Re: Look what I've found

From: erik (erik_at_geenspam.vanwesten.net)
Date: 09/12/03


Date: Fri, 12 Sep 2003 20:24:26 +0200

Nico Kadel-Garcia wrote:

> Silviu Minut wrote:
>> I just found the following entry in my /var/log/secure:
>>
>> Sep 11 19:20:56 zeus sshd[14580]: Did not receive identification
>> string from 193.95.229.34
>>
>> So I finger -l root@193.95.229.34 - he's there.
>> I also http://193.95.229.34 and there's some toolkits! So the guy is
>> up to something. I'm not sure what created that entry in my logs.
>> Remotely, I did
>>
>> telnet my.ip.add.ress 22
>>
>> and the entry created was
>>
>> Sep 11 23:14:44 zeus sshd[14829]: Bad protocol version identification
>> '????^F' from 35.9.26.229
>>
>> and I also scanned myself (also remotely) with nmap and I got no log.
>> Running RH9.0 with latest patches, iptables, with everything closed,
>> except port 22.
>>
>> Has he broken in already? How can I tell?
>> Should I send email to root@193.95.229.34?
>> Do I call the police? The FBI? KGB? :)
>>
>> Actually, I don't think he broke in. It was kind of fun to see all
>> that, so I thought I'd share it with others.
>
> Looks like that site is in Austria: the KGB would probably be more
> competent than grousing to the FBI, since it doesn't actually involve
> money yet, but send them a note anyway.

Bad advice. Please study some geography first.

> And the materials look like a
> typical idiot script-kiddie, not competent enough to be *REALLY*
> dangerous. He was probably port-scanning for active ports on your and
> other boxes, found SSH, gathered the init string for it, then
> disconnected. The "sshscan" tool does the same thing when scanning a
> subnet for the SSH versions: some of the older ones do have some known
> exploits.

And what is wrong with just ringing the doorbell? There certainly is no
law against that. You cannot even call it portscanning. Testing one
port isn't considered portscanning.

>
> And go to his upstream host:
> http://www.samspade.org/t/lookat?a=193.95.229.34 shows that his
> upstream is apparently "uta.at", who get their connectivity from
> ip-plus.net. They're more likely to act than that site is.

Why would they want to act? Please do not overreact.

EJ

-- 
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.
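Added example, not part of the thread: a small filter that picks the two sshd messages quoted above ("Did not receive identification string" and "Bad protocol version identification") out of /var/log/secure and counts them per source IP, so a single banner grab can be told apart from repeated probing. The log lines are constructed for the example, modelled on the entries Silviu posted.

```python
import re
from collections import Counter, defaultdict

# Constructed sample /var/log/secure lines (not a real capture), in the
# format quoted in the thread; one benign login is mixed in as a control.
SAMPLE_LOG = """\
Sep 11 19:20:56 zeus sshd[14580]: Did not receive identification string from 193.95.229.34
Sep 11 23:14:44 zeus sshd[14829]: Bad protocol version identification '????^F' from 35.9.26.229
Sep 11 23:15:02 zeus sshd[14831]: Accepted publickey for silviu from 10.0.0.5 port 40122 ssh2
Sep 12 01:02:03 zeus sshd[14900]: Did not receive identification string from 193.95.229.34
"""

# Client connected and hung up without sending an SSH version string
# (what a banner grab or a bare "telnet host 22" typically leaves behind).
NO_IDENT = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")
# Client sent something that is not a valid "SSH-x.y-..." version line.
BAD_IDENT = re.compile(r"sshd\[\d+\]: Bad protocol version identification '(.*)' from (\S+)")


def classify_line(line):
    """Return (event_kind, source_ip) for the two probe-style messages, else None."""
    m = NO_IDENT.search(line)
    if m:
        return ("no_identification", m.group(1))
    m = BAD_IDENT.search(line)
    if m:
        return ("bad_version_string", m.group(2))
    return None


def summarize_probes(log_text):
    """Count probe-style sshd events per source IP; other sshd lines are ignored."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit is not None:
            kind, ip = hit
            per_ip[ip][kind] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


def repeat_offenders(summary, threshold=2):
    """IPs whose probe-style events reach the threshold; one event is just 'ringing the doorbell'."""
    return sorted(ip for ip, counts in summary.items() if sum(counts.values()) >= threshold)


if __name__ == "__main__":
    s = summarize_probes(SAMPLE_LOG)
    for ip, counts in sorted(s.items()):
        print(ip, counts)
    print("repeat offenders:", repeat_offenders(s))
```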

