Re: The crackers are out there

From: Jim Gribbin <jimgribbin@gmail.com>
Date: Mon Nov 19 2007 - 12:12:43 AKST

Just out of curiosity, did you send the "abuse" contact anything?
Probably wouldn't do any good, but ...

Jim

Damien Hull wrote:
> I setup a test server on Friday. Needed something to play on.
>
> * Ubuntu 7.10 server
> * User: administrator
> * Password: password
> * OpenSSH server: port 22 (default)
>
> I was about to change the password but changed my mind at the last
> minute. I thought it would be cool to see how long it took before
> someone got in. Well, I was unable to login this morning.
>
> 1. Rebooted the server in single user mode ( hit the power button )
> 2. Checked /var/log/auth.log ( grep administrator auth.log | less )
> 3. The cracker got in yesterday
> 4. It took about 3 days for someone to break in
>
> Nov 18 17:26:55 email sshd[18468]: Accepted password for administrator from 82.79.221.68 port 1758 ssh2
> Nov 18 17:26:55 email sshd[18474]: pam_unix(ssh:session): session opened for user administrator by (uid=0)
> Nov 18 17:31:36 email passwd[18616]: pam_unix(passwd:chauthtok): password changed for administrator
> Nov 18 17:33:14 email sshd[18474]: pam_unix(ssh:session): session closed for user administrator
> Nov 19 01:47:54 email sshd[18897]: Accepted password for administrator from 82.78.219.48 port 2624 ssh2
>
> whois on 82.79.221.68
>
> administrator@email:/$ whois 82.79.221.68
> % This is the RIPE Whois query server #2.
> % The objects are in RPSL format.
> %
> % Rights restricted by copyright.
> % See http://www.ripe.net/db/copyright.html
>
> % Note: This output has been filtered.
> % To receive output for a database update, use the "-B" flag
>
> % Information related to '82.76.0.0 - 82.79.255.255'
>
> inetnum: 82.76.0.0 - 82.79.255.255
> org: ORG-RA18-RIPE
> admin-c: CN19-RIPE
> netname: RO-RDS-20030714
> descr: RCS & RDS SA
> country: RO
> tech-c: RDS-RIPE
> status: ALLOCATED PA
> mnt-by: RIPE-NCC-HM-MNT
> mnt-lower: AS8708-MNT
> mnt-routes: AS8708-MNT
> source: RIPE # Filtered
>
> organisation: ORG-RA18-RIPE
> org-name: RCS & RDS SA
> org-type: LIR
> address: Forum 2000 Building
> 71-75 Dr. Staicovici
> address: 050557
> address: Bucharest
> address: Romania
> phone: +40 21 3010850
> phone: +40 21 3010888
> fax-no: +40 21 3010892
> admin-c: CN19-RIPE
> mnt-ref: AS8708-MNT
> mnt-ref: RIPE-NCC-HM-MNT
> mnt-by: RIPE-NCC-HM-MNT
> source: RIPE # Filtered
>
> role: Romania Data Systems NOC
> address: 71-75 Dr. Staicovici
> address: Bucharest / ROMANIA
> phone: +40 21 30 10 888
> fax-no: +40 21 30 10 892
> abuse-mailbox: abuse@rcs-rds.ro
> admin-c: CN19-RIPE
> admin-c: GEPU1-RIPE
> tech-c: CN19-RIPE
> tech-c: GEPU1-RIPE
> nic-hdl: RDS-RIPE
> mnt-by: AS8708-MNT
> remarks: +--------------------------------------------------------------+
> remarks: | ABUSE CONTACT: abuse@rcs-rds.ro IN CASE OF HACK ATTACKS, |
> remarks: | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC. |
> remarks: | !! PLEASE DO NOT CONTACT OTHER PERSONS FOR THESE PROBLEMS !! |
> remarks: +--------------------------------------------------------------+
> source: RIPE # Filtered
>
> person: Ciprian Nica
> remarks: Senior IP Engineer
> remarks: Romania Data Systems
> address: Bucharest, Romania
> phone: + 40 31 400 42 43
> abuse-mailbox: abuse@rcs-rds.ro
> remarks: ------------------------------------------------
> remarks: | Please don't send me any abuse complaints. |
> remarks: | Use abuse@rcs-rds.ro for that or contact |
> remarks: | your service provider or local authorities |
> remarks: ------------------------------------------------
> nic-hdl: CN19-RIPE
> mnt-by: NIMACI-MNT
> source: RIPE # Filtered
>
> % Information related to '82.76.0.0/14AS8708'
>
> route: 82.76.0.0/14
> descr: RDSNET
> origin: AS8708
> mnt-by: AS8708-MNT
> source: RIPE # Filtered
>
>
> administrator@email:/$
>
> NOTE:
> I have no idea what the person did once they got onto the system. I'll
> have to do some searching. I'll backup /var. If anyone wants to see my
> logs let me know. I will reinstall Ubuntu today.
>
> Stay safe!
>
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Mon Nov 19 12:15:35 2007
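The auth.log review Damien describes (grep for the user, then read the accepted logins, session open/close and passwd entries by hand), written up as a small script. This is an added example, not code from either message: it parses the quoted log lines plus one constructed "Failed password" line, rebuilds the per-session timeline, and flags what a defender would want to see, a login from outside the trusted ranges and a password change made during that session. The trusted address prefixes are an assumption for the example.

```python
import re

# Constructed sample: the auth.log lines quoted in Damien's post, plus one
# constructed "Failed password" line showing what a guessing attempt looks like.
AUTH_LOG = """\
Nov 18 17:26:40 email sshd[18460]: Failed password for administrator from 82.79.221.68 port 1750 ssh2
Nov 18 17:26:55 email sshd[18468]: Accepted password for administrator from 82.79.221.68 port 1758 ssh2
Nov 18 17:26:55 email sshd[18474]: pam_unix(ssh:session): session opened for user administrator by (uid=0)
Nov 18 17:31:36 email passwd[18616]: pam_unix(passwd:chauthtok): password changed for administrator
Nov 18 17:33:14 email sshd[18474]: pam_unix(ssh:session): session closed for user administrator
Nov 19 01:47:54 email sshd[18897]: Accepted password for administrator from 82.78.219.48 port 2624 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+\[\d+\]: (.*)$")
AUTH = re.compile(r"(Accepted|Failed) password for (\S+) from (\S+) port \d+")
SESSION = re.compile(r"session (opened|closed) for user (\S+)")
CHAUTHTOK = re.compile(r"password changed for (\S+)")

def parse_auth_log(text):
    """Turn raw auth.log lines into (timestamp, kind, user, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        if a := AUTH.search(msg):
            events.append((ts, a.group(1).lower(), a.group(2), a.group(3)))
        elif s := SESSION.search(msg):
            events.append((ts, "session_" + s.group(1), s.group(2), None))
        elif c := CHAUTHTOK.search(msg):
            events.append((ts, "password_changed", c.group(1), None))
    return events

def review(events, trusted_prefixes=("10.", "192.168.")):
    """Flag accepted logins from outside the trusted ranges (assumed here) and any
    password change that happens while such a login's session is still open."""
    findings = []
    untrusted_session = {}  # user -> source IP of the untrusted login still open
    for ts, kind, user, src in events:
        if kind == "accepted" and not src.startswith(trusted_prefixes):
            findings.append(f"{ts}: {user} logged in from untrusted {src}")
            untrusted_session[user] = src
        elif kind == "session_closed":
            untrusted_session.pop(user, None)
        elif kind == "password_changed" and user in untrusted_session:
            findings.append(f"{ts}: {user} password changed during session from {untrusted_session[user]}")
    return findings

if __name__ == "__main__":
    for finding in review(parse_auth_log(AUTH_LOG)):
        print(finding)
```

Run against a real /var/log/auth.log it gives the same three-line story as the quoted excerpt: the accepted login, the password change a few minutes later, and the second login the next morning.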

This archive was generated by hypermail 2.1.8 : Mon Nov 19 2007 - 12:15:36 AKST