I've had several similar events happen in the last week. Must be some new script going around.

-----Original Message-----
From: owner-kclug@kclug.org [mailto:owner-kclug@kclug.org] On Behalf Of Greg Kedrovsky
Sent: Tuesday, August 10, 2004 3:13 PM
To: kclug
Subject: Was I almost hacked?

Ever since I moved up into the mountains, I lost my cable modem that I had down in "the city." That means my Freesco router (running IPChains) is down and out, and not in use. I haven't bothered to configure it for dial-up since I got a barebones machine (little Shuttle, pretty cool) to use with IPCop. Anyway...

I connect via dial-up and have no firewall. I monitor my /var/log/messages with tail -f, so I can see what's going on in my system. While I was on-line receiving and sending mail, I saw a bunch of lines whiz by in my term window running tail. Here is what came through:

pppd[6389]: Serial connection established.
pppd[6389]: Using interface ppp0
pppd[6389]: Connect: ppp0 <--> /dev/modem
pppd[6389]: local IP address 196.40.40.189
pppd[6389]: remote IP address 196.40.40.1
sshd[7012]: Illegal user test from 202.114.75.193
sshd[7012]: Failed password for illegal user test from 202.114.75.193 port 3595 ssh2
sshd[7014]: Illegal user guest from 202.114.75.193
sshd[7014]: Failed password for illegal user guest from 202.114.75.193 port 3675 ssh2
sshd[7034]: Illegal user admin from 202.114.75.193
sshd[7034]: Failed password for illegal user admin from 202.114.75.193 port 3791 ssh2
pppd[6389]: Terminating on signal 2.
pppd[6389]: Connection terminated.
pppd[6389]: Connect time 8.0 minutes.
pppd[6389]: Sent 41718 bytes, received 298358 bytes.
pppd[6389]: Exit.

Sorry, looks like those lines are going to wrap on me, the lines in question.

If I understand the messages right, a guy with IP 200.114.75.193 tried to hack into my system via 3 different ports (probably had some program trying commonly open ports?).
Since he tried with 3 different usernames (test, guest, admin), I'm gathering he thought he was hacking a Winders machine. ?? Doesn't "root" in Winders use the username "admin"? Am I reading this correctly?

I wonder how hard IPCop is gonna be to get running on dial-up, with Squid, dial on demand, etc. & et al.

Maybe I should try hunting this little script kiddie maggot down, and doing him some bodily harm.

-Greg

--
Mutt 1.4.1i on Slackware 9.1 Linux
Tres Ríos & San Jose, Costa Rica
Personal Site: www.greg-and-sue.com
Church Site: www.iglesia-del-este.com
Conexion Site: www.extreme-service.com

When I hear somebody sigh, "Life is hard," I am always tempted to ask, "Compared to what?" - Sydney J. Harris
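An added example, not part of the thread above. The sshd lines Greg quoted are the standard OpenSSH "Failed password" record; the "port NNNN" field in each one is the remote client's source port, not a port on the dial-up box (sshd itself listens on a single port, 22 by default), so what the log shows is one source address walking through a short list of common account names against the SSH service. The script below, written for this page rather than taken from the post, parses such lines from a /var/log/messages-style file, groups failures by source address, and flags any source whose failures span several distinct usernames. The sample input reuses the lines from the post; the final "Accepted publickey" line, with its user "greg" and address 10.0.0.5, is constructed to show that a successful login is not counted. Python 3, standard library only.

```python
import re
from collections import defaultdict

# Sample input. The sshd/pppd lines are those quoted in the post (the poster
# had already stripped the syslog timestamp and hostname). The last line is
# constructed for this example to show a successful login is ignored.
SAMPLE_LOG = """\
pppd[6389]: local IP address 196.40.40.189
sshd[7012]: Illegal user test from 202.114.75.193
sshd[7012]: Failed password for illegal user test from 202.114.75.193 port 3595 ssh2
sshd[7014]: Illegal user guest from 202.114.75.193
sshd[7014]: Failed password for illegal user guest from 202.114.75.193 port 3675 ssh2
sshd[7034]: Illegal user admin from 202.114.75.193
sshd[7034]: Failed password for illegal user admin from 202.114.75.193 port 3791 ssh2
sshd[7040]: Accepted publickey for greg from 10.0.0.5 port 40122 ssh2
"""

# OpenSSH "Failed password" line. Older releases say "illegal user" for an
# account that does not exist, newer ones say "invalid user"; for an existing
# account the qualifier is absent ("Failed password for root from ...").
# The port captured here is the client's ephemeral source port.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failed_logins(text):
    """Return one (source_ip, username, source_port) tuple per failed attempt."""
    attempts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m.group("ip"), m.group("user"), int(m.group("port"))))
    return attempts


def summarize(attempts):
    """Group failures by source IP: attempt count, usernames tried, source ports seen."""
    summary = defaultdict(lambda: {"count": 0, "users": set(), "ports": set()})
    for ip, user, port in attempts:
        entry = summary[ip]
        entry["count"] += 1
        entry["users"].add(user)
        entry["ports"].add(port)
    return dict(summary)


def flag_scanners(summary, min_attempts=3, min_users=2):
    """Flag sources whose failures cover several usernames.

    A legitimate user mistyping a password fails repeatedly against one
    account; a scanner cycles through account names. Thresholds are example
    values chosen for this demo, not tuned defaults.
    """
    return sorted(
        ip for ip, entry in summary.items()
        if entry["count"] >= min_attempts and len(entry["users"]) >= min_users
    )


if __name__ == "__main__":
    summary = summarize(parse_failed_logins(SAMPLE_LOG))
    for ip, entry in summary.items():
        print(f"{ip}: {entry['count']} failures, users={sorted(entry['users'])}, "
              f"source ports={sorted(entry['ports'])}")
    print("flagged:", flag_scanners(summary))
```

Run against the real file with `python3 sshfail.py < /var/log/messages` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; lines with a leading syslog timestamp and hostname still match because the pattern is searched, not anchored to the start of the line.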