Hi, I partly get this, but partly I'd like to know more about what you are talking about. Above all, I don't understand how you arrive at your conclusion, unless you mean the rather large number of open ports... So if anybody has nothing to do right now, he/she/it could comment on the mail with an explanation. Thanks, regards, Moritz
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Denny Schierz
Sent: Tuesday, 31 August 2004 22:14
To: pug
Subject: [PUG] Exciting logs

hi,

I'm just looking through the logs, and what do my bleary eyes see?

--------------------- SSHD Begin ------------------------

Users logging in through sshd:
   ********: p508179FB.dip.t-dialin.net (80.129.121.251): 2 times

**Unmatched Entries**
Illegal user test from ::ffff:221.166.169.102
User guest not allowed because shell /dev/null is not executable
Illegal user user from ::ffff:221.166.169.102
Illegal user test from ::ffff:221.166.169.102
Illegal user ihybridi from ::ffff:61.100.191.232
Illegal user donchaz0 from ::ffff:61.100.191.232
Illegal user tomcat from ::ffff:61.100.191.232
Illegal user tomcat4 from ::ffff:61.100.191.232
User mailman not allowed because account is locked
Illegal user chaz09200 from ::ffff:61.100.191.232
Illegal user donchaz09200 from ::ffff:61.100.191.232
Illegal user tmp from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user test from ::ffff:61.100.191.232
Illegal user tmp from ::ffff:61.100.191.232
Illegal user fran from ::ffff:61.100.191.232
Illegal user crazy from ::ffff:61.100.191.232
Illegal user pierre from ::ffff:61.100.191.232
Illegal user james from ::ffff:61.100.191.232
[...]

-------------------------------------------------

I have had a whole lot of these over the last 5 days, but this "attack" was quite extensive. The list surely comprises about 100-120 entries of this kind. So I thought I'd take a look at who is behind the IP. At first I suspected a dial-up PC, but:

whois 61.100.191.232
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      61.96.0.0 - 61.111.255.255
netname:      KRNIC-KR
descr:        KRNIC
descr:        Korea Network Information Center
country:      KR
admin-c:      HM127-AP
tech-c:       HM127-AP
remarks:      ******************************************
remarks:      KRNIC is the National Internet Registry
remarks:      in Korea under APNIC. If you would like to
remarks:      find assignment information in detail
remarks:      please refer to the KRNIC Whois DB
remarks:      http://whois.nic.or.kr/english/index.html
remarks:      ******************************************
mnt-by:       APNIC-HM
mnt-lower:    MNT-KRNIC-AP
changed:      [EMAIL PROTECTED] 20010321
changed:      [EMAIL PROTECTED] 20010606
status:       ALLOCATED PORTABLE
source:       APNIC

person:       Host Master
address:      11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address:      Seoul, Korea, 137-857
country:      KR
phone:        +82-2-2186-4500
fax-no:       +82-2-2186-4496
e-mail:       [EMAIL PROTECTED]
nic-hdl:      HM127-AP
mnt-by:       MNT-KRNIC-AP
changed:      [EMAIL PROTECTED] 20020507
source:       APNIC

#######################################################

nmap -sS -O -v 61.100.191.232

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-08-31 22:50 CEST
Host 61.100.191.232 appears to be up ... good.
Initiating SYN Stealth Scan against 61.100.191.232 at 22:50
Adding open port 23/tcp
Adding open port 21/tcp
Adding open port 25/tcp
Adding open port 22/tcp
Adding open port 143/tcp
Adding open port 111/tcp
Adding open port 22305/tcp
Adding open port 6000/tcp
Adding open port 110/tcp
Adding open port 995/tcp
The SYN Stealth Scan took 61 seconds to scan 1660 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on 61.100.191.232:
(The 1646 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
23/tcp    open     telnet
25/tcp    open     smtp
110/tcp   open     pop3
111/tcp   open     rpcbind
135/tcp   filtered msrpc
143/tcp   open     imap
995/tcp   open     pop3s
1434/tcp  filtered ms-sql-m
4444/tcp  filtered krb524
5000/tcp  filtered UPnP
6000/tcp  open     X11
22305/tcp open     wnn6_Kr
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.6 - 2.4.21
Uptime 85.580 days (since Mon Jun  7 08:56:17 2004)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=4122234 (Good luck!)
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 74.920 seconds

#######################################################

Crazy, isn't it? I mean, these user logins don't really bother me, since only keys are accepted and passwords have been switched off, but it is perverse all the same. I assume the machine has been hijacked (probably with the help of Sendmail: glorysky.net ESMTP Sendmail 8.11.6/8.11.6 ;-) ..), so I have sent a mail to the admin; let's see what happens. All the IPs the attempts came from were in China or Korea.

exciting, isn't it?

cu denny
--
cu denny
NEW(!) Gnupg key can be found under pgp.mit.edu, key ID 0xAB7D3FE0
----------------------------------------------------------------------------
PUG - Penguin User Group Wiesbaden - http://www.pug.org
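As an added example, not code from the original mail or from logwatch, here is a small Python script that parses sshd entries of the kind quoted above, groups them by source address and flags sources that cycle through many account names, which is what distinguishes the 61.100.191.232 run from a single mistyped login. The sample lines are constructed in the style of the post (usernames and addresses reused from it, counts made up); the "Invalid user ... port N" line is the wording of later OpenSSH releases, added so the same parser also handles current logs. The ::ffff: prefix is stripped because sshd on a dual-stack host logs IPv4 clients as IPv4-mapped IPv6 addresses, and blocklists and whois want the plain IPv4 form.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the logwatch "SSHD" section quoted in the
# mail above; usernames and addresses are reused from the post, the ordering
# and counts are made up for this example.
SAMPLE_LOG = """\
Illegal user test from ::ffff:221.166.169.102
User guest not allowed because shell /dev/null is not executable
Illegal user user from ::ffff:221.166.169.102
Illegal user test from ::ffff:221.166.169.102
Illegal user ihybridi from ::ffff:61.100.191.232
Illegal user donchaz0 from ::ffff:61.100.191.232
Illegal user tomcat from ::ffff:61.100.191.232
Illegal user tomcat4 from ::ffff:61.100.191.232
User mailman not allowed because account is locked
Illegal user postgres from ::ffff:61.100.191.232
Illegal user postgres from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user oracle from ::ffff:61.100.191.232
Illegal user test from ::ffff:61.100.191.232
Invalid user admin from 10.0.0.5 port 50214
"""

# OpenSSH of the 2004 era logged "Illegal user"; later versions say
# "Invalid user" and append "port N". Both shapes are matched here.
UNKNOWN_USER = re.compile(
    r"^(?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>\S+)(?: port \d+)?$"
)
# "User X not allowed because ..." carries no source address in this format.
NOT_ALLOWED = re.compile(r"^User (?P<user>\S+) not allowed because (?P<why>.+)$")


def normalize_ip(addr):
    """Strip the IPv4-mapped IPv6 prefix (::ffff:1.2.3.4 -> 1.2.3.4)."""
    prefix = "::ffff:"
    return addr[len(prefix):] if addr.startswith(prefix) else addr


def summarize(log_text):
    """Aggregate unknown-user login attempts per source address.

    Returns (per_source, unattributed): per_source maps an IP to a dict with
    'attempts' (int) and 'users' (set of account names tried); unattributed
    lists (user, reason) pairs for rejections that name no source address.
    """
    per_source = defaultdict(lambda: {"attempts": 0, "users": set()})
    unattributed = []
    for line in log_text.splitlines():
        line = line.strip()
        m = UNKNOWN_USER.match(line)
        if m:
            src = normalize_ip(m.group("src"))
            per_source[src]["attempts"] += 1
            per_source[src]["users"].add(m.group("user"))
            continue
        m = NOT_ALLOWED.match(line)
        if m:
            unattributed.append((m.group("user"), m.group("why")))
    return dict(per_source), unattributed


def flag_bruteforce(per_source, min_attempts=5, min_users=3):
    """A source that tries many distinct account names is guessing, not
    mistyping; both thresholds are assumptions to tune per host."""
    return sorted(
        src for src, s in per_source.items()
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users
    )


if __name__ == "__main__":
    per_source, unattributed = summarize(SAMPLE_LOG)
    for src in flag_bruteforce(per_source):
        s = per_source[src]
        print(f"{src}: {s['attempts']} attempts, {len(s['users'])} distinct names")
    print(f"{len(unattributed)} rejections without a source address")
```

With password authentication disabled, as in the mail, none of these attempts can succeed, but the per-source counts are still what you want when deciding whom to block at the firewall or whose abuse contact to write to. Note that the logwatch "Users logging in through sshd" line is a successful login, not a failure, and is deliberately not matched here.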

