[lug] Attempted hack from 202.185.243.121
Paul Bille
Paul at ebille.cudenver.edu
Sun Apr 21 12:55:09 MDT 2002
Did anyone else detect an attempted hack from 202.185.243.121 Saturday
night / Sunday morning? I'm wondering if this is a generalized probe or
if it's a targeted attack?
I'll include some log files below. I traced it back to jaring.my in
Malaysia where the trail went cold. They were on another system back on
March 5 but I don't have the log files necessary to trace their
activity.
I reported the attack to abuse at jaring.my and the nccs-sf at fbi.gov.
Pertinent log entries:
Apr 21 02:21:27 liz in.fingerd[20399]: connect from 202.185.243.121
Apr 21 02:47:11 liz in.fingerd[20414]: connect from 202.185.243.121
Apr 21 02:47:20 liz in.telnetd[20415]: connect from 202.185.243.121
Apr 21 02:47:34 liz login[20416]: FAILED LOGIN 1 FROM 202.185.243.121 FOR root, Authentication failure
Apr 21 02:47:41 liz login[20416]: FAILED LOGIN 2 FROM 202.185.243.121 FOR rpcuser, Authentication failure
Apr 21 02:47:49 liz login[20416]: FAILED LOGIN 3 FROM 202.185.243.121 FOR test, Authentication failure
]$ nslookup 202.185.243.121
Server: bille.cudenver.edu
*** bille.cudenver.edu can't find 202.185.243.121: Non-existent host/domain
traceroute to 202.185.243.121 (202.185.243.121), 30 hops max, 38 byte packets
 8 gar2-p370.sffca.ip.att.net (12.123.13.153) 43.609 ms 43.266 ms 43.551 ms
 9 t1a5.us-sfo.concert.net (12.124.35.14) 43.579 ms 65.963 ms 44.133 ms
10 t1a2-ge8-0-0.us-sfo.concert.net (166.49.228.40) 43.493 ms 43.383 ms 43.531 ms
11 166-49-254-138.concert.net (166.49.254.138) 414.061 ms 420.257 ms 423.923 ms
12 161.142.100.3 (161.142.100.3) 230.314 ms 229.878 ms 230.996 ms
13 s6.bng.jaring.my (161.142.0.102) 235.064 ms 233.702 ms 233.033 ms
14 e0.bng1.jaring.my (161.142.237.2) 233.769 ms 234.390 ms 233.713 ms
15 161.142.6.234 (161.142.6.234) 239.055 ms 238.599 ms 239.626 ms
16 * * *
Thanks,
--
Paul http://bille.cudenver.edu/author
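The log excerpt in the post shows the classic pattern a defender wants to catch automatically: a finger probe, a telnet connect from the same address a few minutes later, and a short run of failed logins against generic accounts (root, rpcuser, test). The script below is an added example, not code from the post or the LUG list; it parses syslog lines in the format shown (tcp_wrapper "connect from" lines and the login "FAILED LOGIN ... FOR user" lines), groups events by source address, and raises an alert when an address reaches a failed-login threshold or pairs finger reconnaissance with login attempts. The sample input reproduces the six lines from the post; the year (2002), the threshold of three failures and the alert fields are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the six syslog lines quoted in the post above (host "liz").
SAMPLE_LOG = """\
Apr 21 02:21:27 liz in.fingerd[20399]: connect from 202.185.243.121
Apr 21 02:47:11 liz in.fingerd[20414]: connect from 202.185.243.121
Apr 21 02:47:20 liz in.telnetd[20415]: connect from 202.185.243.121
Apr 21 02:47:34 liz login[20416]: FAILED LOGIN 1 FROM 202.185.243.121 FOR root, Authentication failure
Apr 21 02:47:41 liz login[20416]: FAILED LOGIN 2 FROM 202.185.243.121 FOR rpcuser, Authentication failure
Apr 21 02:47:49 liz login[20416]: FAILED LOGIN 3 FROM 202.185.243.121 FOR test, Authentication failure
"""

# Generic BSD-style syslog header: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Message bodies seen in the post: a tcp_wrapper connect and a login failure.
CONNECT_RE = re.compile(r"^connect from (?P<ip>\d+\.\d+\.\d+\.\d+)$")
FAILED_RE = re.compile(
    r"^FAILED LOGIN (?P<n>\d+) FROM (?P<ip>\d+\.\d+\.\d+\.\d+) FOR (?P<user>\S+),"
)


def parse_line(line, year=2002):
    """Parse one syslog line into a record, or return None if it does not match.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2002
    here, the date of the post).
    """
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    rec = {"ts": ts, "host": m["host"], "prog": m["prog"],
           "kind": "other", "ip": None, "user": None}
    connect = CONNECT_RE.match(m["msg"])
    failed = FAILED_RE.match(m["msg"])
    if connect:
        rec.update(kind="connect", ip=connect["ip"])
    elif failed:
        rec.update(kind="failed_login", ip=failed["ip"], user=failed["user"])
    return rec


def summarize(log_text, failed_threshold=3):
    """Group events by source IP and return {ip: alert} for suspicious sources.

    An alert is raised when a source reaches failed_threshold failed logins,
    or when it touched the finger daemon and then attempted any login
    (reconnaissance followed by access attempts, as in the post).
    """
    by_ip = defaultdict(lambda: {"services": set(), "failed": 0,
                                 "users": [], "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] is None:
            continue
        s = by_ip[rec["ip"]]
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        if rec["kind"] == "connect":
            s["services"].add(rec["prog"])
        elif rec["kind"] == "failed_login":
            s["failed"] += 1
            s["users"].append(rec["user"])

    alerts = {}
    for ip, s in by_ip.items():
        reasons = []
        if s["failed"] >= failed_threshold:
            reasons.append(f"{s['failed']} failed logins for {', '.join(s['users'])}")
        if "in.fingerd" in s["services"] and s["failed"]:
            reasons.append("finger probe followed by login attempts")
        if reasons:
            alerts[ip] = {
                "span_s": int((s["last"] - s["first"]).total_seconds()),
                "services": sorted(s["services"]),
                "failed": s["failed"],
                "users": list(s["users"]),
                "reasons": reasons,
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {alert['span_s']}s window, services={alert['services']}")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

Run against the sample, the single source address is flagged on both rules, with the finger-to-telnet-to-login sequence spanning 1582 seconds. The same summarizer can be pointed at a whole /var/log/messages to answer the poster's question of whether other hosts saw the same address, and the threshold can be lowered for accounts such as root that should never be reachable over telnet at all.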