  1. #1
    Linux User
    Join Date
    Aug 2003
    Posts
    289

    can anyone tell me what this is?


    can anyone tell me what this is? found this in my logs, dated aug 9, just a few hours ago, since it's already aug 10 here.

    when i went to that IP below, it just showed me a page that you get when you test if Apache is working.

    i always get the SSHD Killed, Started message in my logs whether i'm connected to the net or not. but those illegal user entries aren't there always. just now i guess.

    --------------------- SSHD Begin ------------------------

    SSHD Killed: 1 Time(s)

    SSHD Started: 2 Time(s)

    **Unmatched Entries**
    Illegal user test from 211.233.7.79
    Illegal user guest from 211.233.7.79
    Illegal user admin from 211.233.7.79
    Illegal user admin from 211.233.7.79
    succeeded
    sshd -TERM succeeded
    succeeded

    ---------------------- SSHD End -------------------------
    Registered User #345074

  2. #2
    Linux Newbie
    Join Date
    Sep 2003
    Location
    St.Charles, Missouri, USA
    Posts
    201
    Looks like someone is trying to get a shell on your puter. Doesn't look like a big problem to me, just make sure that root login is disabled on ssh.
    Powered by Gentoo
    never ever ever use the hardened option in make.conf!
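The logwatch summary in the first post is the bare "Illegal user ... from ..." lines with the syslog prefix stripped. A quick way to triage such entries is to count them per source address and list the usernames each source tried: a short sweep through test/guest/admin is a dictionary attempt rather than a typo. The script below is an added example, not from the original thread; the log lines are constructed to mirror the first post (with a syslog prefix, as they appear in /var/log/auth.log), and it also accepts the "Invalid user" wording that later OpenSSH releases use. The threshold of 3 attempts is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): triage sshd "Illegal user" /
# "Invalid user" entries by source address.

# Constructed sample log, modelled on the first post; 10.0.0.5 and the
# accepted login for "alice" are made up to show non-matching lines.
SAMPLE_LOG=$(cat <<'EOF'
Aug  9 22:14:01 box sshd[4411]: Illegal user test from 211.233.7.79
Aug  9 22:14:03 box sshd[4413]: Illegal user guest from 211.233.7.79
Aug  9 22:14:05 box sshd[4415]: Illegal user admin from 211.233.7.79
Aug  9 22:14:07 box sshd[4417]: Illegal user admin from 211.233.7.79
Aug  9 23:01:10 box sshd[4501]: Invalid user oracle from 10.0.0.5
Aug  9 23:05:44 box sshd[4520]: Accepted publickey for alice from 192.168.1.20 port 50112 ssh2
EOF
)

# Read log text on stdin; print "count ip" per source, busiest first.
illegal_user_sources() {
    grep -E '(Illegal|Invalid) user ' \
        | sed -n -E 's/.*(Illegal|Invalid) user [^ ]+ from ([0-9.]+).*/\2/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Read log text on stdin; print the distinct usernames tried from one
# source, sorted and comma separated.
usernames_tried_by() {
    ip="$1"
    grep -E "(Illegal|Invalid) user [^ ]+ from $ip( |\$)" \
        | sed -n -E 's/.*(Illegal|Invalid) user ([^ ]+) from.*/\2/p' \
        | sort -u | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# Read log text on stdin; exit 0 if any single source reached the
# threshold (default 3, an assumption), 1 otherwise.
is_sweep() {
    threshold="${1:-3}"
    illegal_user_sources \
        | awk -v t="$threshold" '$1 >= t { found = 1 } END { exit found ? 0 : 1 }'
}

# Human-readable report over the sample log.
report() {
    printf '%s\n' "$SAMPLE_LOG" | illegal_user_sources | while read -r count ip; do
        names=$(printf '%s\n' "$SAMPLE_LOG" | usernames_tried_by "$ip")
        printf '%s attempts from %s (usernames: %s)\n' "$count" "$ip" "$names"
    done
    if printf '%s\n' "$SAMPLE_LOG" | is_sweep 3; then
        echo "verdict: dictionary sweep in progress"
    else
        echo "verdict: isolated failures only"
    fi
}

report
```

To run it against a real file, replace the `printf '%s\n' "$SAMPLE_LOG"` feeds with `cat /var/log/auth.log` (or whichever file sshd logs to on your system). The usernames a source cycles through are as telling as the count: test, guest and admin in four seconds is an automated list, not a person.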

  3. #3
    Linux User
    Join Date
    Aug 2003
    Posts
    289
    i explicitly close my SSH port when i connect to the Net. i know it is not stealthed, as it will reply to requests to this port. i don't have any TCP wrappers set on this port.

    who could be interested? i don't have anything of value on this machine. hehehe.. .
    Registered User #345074

  5. #4
    Linux User
    Join Date
    Aug 2003
    Posts
    289
    Here is a quick scan on IP address 211.233.7.79 for ports up to 1065. what the heck is this guy doing?!

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host (211.233.7.79) appears to be up ... good.
    Initiating SYN Stealth Scan against (211.233.7.79)
    Adding open port 443/tcp
    Adding open port 80/tcp
    Adding open port 122/tcp
    The SYN Stealth Scan took 75 seconds to scan 1065 ports.
    For OSScan assuming that port 80 is open and port 1 is closed and neither are firewalled
    Interesting ports on (211.233.7.79):
    (The 1052 ports scanned but not shown below are in state: closed)
    Port State Service
    80/tcp open http
    111/tcp filtered sunrpc
    122/tcp open smakynet
    135/tcp filtered loc-srv
    136/tcp filtered profile
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    443/tcp open https
    445/tcp filtered microsoft-ds
    514/tcp filtered shell
    515/tcp filtered printer
    593/tcp filtered http-rpc-epmap
    Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
    Uptime 92.460 days (since Sun May 9 15:09:11 2004)
    TCP Sequence Prediction: Class=random positive increments
    Difficulty=4834765 (Good luck!)
    IPID Sequence Generation: All zeros

    Nmap run completed -- 1 IP address (1 host up) scanned in 107 se

    -------------

    whois result from apnic
    Redirected to whois.nic.or.kr

    IPv4 Address : 211.233.7.0-211.233.7.255
    Network Name : KIDC-INFRA
    Connect ISP Name : KIDC
    Connect Date : 20021113
    Registration Date : 20031021

    [ Organization Information ]
    Organization ID : ORG137200
    Org Name : KOREAINTERNETDATACENTERInc.
    State : Seoul
    Address : KIDC 261-1, Nonhyun-dong, Kangnam-ku
    Zip Code : 135-010

    [ Admin Contact Information]
    Name : IP Administrator
    Org Name : KOREAINTERNETDATACENTERInc.
    State : Seoul
    Address : KIDC 261-1, Nonhyun-dong, Kangnam-ku
    Zip Code : 135-010
    Phone : +82-2-6440-2920
    Fax : +82-2-6440-2929
    E-Mail : support@kidc.net

    [ Technical Contact Information ]
    Name : IP manager
    Org Name : KOREAINTERNETDATACENTERInc.
    State : Seoul
    Address : KIDC 261-1, Nonhyun-dong, Kangnam-ku
    Zip Code : 135-010
    Phone : +82-2-6440-2925
    Fax : +82-2-6440-2929
    E-Mail : ip@kidc.net
    Registered User #345074

  6. #5
    Linux Newbie
    Join Date
    Sep 2003
    Location
    St.Charles, Missouri, USA
    Posts
    201
    i ran that scan too but decided against posting it. Maybe s/he is just looking for a box to f* up, looking for a challenge, or maybe install some apps and use your box as a proxy of some kind. Why do you run sshd if you kill it every time you get on the net?
    Powered by Gentoo
    never ever ever use the hardened option in make.conf!

  7. #6
    Linux User
    Join Date
    Aug 2003
    Posts
    289
    i'll unlist it from the service soon. i keep on forgetting. but paranoia on my side, i always remember to close almost all running ports within 1065 before i connect to the Net.

    if the WHOIS results are accurate, my guess is that it's one bored sysad guy in that Korean company.
    Registered User #345074

  8. #7
    Linux Newbie
    Join Date
    Jan 2004
    Location
    Belgrade, S&M
    Posts
    177
    Maybe the address is a fake one - based on the number of open ports. But if that is the case then somebody with some kind of interest is trying to get to you Only an idiot would try to do that from such an unprotected and opened machine. Could it be a dynamic ip ?

  9. #8
    Linux Guru kkubasik's Avatar
    Join Date
    Mar 2004
    Location
    Lat: 39:03:51N Lon: 77:14:37W
    Posts
    2,396
    maybe he's some dumb **** that thinks he's cool? I would think that no one could leave themselves that open, but if you're feeling safe, you could poke around a little more, maybe even try to authenticate; if he's got security that bad, his passwords probably aren't hot either....(don't screw anything up, just poke around a bit, you can find out a lot by a home dir)
    Avoid the Gates of Hell. Use Linux
    A Penny for your Thoughts

    Formerly Known as qub333

  10. #9
    Just Joined!
    Join Date
    Aug 2004
    Posts
    5
    1. Make sure you have secure 8+ character passwords -- no words, no quotes from books, nothing about you. If you want, try pwgen --no-numerals and look for neat words (Like "LiQUooSH" and such); these are weaker, but they're at least random, and difficult for a little scriptkiddie to crack.

    2. Make sure SSH is the latest version, so that any security holes are relatively new and unknown.

    3. Turn off ssh when not needed, and on ports it's not needed. Block it from your Internet facing interface.

    4. Get PaX and/or SSP on that thing. If you want stack smash protected SSH, you'll have to recompile OpenSSH with a gcc that has SSP/ProPolice patched in, using gcc -fstack-protector to enable it. You'll also want to recompile every library that ssh uses with -fstack-protector to ensure that all code ssh uses (and thus, that can be used to break into ssh) is protected from stack smashes.

    That all should be enough. I can't think of anything that gets around (3) but it's possible (i.e. if netfilter has a bug).

    if (3) and (1) fail, the attacker can succeed in getting in with 100% reproducibility.

    If (3) fails, (1) forces the attacker to resort to programming bugs, which should be stopped by (2).

    If (3) and (2) fail, and (1) holds, then the attacker has minimal chances of locating a programming bug which will allow him to successfully defeat (4); and not all of such bugs are guaranteed to be 100% reproducible.

    The failure of (3) depends on a bug in netfilter.
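Points (1) through (3) above, plus the earlier advice to disable root login, all come down to a handful of sshd_config keywords. The script below is an added example, not from the original thread: it audits a config file for those settings and shows a weak configuration beside a hardened one. Both config files are constructed; the LAN address 192.168.1.10 and the user name alice are assumptions. sshd takes the first occurrence of a keyword and matches keywords case-insensitively, which the lookup mirrors.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for the settings
# the thread recommends.  Both configs below are constructed.

WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Weak: root login and passwords on, SSH-1 fallback, bound to every interface.
cat >"$WEAK_CONF" <<'EOF'
# constructed weak configuration
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
EOF

# Hardened: keys only, protocol 2 only, listen on the LAN address only
# (192.168.1.10 and alice are assumptions).
cat >"$HARD_CONF" <<'EOF'
# constructed hardened configuration
Protocol 2
ListenAddress 192.168.1.10
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers alice
EOF

# conf_value FILE KEYWORD: effective value of KEYWORD (first occurrence,
# case-insensitive, comments skipped); prints nothing when unset.
conf_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: one line per weak setting, nothing when clean.
audit_sshd_config() {
    conf="$1"
    v=$(conf_value "$conf" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}' (OpenSSH of that era defaults to yes); set to no"
    fi
    v=$(conf_value "$conf" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}' (defaults to yes); use keys and set to no"
    fi
    v=$(conf_value "$conf" Protocol)
    case "$v" in
        *1*) echo "Protocol '$v' still offers SSH-1; set to 2" ;;
    esac
    v=$(conf_value "$conf" PermitEmptyPasswords)
    if [ "$v" = "yes" ]; then
        echo "PermitEmptyPasswords yes; set to no"
    fi
    v=$(conf_value "$conf" ListenAddress)
    if [ -z "$v" ]; then
        echo "no ListenAddress: sshd binds every interface, including the Internet-facing one"
    fi
    return 0
}

# weak_setting_count FILE: number of findings (always exits 0).
weak_setting_count() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f: $(weak_setting_count "$f") weak setting(s)"
    audit_sshd_config "$f"
done
```

Run `audit_sshd_config /etc/ssh/sshd_config` on a live box (the keyword set is the one the thread argues about, not a complete hardening checklist), then `sshd -t` after editing to confirm the file still parses before restarting the daemon. ListenAddress keeps sshd off the Internet-facing interface at the socket level; a netfilter rule dropping inbound tcp/22 on that interface is the belt to go with that suspender, which is the "block it" part of point (3).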

  11. #10
    Linux User
    Join Date
    Aug 2003
    Posts
    289
    yeah, it seems kinda ridiculous. the IP could've been spoofed. i mean, that IP is being used by some Internet Company, an ISP or something related. s/he could be a subscriber/customer. then again, who knows???

    ok, thanks guys! i don't think i'll poke around. that's illegal. i might get into trouble. i'll just protect myself instead.

    Registered User #345074
