[SLUG] Crack Attempts

From: steve szmidt (steve@szmidt.org)
Date: Fri Jul 15 2005 - 10:32:03 EDT


Hi,

I had an idea from the Son of a dog thread.

Basically there are people who run scripts to try to gain access to people's
systems. You'll see a long list of names (in your log file) which they used
to try to get in. Often I don't even bother to do anything about it, but I
would be interested in pursuing a more coordinated attack.

The idea then is that when you see these attempts you reply to this thread
with a pasted copy of a few relevant lines from your log file, or screen.
Basically we are looking for their IP address and the time date stamp.

Once we start getting a few together we might see a pattern, i.e. the IP
address(es) he/they are using. (Which could turn out to be totally useless
if he's any good. But if you don't try...)

If the cracker is not too sophisticated we might be able to put the brakes on
some of his activities.
Oftentimes you're lucky and you get some idiot. Like the one who was bullying
a guy in a chat room to give out his IP so he could attempt to break into
that guy's computer. He did not realize that the IP he got back from him is
an internal address that all networked computers use (127.0.0.1) and so
erased his own hard drives thinking it was the other guy's computer he was
erasing. All of a sudden he stopped chatting in the room - Priceless!

Just make sure you don't post any internal information like the name you used
to successfully log in yourself. All we need is what Chuck posted:

Jul 1 21:54:28 fpac-dev sshd[12883]: Illegal user administrator from 219.198.120.65

[The above line says on July 1st at 9:54pm the computer called fpac-dev got a
report from sshd that an illegal login attempt was made to root. Following it
down below we see that it came from 219.198.120.65, which belongs to
somewhere in Asia-Pacific. I usually don't have much luck with people from
there.]

[The sshd reports the remote computer connection to belong to bbtec.net, which
is in Japan and belongs to SoftbankBB Corp.]

Jul 1 21:54:28 fpac-dev sshd[12883]: (pam_unix) check pass; user unknown
Jul 1 21:54:28 fpac-dev sshd[12883]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=yahoobb219198120065.bbtec.net
Jul 1 21:54:29 fpac-dev sshd[12883]: Failed password for illegal user administrator from 219.198.120.65 port 42123 ssh2
Jul 1 21:54:32 fpac-dev sshd[12885]: Illegal user info from 219.198.120.65
Jul 1 21:54:32 fpac-dev sshd[12885]: (pam_unix) check pass; user unknown
Jul 1 21:54:32 fpac-dev sshd[12885]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=yahoobb219198120065.bbtec.net
Jul 1 21:54:34 fpac-dev sshd[12885]: Failed password for illegal user info from 219.198.120.65 port 42426 ssh2

If you're not sure, and trust me, I'd be happy to receive a copy of it
directly to my email. So before posting, read through it and look for names
you use, and make sure it's not included by simply XXXX'ing it out.

The only thing is that it won't help unless the guy/gal is tracked to his own
IP, and even then it might not do much. But, I've seen upset parents who found
out what their kid was doing, and so at least it was not without a price that
he did what he was doing. There was some liability to him.

Actually a friend of mine tracked down a guy to the UK, and his parents got very
upset when they found out. And confiscated his computer.

-- 

Steve Szmidt

"They that would give up essential liberty for temporary safety deserve neither liberty nor safety." Benjamin Franklin

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.
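An added example (my own code, not part of Steve's post) that does the two things the post asks for: it parses the "Illegal user ... from" and "Failed password for illegal user ... from" sshd lines quoted above, tallies attempts per source IP with first/last time stamp and the usernames tried, and XXXX's out your own account names before you paste the lines. The 219.198.120.65 lines are the ones from the post; the 192.0.2.7 lines and the user "alice" are constructed.

```python
import re
from datetime import datetime

# Sample input: the bbtec.net lines are quoted from the post; the 192.0.2.7
# (TEST-NET-1) lines and the local user "alice" are constructed for this example.
SAMPLE_LOG = """\
Jul 1 21:54:28 fpac-dev sshd[12883]: Illegal user administrator from 219.198.120.65
Jul 1 21:54:29 fpac-dev sshd[12883]: Failed password for illegal user administrator from 219.198.120.65 port 42123 ssh2
Jul 1 21:54:32 fpac-dev sshd[12885]: Illegal user info from 219.198.120.65
Jul 1 21:54:34 fpac-dev sshd[12885]: Failed password for illegal user info from 219.198.120.65 port 42426 ssh2
Jul 2 03:10:01 fpac-dev sshd[13001]: Failed password for illegal user test from 192.0.2.7 port 51000 ssh2
Jul 2 03:10:05 fpac-dev sshd[13001]: Accepted password for alice from 192.0.2.7 port 51000 ssh2
"""

# The two sshd message forms shown in the post; anything else (pam_unix noise,
# accepted logins) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:Illegal user|Failed password for illegal user) (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def summarize(log_text, year=2005):
    """Group the illegal-user lines by source IP: count, first/last seen, names tried.
    syslog omits the year, so it is supplied by the caller."""
    by_ip = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        e = by_ip.setdefault(m["ip"], {"count": 0, "first": ts, "last": ts, "users": set()})
        e["count"] += 1
        e["first"] = min(e["first"], ts)
        e["last"] = max(e["last"], ts)
        e["users"].add(m["user"])
    return by_ip

def redact_for_posting(log_text, local_users):
    """Replace the account names you really use with XXXX before sharing the lines."""
    out = []
    for line in log_text.splitlines():
        for u in local_users:
            line = re.sub(rf"\b{re.escape(u)}\b", "XXXX", line)
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip}: {e['count']} attempts, {e['first']:%b %d %H:%M}..{e['last']:%b %d %H:%M}, "
              f"users tried: {sorted(e['users'])}")
    print(redact_for_posting(SAMPLE_LOG, {"alice"}))
```

Feed it your own /var/log/auth.log (or wherever sshd logs on your system) instead of SAMPLE_LOG; the summary is what to compare across posters, and only the redacted text should be pasted to the list.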



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:44:21 EDT