On Sat, 2004-07-17 at 13:05, Thomas Sapp wrote:
> Ok, upon a little further investigation, ripe.net is not the right way
> to go. Instead take a look at this info:
>
> % This is the RIPE Whois server.
> % The objects are in RPSL format.
> %
> % Rights restricted by copyright.
> % See http://www.ripe.net/ripencc/pub-services/db/copyright.html
>
> inetnum: 130.120.0.0 - 130.120.255.255
> netname: UNITOUL
> descr: Centre Interuniversitaire de Calcul de Toulouse
> descr: CICT, 118, Route de Narbonne, 31062 Toulouse CEDEX, France
> country: FR
> admin-c: DI10-RIPE
> tech-c: DI10-RIPE
> remarks: REMIP
> status: ASSIGNED PA
> mnt-by: RIPE-NCC-LOCKED-MNT
> remarks: Maintainer RIPE-NCC-NONE-MNT removed and object
> remarks: LOCKED by the RIPE NCC due to
> remarks: deprecation of the NONE authentication scheme.
> remarks: Please visit the following URL to unlock this object
> remarks: http://www.ripe.net/db/none-deprecation-042004.html
> changed: ripe-dbm@xxxxxxxx 19990706
> changed: ripe-dbm@xxxxxxxx 20000225
> changed: rensvp@xxxxxxxxxx 20020328
> changed: ripe-dbm@xxxxxxxx 20040430
> source: RIPE
>
> route: 130.120.0.0/16
> descr: RENATER
> descr: Universite Pierre et Marie Curie
> descr: 4 place Jussieu 75252 PARIS CEDEX 05
> descr: FRANCE
> origin: AS2200
> mnt-by: RENATER-MNT
> changed: RenSVP@xxxxxxxxxx 19991008
> source: RIPE
>
> person: Dominique Incerti
> address: Centre Interuniversitaire de Calcul de Toulouse
> address: 118, route de Narbonne
> address: F-31062 Toulouse CEDEX, France
> e-mail: incerti@xxxxxxx
> phone: +33 5 61 36 60 12
> fax-no: +33 5 61 52 14 58
> nic-hdl: DI10-RIPE
> mnt-by: RENATER-MNT
> changed: rensvp@xxxxxxxxxx 19961125
> changed: rensvp@xxxxxxxxxx 20030326
> source: RIPE
>
> Which shows that the IP belongs to a French university called Centre Interuniversitaire de Calcul de Toulouse. You can attempt to locate their website and send an email with the log info to them at abuse@{their domain}.
> Again, this does not guarantee any response, especially from a foreign country.
> ----

I would agree with this but considering:

- ssh is open to the world, I would strongly look at things like disabling the ability of all users or virtually all users from accessing ssh from other than internal LANs (man hosts.allow - man sshd.config)
- If there is a user named 'test' I would probably delete that user. That being said, a user actually logging in with the account test still hasn't done any damage (yet).
- a good hacker would use another system to attack other systems to hide the originating IP address.
- a good hacker would never make a feeble attempt such as the one you described
- a good hacker would more than likely gain access and remove the log entries to cover his tracks. The 2 boxes that I have had hacked were done well and not easy to spot.
- this message base is not going to provide nearly the breadth necessary to cover security issues. If you are responsible for security, you probably have to do a lot of reading (I would suggest Linux Hacking Exposed), as you will probably want to consider things like tripwire and not just iptables rulesets and logging.

Craig
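An added example, not part of the thread above: a small check that runs over sshd log lines and flags the two things Craig's reply points at, accepted logins that did not come from an internal LAN and any activity against a throwaway account such as 'test'. The log lines, the internal network ranges and the suspect account list are constructed assumptions for this example.

```python
import ipaddress
import re

# Constructed sample sshd log lines (assumed format of OpenSSH auth logging).
SAMPLE_LOG = """\
Jul 17 09:12:01 host sshd[2211]: Accepted password for test from 130.120.45.67 port 51234 ssh2
Jul 17 09:12:05 host sshd[2213]: Failed password for root from 130.120.45.67 port 51240 ssh2
Jul 17 10:03:44 host sshd[2290]: Accepted publickey for alice from 192.168.1.20 port 40022 ssh2
Jul 17 10:10:09 host sshd[2301]: Failed password for invalid user admin from 203.0.113.9 port 5555 ssh2
"""

# Matches both "Accepted ... for user" and "Failed ... for invalid user user".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Internal LANs that are allowed to reach sshd (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]
# Accounts that should never log in interactively (the 'test' user from the thread).
SUSPECT_USERS = {"test"}


def is_internal(ip):
    """True if the address falls inside one of the internal LAN ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostnames or garbage never count as internal
    return any(addr in net for net in INTERNAL_NETS)


def find_findings(log_text):
    """Return (kind, user, ip) tuples: accepted logins from outside the
    internal LANs, and any attempt (accepted or failed) on a suspect account."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, ip, result = m["user"], m["ip"], m["result"]
        if result == "Accepted" and not is_internal(ip):
            findings.append(("external_login", user, ip))
        if user in SUSPECT_USERS:
            findings.append(("suspect_account", user, ip))
    return findings


if __name__ == "__main__":
    for kind, user, ip in find_findings(SAMPLE_LOG):
        print(f"{kind}: user={user} from={ip}")
```

The external login as 'test' is the case the original poster saw; the failed attempts are left for a separate threshold check, since tcp wrappers or an sshd listen restriction would stop them at the door anyway.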