LogWatch +++IMPORTANT+++

Where any Tech issues can be taken up and planned by our highly trained and unbelievably skilled computer geeks.
Rhuac
Ass Jammer
Posts: 1029
Joined: Mon Feb 17, 2003 3:47 pm
Location: Austin, TX
Contact:

LogWatch +++IMPORTANT+++

Postby Rhuac » Sat Aug 14, 2004 12:06 pm

I was reading through my daily LogWatch email for my server and this caught my eye...

Code:

--------------------- pam_unix Begin ------------------------

sshd:
   Authentication Failures:
      root (220.226.193.6 ): 3 Time(s)

 ---------------------- pam_unix End -------------------------


And also this caught my eye...

Code:

--------------------- SSHD Begin ------------------------


Failed logins from these:
   root/password from 220.226.193.6: 3 Time(s)

**Unmatched Entries**
Illegal user test from 220.226.193.6
Illegal user guest from 220.226.193.6
Illegal user admin from 220.226.193.6
Illegal user admin from 220.226.193.6
Illegal user user from 220.226.193.6
Illegal user test from 220.226.193.6

 ---------------------- SSHD End -------------------------


I did a trace on this IP and it's coming from Bombay, India... there was no registrant information but there was network info...

Code:

inetnum:      220.224.0.0 - 220.227.255.255
netname:      RelianceInfocom
descr:        Reliance Infocom Ltd.
country:      IN
admin-c:      JT125-AP
tech-c:       RS78-AP
status:       ALLOCATED PORTABLE
notify:       relianceip_admin@ril.com
changed:      hm-changed@apnic.net 20021216
mnt-by:       APNIC-HM
mnt-lower:    MAINT-IN-SN
changed:      hm-changed@apnic.net 20040301
source:       APNIC

route:        220.226.0.0/16
descr:        Reliance Infocom Ltd Internet Data Centre
origin:       AS18101
mnt-by:       MAINT-IN-SN
changed:      relianceip_admin@ril.com 20040608
source:       APNIC
country:      IN

person:       Jyotindra Thacker
nic-hdl:      JT125-AP
e-mail:       jt@ril.com
address:      3rd Floor, Maker Chambers IV,
address:      Nariman point, Mumbai-400021,
address:      Maharashtra,
address:      India
phone:        +91-2-230382765
fax-no:       +91-2-230382899
country:      IN
changed:      relianceip_admin@ril.com 20040105
mnt-by:       MAINT-IN-SN
source:       APNIC

person:       Rajendar Singh
nic-hdl:      RS78-AP
e-mail:       rajendar_singh@ril.com
address:      3rd Floor, Maker Chambers IV,
address:      Nariman point, Mumbai-400021,
address:      Maharashtra,
address:      India
phone:        +91-2-230382790
fax-no:       +91-2-230382799
country:      IN
changed:      relianceip_admin@ril.com 20040105
mnt-by:       MAINT-IN-SN
source:       APNIC


I'm wondering why they would attempt to secure shell into my PC... anyhow, anyone know what I should do? I went ahead and stopped ssh and I'll probably go ahead and block this IP with iptables before I start up ssh again.
Rhuac
Talks Like A Gentleman
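The LogWatch sections above are a roll-up of raw sshd syslog lines. The script below is an added example (not from this thread and not LogWatch's own code) that does the same roll-up over raw lines so a failure threshold can be applied per source address: it counts "Failed password" and "Illegal user" events per IP and lists the usernames tried from a given IP. The log lines in SAMPLE_LOG are constructed to mirror the events in the post (the 220.226.193.6 entries are the ones reported above; host name, PIDs, ports and the 192.0.2.10 entries are made up).

```shell
#!/bin/sh
# Added example, not from the thread: roll raw sshd syslog lines up into the
# per-source failure counts that LogWatch reports, then apply a threshold.

# Constructed sample log (2004-era OpenSSH wording). It reproduces the events
# LogWatch summarised in the post: 3 root password failures and 6 "Illegal user"
# probes from 220.226.193.6, plus one unrelated failure and one success.
SAMPLE_LOG='Aug 14 03:12:01 host sshd[2011]: Failed password for root from 220.226.193.6 port 41022 ssh2
Aug 14 03:12:04 host sshd[2011]: Failed password for root from 220.226.193.6 port 41022 ssh2
Aug 14 03:12:07 host sshd[2011]: Failed password for root from 220.226.193.6 port 41022 ssh2
Aug 14 03:12:10 host sshd[2014]: Illegal user test from 220.226.193.6
Aug 14 03:12:12 host sshd[2015]: Illegal user guest from 220.226.193.6
Aug 14 03:12:14 host sshd[2016]: Illegal user admin from 220.226.193.6
Aug 14 03:12:16 host sshd[2017]: Illegal user admin from 220.226.193.6
Aug 14 03:12:18 host sshd[2018]: Illegal user user from 220.226.193.6
Aug 14 03:12:20 host sshd[2019]: Illegal user test from 220.226.193.6
Aug 14 09:40:02 host sshd[2310]: Failed password for alice from 192.0.2.10 port 50211 ssh2
Aug 14 09:41:00 host sshd[2311]: Accepted publickey for alice from 192.0.2.10 port 50212 ssh2'

# Read sshd log lines on stdin; print "IP count" for every source that produced
# a password failure or an "Illegal user" probe, most active source first.
ssh_failures_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Failed password for|Illegal user)/ {
            # take the token after the last "from", so a username of "from"
            # cannot confuse the parse
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            if (src != "") fails[src]++
        }
        END { for (ip in fails) print ip, fails[ip] }
    ' | sort -k2,2nr
}

# Distinct usernames tried from the address in $1 (the "test guest admin user"
# list LogWatch shows under Unmatched Entries), sorted.
ssh_usernames_from() {
    awk -v ip="$1" '
        /sshd\[[0-9]+\]: (Failed password for|Illegal user)/ {
            # the username is the token just before "from"
            for (i = 2; i <= NF; i++) if ($i == "from" && $(i + 1) == ip) seen[$(i - 1)] = 1
        }
        END { for (u in seen) print u }
    ' | sort
}

# Print the source IPs whose failure count reaches the threshold in $1.
ssh_brute_force_candidates() {
    ssh_failures_by_ip | awk -v t="$1" '$2 >= t { print $1 }'
}

# Usage: sh thisscript.sh --demo   (or pipe a real log: ssh_failures_by_ip < /var/log/secure)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | ssh_brute_force_candidates 3 | while read -r ip; do
        echo "$ip: $(printf '%s\n' "$SAMPLE_LOG" | ssh_usernames_from "$ip" | tr '\n' ' ')"
    done
fi
```

On the sample, 220.226.193.6 accounts for 9 failures (3 password failures plus 6 illegal-user probes) and crosses a threshold of 3, while the single failure from 192.0.2.10 does not; the threshold is the knob to tune against the normal typo rate of your own users before turning this into an automatic block.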

Pytt
Tripped Off the Short Bus
Posts: 581
Joined: Sun Aug 18, 2002 1:11 pm
Location: Hermosa Beach

Postby Pytt » Sat Aug 14, 2004 9:23 pm

Go back to Narnia.

Nerdssssss.

Nerds!! Nerds!! Nerds!!
Rolondo the Dog Faced Troll <merlin>
Pytt the Long Backed Dwarf <dark>
Rolondo Alazondo 4lyfe Ba-Giner
Snoopie 70 Gnome mage Dragonblight

Nese
Keyboard Molesting Forum G33k
Posts: 125
Joined: Sun Sep 21, 2003 9:53 pm
Contact:

Postby Nese » Sat Aug 14, 2004 11:17 pm

It's just a random scan. Someone did an OS fingerprint scan on that class B and is now trying to SSH into any machine that returned a *nix OS. I wouldn't be too concerned. Just block the fucker in ipchains.
Mitzuki - 50 Savage - Merlin
Linia Bluebomber - 50 Runie - Merlin
Chirigami - 50 Thane - Merlin *mule*
Yushiro Gowa - 50 Champ - MLF *traded*
Nese Starrwind - 50 SB - Merlin *traded*

Hall
The Bionic Puerto Rican
Posts: 1214
Joined: Sat Dec 28, 2002 11:46 am
Location: Harlem, New York

Postby Hall » Sun Aug 15, 2004 11:08 am

I used to remember iptables and all that shit 2 years ago, now I can't even set up my network >_<
A WoW Nerd, A DaOC Reject
and a sociopath

"Fucking Doughnut!!!!!, Mock Me??,You Fried Cyclops"

Candide
Tripped Off the Short Bus
Posts: 537
Joined: Thu Jan 09, 2003 9:07 am
Location: Jacksonville, FL

Postby Candide » Mon Aug 16, 2004 6:23 am

Honestly, if you have iptables/chains you should be blocking everything, and then opening up to specific IPs. Unless you have some need to let random IPs into your system on sshd.

Deny all, then open up from there. There are some really great premade rule sets for iptables and chains, maybe look to them for some ideas. I think the "best" public one was by trinityos, I think that is what they were called.
Venderic, Candide or Mercutio in games.
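Candide's "deny all, then open up from there" and Rhuac's plan to block the one address can be expressed as a small iptables INPUT policy. The script below is an added example (not from this thread and not the TrinityOS ruleset Candide refers to): it drops the address reported above outright, admits new SSH connections only from a list of management addresses, logs the rest of the SSH attempts at a limited rate, and makes DROP the chain default. The addresses in SSH_ALLOW are constructed placeholders from the RFC 5737 documentation ranges; the `ipt` wrapper and the IPT_DRY_RUN variable are this example's own conventions so the rules can be printed and reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny INPUT policy for iptables
# that only admits SSH from listed addresses. IPT_DRY_RUN=1 prints the
# commands instead of executing them.

SSH_BLOCK="220.226.193.6"                  # the source reported in the post
SSH_ALLOW="198.51.100.7 203.0.113.0/24"    # constructed placeholder admin addresses

# Run iptables, or echo the command when IPT_DRY_RUN=1.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rebuild the INPUT chain. Accept rules go in before the DROP policy is set, so
# an existing admin session over SSH is not cut off while the chain is rebuilt.
build_input_rules() {
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    # replies to connections this host opened, and already-established sessions
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # explicit block list first, so a blocked address cannot match a later ACCEPT
    for src in $SSH_BLOCK; do             # unquoted on purpose: split on spaces
        ipt -A INPUT -s "$src" -j DROP
    done
    # new SSH sessions only from the management addresses
    for src in $SSH_ALLOW; do
        ipt -A INPUT -p tcp -s "$src" --dport 22 -m state --state NEW -j ACCEPT
    done
    # record the SSH attempts that fall through, rate-limited so a scan cannot flood the log
    ipt -A INPUT -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix "SSH-DROP:"
    # everything not accepted above is dropped by policy
    ipt -P INPUT DROP
}

# Usage: sh thisscript.sh --dry-run   (review), then sh thisscript.sh --apply (as root)
case "${1:-}" in
    --dry-run) IPT_DRY_RUN=1 build_input_rules ;;
    --apply)   build_input_rules ;;
esac
```

Review the dry-run output before applying it from a console rather than over SSH the first time: if the management address list is wrong, the ESTABLISHED rule keeps the current session alive but the next login will be refused. The LOG rule is what LogWatch will later summarise for you in place of the sshd failure lines, since blocked packets never reach sshd.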

Rhuac
Ass Jammer
Posts: 1029
Joined: Mon Feb 17, 2003 3:47 pm
Location: Austin, TX
Contact:

Postby Rhuac » Mon Aug 16, 2004 11:40 am

Thanks Candide, I'll do a search for trinityos iptables and see what I can find.
Rhuac

Talks Like A Gentleman

Pytt
Tripped Off the Short Bus
Posts: 581
Joined: Sun Aug 18, 2002 1:11 pm
Location: Hermosa Beach

Postby Pytt » Mon Aug 16, 2004 12:49 pm

FOR NARNIA!!!

HIZAAHH!!!!
Rolondo the Dog Faced Troll <merlin>

Pytt the Long Backed Dwarf <dark>

Rolondo Alazondo 4lyfe Ba-Giner

Snoopie 70 Gnome mage Dragonblight

