Re: [SLUG] Crack Attempts

From: Chuck Hast (wchast@gmail.com)
Date: Fri Jul 15 2005 - 10:59:12 EDT


On 7/15/05, steve szmidt <steve@szmidt.org> wrote:
> Hi,
>
> I had an idea from the Son of a dog thread.
>
> Basically there are people who run scripts to try to gain access to people's
> systems. You'll see a long list of names (in your log file) which they used
> to try to get in. Often I don't even bother to do anything about it, but I
> would be interested in pursuing a more coordinated attack.
>
> The idea then is that when you see these attempts you reply to this thread
> with a pasted copy of a few relevant lines from your log file, or screen.
> Basically we are looking for their IP address and the time date stamp.
>
> Once we start getting a few together we might see a pattern. I.e. the IP
> address(es) he/they are using. (Which could turn out to be totally useless
> if he's any good. But if you don't try...)
>
> If the cracker is not too sophisticated we might be able to put the brakes on
> some of his activities.
> Oftentimes you're lucky and you get some idiot. Like the one who was bullying
> a guy in a chat room to give out his IP so he could attempt to break into
> that guy's computer. He did not realize that the IP he got back from him is
> an internal address that all networked computers use (127.0.0.1) and so
> erased his own hard drives thinking it was the other guy's computer he was
> erasing. All of a sudden he stopped chatting in the room - Priceless!
>
> Just make sure you don't post any internal information like the name you used
> to successfully login yourself. All we need is what Chuck posted:
>
> Jul 1 21:54:28 fpac-dev sshd[12883]: Illegal user administrator from 219.198.120.65
>
> [The above line says on July 1st at 9:54pm the computer called fpac-dev got a
> report from sshd that an illegal login attempt was made to root. Following it
> down below we see that it came from 219.198.120.65. Which belongs to
> somewhere in Asia-Pacific. I usually don't have much luck with people from
> there.]
>
> [The sshd reports the remote computer connection to belong to bbtec.net. Which
> is in Japan and belongs to SoftbankBB Corp.]
>
> Jul 1 21:54:28 fpac-dev sshd[12883]: (pam_unix) check pass; user unknown
> Jul 1 21:54:28 fpac-dev sshd[12883]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=yahoobb219198120065.bbtec.net
> Jul 1 21:54:29 fpac-dev sshd[12883]: Failed password for illegal user administrator from 219.198.120.65 port 42123 ssh2
> Jul 1 21:54:32 fpac-dev sshd[12885]: Illegal user info from 219.198.120.65
> Jul 1 21:54:32 fpac-dev sshd[12885]: (pam_unix) check pass; user unknown
> Jul 1 21:54:32 fpac-dev sshd[12885]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=yahoobb219198120065.bbtec.net
> Jul 1 21:54:34 fpac-dev sshd[12885]: Failed password for illegal user info from 219.198.120.65 port 42426 ssh2
>
> If you're not sure, and trust me, I'd be happy to receive a copy of it
> directly to my email. So before posting, read through it and look for names
> you use, and make sure it's not included by simply XXXX'ing it out.
>
> The only thing is that unless the guy/gal is tracked to his own IP and even
> then it might not do much. But, I've seen upset parents who found out what
> their kid was doing, and so at least it was not without a price he did what
> he was doing. There was some liability to him.
>
> Actually a friend of mine tracked down a guy to UK, and his parents got very
> upset when they found out. And confiscated his computer.
> --

Maybe I need to see if I can write something (learning exercise) that will
grep out the stuff we want and leave the good stuff, put it into a file and
ftp the file to some place where we can all use it without banging the
list with it.

Meantime I am going to go to very long and very ugly passwords in order
to make their life a bit more difficult.

These turkeys need to be hanged and quartered, but getting hands around
their miserable throat is the problem.

Yes the idiot that proceeded to wipe his system out with his loopback
address was indeed priceless, should happen to more...

-- 
Chuck Hast 
To paraphrase my flight instructor;
"the only dumb question is the one you DID NOT ask resulting in my going
out and having to identify your bits and pieces in the midst of torn
and twisted metal."

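The "grep out the stuff we want" script that Chuck talks about writing, and the redaction step Steve asks for before anyone posts their logs, as an added example that is not part of the original thread and is not anything either poster wrote. It reads sshd/pam_unix lines in the format quoted above, keeps only the "Illegal user" and "Failed password" events, and reduces them to one row per source IP (first and last timestamp, number of distinct sshd connections, number of failed passwords, usernames tried), which is the data Steve says the list is after. Any username in the caller's own list of local accounts is replaced with XXXX so a real login name never leaves the box. The sample log is constructed for the example (the 219.198.120.65 lines follow the ones quoted in the thread; the 10.0.0.7, 203.0.113.9 and "alice" entries are invented).

```python
import re
from collections import OrderedDict

# Constructed sample log in the syslog/sshd/pam_unix format quoted in the thread.
# The 219.198.120.65 lines mirror the quoted ones; the rest (10.0.0.7, 203.0.113.9
# and the assumed local account "alice") are made up to exercise the code paths.
SAMPLE_LOG = """\
Jul  1 21:54:28 fpac-dev sshd[12883]: Illegal user administrator from 219.198.120.65
Jul  1 21:54:28 fpac-dev sshd[12883]: (pam_unix) check pass; user unknown
Jul  1 21:54:29 fpac-dev sshd[12883]: Failed password for illegal user administrator from 219.198.120.65 port 42123 ssh2
Jul  1 21:54:32 fpac-dev sshd[12885]: Illegal user info from 219.198.120.65
Jul  1 21:54:34 fpac-dev sshd[12885]: Failed password for illegal user info from 219.198.120.65 port 42426 ssh2
Jul  1 22:10:01 fpac-dev sshd[12990]: Failed password for alice from 10.0.0.7 port 51000 ssh2
Jul  1 22:10:05 fpac-dev sshd[12992]: Accepted password for alice from 10.0.0.7 port 51002 ssh2
Jul  2 03:15:44 fpac-dev sshd[13120]: Illegal user test from 203.0.113.9
"""

# syslog prefix: "Mon  D HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ILLEGAL_RE = re.compile(r"^Illegal user (?P<user>\S+) from (?P<ip>" + IPV4 + r")$")
FAILED_RE = re.compile(
    r"^Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>" + IPV4 + r") port \d+"
)
REDACTED = "XXXX"


def parse_line(line):
    """Return (ts, pid, kind, user, ip) for an Illegal-user or Failed-password
    line; None for pam chatter, successful logins and anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m.group("msg")
    for kind, rx in (("illegal", ILLEGAL_RE), ("failed", FAILED_RE)):
        e = rx.match(msg)
        if e:
            return (m.group("ts"), int(m.group("pid")), kind, e.group("user"), e.group("ip"))
    return None


def summarize(log_text, local_users=()):
    """Aggregate attempts per source IP. Usernames in local_users are redacted
    so the output can be posted without leaking a real login name."""
    local = set(local_users)
    acc = OrderedDict()   # insertion order keeps the log's chronology
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, pid, kind, user, ip = ev
        rec = acc.setdefault(ip, {"first": ts, "last": ts, "pids": set(), "failed": 0, "users": set()})
        rec["last"] = ts                  # logs are chronological, so last seen wins
        rec["pids"].add(pid)              # one sshd pid per connection
        if kind == "failed":
            rec["failed"] += 1
        rec["users"].add(REDACTED if user in local else user)
    return {
        ip: {
            "first": r["first"],
            "last": r["last"],
            "connections": len(r["pids"]),
            "failed": r["failed"],
            "users": sorted(r["users"]),
        }
        for ip, r in acc.items()
    }


def render(summary):
    """One line per IP, busiest first, ready to paste into the thread."""
    rows = sorted(summary.items(), key=lambda kv: (-kv[1]["failed"], kv[0]))
    return [
        "%s first=%s last=%s connections=%d failed=%d users=%s"
        % (ip, r["first"], r["last"], r["connections"], r["failed"], ",".join(r["users"]))
        for ip, r in rows
    ]


if __name__ == "__main__":
    # Real use: summarize(open("/var/log/auth.log").read(), local_users={...})
    for row in render(summarize(SAMPLE_LOG, local_users={"alice"})):
        print(row)
```

Two design points worth noting. Connections are counted by distinct sshd pid rather than by line, because every attempt produces both an "Illegal user" line and a "Failed password" line for the same pid, and counting lines would double every number. The redaction is an allowlist of your own account names, not a blocklist of the attacker's guesses: "administrator" and "info" are the attacker's dictionary and are exactly what the thread wants to collect, while "alice" (a name that does log in successfully on the box) is the kind of thing Steve says must be XXXX'd out before posting.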
----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:44:36 EDT