SSH Attempts: Link to RedHat?

From: Gregg Sperling (gs-list@glsrms.com)
Date: 12/18/01 

Date: Mon, 17 Dec 2001 17:50:23 -0600
To: incidents@securityfocus.com
From: Gregg Sperling <gs-list@glsrms.com>

Early yesterday, I received a single connection attempt on three of my
Linux-based direct connected Internet servers:

Dec 16 01:56:08 srvr001 sshd2[42]: connection from "24.5.243.0" (ip
address blocked to protect user)
Dec 16 01:56:09 srvr001 sshd2[6969]: Local disconnected: Connection closed
by remote host.
Dec 16 01:56:09 srvr001 sshd2[6969]: connection lost: 'Connection closed by
remote host.'
Dec 16 01:56:40 srvr002 sshd2[41]: connection from "24.5.243.0" (ip address
blocked to protect user)
Dec 16 01:56:41 srvr002 sshd2[10007]: Local disconnected: Connection closed
by remote host.
Dec 16 01:56:41 srvr002 sshd2[10007]: connection lost: 'Connection closed
by remote host.'
Dec 16 02:02:41 srvr003 sshd2[44]: connection from "24.5.243.0" (ip address
blocked to protect user)
Dec 16 02:02:42 srvr003 sshd2[13440]: Local disconnected: Connection closed
by remote host.
Dec 16 02:02:42 srvr003 sshd2[13440]: connection lost: 'Connection closed
by remote host.'

I ran some diagnostic tests on the IP address listed, and found it to be a
RedHat based Linux system with several ports open,
including HTTP, Telnet, FTP, X11, and "others."

I connected to the website connected to this server, and found somebody's
personal webpage. I found their email address, and sent the
owner an email.

Surprisingly, I have had several pleasant exchanges with the individual who
runs the server. He has offered to allow me access
into his server with root access. I'd like to find out what breach, if
any, caused this connection attempt.

Besides checking the standard /var/log/messages log, are there any
suggestions as to where I should check for possible breaches
in this individual's system?

Hints? Suggestions? Ideas?

Thanks in advance for your time,
Gregg Sperling
gsperling -at- glsrms -dot- com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Relevant Pages

  • Re: IIS not sending SMTP
    ... Please try to disable your software firewall (you will still be protected by ... "The connection was dropped by the remote host" ... and see what you have around the time you try to send to a remote host. ... >>> Is the remote server the ISP in this case? ...
    (microsoft.public.inetserver.iis)
  • Re: IIS 6 FTP Cannot logon externally
    ... That works through the VPN tunnel. ... unable to access the server directly from outside. ... IE 7 ftp connection is not working for isolation mode, ... Still getting connection closed by remote host when trying to connect ...
    (microsoft.public.inetserver.iis.ftp)
  • RE: SSH Attempts: Link to RedHat?
    ... I received a single connection attempt on three of my ... by remote host. ... I connected to the website connected to this server, ... and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • Re: SSH Attempts: Link to RedHat?
    ... > by remote host. ... > runs the server. ... > any, caused this connection attempt. ... But if he's offering a complete stranger root access to ...
    (Incidents)
  • Re: Outgoing POP3 email missing/lost/not received
    ... Funny thing is that I have had this ISP for 8 years and it has always been ... It looks like when you last ran CEICW, you set the ISP's mail server to: ... Internet Connection Wizard. ... After the wizard completes, the following network connection ...
    (microsoft.public.windows.server.sbs)