hi, I'm just looking through the logs and what do my bleary eyes see?
--------------------- SSHD Begin ------------------------
Users logging in through sshd:
********:
p508179FB.dip.t-dialin.net (80.129.121.251): 2 times
**Unmatched Entries**
Illegal user test from ::ffff:221.166.169.102
User guest not allowed because shell /dev/null is not executable
Illegal user user from ::ffff:221.166.169.102
Illegal user test from ::ffff:221.166.169.102
Illegal user ihybridi from ::ffff:61.100.191.232
Illegal user donchaz0 from ::ffff:61.100.191.232
Illegal user tomcat from ::ffff:61.100.191.232
Illegal user tomcat4 from ::ffff:61.100.191.232
User mailman not allowed because account is locked
Illegal user chaz09200 from ::ffff:61.100.191.232
Illegal user donchaz09200 from ::ffff:61.100.191.232
Illegal user tmp from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user test from ::ffff:61.100.191.232
Illegal user tmp from ::ffff:61.100.191.232
Illegal user fran from ::ffff:61.100.191.232
Illegal user crazy from ::ffff:61.100.191.232
Illegal user pierre from ::ffff:61.100.191.232
Illegal user james from ::ffff:61.100.191.232
[...]
-------------------------------------------------
I've had a whole lot of these in the last 5 days, but this "attack" was quite extensive. This list surely runs to around 100-120 entries of this kind.
So I thought I'd take a look at who is behind the IP. At first I suspected a dial-up PC, but:
whois 61.100.191.232
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 61.96.0.0 - 61.111.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: [EMAIL PROTECTED] 20010321
changed: [EMAIL PROTECTED] 20010606
status: ALLOCATED PORTABLE
source: APNIC
person: Host Master
address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address: Seoul, Korea, 137-857
country: KR
phone: +82-2-2186-4500
fax-no: +82-2-2186-4496
e-mail: [EMAIL PROTECTED]
nic-hdl: HM127-AP
mnt-by: MNT-KRNIC-AP
changed: [EMAIL PROTECTED] 20020507
source: APNIC
#######################################################
nmap -sS -O -v 61.100.191.232
Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-08-31 22:50 CEST
Host 61.100.191.232 appears to be up ... good.
Initiating SYN Stealth Scan against 61.100.191.232 at 22:50
Adding open port 23/tcp
Adding open port 21/tcp
Adding open port 25/tcp
Adding open port 22/tcp
Adding open port 143/tcp
Adding open port 111/tcp
Adding open port 22305/tcp
Adding open port 6000/tcp
Adding open port 110/tcp
Adding open port 995/tcp
The SYN Stealth Scan took 61 seconds to scan 1660 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on 61.100.191.232:
(The 1646 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
143/tcp open imap
995/tcp open pop3s
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
5000/tcp filtered UPnP
6000/tcp open X11
22305/tcp open wnn6_Kr
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.6 - 2.4.21
Uptime 85.580 days (since Mon Jun 7 08:56:17 2004)
TCP Sequence Prediction: Class=random positive increments Difficulty=4122234 (Good luck!)
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 74.920 seconds
#######################################################
Crazy, isn't it? I mean, these user logins don't bother me much, since only keys are accepted and passwords have been disabled, but it is perverse all the same.
I assume the machine has been hijacked (probably with the help of Sendmail: glorysky.net ESMTP Sendmail 8.11.6/8.11.6 ;-) ..), so I've sent a mail to the admin, let's see what happens.
All the IPs the attempts came from were in China or Korea.
Exciting, isn't it?
cu denny
--
cu denny
NEW(!) Gnupg key can be found under pgp.mit.edu, key ID 0xAB7D3FE0
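As an added example (not part of the original post), a small Python script that parses the logwatch "Unmatched Entries" lines shown above, strips the `::ffff:` IPv4-mapped prefix, and flags source addresses that tried several distinct account names, which is the signature of the dictionary attack seen here rather than a single typo. The sample log is constructed from lines quoted in the post; the threshold values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the logwatch "Unmatched Entries" format from the post.
SAMPLE_LOG = """\
Illegal user test from ::ffff:221.166.169.102
User guest not allowed because shell /dev/null is not executable
Illegal user user from ::ffff:221.166.169.102
Illegal user tomcat from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user james from ::ffff:61.100.191.232
"""

# Matches the sshd "Illegal user <name> from <addr>" line (OpenSSH 3.x wording).
ILLEGAL_USER = re.compile(r"^Illegal user (?P<user>\S+) from (?P<addr>\S+)$")


def normalize_addr(addr):
    """Strip the IPv4-mapped IPv6 prefix sshd emits on dual-stack hosts."""
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr


def summarize(log_text):
    """Return {ip: {"attempts": n, "users": set(...)}} for illegal-user lines."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = ILLEGAL_USER.match(line.strip())
        if not m:
            continue  # "User X not allowed ..." lines carry no source address
        entry = per_ip[normalize_addr(m.group("addr"))]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
    return dict(per_ip)


def flag_scanners(summary, min_attempts=3, min_users=3):
    """Assumed thresholds: many attempts across many account names = scanner."""
    return sorted(ip for ip, e in summary.items()
                  if e["attempts"] >= min_attempts and len(e["users"]) >= min_users)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in flag_scanners(stats):
        print(f"{ip}: {stats[ip]['attempts']} attempts, "
              f"{len(stats[ip]['users'])} distinct names")
```

Feed it the real logwatch section (or `grep 'Illegal user' /var/log/auth.log`) instead of the sample to get a per-source list worth blocking or reporting to the abuse contact.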