Re: unsuccessful hacking attempt at my machine

From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 01/26/05


Date: 26 Jan 2005 01:36:13 GMT


"H. S." <g_reate_xcalibur@yahoo.com> writes:

>Apparently, _Gandalf Parker_, on 25/01/05 19:20, typed:
>> "H. S." <g_reate_xcalibur@yahoo.com> wrote in news:5KyJd.2901$Yg6.658300
>> @news20.bellglobal.com:
>>
>>
>>>Seems
>>>like somebody was trying the dictionary attack(?).
>>
>>
>> Not quite dictionary. They are running a "high probability" scan. Default
>> logins with default passwords. The named-account tries are probably
>> trying the same name again as a password, or maybe the "100 most commonly
>> used passwords" for each one.
>>
>> An awful lot of effort against one machine. Most of the drive-by probes
>> stop after the defaults. You piss someone off? Or have something running
>> which looks like it might have a large collection of personal info?

>No to the first one. Since I saw very similar logs at my friend's
>machine (running FC2, see my other post), I think it was some kind of a
>general script that was being used and not specifically just on my
>machine. However, I am interested in (pardon my ignorance in this field,
>it is not my speciality):
>1) knowing how somebody got my IP address. Well okay, my ADSL connection
>has been up for quite a few days. Since I am online, it shouldn't be
>quite difficult to get my IP. But if I were him/her, how would I find
>out an IP address to attack?

for ((i=0;i<256;i++)); do for ((j=0;j<256;j++));do for((k=0;k<256;k++));do
for ((l=0;l<256;l++)); do if ssh $i.$j.$k.$l ....
 
>2) how does one know if an sshd is running on port 22 of this IP
>address? I am dropping traffic on IDENT port 113 (helps?). Does one just
>try and see if a response can be obtained on port 22 without knowing
>what kind of OS is running (I imagine Windows machines usually do not
>have sshd running on them, linux ones usually do)?

Sure. A script does not care if it fails 99% of the time.

>3) Those source IP addresses from where the login attempts seem to be
>originating, can they be trusted? I guess if one wanted a connection,
>s/he has to use the valid IP address at the scanning machine.

It is almost certainly a cracked box.

>Yes to the second. Well, this is the machine I do my research work when
>at home. That is why *only* ssh is allowed to it through the hardware
>router. And now even that ssh is limited to only from trusted IPs.

>Thanks for your explanation,
>->HS

>--
>Please remove the underscores ( the '_' symbols) from my email address
>to obtain the correct one. Apologies, but the fudging is to remove spam.
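The thread describes what this kind of scan looks like from the victim side: a run of default accounts (often logged as "invalid user"), then repeated tries against a real named account, all from one source that is probably itself a cracked box. The following script is an added example, not code from any poster in this thread; it parses OpenSSH "Failed password" lines in the /var/log/auth.log (or /var/log/secure) format, groups them by source IP, and flags a source as a scan when it exceeds a threshold of failures. The log lines, hostname "box", the IP addresses and the threshold of 5 are all constructed for the example.

```python
import re
from collections import defaultdict

# OpenSSH writes "Failed password for [invalid user ]<name> from <ip> port <n> ssh2".
# The "invalid user" marker means the account does not exist on the box, which is
# what default-login probing (admin, test, guest, ...) looks like in the log.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (not from the original post): one source tries three
# default accounts, then root, then a real named account; a second source is a
# legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Jan 25 19:02:11 box sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan 25 19:02:13 box sshd[4013]: Failed password for invalid user test from 203.0.113.7 port 41030 ssh2
Jan 25 19:02:15 box sshd[4015]: Failed password for invalid user guest from 203.0.113.7 port 41041 ssh2
Jan 25 19:02:17 box sshd[4017]: Failed password for root from 203.0.113.7 port 41055 ssh2
Jan 25 19:02:19 box sshd[4019]: Failed password for root from 203.0.113.7 port 41060 ssh2
Jan 25 19:02:21 box sshd[4021]: Failed password for hs from 203.0.113.7 port 41071 ssh2
Jan 25 19:02:23 box sshd[4023]: Failed password for hs from 203.0.113.7 port 41078 ssh2
Jan 25 19:02:25 box sshd[4025]: Failed password for hs from 203.0.113.7 port 41085 ssh2
Jan 25 19:05:40 box sshd[4101]: Accepted publickey for hs from 198.51.100.9 port 50210 ssh2
Jan 25 19:10:02 box sshd[4120]: Failed password for hs from 198.51.100.9 port 50322 ssh2
"""


def parse_failures(text):
    """Return a list of (ip, user, is_invalid_user) for each failed-password line."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("user"), m.group("invalid") is not None))
    return out


def summarize(failures, threshold=5):
    """Group failures by source IP and decide which sources look like a scan.

    A source is flagged when it exceeds `threshold` failures. The summary also
    records how many distinct usernames it tried and which of those did not
    exist locally, so a flagged entry can be told apart from one user who
    simply mistyped a password a few times.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid": set()})
    for ip, user, invalid in failures:
        rec = per_ip[ip]
        rec["attempts"] += 1
        rec["users"].add(user)
        if invalid:
            rec["invalid"].add(user)
    summary = {}
    for ip, rec in per_ip.items():
        summary[ip] = {
            "attempts": rec["attempts"],
            "distinct_users": len(rec["users"]),
            "invalid_users": sorted(rec["invalid"]),
            "flagged": rec["attempts"] > threshold,
        }
    return summary


def flagged_sources(text, threshold=5):
    """Sorted list of source IPs whose failure count exceeds the threshold."""
    return sorted(
        ip for ip, rec in summarize(parse_failures(text), threshold).items()
        if rec["flagged"]
    )


if __name__ == "__main__":
    for ip, rec in summarize(parse_failures(SAMPLE_LOG)).items():
        print(ip, rec)
```

The flagged IP identifies the machine the attempts came through, which, as noted above, is almost certainly a cracked box rather than the operator's own; it is a reasonable thing to block or rate-limit (or, as the original poster did, to exclude by allowing ssh only from trusted addresses), but not a basis for attribution. The "invalid user" set is the more useful signal for telling a default-login sweep from a user having a bad day, and the threshold is something to tune against your own normal traffic.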


