Busted an Attempted Hack



Thread: Busted an Attempted Hack

  1. #1
    Join Date
    Jul 2002
    Location
    TN
    Posts
    1,009

    Busted an Attempted Hack

    Busted this guy using xtraceroute and contacted his ISP.

    Here is the log info:
    Aug 22 12:43:14 www sshd[9319]: Illegal user test from ::ffff:66.235.194.109
    Aug 22 12:43:24 www sshd(pam_unix)[9319]: check pass; user unknown
    Aug 22 12:43:24 www sshd(pam_unix)[9319]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=66.235.194.109
    Aug 22 12:43:27 www sshd[9319]: Failed password for illegal user test from ::ffff:66.235.194.109 port 44665 ssh2
    Aug 22 12:43:40 www sshd[9326]: Illegal user test from ::ffff:66.235.194.109
    Aug 22 12:43:50 www sshd(pam_unix)[9326]: check pass; user unknown
    Aug 22 12:43:50 www sshd(pam_unix)[9326]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=66.235.194.109
    Aug 22 12:43:52 www sshd[9326]: Failed password for illegal user test from ::ffff:66.235.194.109 port 47153 ssh2

    He quit after 2 attempts but I got enough info to shut him down.
    Linux reg. User # 298337

  2. #2
    Join Date
    Mar 2003
    Location
    Augusta, GA
    Posts
    5,459
    Any idea where he was from?
    __________________________________________________ _______________________________________
    Bigboogie on boogienights.net:
    Ammo case
    Asus 8N32 SLI MB
    AMD Athlon x2 3800+
    2 GB Patriot Signature 400 DDR
    160 GB Hitachi 7200 IDE
    2 x-250 Seagate SATA2
    EVGA Nvidia 7900GT
    Dell 2007WFP
    Logitech 5.1 speakers
    Logitech MX1000 mouse
    Dell USB keyboard
    NEC 3500 DVD-RW
    Benq 1655 DVD-RW



    (God bless tax refunds)

  3. #3
    Join Date
    Sep 2002
    Location
    San Antonio, TX
    Posts
    2,607
    http://www.ipowerweb.com/

    The headquarters is in Santa Monica. Just to let people know they are busted, I will do a flood ping to their IP. It will make their firewall (if they have one) go nuts. I then simply send the firewall log and traceroute info to the ISP. It sometimes works, depending on the ISP. Some care, most couldn't give a ....

    hlrguy

    linux:/root # traceroute 66.235.194.109
    traceroute to 66.235.194.109 (66.235.194.109), 30 hops max, 40 byte packets
    1 ip-64-185-176-1.pool0.dsl0.gvtc.com (64.185.176.1) 64.608 ms 63.887 ms 62.278 ms
    2 fe8_1_1.gw0.blvrtx.gvtc.com (64.238.141.29) 60.654 ms 59.328 ms 60.954 ms
    3 gvtc.com.ip.att.net (12.124.221.157) 63.788 ms 65.612 ms 66.763 ms
    4 gbr1-p50.auttx.ip.att.net (12.123.133.6) 70.670 ms 71.415 ms 73.089 ms
    5 tbr2-p012301.dlstx.ip.att.net (12.122.10.109) 74.321 ms 95.641 ms 94.691 ms
    6 gar1-p370.dlrtx.ip.att.net (12.123.196.97) 93.082 ms 91.609 ms 99.571 ms
    7 12.119.136.30 66.804 ms 67.697 ms 85.108 ms
    8 so-3-3-0.mpr1.iah1.us.above.net (64.125.29.21) 85.858 ms 84.647 ms 83.170 ms
    9 so-4-1-0.mpr2.lax9.us.above.net (64.125.29.101) 103.585 ms 111.762 ms 110.103 ms
    10 216.200.249.141.available.ipowerweb.com (216.200.249.141) 109.121 ms 110.661 ms 128.192 ms
    11 ds194-109.ipowerweb.com (66.235.194.109) 127.112 ms 125.767 ms 124.816 ms
    Were you a Windows expert the VERY first time you looked at a computer with Windows, or did it take a little time.....
    My Linux Blog
    Linux Native Replacements for Windows Programs
    Mandriva One on a "Vista Home Barely" T3640 E-Machine runs great.

  4. #4
    Join Date
    Jul 2002
    Location
    TN
    Posts
    1,009
    Los Angeles area. His ISP said they will shut him down. He has dedicated hosting with them. Also contacted the FBI, but our Gov. has better things to do than combat cyber crime.

  5. #5
    Join Date
    Mar 2003
    Location
    Augusta, GA
    Posts
    5,459
    Good job, at least he will have to move everything now. Maybe the hassle will be a deterrent next time. One can only hope.

  6. #6
    Join Date
    Jul 2002
    Location
    TN
    Posts
    1,009
    Got another from Washington State Uni. this morning. Their Security Dept. was very nice also.

  7. #7
    Join Date
    Mar 2003
    Location
    Augusta, GA
    Posts
    5,459
    What the heck are you hosting? Downloads of Doom3?

  8. #8
    Join Date
    Jul 2002
    Location
    TN
    Posts
    1,009
    Just a small P4 box with web only right now, www.usa-family.com, but I check the logs every 2-4 hours to make sure everything is kosher.

  9. #9
    Join Date
    Jul 2002
    Location
    TN
    Posts
    1,009
    So far this is what I got from the first attempt. These people suck.

    Recently you requested personal assistance from our on-line support
    center. Below is a summary of your request and our response.

    We will assume your issue has been resolved if we do not hear from you
    within 72 hours.
    Thank you for allowing us to be of service to you.

    You may update this question by replying to this message. Because your
    reply will be automatically processed, you MUST enter your reply in
    the space below. Text entered into any other part of this message will
    be discarded. In order to be able to update the question, be sure to
    click Reply in your email client first.
    [===> Please enter your reply below this line <===]

    [===> Please enter your reply above this line <===]

    Subject
    ---------------------------------------------------------------
    Illegal intrusion attempt


    Discussion Thread
    ---------------------------------------------------------------
    Response (Tong Wong) - 08/23/2004 03:08 PM
    Dear Customer,

    Thank you for contacting iPowerWeb Technical Support.

    Many times, if you have asked us for any help, many of us techs here would try to log in to your system. Sometimes the client would change the password from what we have on file. So we would try a couple of times.


    If it's not us, then you might have been targeted by someone. We can't block ssh access, so you will have to make sure your password is very hard to crack.

    Customer - 08/22/2004 01:42 PM
    The below log is from my server at www.usa-family.com. The individual
    attempted twice to ssh into the system and take it over. Please
    investigate and take appropriate disciplinary actions and respond to me
    with the actions taken.

    Aug 22 12:43:14 www sshd[9319]: Illegal user test from ::ffff:66.235.194.109
    Aug 22 12:43:24 www sshd(pam_unix)[9319]: check pass; user unknown
    Aug 22 12:43:24 www sshd(pam_unix)[9319]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=66.235.194.109
    Aug 22 12:43:27 www sshd[9319]: Failed password for illegal user test from ::ffff:66.235.194.109 port 44665 ssh2
    Aug 22 12:43:40 www sshd[9326]: Illegal user test from ::ffff:66.235.194.109
    Aug 22 12:43:50 www sshd(pam_unix)[9326]: check pass; user unknown
    Aug 22 12:43:50 www sshd(pam_unix)[9326]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=66.235.194.109
    Aug 22 12:43:52 www sshd[9326]: Failed password for illegal user test from ::ffff:66.235.194.109 port 47153 ssh2


    Question Reference #040822-000929
    ---------------------------------------------------------------
    Contact Information:
    Date Created: 08/22/2004 01:42 PM
    Last Updated: 08/23/2004 03:08 PM
    Status: 5-Waiting
    Question Type:
    Verification:

    Domain Name
    ---------------------------------------------------------------




    Regards,


    iPowerWeb Sales Team
    "100% Customer Service! - 100% of the Time!"

    P.S. Please visit our new Knowledge Center located at http://helpcenter.ipowerweb.com.



    Update: new email just now:
    Response - 08/23/2004 06:35 PM
    Dear Customer,

    Thank you for contacting iPowerWeb Technical Support.

    We have suspended this server and are doing further investigating.
    Last edited by bsm2001; 08-23-2004 at 09:39 PM.

  10. #10
    Join Date
    Aug 2002
    Location
    Western NY
    Posts
    1,116
    I'm kind of surprised you even got a response back from them for something like this. Really this is the kind of thing you need to expect to have happen when a computer is plugged into the internet. Most companies just don't care about things like this because it is so commonplace on the net. Also they don't have the manpower to follow through with every reported port scan, failed login attempt, three year old Code Red / Nimda garbage etc. Like "Tong Wong" said, "make sure your password is very hard to crack".

    If I tried reporting this kind of stuff every time I saw it....

    [Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/root.exe
    [Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/MSADC/root.exe
    [Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/c/winnt/system32/cmd.exe
    [Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/d/winnt/system32/cmd.exe
    [Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
    [Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
    [Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
    [Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
    [Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..Á../winnt/system32/cmd.exe
    [Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..À¯../winnt/system32/cmd.exe
    [Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..Á../winnt/system32/cmd.exe
    [Wed Aug 25 00:27:58 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
    [Wed Aug 25 00:27:58 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..%2f../winnt/system32/cmd.exe


    I wouldn't have enough time to actually get any work done.
    Join #justlinux on irc.freenode.net
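As an added example (not code from anyone in this thread), here is a small Python script that pulls the Code Red / Nimda-style probes out of an Apache error_log like the one quoted above and counts them per source, so a run of cmd.exe and root.exe requests shows up as one scanner rather than a dozen 404s. The sample lines are constructed to mirror the format in the post; the indicator names are my own labels.

```python
import re
from collections import defaultdict

# Constructed sample in the Apache error_log format quoted in the post:
# IIS-style traversal probes (..%5c.., ..%2f.., overlong-UTF-8 "..Á..") plus two ordinary 404s.
SAMPLE_ERROR_LOG = """\
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/root.exe
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/MSADC/root.exe
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/c/winnt/system32/cmd.exe
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
[Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..Á../winnt/system32/cmd.exe
[Wed Aug 25 00:27:58 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..%2f../winnt/system32/cmd.exe
[Wed Aug 25 00:31:02 2004] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico
[Wed Aug 25 00:32:15 2004] [error] [client 10.0.0.5] File does not exist: /var/www/robots.txt
"""

# One regex per indicator; the names are labels chosen for this example.
INDICATORS = {
    "iis-worm-backdoor": re.compile(r"/root\.exe$", re.I),
    "iis-cmd-exec": re.compile(r"/winnt/system32/cmd\.exe$", re.I),
    # ".." followed by an encoded slash (%5c, %2f), a backslash, or mangled
    # overlong-UTF-8 bytes, then "../" again: the classic traversal shapes above.
    "traversal-encoded": re.compile(r"\.\.(?:%5c|%2f|\\|[^\x00-\x7f]+)\.\./", re.I),
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] File does not exist: (?P<path>\S+)"
)

def classify(path):
    """Names of all indicators the requested path matches (empty for a plain 404)."""
    return [name for name, rx in INDICATORS.items() if rx.search(path)]

def scan(log_text):
    """Per client IP: number of probe lines, the indicator names hit, and the first timestamp.
    Lines that match no indicator (favicon.ico, robots.txt) are left out of the report."""
    report = defaultdict(lambda: {"probes": 0, "indicators": set(), "first": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits = classify(m.group("path"))
        if not hits:
            continue
        r = report[m.group("ip")]
        r["probes"] += 1
        r["indicators"].update(hits)
        r["first"] = r["first"] or m.group("ts")
    return dict(report)
```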

  11. #11
    Join Date
    Jul 2002
    Location
    TN
    Posts
    1,009
    If I tried reporting this kind of stuff everytime I saw It....
    I wouldn't have enough time to actually get any work done.
    True, but this is my job, and the few seconds that it takes to pull the link cable should be worth it to them to help kill this sort of thing. Also the Wash. U IP address was dead 20 min after contacting them. So it must be worth it to them also.

  12. #12
    Join Date
    May 2000
    Posts
    183
    I think what he is saying is that most large shops simply don't have the time to go through this stuff. We actually simply disregard scans like this, as there are so many it would take a small team just to report everyone; with the right enviro. they won't be able to get in anyway.
    JC

  13. #13
    Join Date
    Sep 2002
    Location
    San Antonio, TX
    Posts
    2,607
    You are right in that they don't actively search out this kind of thing, however, most have an acceptable use policy, and when they get complaints from people about their customers breaking that policy, they likely have a legal obligation to at least check it out.

    http://www.ipowerweb.com/company/legal/legal_usage.html

    f. Utilize the Services to gain unauthorized access to the computer networks of IPOWERWEB or any other person;


    hlrguy

  14. #14
    Join Date
    Mar 2004
    Location
    Tucson AZ
    Posts
    168
    Where are those logs at? Still learning Linux, and I am just starting to get into reading logs and such.
    Never argue with an idiot. They will just bring you down to their level and beat you with experience!

    Ubuntu 2.6.10 (Yay upgrade)
    1.2GHz Athlon XP
    1 GIG RAM
    ATI Radeon 9000

    60Gig main with Ubuntu
    20Gig Share Drive

  15. #15
    Join Date
    Jul 2002
    Location
    TN
    Posts
    1,009
    On mine it is /var/log/auth.

    Hey hlrguy,

    Check this out: got two more, working on getting them shut down also.
    Here is the info:
    Aug 24 18:44:55 www sshd[1953]: Illegal user test from ::ffff:69.199.247.212
    Aug 24 18:44:55 www sshd(pam_unix)[1953]: check pass; user unknown
    Aug 24 18:44:55 www sshd(pam_unix)[1953]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=cpe00600816294e-cm000a7365522e.cpe.net.cable.rogers.com

    Aug 25 03:07:04 www sshd(pam_unix)[8152]: check pass; user unknown
    Aug 25 03:07:04 www sshd(pam_unix)[8152]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=eshopatlantis.com
    Aug 25 03:07:06 www sshd[8152]: Failed password for illegal user admin from ::ffff:209.235.23.215 port 4346 ssh2
    Aug 25 03:07:07 www sshd[8155]: Illegal user user from ::ffff:209.235.23.215

    By the way, how do you "flood ping to their IP"?
    Thanks
    Brian
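The sshd lines in post #1 and here are easier to read by source than by line. As an added example (not from any poster in this thread), this Python script groups them per source IP and flags the ones worth reporting; the sample log is constructed in the same 2004-era sshd/pam_unix format, and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sshd/pam_unix lines quoted in this thread.
SAMPLE_AUTH_LOG = """\
Aug 22 12:43:14 www sshd[9319]: Illegal user test from ::ffff:66.235.194.109
Aug 22 12:43:24 www sshd(pam_unix)[9319]: check pass; user unknown
Aug 22 12:43:27 www sshd[9319]: Failed password for illegal user test from ::ffff:66.235.194.109 port 44665 ssh2
Aug 22 12:43:40 www sshd[9326]: Illegal user test from ::ffff:66.235.194.109
Aug 22 12:43:52 www sshd[9326]: Failed password for illegal user test from ::ffff:66.235.194.109 port 47153 ssh2
Aug 25 03:07:06 www sshd[8152]: Failed password for illegal user admin from ::ffff:209.235.23.215 port 4346 ssh2
Aug 25 03:07:07 www sshd[8155]: Illegal user user from ::ffff:209.235.23.215
Aug 25 03:09:10 www sshd[8160]: Failed password for root from ::ffff:209.235.23.215 port 4350 ssh2
"""

TS = r"(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d)"
# sshd of that era logs "Illegal user"; current OpenSSH logs "Invalid user". Both forms are accepted,
# and the IPv4-mapped "::ffff:" prefix is stripped so the address groups cleanly.
PROBE_RE = re.compile(TS + r" \S+ sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+)")
FAIL_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?(?P<user>\S+)"
                     r" from (?:::ffff:)?(?P<ip>[\d.]+) port (?P<port>\d+)")

def summarize(log_text):
    """Per source IP: failed-password count, usernames tried, first/last timestamp.
    The pam_unix 'check pass' lines carry no source address and are skipped."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAIL_RE.match(line) or PROBE_RE.match(line)
        if not m:
            continue
        s = stats[m.group("ip")]
        s["users"].add(m.group("user"))
        s["first"] = s["first"] or m.group("ts")
        s["last"] = m.group("ts")
        if m.re is FAIL_RE:
            s["failures"] += 1
    return dict(stats)

def flag_sources(stats, max_failures=2):
    """Sources worth a report: at least max_failures failed passwords, or more than one
    username tried (the test/admin/user sweep seen in the thread). Threshold is an assumption."""
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] >= max_failures or len(s["users"]) > 1)
```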
