I set up a test server on Friday. Needed something to play on.
* Ubuntu 7.10 server
* User: administrator
* Password: password
* OpenSSH server: port 22 (default)
I was about to change the password but changed my mind at the last
minute. I thought it would be cool to see how long it took before
someone got in. Well, I was unable to log in this morning.
1. Rebooted the server in single user mode (hit the power button)
2. Checked /var/log/auth.log (grep administrator auth.log | less)
3. The cracker got in yesterday
4. It took about 3 days for someone to break in
Nov 18 17:26:55 email sshd[18468]: Accepted password for administrator from 82.79.221.68 port 1758 ssh2
Nov 18 17:26:55 email sshd[18474]: pam_unix(ssh:session): session opened for user administrator by (uid=0)
Nov 18 17:31:36 email passwd[18616]: pam_unix(passwd:chauthtok): password changed for administrator
Nov 18 17:33:14 email sshd[18474]: pam_unix(ssh:session): session closed for user administrator
Nov 19 01:47:54 email sshd[18897]: Accepted password for administrator from 82.78.219.48 port 2624 ssh2
whois on 82.79.221.68
administrator@email:/$ whois 82.79.221.68
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag
% Information related to '82.76.0.0 - 82.79.255.255'
inetnum: 82.76.0.0 - 82.79.255.255
org: ORG-RA18-RIPE
admin-c: CN19-RIPE
netname: RO-RDS-20030714
descr: RCS & RDS SA
country: RO
tech-c: RDS-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS8708-MNT
mnt-routes: AS8708-MNT
source: RIPE # Filtered
organisation: ORG-RA18-RIPE
org-name: RCS & RDS SA
org-type: LIR
address: Forum 2000 Building
71-75 Dr. Staicovici
address: 050557
address: Bucharest
address: Romania
phone: +40 21 3010850
phone: +40 21 3010888
fax-no: +40 21 3010892
admin-c: CN19-RIPE
mnt-ref: AS8708-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
role: Romania Data Systems NOC
address: 71-75 Dr. Staicovici
address: Bucharest / ROMANIA
phone: +40 21 30 10 888
fax-no: +40 21 30 10 892
abuse-mailbox: abuse@rcs-rds.ro
admin-c: CN19-RIPE
admin-c: GEPU1-RIPE
tech-c: CN19-RIPE
tech-c: GEPU1-RIPE
nic-hdl: RDS-RIPE
mnt-by: AS8708-MNT
remarks: +--------------------------------------------------------------+
remarks: | ABUSE CONTACT: abuse@rcs-rds.ro IN CASE OF HACK ATTACKS,      |
remarks: | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.        |
remarks: | !! PLEASE DO NOT CONTACT OTHER PERSONS FOR THESE PROBLEMS !!  |
remarks: +--------------------------------------------------------------+
source: RIPE # Filtered
person: Ciprian Nica
remarks: Senior IP Engineer
remarks: Romania Data Systems
address: Bucharest, Romania
phone: + 40 31 400 42 43
abuse-mailbox: abuse@rcs-rds.ro
remarks: ------------------------------------------------
remarks: | Please don't send me any abuse complaints. |
remarks: | Use abuse@rcs-rds.ro for that or contact |
remarks: | your service provider or local authorities |
remarks: ------------------------------------------------
nic-hdl: CN19-RIPE
mnt-by: NIMACI-MNT
source: RIPE # Filtered
% Information related to '82.76.0.0/14AS8708'
route: 82.76.0.0/14
descr: RDSNET
origin: AS8708
mnt-by: AS8708-MNT
source: RIPE # Filtered
administrator@email:/$
NOTE:
I have no idea what the person did once they got onto the system. I'll
have to do some searching. I'll back up /var. If anyone wants to see my
logs let me know. I will reinstall Ubuntu today.
Stay safe!
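The steps above (grep auth.log for the account, spot the "Accepted password" line, then look up the source address) can be scripted so that a successful login preceded by a burst of failures from the same address stands out on its own. The following is an added example and not the poster's code: it parses the sshd and passwd lines in the format shown in the message. The "Accepted password" and "password changed" lines are copied from the post; the "Failed password" lines are constructed to stand in for the brute-force attempts that normally precede such a login (the post does not show them), and the threshold of three prior failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample input. The Accepted/password-changed lines are the ones
# quoted in the post; the Failed lines are made up for this example.
SAMPLE_AUTH_LOG = """\
Nov 18 17:20:01 email sshd[18401]: Failed password for administrator from 82.79.221.68 port 1701 ssh2
Nov 18 17:20:03 email sshd[18403]: Failed password for administrator from 82.79.221.68 port 1702 ssh2
Nov 18 17:20:05 email sshd[18405]: Failed password for invalid user oracle from 82.79.221.68 port 1703 ssh2
Nov 18 17:26:55 email sshd[18468]: Accepted password for administrator from 82.79.221.68 port 1758 ssh2
Nov 18 17:26:55 email sshd[18474]: pam_unix(ssh:session): session opened for user administrator by (uid=0)
Nov 18 17:31:36 email passwd[18616]: pam_unix(passwd:chauthtok): password changed for administrator
Nov 18 17:33:14 email sshd[18474]: pam_unix(ssh:session): session closed for user administrator
Nov 19 01:47:54 email sshd[18897]: Accepted password for administrator from 82.78.219.48 port 2624 ssh2
"""

# sshd authentication result lines ("invalid user" marks accounts that do not exist).
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)
# passwd(1) via pam_unix reporting a changed password.
PASSWD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ passwd\[\d+\]: "
    r"pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)$"
)


def parse_auth_log(text):
    """Turn auth.log text into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "kind": m["result"].lower(),
                           "method": m["method"], "user": m["user"], "ip": m["ip"]})
            continue
        m = PASSWD_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "kind": "passwd_changed",
                           "user": m["user"], "ip": None})
    return events


def analyze(text, min_failures=3):
    """Summarize logins and flag successes that follow a run of failures from the same IP.

    min_failures is an assumed threshold; tune it for the host in question.
    """
    events = parse_auth_log(text)
    failures_so_far = Counter()   # failures per source IP seen before the current line
    accepted, suspicious, changes = [], [], []
    for e in events:
        if e["kind"] == "failed":
            failures_so_far[e["ip"]] += 1
        elif e["kind"] == "accepted":
            accepted.append(e)
            if failures_so_far[e["ip"]] >= min_failures:
                suspicious.append({**e, "prior_failures": failures_so_far[e["ip"]]})
        elif e["kind"] == "passwd_changed":
            changes.append(e)
    return {
        "failed_by_ip": dict(failures_so_far),
        "accepted": accepted,
        "suspicious": suspicious,
        "password_changes": changes,
        # Every source IP that logged in successfully: feed these to whois.
        "login_ips": sorted({e["ip"] for e in accepted}),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG)
    for e in report["suspicious"]:
        print(f"{e['ts']} {e['user']} from {e['ip']} after {e['prior_failures']} failures")
    for e in report["password_changes"]:
        print(f"{e['ts']} password changed for {e['user']}")
    print("look up with whois:", ", ".join(report["login_ips"]))
```

Run against a real /var/log/auth.log (plus the rotated auth.log.* files, since sshd entries from three days earlier may already have been rotated), the "suspicious" list is the thing to read first; the second successful login from a different address in the post is the sort of entry a per-IP count would not catch, which is why the script also lists every source address of a successful login for a whois lookup.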
Received on Mon Nov 19 10:04:55 2007