever on your server, remotely.

He was looking at system logs, and saw a bunch of failed login attempts. It's odd that they didn't try logging in as 'root' - root is the master login with full permissions on a *nix system. Like the 'administrator' login on a Windows box. You get that, you get everything.

I haven't used *nix in a few years. Geeks, please correct any errors.

I have also had a few tonight.



Pretty much. Plus, there's no way to know what other users there are on the system. root is always the superuser on any *nix system, but there's no way to know what the usernames of the normal users with admin privileges are. So trying random usernames is pretty dumb, because there's no way to know whether that user exists at all.
Link Posted: 10/22/2004 5:02:44 PM EST
penguin = Linux
Link Posted: 10/22/2004 5:05:58 PM EST

Originally Posted By ar-wrench:
penguin = Linux



oops, thought it was unix.
Link Posted: 10/22/2004 5:09:16 PM EST

Originally Posted By ar-wrench:
penguin = Linux



Hello
Link Posted: 10/22/2004 5:10:10 PM EST
If they kept trying the same username, and not 'root' or a sendmail crack or the like, it's probably just some luser with the wrong IP address wondering why he can't get into his box.
Link Posted: 10/22/2004 5:17:23 PM EST
Link Posted: 10/22/2004 5:17:43 PM EST
Sounds like a remote FTP connection to me
Link Posted: 10/22/2004 5:18:02 PM EST
Can you track who did it from the ID numbers?
Link Posted: 10/22/2004 5:22:43 PM EST
Link Posted: 10/22/2004 5:22:45 PM EST
lol... IP
Link Posted: 10/22/2004 5:24:10 PM EST
I like to get into box.
Link Posted: 10/22/2004 5:30:32 PM EST
Okay, who has pinged the offender's address, tracert'd it, then tried to connect to HIS ftp, http, or SMTP ports?
Link Posted: 10/22/2004 5:31:24 PM EST

Originally Posted By Zaphod:
Can you track who did it from the ID numbers?



Sorta. That's the second part of the original message. I ran nmap (a program that scans people's computers over the internet) on their IP addresses. Both of them have several services open on their computers. The guy with http (web access) open has it showing the test page from a fresh install. The guy with ftp on is allowing anonymous access. I'm guessing these people have a mostly stock install of some Linux variant (having never bothered to check what services are running and set their firewalls) and are trying out some hacking program. Or someone else hacked those computers and is using them to hack other computers, but if that's the case, I'd expect their attempts at hacking my computer to look a little more competent (trying to log in as root, for example).