Re: MORE SSH Hacking: heads-up

[Res <res@xxxxxxxxxx>]

its korean

Most of us in *.au are seeing shitloads of it, not just ssh but telnet as 
well


On Fri, 30 Jul 2004, jludwig wrote:

> On Fri, 2004-07-30 at 05:45, Brian Fahrlander wrote:
> >     From last night's LogWatch:
> > --------------------------------------------------------------------------
> >
> > sshd:
> >    Invalid Users:
> >       Unknown Account: 7 Time(s)
> >    Unknown Entries:
> >       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> > rhost=johnstongrain.com  : 2 Time(s)
> >       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> > rhost=smms-mriley09d.chemistry.uq.edu.au  : 2 Time(s)
> >       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> > rhost=211.117.191.70  : 1 Time(s)
> >       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> > rhost=216.97.110.1  : 1 Time(s)
> >       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> > rhost=ccia-062-204-197-193.uned.es  : 1 Time(s)
> >
> > su:
> >    Sessions Opened:
> >       brian(uid=500) -> root: 1 Time(s)
> >
> > ------------------------------------------------------------------------
> >
> >     Ok, guys- what do we do with this?  Should we be writing down the
> > addresses from which these attempts were made? They're probably all
> > 'stooge' addresses, I know, but it might help authorities to know what
> > other machines have been compromised...
> >
> >     I'll go save the log somewhere...
> >
> > ------------------------------------------------------------------------
> Search results for: 211.117.191.70
>        OrgName:    Asia Pacific Network Information Centre
>        OrgID:      APNIC
>        Address:    PO Box 2131
>        City:       Milton
>        StateProv:  QLD
>        PostalCode: 4064
>        Country:    AU
>
>        ReferralServer: whois://whois.apnic.net
>
>        NetRange:   210.0.0.0 - 211.255.255.255
>        CIDR:       210.0.0.0/7
>        NetName:    APNIC-CIDR-BLK2
>        NetHandle:  NET-210-0-0-0-1
>        Parent:
>        NetType:    Allocated to APNIC
>        NameServer: NS1.APNIC.NET
>        NameServer: NS3.APNIC.NET
>        NameServer: NS4.APNIC.NET
>        NameServer: NS.RIPE.NET
>        NameServer: TINNIE.ARIN.NET
>        NameServer: DNS1.TELSTRA.NET
>        Comment:    This IP address range is not registered in the ARIN database.
>        Comment:    For details, refer to the APNIC Whois Database via
>        Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
>        Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
>        Comment:    for the Asia Pacific region. APNIC does not operate networks
>        Comment:    using this IP address range and is not able to investigate
>        Comment:    spam or abuse reports relating to these addresses. For more
>        Comment:    help, refer to http://www.apnic.net/info/faq/abuse
>        Comment:
>        RegDate:    1996-07-01
>        Updated:    2004-03-30
>
>        OrgTechHandle: AWC12-ARIN
>        OrgTechName:   APNIC Whois Contact
>        OrgTechPhone:  +61 7 3858 3100
>        OrgTechEmail:  search-apnic-not-arin@xxxxxxxxx
>
>        # ARIN WHOIS database, last updated 2004-07-29 19:10
>        # Enter ? for additional hints on searching ARIN's WHOIS database.
>
> --
> jludwig <wralphie@xxxxxxxxxxx>
>
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list

--
Regards,
Res