[lug] Attempted hack from 202.185.243.121
Daniel Webb
webb at robust.colorado.edu
Sun Apr 21 19:50:35 MDT 2002
I get stuff like this all day long (every few hours). I don't have time
to deal with it anymore. Luckily, since I switched from Redhat to Debian,
it is easier to keep up with security updates and I don't get hacked out
of the box anymore.
On Sun, 21 Apr 2002, Paul Bille wrote:
> Did anyone else detect an attempted hack from 202.185.243.121 Saturday
> night / Sunday morning? I'm wondering if this is a generalized probe or
> if it's a targeted attack?
>
> I'll include some log files below. I traced it back to jaring.my in
> Malaysia where the trail went cold. They were on another system back on
> March 5 but I don't have the log files necessary to trace their
> activity.
>
> I reported the attack to abuse at jaring.my and the nccs-sf at fbi.gov
>
> Pertinent log entries:
>
> Apr 21 02:21:27 liz in.fingerd[20399]: connect from 202.185.243.121
> Apr 21 02:47:11 liz in.fingerd[20414]: connect from 202.185.243.121
> Apr 21 02:47:20 liz in.telnetd[20415]: connect from 202.185.243.121
>
> Apr 21 02:47:34 liz login[20416]: FAILED LOGIN 1 FROM 202.185.243.121 FOR root, Authentication failure
> Apr 21 02:47:41 liz login[20416]: FAILED LOGIN 2 FROM 202.185.243.121 FOR rpcuser, Authentication failure
> Apr 21 02:47:49 liz login[20416]: FAILED LOGIN 3 FROM 202.185.243.121 FOR test, Authentication failure
>
> ]$ nslookup 202.185.243.121
> Server: bille.cudenver.edu
> *** bille.cudenver.edu can't find 202.185.243.121: Non-existent host/domain
>
> traceroute to 202.185.243.121 (202.185.243.121), 30 hops max, 38 byte packets
> 8 gar2-p370.sffca.ip.att.net (12.123.13.153) 43.609 ms 43.266 ms 43.551 ms
> 9 t1a5.us-sfo.concert.net (12.124.35.14) 43.579 ms 65.963 ms 44.133 ms
> 10 t1a2-ge8-0-0.us-sfo.concert.net (166.49.228.40) 43.493 ms 43.383 ms 43.531 ms
> 11 166-49-254-138.concert.net (166.49.254.138) 414.061 ms 420.257 ms 423.923 ms
> 12 161.142.100.3 (161.142.100.3) 230.314 ms 229.878 ms 230.996 ms
> 13 s6.bng.jaring.my (161.142.0.102) 235.064 ms 233.702 ms 233.033 ms
> 14 e0.bng1.jaring.my (161.142.237.2) 233.769 ms 234.390 ms 233.713 ms
> 15 161.142.6.234 (161.142.6.234) 239.055 ms 238.599 ms 239.626 ms
> 16 * * *
>
> Thanks,
> --
> Paul http://bille.cudenver.edu/author
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
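A detection pass over the log lines quoted in Paul's message, added here as an example and not code from either poster: it parses the BSD syslog entries, groups them by source address, and flags a source that connects to fingerd and then accumulates repeated failed logins within an hour, which is the sequence the logs above show. The year (2002, absent from syslog timestamps), the one-hour window, the three-failure threshold and the benign lines from 10.0.0.5 are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the syslog lines quoted in the post, plus two
# benign lines from a hypothetical address (10.0.0.5) that must not be flagged.
SAMPLE_LOG = """\
Apr 21 02:21:27 liz in.fingerd[20399]: connect from 202.185.243.121
Apr 21 02:47:11 liz in.fingerd[20414]: connect from 202.185.243.121
Apr 21 02:47:20 liz in.telnetd[20415]: connect from 202.185.243.121
Apr 21 02:47:34 liz login[20416]: FAILED LOGIN 1 FROM 202.185.243.121 FOR root, Authentication failure
Apr 21 02:47:41 liz login[20416]: FAILED LOGIN 2 FROM 202.185.243.121 FOR rpcuser, Authentication failure
Apr 21 02:47:49 liz login[20416]: FAILED LOGIN 3 FROM 202.185.243.121 FOR test, Authentication failure
Apr 21 03:10:02 liz in.telnetd[20500]: connect from 10.0.0.5
Apr 21 03:10:09 liz login[20501]: FAILED LOGIN 1 FROM 10.0.0.5 FOR alice, Authentication failure
"""

# BSD syslog format: "Mon DD HH:MM:SS host program[pid]: message" (no year in the timestamp).
LINE_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ ([\w.]+)\[\d+\]: (.*)$")
FINGER_RE = re.compile(r"^connect from ([\d.]+)$")
FAILED_RE = re.compile(r"^FAILED LOGIN \d+ FROM ([\d.]+) FOR (\S+),")

def parse_events(log_text, year=2002):
    """Yield (timestamp, kind, source_ip, user) for fingerd connects and failed logins only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mon, day, hms, prog, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        if prog == "in.fingerd" and (f := FINGER_RE.match(msg)):
            yield ts, "finger", f.group(1), None
        elif prog == "login" and (f := FAILED_RE.match(msg)):
            yield ts, "failed_login", f.group(1), f.group(2)

def analyze(log_text, window=timedelta(hours=1), min_failures=3):
    """Per source IP: count finger probes and failed logins; flag a probe followed by guessing."""
    per_ip = defaultdict(lambda: {"finger_probes": [], "failed_logins": 0, "users": [], "flagged": False})
    for ts, kind, ip, user in parse_events(log_text):
        rec = per_ip[ip]
        if kind == "finger":
            rec["finger_probes"].append(ts)
            continue
        rec["failed_logins"] += 1
        rec["users"].append(user)
        # The pattern in the post: a finger probe, then repeated failed logins within the window.
        if rec["failed_logins"] >= min_failures and any(timedelta(0) <= ts - p <= window for p in rec["finger_probes"]):
            rec["flagged"] = True
    return {ip: {**rec, "finger_probes": len(rec["finger_probes"])} for ip, rec in per_ip.items()}
```

Running `analyze(SAMPLE_LOG)` flags 202.185.243.121 (two finger probes, three failures for root, rpcuser and test) and leaves 10.0.0.5 unflagged; the telnetd connect lines are ignored because only the login failures carry the account names.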