Could someone please tell me if this is this an attempted crack ?

Could someone please tell me if this is this an attempted crack ?

Post by Lee Mitchel » Wed, 24 Nov 1999 04:00:00



I recently became suspicious when my daily news download (using leafnode)
took much longer than usual. After some investigating, I found that leafnode
was downloading news from a number of alt.binaries.wares etc. groups. I have
never accessed any of these groups, so I looked in the various log files and
found the following entries in /var/log/messages

Nov 22 18:12:39 file identd[20473]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63924, 80
Nov 22 18:12:39 file identd[20473]: Returned: 63924 , 80 : NO-USER
Nov 22 18:12:47 file identd[20475]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63925, 80
Nov 22 18:12:47 file identd[20475]: Returned: 63925 , 80 : NO-USER
Nov 22 18:12:53 file identd[20476]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63926, 80
Nov 22 18:12:53 file identd[20476]: Returned: 63926 , 80 : NO-USER
Nov 22 18:12:54 file identd[20477]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63928, 80
Nov 22 18:12:54 file identd[20477]: Returned: 63928 , 80 : NO-USER
Nov 22 18:12:55 file identd[20478]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63927, 80
Nov 22 18:12:55 file identd[20478]: Returned: 63927 , 80 : NO-USER
Nov 22 18:12:59 file identd[20479]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63930, 80
Nov 22 18:12:59 file identd[20479]: Returned: 63930 , 80 : NO-USER
Nov 22 18:13:02 file identd[20480]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63929, 80
Nov 22 18:13:02 file identd[20480]: Returned: 63929 , 80 : NO-USER
Nov 22 18:13:03 file identd[20481]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63931, 80
Nov 22 18:13:03 file identd[20481]: Returned: 63931 , 80 : NO-USER
Nov 22 18:13:04 file identd[20482]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63933, 80
Nov 22 18:13:04 file identd[20482]: Returned: 63933 , 80 : NO-USER
Nov 22 18:13:08 file identd[20484]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63934, 80
Nov 22 18:13:08 file identd[20484]: Returned: 63934 , 80 : NO-USER
Nov 22 18:13:12 file identd[20485]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63936, 80
Nov 22 18:13:12 file identd[20485]: Returned: 63936 , 80 : NO-USER
Nov 22 18:13:13 file identd[20486]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63937, 80
Nov 22 18:13:13 file identd[20486]: Returned: 63937 , 80 : NO-USER
Nov 22 18:13:14 file identd[20487]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63932, 80
Nov 22 18:13:14 file identd[20487]: Returned: 63932 , 80 : NO-USER
Nov 22 18:13:18 file identd[20488]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63935, 80
Nov 22 18:13:18 file identd[20488]: Returned: 63935 , 80 : NO-USER
Nov 22 18:13:19 file identd[20489]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63939, 80
Nov 22 18:13:19 file identd[20489]: Returned: 63939 , 80 : NO-USER
Nov 22 18:13:22 file identd[20490]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63940, 80
Nov 22 18:13:22 file identd[20490]: Returned: 63940 , 80 : NO-USER
Nov 22 18:13:26 file identd[20491]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63941, 80
Nov 22 18:13:26 file identd[20491]: Returned: 63941 , 80 : NO-USER
Nov 22 18:13:27 file identd[20492]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63942, 80
Nov 22 18:13:27 file identd[20492]: Returned: 63942 , 80 : NO-USER
Nov 22 18:13:31 file identd[20493]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63943, 80
Nov 22 18:13:31 file identd[20493]: Returned: 63943 , 80 : NO-USER
Nov 22 18:13:32 file identd[20494]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63944, 80
Nov 22 18:13:32 file identd[20494]: Returned: 63944 , 80 : NO-USER
Nov 22 18:13:33 file identd[20495]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63946, 80
Nov 22 18:13:33 file identd[20495]: Returned: 63946 , 80 : NO-USER
Nov 22 18:13:34 file identd[20496]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63947, 80
Nov 22 18:13:34 file identd[20496]: Returned: 63947 , 80 : NO-USER
Nov 22 18:13:35 file identd[20497]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63945, 80
Nov 22 18:13:35 file identd[20497]: Returned: 63945 , 80 : NO-USER
Nov 22 18:13:36 file identd[20498]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63949, 80
Nov 22 18:13:37 file identd[20498]: Returned: 63949 , 80 : NO-USER
Nov 22 18:13:38 file identd[20499]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63938, 80
Nov 22 18:13:38 file identd[20499]: Returned: 63938 , 80 : NO-USER
Nov 22 18:13:39 file identd[20500]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63957, 80
Nov 22 18:13:39 file identd[20500]: Returned: 63957 , 80 : NO-USER
Nov 22 18:13:43 file identd[20501]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63962, 80
Nov 22 18:13:43 file identd[20501]: Returned: 63962 , 80 : NO-USER
Nov 22 18:13:44 file identd[20502]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63969, 80
Nov 22 18:13:44 file identd[20502]: Returned: 63969 , 80 : NO-USER
Nov 22 18:13:45 file identd[20503]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63972, 80
Nov 22 18:13:45 file identd[20503]: Returned: 63972 , 80 : NO-USER
Nov 22 18:13:46 file identd[20504]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63973, 80
Nov 22 18:13:46 file identd[20504]: Returned: 63973 , 80 : NO-USER
Nov 22 18:13:50 file identd[20506]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63970, 80
Nov 22 18:13:50 file identd[20506]: Returned: 63970 , 80 : NO-USER
Nov 22 18:13:51 file identd[20507]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63972, 80
Nov 22 18:13:52 file identd[20507]: Returned: 63972 , 80 : NO-USER
Nov 22 18:13:53 file identd[20508]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63971, 80
Nov 22 18:13:53 file identd[20508]: Returned: 63971 , 80 : NO-USER
Nov 22 18:14:06 file identd[20509]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63974, 80
Nov 22 18:14:06 file identd[20509]: Returned: 63974 , 80 : NO-USER
Nov 22 18:14:08 file identd[20511]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63975, 80
Nov 22 18:14:08 file identd[20511]: Returned: 63975 , 80 : NO-USER
Nov 22 18:14:09 file identd[20512]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63976, 80
Nov 22 18:14:09 file identd[20512]: Returned: 63976 , 80 : NO-USER
Nov 22 18:14:13 file identd[20513]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63977, 80
Nov 22 18:14:13 file identd[20513]: Returned: 63977 , 80 : NO-USER
Nov 22 18:14:14 file identd[20514]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63978, 80
Nov 22 18:14:14 file identd[20514]: Returned: 63978 , 80 : NO-USER
Nov 22 18:14:15 file identd[20515]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63979, 80
Nov 22 18:14:15 file identd[20515]: Returned: 63979 , 80 : NO-USER
Nov 22 18:14:16 file identd[20516]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63980, 80
Nov 22 18:14:16 file identd[20516]: Returned: 63980 , 80 : NO-USER
Nov 22 18:14:24 file identd[20517]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63981, 80
Nov 22 18:14:24 file identd[20517]: Returned: 63981 , 80 : NO-USER
Nov 22 18:14:25 file identd[20518]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63982, 80
Nov 22 18:14:25 file identd[20518]: Returned: 63982 , 80 : NO-USER
Nov 22 18:14:30 file identd[20519]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63983, 80

and then...

Nov 22 21:05:26 file identd[21183]: from: 216.46.38.113 ( gdev.net ) for: 64333, 21
Nov 22 21:05:26 file identd[21183]: Returned: 64333 , 21 : NO-USER
Nov 22 21:06:49 file identd[21186]: from: 216.46.38.113 ( gdev.net ) for: 64351, 21
Nov 22 21:06:49 file identd[21186]: Returned: 64351 , 21 : NO-USER
Nov 22 21:08:31 file identd[21191]: from: 216.46.38.113 ( gdev.net ) for: 64375, 21
Nov 22 21:08:31 file identd[21191]: Returned: 64375 , 21 : NO-USER

etc...

I also found an entry in /var/log/secure for leafnode from an external IP
address.

Is this what you get when a portscanner is run on my system?

Sorry for the complete lack of knowledge, I am trying :-)

I traced two of the IP addresses to German sites, one of which (as can be
seen in the above logs) is a university. Can anyone suggest remedial action?

The logs were taken from a Red Hat 5.2 system with all the updates installed,
running kernel 2.2.12.

Thanks in advance...

--
Lee Mitchell
www.spamtastic.demon.co.uk
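
As an added example (not part of the thread), the following Python script triages identd entries in exactly the format of the /var/log/messages excerpt above; the sample lines are constructed from that excerpt. It pairs each query with its reply and summarizes per querying host, and the comment spells out the RFC 1413 reading of the two port numbers that makes these lookups a by-product of the logging host's own outbound connections rather than a probe of its ports.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the excerpt above (entries re-joined onto one line).
SAMPLE_LOG = """\
Nov 22 18:12:39 file identd[20473]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63924, 80
Nov 22 18:12:39 file identd[20473]: Returned: 63924 , 80 : NO-USER
Nov 22 18:12:47 file identd[20475]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63925, 80
Nov 22 18:12:47 file identd[20475]: Returned: 63925 , 80 : NO-USER
Nov 22 21:05:26 file identd[21183]: from: 216.46.38.113 ( gdev.net ) for: 64333, 21
Nov 22 21:05:26 file identd[21183]: Returned: 64333 , 21 : NO-USER
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ identd\[(?P<pid>\d+)\]: "
    r"from: (?P<ip>[\d.]+) \( (?P<host>\S+) \) for: (?P<local>\d+), (?P<remote>\d+)$"
)
REPLY_RE = re.compile(
    r"^\S+ +\d+ \d\d:\d\d:\d\d \S+ identd\[(?P<pid>\d+)\]: Returned: \d+ , \d+ : (?P<result>.+)$"
)

def parse_identd(text):
    """Pair each identd query with its reply, matched on the daemon's PID.

    Per RFC 1413 the query "for: 63924, 80" is <port on this host>, <port on the
    querying host>: the remote machine asks who owns OUR connection to ITS port 80.
    So each entry records an outbound connection from here, not a probe of our ports.
    """
    pending, events = {}, []
    for line in text.splitlines():
        if m := QUERY_RE.match(line):
            pending[m["pid"]] = m.groupdict()
        elif (m := REPLY_RE.match(line)) and m["pid"] in pending:
            q = pending.pop(m["pid"])
            q["result"] = m["result"]
            events.append(q)
    return events

def summarize(events):
    """Per querying host: how many lookups, which of its ports we connected to,
    the range of our ephemeral ports, and what identd answered."""
    by_host = defaultdict(lambda: {"count": 0, "remote_ports": set(),
                                   "local_ports": [], "results": set()})
    for e in events:
        s = by_host[e["host"]]
        s["count"] += 1
        s["remote_ports"].add(int(e["remote"]))
        s["local_ports"].append(int(e["local"]))
        s["results"].add(e["result"])
    for s in by_host.values():
        s["local_ports"] = (min(s["local_ports"]), max(s["local_ports"]))
    return dict(by_host)
```

A host whose summary shows one or two remote ports (80, 21) and a narrow, rising band of local ephemeral ports is being contacted by this machine; a scan of this machine would instead show up as connection attempts to many distinct local service ports in other logs, which is what scanlogd-type tools watch for.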


Could someone please tell me if this is this an attempted crack ?

Post by John Hardi » Wed, 24 Nov 1999 04:00:00



>I recently became suspicious when my daily news download (using leafnode)
>took much longer than usual. After some investigating, I found that leafnode
>was downloading news from a number of alt.binaries.wares etc. groups. I have
>never accessed any of these groups so looked in the various log files and
>found the following entries in /var/log/messages

>Nov 22 18:12:39 file identd[20473]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63924, 80

identd entries don't indicate a crack attempt.

I submitted some patches to add group filtering to leafnode. Check the
leafnode man page for "groupfilter". If the patches haven't made it into
the standard distribution I could post them, or a .src.rpm, on my FTP site.

For now, go into /var/spool/news/interesting.groups and delete any groups
you don't want to download, and delete (for example)
/var/spool/news/alt/binaries/wares.
This, however, is not a permanent solution.

You might also want to make sure you have ipchains filters that prevent
users outside your local network from using you as a public Usenet host
without your consent...

--

 pgpk -a finger://gonzo.wolfenet.com/jhardin
 768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Our sense is that most of the viewers with money or an education have
 cable, VCRs, laserdisks, and they watch those instead of the networks.
 Our programming more and more will have to turn to those who don't
 have any real education or money for other programming options."
                                 -- anonymous Network Suit, to JMS


Could someone please tell me if this is this an attempted crack ?

Post by mirce » Wed, 24 Nov 1999 04:00:00





> >I recently became suspicious when my daily news download (using leafnode)
> >took much longer than usual. After some investigating, I found that leafnode
> >was downloading news from a number of alt.binaries.wares etc. groups. I have
> >never accessed any of these groups so looked in the various log files and
> >found the following entries in /var/log/messages

> >Nov 22 18:12:39 file identd[20473]: from: 143.205.64.58 ( ftpsrv.sci.uni-klu.ac.at ) for: 63924, 80

> identd entries don't indicate a crack attempt.

If, however, you're still concerned about port scans, download and
install scanlogd, a small daemon that logs all portscans to syslog:
http://www.openwall.com/scanlogd/

MST


Could someone please tell me if this is this an attempted crack ?

Post by John Hardi » Wed, 24 Nov 1999 04:00:00




>> identd entries don't indicate a crack attempt.

>If, however, you're still concerned about port scans, download and
>install scanlogd, a small daemon that logs all portscans to syslog:
>http://www.openwall.com/scanlogd/

True. You might also be interested in PortSentry (see freshmeat, I don't
have a URL handy) which will block the scanning host in addition to logging
the scan.



1. Am I being cracked by someone?

Hi:

I met a strange thing. I'm using an Ultra30 with Solaris 2.6 as my
workstation. I have Solaris Document Server installed on this station, and
I can access documents by browser at localhost:8888.

Yesterday, while I was working on the box, it suddenly became impossible to
access any site from Netscape, including localhost:8888 and
localhost:80 (apache).

I checked the system with 'top', and it showed that the program dwhttp
(document server) was using 91% CPU. I removed the network cable, but the
percentage was still very large; indeed it decreased very slowly to 81%.

It wasn't until I went to localhost:8888 and restarted the document server
that it came back to itself.

I want to know whether I was cracked by anybody and how I can fix this
problem.

James Shen
