Was I almost hacked?

enabled at linuxjunkies.com
Wed Aug 11 02:31:00 CDT 2004


What you see is him trying to connect to port 22, which is ssh, from
several different ports on his machine. This is normal and expected when
users connect via ssh to you multiple times.

Good luck hunting 'him, her, whatever' down; the connection came from China,
on a university campus.

Andre

> I've had several similar events happen in the last week.  Must be some
> new script going around.
>
> -----Original Message-----
> From: owner-kclug at kclug.org [mailto:owner-kclug at kclug.org]On Behalf Of
> Greg Kedrovsky
> Sent: Tuesday, August 10, 2004 3:13 PM
> To: kclug
> Subject: Was I almost hacked?
>
>
> Ever since I moved up into the mountains, I lost my cable modem that I
> had down in "the city." That means my Freesco router (running IPChains)
> is down and out, and not in use. I haven't bothered to configure it for
> dial-up since I got a barebones machine (little Shuttle, pretty cool) to
> use with IPCop. Anyway...
>
> I connect via dial-up and have no firewall.
>
> I monitor my /var/log/messages with tail -f, so I can see what's going
> on in my system.
>
> While I was on-line receiving and sending mail, I saw a bunch of lines
> whiz by in my term window running tail. Here is what came through:
>
> pppd[6389]: Serial connection established.
> pppd[6389]: Using interface ppp0
> pppd[6389]: Connect: ppp0 <--> /dev/modem
> pppd[6389]: local  IP address 196.40.40.189
> pppd[6389]: remote IP address 196.40.40.1
> sshd[7012]: Illegal user test from 202.114.75.193
> sshd[7012]: Failed password for illegal user test from 202.114.75.193 port 3595 ssh2
> sshd[7014]: Illegal user guest from 202.114.75.193
> sshd[7014]: Failed password for illegal user guest from 202.114.75.193 port 3675 ssh2
> sshd[7034]: Illegal user admin from 202.114.75.193
> sshd[7034]: Failed password for illegal user admin from 202.114.75.193 port 3791 ssh2
> pppd[6389]: Terminating on signal 2.
> pppd[6389]: Connection terminated.
> pppd[6389]: Connect time 8.0 minutes.
> pppd[6389]: Sent 41718 bytes, received 298358 bytes.
> pppd[6389]: Exit.
>
> Sorry, looks like those lines are going to wrap on me, the lines in
> question.
>
> If I understand the messages right, a guy with IP 200.114.75.193 tried
> to hack into my system via 3 different ports (probably had some
> program trying commonly open ports?).
>
> Since he tried with 3 different usernames (test, guest, admin), I'm
> gathering he thought he was hacking a Winders machine. ?? Doesn't "root"
> in Winders use the username "admin"?
>
> Am I reading this correctly? I wonder how hard IPCop is gonna be to get
> running on dial-up, with Squid, dial on demand, etc. & et al.
>
> Maybe I should try hunting this little script kiddie maggot down, and
> doing him some bodily harm.
>
> -Greg
>
> --
> Mutt 1.4.1i on Slackware 9.1 Linux
> Tres Ríos & San Jose, Costa Rica
> Personal Site: www.greg-and-sue.com
> Church Site: www.iglesia-del-este.com
> Conexion Site: www.extreme-service.com
>
>  When I hear somebody sigh, "Life is hard," I am always
>  tempted to ask, "Compared to what?" - Sydney J. Harris
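
An added example, not part of either message: a short Python parser for the sshd entries quoted above, grouping failed passwords by source address to show one host trying three nonexistent accounts, each from a different client-side source port. The threshold of three names and the final sample line (account `alice`, address 192.0.2.10) are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Matches the 2004-era wording on this page ("illegal user") and the
# "invalid user" wording used by later OpenSSH releases.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for "
    r"(?:(?P<unknown>illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# First six lines: the post's sshd entries with the mail wrapping undone.
# Last line: constructed (hypothetical account, documentation address).
SAMPLE_LOG = """\
sshd[7012]: Illegal user test from 202.114.75.193
sshd[7012]: Failed password for illegal user test from 202.114.75.193 port 3595 ssh2
sshd[7014]: Illegal user guest from 202.114.75.193
sshd[7014]: Failed password for illegal user guest from 202.114.75.193 port 3675 ssh2
sshd[7034]: Illegal user admin from 202.114.75.193
sshd[7034]: Failed password for illegal user admin from 202.114.75.193 port 3791 ssh2
sshd[7101]: Failed password for alice from 192.0.2.10 port 40122 ssh2
"""

def summarize(log_text):
    """Group failed sshd password attempts by source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "unknown_users": set(), "src_ports": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # pppd lines and the "Illegal user" notices are skipped
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["unknown"]:
            s["unknown_users"].add(m["user"])
        # "port" is the client's ephemeral source port, not the port attacked
        s["src_ports"].add(int(m["port"]))
    return dict(stats)

def guessing_sources(stats, min_unknown_users=3):
    """IPs that tried at least min_unknown_users nonexistent account names."""
    return sorted(ip for ip, s in stats.items()
                  if len(s["unknown_users"]) >= min_unknown_users)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in guessing_sources(stats):
        s = stats[ip]
        print(ip, sorted(s["unknown_users"]), sorted(s["src_ports"]))
```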



