Was I almost hacked?

jcrowe at cmuonline.net
Tue Aug 10 19:23:52 CDT 2004


Nope, it's a worm.

http://isc.sans.org/diary.php?date=2004-07-28

On Tue, Aug 10, 2004 at 02:12:36PM -0600, Greg Kedrovsky wrote:
> Ever since I moved up into the mountains, I lost my cable modem that I
> had down in "the city." That means my Freesco router (running IPChains)
> is down and out, and not in use. I haven't bothered to configure it for
> dial-up since I got a barebones machine (little Shuttle, pretty cool) to
> use with IPCop. Anyway... 
> 
> I connect via dial-up and have no firewall. 
> 
> I monitor my /var/log/messages with tail -f, so I can see what's going
> on in my system. 
> 
> While I was on-line receiving and sending mail, I saw a bunch of lines
> whiz by in my term window running tail. Here is what came through: 
> 
> pppd[6389]: Serial connection established.
> pppd[6389]: Using interface ppp0
> pppd[6389]: Connect: ppp0 <--> /dev/modem
> pppd[6389]: local  IP address 196.40.40.189
> pppd[6389]: remote IP address 196.40.40.1
> sshd[7012]: Illegal user test from 202.114.75.193
> sshd[7012]: Failed password for illegal user test from 202.114.75.193 port 3595 ssh2
> sshd[7014]: Illegal user guest from 202.114.75.193
> sshd[7014]: Failed password for illegal user guest from 202.114.75.193 port 3675 ssh2
> sshd[7034]: Illegal user admin from 202.114.75.193
> sshd[7034]: Failed password for illegal user admin from 202.114.75.193 port 3791 ssh2
> pppd[6389]: Terminating on signal 2.
> pppd[6389]: Connection terminated.
> pppd[6389]: Connect time 8.0 minutes.
> pppd[6389]: Sent 41718 bytes, received 298358 bytes.
> pppd[6389]: Exit.
> 
> Sorry, looks like those lines are going to wrap on me, the lines in
> question.
> 
> If I understand the messages right, a guy with IP 200.114.75.193 tried
> to hack into my system via 3 different ports (probably had some
> program trying commonly open ports?). 
> 
> Since he tried with 3 different usernames (test, guest, admin), I'm
> gathering he thought he was hacking a Winders machine. ?? Doesn't "root"
> in Winders use the username "admin"?
> 
> Am I reading this correctly? I wonder how hard IPCop is gonna be to get
> running on dial-up, with Squid, dial on demand, etc. & et al.  
> 
> Maybe I should try hunting this little script kiddie maggot down, and
> doing him some bodily harm.
> 
> -Greg
> 
> -- 
> Mutt 1.4.1i on Slackware 9.1 Linux
> Tres Ríos & San Jose, Costa Rica
> Personal Site: www.greg-and-sue.com
> Church Site: www.iglesia-del-este.com
> Conexion Site: www.extreme-service.com
> 
>  When I hear somebody sigh, "Life is hard," I am always
>  tempted to ask, "Compared to what?" - Sydney J. Harris
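The sshd lines quoted above are the classic signature of automated username guessing: one remote address, several account names in quick succession, each "Failed password" line carrying a different "port NNNN" value. That port is the remote client's source port, not a service on the local machine, so all three attempts hit the same sshd on port 22. The following script is an added example, not code from the original thread; it parses the quoted log lines (copied here as constructed sample input, with the syslog timestamp prefix omitted), groups failed logins by source address, and flags any address that tries several distinct usernames. The threshold of three distinct usernames is an assumed value chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the sshd/pppd lines quoted in the original message,
# with the syslog date/host prefix omitted.
SAMPLE_LOG = """\
pppd[6389]: Serial connection established.
pppd[6389]: Using interface ppp0
sshd[7012]: Illegal user test from 202.114.75.193
sshd[7012]: Failed password for illegal user test from 202.114.75.193 port 3595 ssh2
sshd[7014]: Illegal user guest from 202.114.75.193
sshd[7014]: Failed password for illegal user guest from 202.114.75.193 port 3675 ssh2
sshd[7034]: Illegal user admin from 202.114.75.193
sshd[7034]: Failed password for illegal user admin from 202.114.75.193 port 3791 ssh2
pppd[6389]: Terminating on signal 2.
"""

# Matches the "Failed password" line format shown in the log (older OpenSSH
# says "illegal user", newer releases say "invalid user"). The "port NNNN"
# field is the client's source port, not a listening port on this host.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<sport>\d+)"
)


def parse_failed_logins(log_text):
    """Return a list of (username, remote_ip, client_source_port) tuples,
    one per failed sshd password attempt found in log_text."""
    results = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            results.append((m.group("user"), m.group("ip"), int(m.group("sport"))))
    return results


def summarize_by_source(failures):
    """Group failed attempts by remote IP, recording the attempt count, the
    distinct usernames tried and the distinct client source ports seen."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "source_ports": set()})
    for user, ip, sport in failures:
        entry = summary[ip]
        entry["attempts"] += 1
        entry["users"].add(user)
        entry["source_ports"].add(sport)
    return dict(summary)


def flag_username_guessing(summary, min_distinct_users=3):
    """Return the sorted list of remote IPs that tried at least
    min_distinct_users different account names. The default of 3 is an
    assumed threshold for this example, not a value from the thread."""
    return sorted(ip for ip, e in summary.items() if len(e["users"]) >= min_distinct_users)


if __name__ == "__main__":
    failures = parse_failed_logins(SAMPLE_LOG)
    summary = summarize_by_source(failures)
    for ip, e in summary.items():
        print(f"{ip}: {e['attempts']} failed logins, users={sorted(e['users'])}, "
              f"client source ports={sorted(e['source_ports'])}")
    print("flagged for username guessing:", flag_username_guessing(summary))
```

Run against the quoted lines, the script reports a single source, 202.114.75.193, with three failed attempts against three different usernames and three different client source ports, and flags it. The same parser works on a live `/var/log/messages` or `auth.log` feed; on a host with no firewall in front of sshd, that per-source view is the quickest way to tell a single dictionary-style pass from a targeted attempt on a real account.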
