Re: The crackers are out there

From: Damien Hull <dhull@digitaloverload.net>
Date: Mon Nov 19 2007 - 13:18:15 AKST

No. I didn't try to contact anyone.

Jim Gribbin wrote:
> Just out of curiosity, did you send the "abuse" contact anything?
> Probably wouldn't do any good, but ...
>
> Jim
>
> Damien Hull wrote:
>
>> I set up a test server on Friday. Needed something to play on.
>>
>> * Ubuntu 7.10 server
>> * User: administrator
>> * Password: password
>> * OpenSSH server: port 22 (default)
>>
>> I was about to change the password but changed my mind at the last
>> minute. I thought it would be cool to see how long it took before
>> someone got in. Well, I was unable to login this morning.
>>
>> 1. Rebooted the server in single user mode ( hit the power button )
>> 2. Checked /var/log/auth.log ( grep administrator auth.log | less )
>> 3. The cracker got in yesterday
>> 4. It took about 3 days for someone to break in
>>
>> Nov 18 17:26:55 email sshd[18468]: Accepted password for administrator from 82.79.221.68 port 1758 ssh2
>> Nov 18 17:26:55 email sshd[18474]: pam_unix(ssh:session): session opened for user administrator by (uid=0)
>> Nov 18 17:31:36 email passwd[18616]: pam_unix(passwd:chauthtok): password changed for administrator
>> Nov 18 17:33:14 email sshd[18474]: pam_unix(ssh:session): session closed for user administrator
>> Nov 19 01:47:54 email sshd[18897]: Accepted password for administrator from 82.78.219.48 port 2624 ssh2
>>
>> whois on 82.79.221.68
>>
>> administrator@email:/$ whois 82.79.221.68
>> % This is the RIPE Whois query server #2.
>> % The objects are in RPSL format.
>> %
>> % Rights restricted by copyright.
>> % See http://www.ripe.net/db/copyright.html
>>
>> % Note: This output has been filtered.
>> % To receive output for a database update, use the "-B" flag
>>
>> % Information related to '82.76.0.0 - 82.79.255.255'
>>
>> inetnum: 82.76.0.0 - 82.79.255.255
>> org: ORG-RA18-RIPE
>> admin-c: CN19-RIPE
>> netname: RO-RDS-20030714
>> descr: RCS & RDS SA
>> country: RO
>> tech-c: RDS-RIPE
>> status: ALLOCATED PA
>> mnt-by: RIPE-NCC-HM-MNT
>> mnt-lower: AS8708-MNT
>> mnt-routes: AS8708-MNT
>> source: RIPE # Filtered
>>
>> organisation: ORG-RA18-RIPE
>> org-name: RCS & RDS SA
>> org-type: LIR
>> address: Forum 2000 Building
>> 71-75 Dr. Staicovici
>> address: 050557
>> address: Bucharest
>> address: Romania
>> phone: +40 21 3010850
>> phone: +40 21 3010888
>> fax-no: +40 21 3010892
>> admin-c: CN19-RIPE
>> mnt-ref: AS8708-MNT
>> mnt-ref: RIPE-NCC-HM-MNT
>> mnt-by: RIPE-NCC-HM-MNT
>> source: RIPE # Filtered
>>
>> role: Romania Data Systems NOC
>> address: 71-75 Dr. Staicovici
>> address: Bucharest / ROMANIA
>> phone: +40 21 30 10 888
>> fax-no: +40 21 30 10 892
>> abuse-mailbox: abuse@rcs-rds.ro
>> admin-c: CN19-RIPE
>> admin-c: GEPU1-RIPE
>> tech-c: CN19-RIPE
>> tech-c: GEPU1-RIPE
>> nic-hdl: RDS-RIPE
>> mnt-by: AS8708-MNT
>> remarks: +--------------------------------------------------------------+
>> remarks: | ABUSE CONTACT: abuse@rcs-rds.ro IN CASE OF HACK ATTACKS,     |
>> remarks: | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.       |
>> remarks: | !! PLEASE DO NOT CONTACT OTHER PERSONS FOR THESE PROBLEMS !! |
>> remarks: +--------------------------------------------------------------+
>> source: RIPE # Filtered
>>
>> person: Ciprian Nica
>> remarks: Senior IP Engineer
>> remarks: Romania Data Systems
>> address: Bucharest, Romania
>> phone: + 40 31 400 42 43
>> abuse-mailbox: abuse@rcs-rds.ro
>> remarks: ------------------------------------------------
>> remarks: | Please don't send me any abuse complaints. |
>> remarks: | Use abuse@rcs-rds.ro for that or contact |
>> remarks: | your service provider or local authorities |
>> remarks: ------------------------------------------------
>> nic-hdl: CN19-RIPE
>> mnt-by: NIMACI-MNT
>> source: RIPE # Filtered
>>
>> % Information related to '82.76.0.0/14AS8708'
>>
>> route: 82.76.0.0/14
>> descr: RDSNET
>> origin: AS8708
>> mnt-by: AS8708-MNT
>> source: RIPE # Filtered
>>
>>
>> administrator@email:/$
>>
>> NOTE:
>> I have no idea what the person did once they got onto the system. I'll
>> have to do some searching. I'll backup /var. If anyone wants to see my
>> logs let me know. I will reinstall Ubuntu today.
>>
>> Stay safe!
>>
>>

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
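The triage Damien describes (grep auth.log for the user, find the "Accepted password" line, notice the password change a few minutes later) can be scripted so it is repeatable and catches every source address rather than the one that jumped out. The script below is an added example, not code from the post or from anyone on the list. It parses the five auth.log lines quoted above, rejoined one per line, plus one constructed line standing in for the owner's own login from the LAN; it assumes the year 2007 (syslog timestamps carry no year) and that 192.168.1.0/24 is the owner's trusted network. Run it against the copy of /var/log/auth.log taken off the box, and keep in mind that a log written on a host the intruder controlled may be incomplete.

```python
"""Triage helper for an sshd auth.log: who got in, from where, and whether a
password was changed right after a login (the lock-the-owner-out pattern)."""
import ipaddress
import re
from datetime import datetime, timedelta

# Sample input: the five auth.log lines quoted in the post, one per line, plus one
# CONSTRUCTED line (Nov 16, 192.168.1.10) standing in for the owner's own LAN login
# so the report has a trusted source to contrast with.
SAMPLE_AUTH_LOG = """\
Nov 16 09:02:11 email sshd[1201]: Accepted password for administrator from 192.168.1.10 port 50322 ssh2
Nov 18 17:26:55 email sshd[18468]: Accepted password for administrator from 82.79.221.68 port 1758 ssh2
Nov 18 17:26:55 email sshd[18474]: pam_unix(ssh:session): session opened for user administrator by (uid=0)
Nov 18 17:31:36 email passwd[18616]: pam_unix(passwd:chauthtok): password changed for administrator
Nov 18 17:33:14 email sshd[18474]: pam_unix(ssh:session): session closed for user administrator
Nov 19 01:47:54 email sshd[18897]: Accepted password for administrator from 82.78.219.48 port 2624 ssh2
"""

TS = r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"
ACCEPTED_RE = re.compile(
    TS + r" \S+ sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")
PASSWD_RE = re.compile(
    TS + r" \S+ passwd\[\d+\]: pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)")


def parse_ts(stamp, year):
    # syslog timestamps have no year; the caller supplies it (assumed 2007 here).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_auth_log(text, year=2007):
    """Return (logins, password_changes) as lists of dicts, in file order."""
    logins, changes = [], []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            logins.append({"ts": parse_ts(m["ts"], year), "user": m["user"],
                           "ip": m["ip"], "method": m["method"], "pid": int(m["pid"])})
            continue
        m = PASSWD_RE.match(line)
        if m:
            changes.append({"ts": parse_ts(m["ts"], year), "user": m["user"]})
    return logins, changes


def untrusted_logins(logins, trusted_nets):
    """Successful logins whose source address lies outside every trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return [l for l in logins
            if not any(ipaddress.ip_address(l["ip"]) in n for n in nets)]


def first_compromise(logins, trusted_nets):
    """Earliest untrusted login: the best estimate of when the box fell."""
    hits = untrusted_logins(logins, trusted_nets)
    return min(hits, key=lambda l: l["ts"]) if hits else None


def password_changes_after_login(logins, changes, window=timedelta(minutes=30)):
    """Pair each password change with the latest login for the same user within
    `window` before it. Returns (source_ip, user, seconds_between) tuples."""
    pairs = []
    for ch in changes:
        prior = [l for l in logins
                 if l["user"] == ch["user"] and timedelta(0) <= ch["ts"] - l["ts"] <= window]
        if prior:
            login = max(prior, key=lambda l: l["ts"])
            pairs.append((login["ip"], ch["user"], (ch["ts"] - login["ts"]).total_seconds()))
    return pairs


def report(text, trusted_nets, year=2007):
    """Human-readable findings, one per line."""
    logins, changes = parse_auth_log(text, year)
    out = []
    first = first_compromise(logins, trusted_nets)
    if first:
        out.append(f"first untrusted login: {first['ts']} {first['user']} from {first['ip']}")
    for l in untrusted_logins(logins, trusted_nets):
        out.append(f"untrusted login: {l['ts']} {l['user']} from {l['ip']} ({l['method']})")
    for ip, user, secs in password_changes_after_login(logins, changes):
        out.append(f"password for {user} changed {secs:.0f}s after login from {ip}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_AUTH_LOG, ["192.168.1.0/24"]):
        print(line)
```

On the sample data the report shows the two Romanian-allocated sources as untrusted, dates the first break-in to Nov 18 17:26:55, and flags the password change 281 seconds after that login. Point `report()` at the full saved auth.log and widen or narrow `trusted_nets` to match the addresses you actually log in from.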
Received on Mon Nov 19 13:18:02 2007

This archive was generated by hypermail 2.1.8 : Mon Nov 19 2007 - 13:18:03 AKST