Re: unsuccessful hacking attempt at my machine
From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 26 Jan 2005 01:36:13 GMT
"H. S." <firstname.lastname@example.org> writes:
>Apparently, _Gandalf Parker_, on 25/01/05 19:20,typed:
>> "H. S." <email@example.com> wrote in news:5KyJd.2901$Yg6.658300
>>>like somebody was trying the dictionary attack(?).
>> Not quite dictionary. They are running a "high probability" scan. Default
>> logins with default passwords. The named-account tries are probably
>> trying the same name again as a password, or mabey the "100 most commonly
>> used passwords" for each one.
>> An awful lot of effort against one machine. Most of the drive-by probes
>> stop after the defaults. You piss someone off? Or have something running
>> which looks like it might have a large collection of personal info?
>No to the first one. Since I saw very similar logs at my friend's
>machine (running FC2, see my other post), I think it was some kind of a
>general script that was being used and not specifically just on my
>machine. However, I am interested in (pardon my ignorance in this field,
>it is not my speciality):
>1) knowing how somebody got my IP address. Well okay, my ADSL connection
>has been up for quite a few days. Since I am online, it shouldn't be
>quite difficult to get my IP. But if I were him/her, how would I find
>out an IP address to attack?
for ((i=0;i<256;i++)); do for ((j=0;j<256;j++));do for((k=0;k<256;k++));do
for ((l=0;l<256;l++)); do if ssh $i.$j.$k.$l ....
>2) how does one know if an sshd is running on port 22 of this IP
>address? I am dropping traffic on IDENT port 113 (helps?). Does one just
>try and see if a response can be obtained on port 22 without knowing
>what kind of OS is running (I imagine Windows machines usually do not
>have sshd running on them, linux ones usually do)?
sure. A script does not care if it fails 99% of the time.
>3) Those source IP addresses from where the login attempts seem to be
>originating, can they be trusted? I guess if one wanted a connection,
>s/he has to use the valid IP address at the scanning machine.
It is almost certainly a cracked box.
>Yes to the second. Well, this is the machine I do my research work when
>at home. That is why *only* ssh is allowed to it through the hardware
>router. And now even that ssh is limited to only from trusted IPs.
>Thanks for your explanation,
>Please remove the underscores ( the '_' symbols) from my email address
>to obtain the correct one. Apologies, but the fudging is to remove spam.