- 08-09-2004 #1 Linux User
can anyone tell me what this is?
Can anyone tell me what this is? I found this in my logs, dated Aug 9, just a few hours ago, since it's already Aug 10 here.
When I went to that IP below, it just showed me the page that you get when you test if Apache is working.
I always get the SSHD Killed/Started messages in my logs whether I'm connected to the net or not. But those illegal user entries aren't always there. Just now, I guess.
--------------------- SSHD Begin ------------------------
SSHD Killed: 1 Time(s)
SSHD Started: 2 Time(s)
**Unmatched Entries**
Illegal user test from 211.233.7.79
Illegal user guest from 211.233.7.79
Illegal user admin from 211.233.7.79
Illegal user admin from 211.233.7.79
succeeded
sshd -TERM succeeded
succeeded
---------------------- SSHD End -------------------------
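Added here as a defender-side example, not something any poster in the thread provided: a short Python script that turns "Illegal user" lines like the ones above into a per-source summary, so a run of guesses against one box stands out. The syslog-style lines and the 10.0.0.5 source are constructed sample input; the "Invalid user" spelling is what newer OpenSSH logs for the same event.

```python
import re
from collections import defaultdict

# Constructed sample input: the Unmatched Entries from the report above plus
# two made-up syslog-style lines of the kind sshd writes for the same event.
SAMPLE_LOG = """\
Illegal user test from 211.233.7.79
Illegal user guest from 211.233.7.79
Illegal user admin from 211.233.7.79
Illegal user admin from 211.233.7.79
Aug  9 23:41:02 box sshd[4127]: Illegal user root from 211.233.7.79
Aug  9 23:41:09 box sshd[4130]: Illegal user oracle from 10.0.0.5
"""

# Match the event anywhere in the line; newer OpenSSH logs "Invalid user".
ILLEGAL_USER_RE = re.compile(
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
# Accounts that are probed constantly and should never be reachable over ssh.
SENSITIVE_USERS = {"root", "admin", "administrator"}


def parse_illegal_users(text):
    """Return {source_ip: [username, ...]} in the order the lines appear."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        m = ILLEGAL_USER_RE.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)


def summarize(text, threshold=3):
    """Per source: attempt count, distinct names tried, and a 'suspicious'
    flag for a guessing run (>= threshold attempts) or a sensitive name."""
    report = {}
    for ip, users in parse_illegal_users(text).items():
        distinct = sorted(set(users))
        report[ip] = {
            "attempts": len(users),
            "users": distinct,
            "suspicious": len(users) >= threshold or bool(SENSITIVE_USERS & set(distinct)),
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{ip}: {info['attempts']} attempts, users={info['users']} [{flag}]")
```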
- 08-09-2004 #2 Linux Newbie
Looks like someone is trying to get a shell on your puter. Doesn't look like a big problem to me, just make sure that root login is disabled on ssh.
Powered by Gentoo
never ever ever use the hardened option in make.conf!
- 08-09-2004 #3 Linux User
I explicitly close my SSH port when I connect to the Net. I know it is not stealthed, as it will reply to requests to this port. I don't have any TCP wrappers set on this port.
Who could be interested? I don't have anything of value on this machine. hehehe...
- 08-09-2004 #4 Linux User
Here is a quick scan on IP address 211.233.7.79 for ports up to 1065. What the heck is this guy doing?!
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (211.233.7.79) appears to be up ... good.
Initiating SYN Stealth Scan against (211.233.7.79)
Adding open port 443/tcp
Adding open port 80/tcp
Adding open port 122/tcp
The SYN Stealth Scan took 75 seconds to scan 1065 ports.
For OSScan assuming that port 80 is open and port 1 is closed and neither are firewalled
Interesting ports on (211.233.7.79):
(The 1052 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
111/tcp filtered sunrpc
122/tcp open smakynet
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
514/tcp filtered shell
515/tcp filtered printer
593/tcp filtered http-rpc-epmap
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 92.460 days (since Sun May 9 15:09:11 2004)
TCP Sequence Prediction: Class=random positive increments
Difficulty=4834765 (Good luck!)
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 107 se
-------------
whois result from apnic
Redirected to whois.nic.or.kr
IPv4 Address : 211.233.7.0-211.233.7.255
Network Name : KIDC-INFRA
Connect ISP Name : KIDC
Connect Date : 20021113
Registration Date : 20031021
[ Organization Information ]
Organization ID : ORG137200
Org Name : KOREAINTERNETDATACENTERInc.
State : Seoul
Address : KIDC 261-1, Nonhyun-dong, Kangnam-ku
Zip Code : 135-010
[ Admin Contact Information]
Name : IP Administrator
Org Name : KOREAINTERNETDATACENTERInc.
State : Seoul
Address : KIDC 261-1, Nonhyun-dong, Kangnam-ku
Zip Code : 135-010
Phone : +82-2-6440-2920
Fax : +82-2-6440-2929
E-Mail : support@kidc.net
[ Technical Contact Information ]
Name : IP manager
Org Name : KOREAINTERNETDATACENTERInc.
State : Seoul
Address : KIDC 261-1, Nonhyun-dong, Kangnam-ku
Zip Code : 135-010
Phone : +82-2-6440-2925
Fax : +82-2-6440-2929
E-Mail : ip@kidc.net
- 08-09-2004 #5 Linux Newbie
I ran that scan too but decided against posting it.
Maybe s/he is just looking for a box to f* up, looking for a challenge, or maybe to install some apps and use your box as a proxy of some kind. Why do you run sshd if you kill it every time you get on the net?
- 08-09-2004 #6 Linux User
I'll unlist it from the service soon. I keep on forgetting. But, paranoia on my side, I always remember to close almost all running ports within 1065 before I connect to the Net.
If the WHOIS results are accurate, my guess is that it's one bored sysad guy in that Korean company.
- 08-11-2004 #7 Linux Newbie
Maybe the address is a fake one, based on the number of open ports. But if that is the case, then somebody with some kind of interest is trying to get to you.
Only an idiot would try to do that from such an unprotected and open machine. Could it be a dynamic IP?
- 08-11-2004 #8
Maybe he's some dumb **** that thinks he's cool? I would think that no one could leave themselves that open, but if you're feeling safe, you could poke around a little more, maybe even try to authenticate; if he's got security that bad, his passwords probably aren't hot either... (don't screw anything up, just poke around a bit, you can find out a lot from a home dir)
- 08-12-2004 #9 Just Joined!
1. Make sure you have secure 8+ character passwords -- no words, no quotes from books, nothing about you. If you want, try pwgen --no-numerals and look for neat words (like "LiQUooSH" and such); these are weaker, but they're at least random, and difficult for a little script kiddie to crack.
2. Make sure SSH is the latest version, so that any security holes are relatively new and unknown.
3. Turn off ssh when not needed, and on ports it's not needed. Block it from your Internet facing interface.
4. Get PaX and/or SSP on that thing. If you want stack smash protected SSH, you'll have to recompile OpenSSH with a gcc that has SSP/ProPolice patched in, using gcc -fstack-protector to enable it. You'll also want to recompile every library that ssh uses with -fstack-protector to ensure that all code ssh uses (and thus, that can be used to break into ssh) is protected from stack smashes.
That all should be enough. I can't think of anything that gets around (3) but it's possible (i.e. if netfilter has a bug).
If (3) and (1) fail, the attacker can succeed in getting in with 100% reproducibility.
If (3) fails, (1) forces the attacker to resort to programming bugs, which should be stopped by (2).
If (3) and (2) fail, and (1) holds, then the attacker has minimal chances of locating a programming bug which will allow him to successfully defeat (4); and not all of such bugs are guaranteed to be 100% reproducible.
The failure of (3) depends on a bug in netfilter.
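As an added example (my own, not from any poster): a small Python audit of sshd_config against the two settings this thread recommends, root login off (post #2) and the daemon bound to the non-Internet-facing address only (step 3 above). The two config fragments and the 192.168.1.10 address are constructed; the check honours sshd's rule that the first value given for a keyword is the one that applies.

```python
import re

# Constructed sshd_config fragments (not from the thread): a weak one beside
# a version hardened per the advice above. Addresses are made up.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
ListenAddress 0.0.0.0
PermitRootLogin no   # has no effect: sshd uses the FIRST value it sees
"""
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
ListenAddress 192.168.1.10
"""
ANY_ADDRS = {"0.0.0.0", "::"}


def parse_sshd_config(text):
    """{keyword_lower: [value, ...]} in file order; comments and blanks skipped.
    Keywords are case-insensitive; 'key value' and 'key=value' are both valid."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1) if line else []
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return conf


def listen_host(addr):
    """Strip the optional port from 'host', 'host:port' or '[v6host]:port'."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr


def audit_sshd_config(text):
    """Findings against this thread's advice. sshd keeps the FIRST value of a
    keyword, so [0] is the effective setting, not the last line in the file."""
    conf = parse_sshd_config(text)
    findings = []
    root = conf.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set; set it to 'no' explicitly")
    elif root[0].lower() != "no":
        findings.append(f"PermitRootLogin effective value is '{root[0]}'; set it to 'no'")
    addrs = conf.get("listenaddress", [])
    if not addrs or any(listen_host(a) in ANY_ADDRS for a in addrs):
        findings.append("sshd listens on all interfaces; set ListenAddress to the LAN address only")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```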
- 08-12-2004 #10 Linux User
Yeah, it seems kinda ridiculous. The IP could've been spoofed. I mean, that IP is being used by some Internet company, an ISP or something related. S/he could be a subscriber/customer. Then again, who knows???
OK, thanks guys! I don't think I'll poke around. That's illegal. I might get into trouble. I'll just protect myself instead.