On Sun, 2004-10-17 at 22:02, Damien Hull wrote:
> I'm sitting here surfing the net. My dsl modem is right next to me. I
> happened to see traffic going through when there shouldn't have been. 
> 
> I did a "netstat -ta" to see if anything on my box was connecting to the
> net. What I found was much worse. I saw an ssh connection from my box to
> an ip address I have never seen. 
> 
> Here's what I found in /var/log/messages.
> Oct 17 21:40:33 tower1 sshd[31174]: Failed password for test from
> 218.21.78.22 port 3716 ssh2
> Oct 17 21:40:38 tower1 sshd[31176]: Illegal user guest from 218.21.78.22
> Oct 17 21:40:38 tower1 sshd[31176]: Failed password for illegal user
> guest from 218.21.78.22 port 3941 ssh2
> Oct 17 21:40:44 tower1 sshd[31178]: Illegal user admin from 218.21.78.22
> Oct 17 21:40:44 tower1 sshd[31178]: Failed password for illegal user
> admin from 218.21.78.22 port 4217 ssh2
> Oct 17 21:40:49 tower1 sshd[31180]: Illegal user admin from 218.21.78.22
> Oct 17 21:40:49 tower1 sshd[31180]: Failed password for illegal user
> admin from 218.21.78.22 port 4442 ssh2
> Oct 17 21:40:54 tower1 sshd[31182]: Illegal user user from 218.21.78.22
> Oct 17 21:40:54 tower1 sshd[31182]: Failed password for illegal user
> user from 218.21.78.22 port 4728 ssh2
> Oct 17 21:41:00 tower1 sshd[31184]: Failed password for root from
> 218.21.78.22 port 4993 ssh2
> Oct 17 21:41:05 tower1 sshd[31186]: Failed password for root from
> 218.21.78.22 port 1322 ssh2
> Oct 17 21:41:11 tower1 sshd[31188]: Failed password for root from
> 218.21.78.22 port 1602 ssh2
> Oct 17 21:41:19 tower1 sshd[31190]: Failed password for test from
> 218.21.78.22 port 1917 ssh2
> Oct 17 21:51:12 tower1 su(pam_unix)[31349]: session opened for user root
> by (uid=1002)
> 
> It turns out that the ip is from some isp in china. Here's the whois
> info.
> 
> inetnum:      218.21.64.0 - 218.21.127.255
> netname:      CHINANET-GX
> descr:        CHINANET Guangxi province network
> descr:        China Telecom
> descr:        A12,Xin-Jie-Kou-Wai Street
> descr:        Beijing 100088
> country:      CN
> admin-c:      CH93-AP
> tech-c:       CR766-AP
> mnt-by:       MAINT-CHINANET
> mnt-lower:    MAINT-CHINANET-GX
> changed:      hostmaster@ns.chinanet.cn.net 20010731
> status:       ALLOCATED NON-PORTABLE
> source:       APNIC
> 
> role:         CHINANET GUANGXI
> address:      No.35,Minzhu Road,Nanning 530015
> country:      CN
> phone:        +86-771-2815987
> fax-no:       +86-771-2839278
> e-mail:       hostmaster@gx163.net
> trouble:      send spam reports to hostmaster@gx163.net
> trouble:      send abuse reports to hostmaster@gx163.net
> trouble:      times in GMT+8
> admin-c:      CR76-AP
> tech-c:       BD37-AP
> nic-hdl:      CR766-AP
> remarks:      http://www.gx.cninfo.net
> notify:       hostmaster@gx163.net
> mnt-by:       MAINT-CHINANET-GX
> changed:      hostmaster@gx163.net 20021024
> source:       APNIC
> 
> person:       Chinanet Hostmaster
> address:      No.31 ,jingrong street,beijing
> address:      100032
> country:      CN
> phone:        +86-10-66027112
> fax-no:       +86-10-58501144
> e-mail:       hostmaster@ns.chinanet.cn.net
> e-mail:       anti-spam@ns.chinanet.cn.net
> nic-hdl:      CH93-AP
> mnt-by:       MAINT-CHINANET
> changed:      hostmaster@ns.chinanet.cn.net 20021016
> remarks:      hostmaster is not for spam complaint,please send spam
> complaint to anti-spam@ns.chinanet.cn.net
> source:       APNIC
> 
These kinds of attack attempts have been happening for quite a while.
Typically large networks block all traffic from chinanet.
We do this via our very nice ImageStream router.
I.e.:
Oct 17 11:13:04 routerman sshd[1867]: Failed password for illegal user
cosmin from 65.42.15.249 port 30849 ssh2
Oct 17 11:13:10 routerman sshd[1869]: Failed password for root from
65.42.15.249 port 31180 ssh2
Oct 17 11:13:16 routerman sshd[1871]: Failed password for root from
65.42.15.249 port 31508 ssh2
Oct 17 11:13:26 routerman sshd[1873]: Failed password for root from
65.42.15.249 port 31825 ssh2
So I then just add:
# route add -host 65.42.15.249 reject
Or you could block the /24 or /8 etc.
Dee
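As an added example (not code from this thread), the following Python script does by hand what Dee describes doing from the log: it parses the sshd "Failed password" lines in the format quoted above, counts failures per source address, and emits the reject-route command for review rather than running it. The failure threshold, the sample log (built from the thread's line format, with 192.0.2.10 as a constructed second source) and the /24 variant are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Matches the sshd lines quoted in this thread, e.g.
#   "Failed password for root from 218.21.78.22 port 4993 ssh2"
#   "Failed password for illegal user guest from 218.21.78.22 port 3941 ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample in the thread's own format (one event per line, unwrapped).
SAMPLE_LOG = """\
Oct 17 21:40:33 tower1 sshd[31174]: Failed password for test from 218.21.78.22 port 3716 ssh2
Oct 17 21:40:38 tower1 sshd[31176]: Illegal user guest from 218.21.78.22
Oct 17 21:40:38 tower1 sshd[31176]: Failed password for illegal user guest from 218.21.78.22 port 3941 ssh2
Oct 17 21:40:44 tower1 sshd[31178]: Failed password for illegal user admin from 218.21.78.22 port 4217 ssh2
Oct 17 21:41:00 tower1 sshd[31184]: Failed password for root from 218.21.78.22 port 4993 ssh2
Oct 17 21:41:05 tower1 sshd[31186]: Failed password for root from 218.21.78.22 port 1322 ssh2
Oct 17 21:41:11 tower1 sshd[31188]: Failed password for root from 218.21.78.22 port 1602 ssh2
Oct 17 21:45:02 tower1 sshd[31200]: Failed password for root from 192.0.2.10 port 2001 ssh2
Oct 17 21:51:12 tower1 su(pam_unix)[31349]: session opened for user root by (uid=1002)
"""

def failed_logins(lines):
    """Return {source_ip: Counter(username -> failures)} for sshd password failures."""
    by_ip = defaultdict(Counter)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            by_ip[m.group("ip")][m.group("user")] += 1
    return by_ip

def brute_force_sources(lines, threshold=5):
    """Source IPs with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(ip for ip, users in failed_logins(lines).items()
                  if sum(users.values()) >= threshold)

def reject_route_commands(ips, prefix=32):
    """net-tools route commands for a per-host reject (prefix 32) or a wider block."""
    cmds = []
    for ip in ips:
        if prefix == 32:
            cmds.append(f"route add -host {ip} reject")
        else:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            cmds.append(f"route add -net {net.network_address} netmask {net.netmask} reject")
    return cmds

if __name__ == "__main__":
    for cmd in reject_route_commands(brute_force_sources(SAMPLE_LOG.splitlines())):
        print(cmd)  # review, then run as root if you agree with the block
```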
Received on Sun Oct 17 22:36:25 2004
This archive was generated by hypermail 2.1.8 : Sun Oct 17 2004 - 22:36:25 AKDT