[RLUG] Sunday afternoon fun

Ed Jaeger ed.jaeger at bgcorp.com
Mon Nov 6 06:30:45 PST 2006


I get them all the time here at the office.  Pretty funny list of logins 
they try - must be a script someone put together.

Grant can tell you what he used, but I suspect

nmap -O 219.94.133.29

was it.

Jeff Shippen wrote:

> I used to get such automated attempts every now and then, UNTIL I 
> changed my ssh listening port number to something other than the default 
> (22).
> To change the default sshd port, edit this file on some (all?) distros: 
> /etc/ssh/sshd_config.  That's where it is on SUSE anyway.
> Add a line, "Port 22"  where you can replace 22 with any number.
> Also, some may not know where to find such attempts.  Mine shows up in 
> /var/log/messages.
> 
> I'm curious, what is the exact command you used (well, the options and 
> such) with `nmap`?
> 
> Jeff
> 
> Grant Kelly wrote:
> 
>> I noticed someone from 219.94.133.29 scanning my Ubuntu box today.
>> They were trying to login via SSH from a common list of names. Well, I
>> nmap'd em back, here's the results:
>>
>> Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-11-05 14:18 PST
>> Interesting ports on 219.94.133.29:
>> (The 1656 ports scanned but not shown below are in state: closed)
>> PORT      STATE    SERVICE        VERSION
>> 21/tcp    open     ftp            vsftpd 2.0.4
>> 22/tcp    open     ssh            OpenSSH 4.3 (protocol 1.99)
>> 23/tcp    open     telnet         Linux telnetd
>> 25/tcp    open     smtp           qmail smtpd
>> 80/tcp    open     http           Apache httpd 2.2.2 ((Fedora))
>> 110/tcp   open     pop3           qmail pop3d
>> 111/tcp   open     rpcbind         2 (rpc #100000)
>> 135/tcp   filtered msrpc
>> 136/tcp   filtered profile
>> 137/tcp   filtered netbios-ns
>> 138/tcp   filtered netbios-dgm
>> 139/tcp   filtered netbios-ssn
>> 443/tcp   open     ssl/http       Apache httpd 2.2.2 ((Fedora))
>> 445/tcp   filtered microsoft-ds
>> 593/tcp   filtered http-rpc-epmap
>> 888/tcp   open     ssl/http       3ware 3DM2 Serial RAID http config 2.0
>> 10000/tcp open     http           Webmin httpd
>> 27374/tcp filtered subseven
>>
>> Service Info: Hosts: kuroha.net, medxis002.my.domain; OSs: Unix,
>> Linux; Device: storage-misc
>>
>> -------
>>
>> So if anyone wants to hack on some webmin, visit: 
>> https://219.94.133.29:10000/
>> or for some sort of RAID configuration utility, visit:
>> https://219.94.133.29:888/
>>
>>
>> Have fun,
>> Grant
>>
>> _______________________________________________
>> RLUG mailing list
>> RLUG at rlug.org
>> http://lists.rlug.org/mailman/listinfo/rlug
>>

-- 
Ed Jaeger
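
Added example, not written by anyone in this thread: a small Python summary of failed SSH logins per source address, for the kind of name-list attempts discussed above. The log lines are constructed samples using documentation addresses, the function names are made up for this sketch, and the real log file differs by distro (/var/log/messages in Jeff's case).

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual syslog/sshd layout (not from the thread).
# The fifth line has a login name that itself contains " from <ip> port ...",
# which a naive "first match" parser would attribute to the wrong address.
SAMPLE_LOG = """\
Nov  5 14:02:11 box sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Nov  5 14:02:13 box sshd[4103]: Failed password for invalid user test from 192.0.2.10 port 40120 ssh2
Nov  5 14:02:15 box sshd[4105]: Failed password for root from 192.0.2.10 port 40131 ssh2
Nov  5 14:02:17 box sshd[4107]: Failed password for invalid user guest from 192.0.2.10 port 40140 ssh2
Nov  5 14:02:19 box sshd[4109]: Failed password for invalid user a from 203.0.113.9 port 1 ssh2 from 192.0.2.10 port 40150 ssh2
Nov  5 14:05:40 box sshd[4120]: Failed password for ed from 198.51.100.7 port 51000 ssh2
Nov  5 14:05:52 box sshd[4120]: Accepted password for ed from 198.51.100.7 port 51000 ssh2
Nov  5 14:06:01 box kernel: eth0: link up
"""

# The user group is greedy and the pattern is anchored at end of line, so the
# address sshd appended last wins over anything embedded in the login name.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+(?: ssh2)?\s*$"
)


def failed_logins(lines):
    """Map source IP -> list of login names tried, in log order."""
    attempts = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)


def likely_scripted(attempts, min_users=3):
    """Sources that tried at least min_users distinct names (a name-list run)."""
    return sorted(ip for ip, users in attempts.items()
                  if len(set(users)) >= min_users)


if __name__ == "__main__":
    found = failed_logins(SAMPLE_LOG.splitlines())
    for ip in likely_scripted(found):
        print(ip, len(found[ip]), "failures; names:", sorted(set(found[ip])))
```
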


