[RLUG] Sunday afternoon fun
Grant Kelly
gkelly at gmail.com
Mon Nov 6 09:57:06 PST 2006
I run on 22 because other outbound ports are blocked at my place of employment.
My attempts show up in /var/log/auth.log (in Ubuntu).
I believe the command I used was `nmap -A -T4 ip.add.re.ss` (it was an
example in the man page).
Once I noticed the attempts were happening, to block any traffic from
them to me, I added the ip address to /etc/hosts.deny, or:
`echo "ALL:ip.add.re.ss" >> /etc/hosts.deny`
and then reloaded inetd with: `pkill -1 inetd`.
I was kind of tempted to create a bunch of accounts using common names
and blank passwords and see what would happen if the attempt was
successful, but I didn't want to honeypot my main file server.
Grant
On 11/6/06, Ed Jaeger <ed.jaeger at bgcorp.com> wrote:
> I get them all the time here at the office. Pretty funny list of logins
> they try - must be a script someone put together.
>
> Grant can tell you what he used, but I suspect
>
> nmap -O 219.94.133.29
>
> was it.
>
> Jeff Shippen wrote:
>
> > I used to get such automated attempts every now and then, until I
> > changed my ssh listening port number to something other than the default
> > (22).
> > To change the default sshd port, edit this file on some (all?) distros:
> > /etc/ssh/sshd_config. That's where it is on SUSE anyway.
> > Add a line, "Port 22" where you can replace 22 with any number.
> > Also, some may not know where to find such attempts. Mine shows up in
> > /var/log/messages.
> >
> > I'm curious, what is the exact command you used (well, the options and
> > such) with `nmap`?
> >
> > Jeff
> >
> > Grant Kelly wrote:
> >
> >> I noticed someone from 219.94.133.29 scanning my ubuntu box today.
> >> They were trying to log in via SSH from a common list of names. Well, I
> >> nmap'd em back; here are the results:
> >>
> >> Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-11-05
> >> 14:18 PST
> >> Interesting ports on 219.94.133.29:
> >> (The 1656 ports scanned but not shown below are in state: closed)
> >> PORT STATE SERVICE VERSION
> >> 21/tcp open ftp vsftpd 2.0.4
> >> 22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
> >> 23/tcp open telnet Linux telnetd
> >> 25/tcp open smtp qmail smtpd
> >> 80/tcp open http Apache httpd 2.2.2 ((Fedora))
> >> 110/tcp open pop3 qmail pop3d
> >> 111/tcp open rpcbind 2 (rpc #100000)
> >> 135/tcp filtered msrpc
> >> 136/tcp filtered profile
> >> 137/tcp filtered netbios-ns
> >> 138/tcp filtered netbios-dgm
> >> 139/tcp filtered netbios-ssn
> >> 443/tcp open ssl/http Apache httpd 2.2.2 ((Fedora))
> >> 445/tcp filtered microsoft-ds
> >> 593/tcp filtered http-rpc-epmap
> >> 888/tcp open ssl/http 3ware 3DM2 Serial RAID http config 2.0
> >> 10000/tcp open http Webmin httpd
> >> 27374/tcp filtered subseven
> >>
> >> Service Info: Hosts: kuroha.net, medxis002.my.domain; OSs: Unix,
> >> Linux; Device: storage-misc
> >>
> >> -------
> >>
> >> So if anyone wants to hack on some webmin, visit:
> >> https://219.94.133.29:10000/
> >> or for some sort of RAID configuration utility, visit:
> >> https://219.94.133.29:888/
> >>
> >>
> >> Have fun,
> >> Grant
> >>
> >> _______________________________________________
> >> RLUG mailing list
> >> RLUG at rlug.org
> >> http://lists.rlug.org/mailman/listinfo/rlug
> >>
>
> --
> Ed Jaeger
>
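The thread above covers spotting the brute-force attempts in /var/log/auth.log and blocking the source with an `ALL:` line in /etc/hosts.deny. The following is an added example, not code from anyone in the thread, that automates the detection half: it parses the `Failed password` lines OpenSSH writes through syslog, counts failures per source address, and produces hosts.deny entries for any address that crosses a threshold. The log lines are constructed for the example (the scanner's address is the one reported in the thread; 192.0.2.10 is a documentation address standing in for a legitimate user who mistyped a password once), and the threshold of three failures is an assumption you would tune for your own host.

```python
import re
from collections import Counter

# Constructed sample auth.log lines for this example (not taken from the
# thread).  The layout follows what OpenSSH logs via syslog on Debian/Ubuntu:
# "Invalid user" lines precede the failure, "Failed password" lines carry the
# source IP and port, and an "Accepted" line marks a successful login.
SAMPLE_AUTH_LOG = """\
Nov  5 14:10:02 fileserver sshd[2201]: Invalid user admin from 219.94.133.29
Nov  5 14:10:04 fileserver sshd[2201]: Failed password for invalid user admin from 219.94.133.29 port 40122 ssh2
Nov  5 14:10:07 fileserver sshd[2203]: Failed password for invalid user test from 219.94.133.29 port 40130 ssh2
Nov  5 14:10:09 fileserver sshd[2205]: Failed password for invalid user oracle from 219.94.133.29 port 40141 ssh2
Nov  5 14:10:12 fileserver sshd[2207]: Failed password for root from 219.94.133.29 port 40150 ssh2
Nov  5 14:12:30 fileserver sshd[2220]: Failed password for grant from 192.0.2.10 port 51000 ssh2
Nov  5 14:12:35 fileserver sshd[2220]: Accepted password for grant from 192.0.2.10 port 51000 ssh2
"""

# Matches both "Failed password for invalid user NAME from IP" (unknown
# account) and "Failed password for NAME from IP" (existing account).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_ip(log_text):
    """Count 'Failed password' events per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def usernames_tried(log_text, ip):
    """Return the sorted set of account names a given IP tried and failed on."""
    names = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group("ip") == ip:
            names.add(m.group("user"))
    return sorted(names)


def hosts_deny_entries(counts, threshold=3):
    """Build tcp_wrappers hosts.deny lines for IPs with >= threshold failures.

    The threshold is an assumed value for this example; a single mistyped
    password from a legitimate user should stay below it.
    """
    return ["ALL: %s" % ip for ip, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    # Stand-alone run: report per-IP failure counts and the deny lines that
    # would be appended to /etc/hosts.deny.
    counts = failed_logins_by_ip(SAMPLE_AUTH_LOG)
    for ip, n in counts.most_common():
        print("%-16s %3d failures, accounts tried: %s"
              % (ip, n, ", ".join(usernames_tried(SAMPLE_AUTH_LOG, ip))))
    for entry in hosts_deny_entries(counts):
        print("hosts.deny:", entry)
```

On a real host you would feed the script the contents of /var/log/auth.log (or /var/log/messages on distributions that log there, as Jeff notes) and append the returned lines to /etc/hosts.deny. Daemons linked against libwrap, which includes most distribution sshd builds of that era, consult hosts.allow and hosts.deny on every incoming connection, so a new entry takes effect immediately. Keep the threshold above what one fumbling legitimate user generates, and consider expiring entries after some time so a typo from a dynamic address does not lock it out forever.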