Busted an Attempted Hack
bsm2001
08-22-2004, 05:48 PM
Busted this guy using xtraceroute and contacted his ISP :D.
here is the log info
Aug 22 12:43:14 www sshd[9319]: Illegal user test from ::ffff:66.235.194.109
Aug 22 12:43:24 www sshd(pam_unix)[9319]: check pass; user unknown
Aug 22 12:43:24 www sshd(pam_unix)[9319]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=66.235.194.109
Aug 22 12:43:27 www sshd[9319]: Failed password for illegal user test from ::ffff:66.235.194.109 port 44665 ssh2
Aug 22 12:43:40 www sshd[9326]: Illegal user test from ::ffff:66.235.194.109
Aug 22 12:43:50 www sshd(pam_unix)[9326]: check pass; user unknown
Aug 22 12:43:50 www sshd(pam_unix)[9326]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=66.235.194.109
Aug 22 12:43:52 www sshd[9326]: Failed password for illegal user test from ::ffff:66.235.194.109 port 47153 ssh2
He quit after 2 attempts but I got enough info to shut him down.
hard candy
08-22-2004, 05:51 PM
Any idea where he was from?
hlrguy
08-22-2004, 06:11 PM
http://www.ipowerweb.com/
The headquarters is in Santa Monica. Just to let people know they are busted, I will do a flood ping to their IP. It will make their firewall (if they have one) go nuts. I then simply send the firewall log and traceroute info to the ISP. It sometimes works, depending on the ISP. Some care, most couldn't give a ....
hlrguy
linux:/root # traceroute 66.235.194.109
traceroute to 66.235.194.109 (66.235.194.109), 30 hops max, 40 byte packets
1 ip-64-185-176-1.pool0.dsl0.gvtc.com (64.185.176.1) 64.608 ms 63.887 ms 62.278 ms
2 fe8_1_1.gw0.blvrtx.gvtc.com (64.238.141.29) 60.654 ms 59.328 ms 60.954 ms
3 gvtc.com.ip.att.net (12.124.221.157) 63.788 ms 65.612 ms 66.763 ms
4 gbr1-p50.auttx.ip.att.net (12.123.133.6) 70.670 ms 71.415 ms 73.089 ms
5 tbr2-p012301.dlstx.ip.att.net (12.122.10.109) 74.321 ms 95.641 ms 94.691 ms
6 gar1-p370.dlrtx.ip.att.net (12.123.196.97) 93.082 ms 91.609 ms 99.571 ms
7 12.119.136.30 66.804 ms 67.697 ms 85.108 ms
8 so-3-3-0.mpr1.iah1.us.above.net (64.125.29.21) 85.858 ms 84.647 ms 83.170 ms
9 so-4-1-0.mpr2.lax9.us.above.net (64.125.29.101) 103.585 ms 111.762 ms 110.103 ms
10 216.200.249.141.available.ipowerweb.com (216.200.249.141) 109.121 ms 110.661 ms 128.192 ms
11 ds194-109.ipowerweb.com (66.235.194.109) 127.112 ms 125.767 ms 124.816 ms
bsm2001
08-22-2004, 06:11 PM
Los Angeles area. His ISP said they will shut him down. He has dedicated hosting with them. Also contacted the FBI, but our Gov. has better things to do than combat cyber crime.
hard candy
08-22-2004, 06:16 PM
Good job, at least he will have to move everything now. Maybe the hassle will be a deterrent next time. One can only hope.
bsm2001
08-23-2004, 11:49 AM
Got another from Washington State Uni. this morning. Their Security Dept. was very nice also. :D
hard candy
08-23-2004, 12:00 PM
What the heck are you hosting? Downloads of Doom3? :)
bsm2001
08-23-2004, 12:08 PM
Just a small p4 box with web only right now www.usa-family.com but I check the logs every 2-4 hours to make sure everything is kosher:D
bsm2001
08-23-2004, 09:14 PM
So far this is what I got from the first attempt. These People suck.
Recently you requested personal assistance from our on-line support
center. Below is a summary of your request and our response.
We will assume your issue has been resolved if we do not hear from you
within 72 hours.
Thank you for allowing us to be of service to you.
You may update this question by replying to this message. Because your
reply will be automatically processed, you MUST enter your reply in
the space below. Text entered into any other part of this message will
be discarded. In order to be able to update the question, be sure to
click Reply in your email client first.
[===> Please enter your reply below this line <===]
[===> Please enter your reply above this line <===]
Subject
---------------------------------------------------------------
Illegal intrusion attempt
Discussion Thread
---------------------------------------------------------------
Response (Tong Wong) - 08/23/2004 03:08 PM
Dear Customer,
Thank you for contacting iPowerWeb Technical Support.
Many times, if you have asked us for any help, many of us techs here would try to login to your system. Sometimes the client would change the password from what we have on file. So we would try a couple of times.
If it's not us, then you might have been targeted by someone. We can't block ssh access so you will have to make sure your password is very hard to crack.
Customer - 08/22/2004 01:42 PM
The below log is from My server at www.usa-family.com. The individual
attempted twice to ssh into the system and take it over. Please
investigate and take appropriate disciplinary actions and respond to me
with the actions taken.
Aug 22 12:43:14 www sshd[9319]: Illegal user test from ::ffff:66.235.194.109
Aug 22 12:43:24 www sshd(pam_unix)[9319]: check pass; user unknown
Aug 22 12:43:24 www sshd(pam_unix)[9319]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=66.235.194.109
Aug 22 12:43:27 www sshd[9319]: Failed password for illegal user test from ::ffff:66.235.194.109 port 44665 ssh2
Aug 22 12:43:40 www sshd[9326]: Illegal user test from ::ffff:66.235.194.109
Aug 22 12:43:50 www sshd(pam_unix)[9326]: check pass; user unknown
Aug 22 12:43:50 www sshd(pam_unix)[9326]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=66.235.194.109
Aug 22 12:43:52 www sshd[9326]: Failed password for illegal user test from ::ffff:66.235.194.109 port 47153 ssh2
Question Reference #040822-000929
---------------------------------------------------------------
Contact Information:
Date Created: 08/22/2004 01:42 PM
Last Updated: 08/23/2004 03:08 PM
Status: 5-Waiting
Question Type:
Verification:
Domain Name
---------------------------------------------------------------
Regards,
iPowerWeb Sales Team
"100% Customer Service! - 100% of the Time!"
P.S. Please visit our new Knowledge Center located at http://helpcenter.ipowerweb.com.
update new email just now
Response - 08/23/2004 06:35 PM
Dear Customer,
Thank you for contacting iPowerWeb Technical Support.
We have suspended this server and are doing further investigation.
Gertrude
08-25-2004, 03:33 AM
I'm kind of surprised you even got a response back from them for something like this. Really this is the kind of thing you need to expect to have happen when a computer is plugged into the internet. Most companies just don't care about things like this because it is so commonplace on the net. Also they don't have the manpower to follow through with every reported port scan, failed login attempt, three year old Code Red / Nimda garbage etc. Like "Tong Wong" said "make sure your password is very hard to crack".
If I tried reporting this kind of stuff every time I saw it....
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/root.exe
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/MSADC/root.exe
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/c/winnt/system32/cmd.exe
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/d/winnt/system32/cmd.exe
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..Á../winnt/system32/cmd.exe
[Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..À¯../winnt/system32/cmd.exe
[Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..Á../winnt/system32/cmd.exe
[Wed Aug 25 00:27:58 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
[Wed Aug 25 00:27:58 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..%2f../winnt/system32/cmd.exe
I wouldn't have enough time to actually get any work done.
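The Apache error-log lines above are the classic IIS-only worm probes (root.exe backdoor checks and cmd.exe traversal attempts) that a Linux web server can only ever answer with "File does not exist". The following is an added example, not code from the thread: a small Python classifier that tallies those probes per client so they can be filtered out of the daily log review as worm noise rather than treated as a targeted attack. The sample log is constructed to mirror the quoted lines; the two overlong UTF-8 traversal sequences are written as the raw bytes `\xc0\xaf` and `\xc1\x9c`, which is how they appear in a decoded request path.

```python
import re
from collections import Counter, defaultdict

# Apache 1.3/2.0 error-log format for a missing file, as quoted in the thread.
ERROR_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"File does not exist: (?P<path>.*)$"
)

# What the probe is looking for (matched case-insensitively).
TARGET_SIGNS = {
    "root.exe": "root.exe backdoor left by Code Red II / Nimda",
    "cmd.exe": "direct cmd.exe execution attempt",
}

# How the probe tries to escape the web root. Percent forms are checked on the
# lower-cased path, the raw overlong UTF-8 forms on the original path.
TRAVERSAL_SIGNS = {
    "%5c": "percent-encoded backslash (..%5c..)",
    "%2f": "percent-encoded slash (..%2f..)",
    "\xc0\xaf": "overlong UTF-8 slash (%c0%af)",
    "\xc1\x9c": "overlong UTF-8 backslash (%c1%9c)",
}

# Constructed sample: copies of the quoted probe lines plus one benign 404.
SAMPLE_ERROR_LOG = """\
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/root.exe
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/MSADC/root.exe
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/c/winnt/system32/cmd.exe
[Wed Aug 25 00:27:56 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
[Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..\xc0\xaf../winnt/system32/cmd.exe
[Wed Aug 25 00:27:57 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..\xc1\x9c../winnt/system32/cmd.exe
[Wed Aug 25 00:27:58 2004] [error] [client 66.57.253.21] File does not exist: /var/www/scripts/..%2f../winnt/system32/cmd.exe
[Wed Aug 25 00:30:00 2004] [error] [client 192.0.2.7] File does not exist: /var/www/favicon.ico
"""


def classify_path(path):
    """Return (target description, [traversal descriptions]) or None if benign."""
    lowered = path.lower()
    target = next((desc for key, desc in TARGET_SIGNS.items() if key in lowered), None)
    if target is None:
        return None
    hints = [desc for key, desc in TRAVERSAL_SIGNS.items()
             if key in path or key in lowered]
    return target, hints


def summarize_probes(log_text):
    """Tally IIS worm probes per client address; benign 404s are not counted."""
    per_client = defaultdict(lambda: {"probes": 0, "targets": Counter(), "traversal": Counter()})
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        verdict = classify_path(m.group("path"))
        if verdict is None:
            continue
        target, hints = verdict
        rec = per_client[m.group("client")]
        rec["probes"] += 1
        rec["targets"][target] += 1
        for hint in hints:
            rec["traversal"][hint] += 1
    return dict(per_client)


def report(per_client):
    """Human-readable one-paragraph summary per probing client."""
    lines = []
    for client, rec in sorted(per_client.items()):
        lines.append(f"{client}: {rec['probes']} IIS worm probe(s), no file served")
        for target, n in rec["targets"].most_common():
            lines.append(f"  {n:3d} x {target}")
        for hint, n in rec["traversal"].most_common():
            lines.append(f"  {n:3d} x traversal via {hint}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize_probes(SAMPLE_ERROR_LOG)))
```

On a non-IIS host every one of these requests is a guaranteed 404, so the useful signal is only the volume and the source address; the tally is what you would attach if you did decide a report was worth sending.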
bsm2001
08-25-2004, 09:54 AM
If I tried reporting this kind of stuff every time I saw it....
I wouldn't have enough time to actually get any work done.
True, but this is my job, and the few seconds that it takes to pull the link cable should be worth it to them to help kill this sort of thing. Also, the Wash. U IP address was dead 20 min after contacting them. So it must be worth it to them also.
soleblazer
08-25-2004, 10:55 AM
I think what he is saying is that most large shops simply don't have the time to go through this stuff. We actually simply disregard scans like this as there are so many it would take a small team just to report everyone; with the right enviro. they won't be able to get in anyway.
hlrguy
08-25-2004, 11:05 AM
You are right in that they don't actively search out this kind of thing, however, most have an acceptable use policy, and when they get complaints from people about their customers breaking that policy, they likely have a legal obligation to at least check it out.
http://www.ipowerweb.com/company/legal/legal_usage.html
f. Utilize the Services to gain unauthorized access to the computer networks of IPOWERWEB or any other person;
hlrguy
tuxnewb
08-25-2004, 11:26 AM
Where are those logs at? Still learning Linux and I am just starting to get into reading logs and such.
bsm2001
08-25-2004, 12:05 PM
on mine it is /var/log/auth
hey hlrguy
check this out got two more working on getting them shut down also
here is the info
Aug 24 18:44:55 www sshd[1953]: Illegal user test from ::ffff:69.199.247.212
Aug 24 18:44:55 www sshd(pam_unix)[1953]: check pass; user unknown
Aug 24 18:44:55 www sshd(pam_unix)[1953]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=cpe00600816294e-cm000a7365522e.cpe.net.cable.rogers.com
Aug 25 03:07:04 www sshd(pam_unix)[8152]: check pass; user unknown
Aug 25 03:07:04 www sshd(pam_unix)[8152]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=eshopatlantis.com
Aug 25 03:07:06 www sshd[8152]: Failed password for illegal user admin from ::ffff:209.235.23.215 port 4346 ssh2
Aug 25 03:07:07 www sshd[8155]: Illegal user user from ::ffff:209.235.23.215
By the way, how do you
flood ping to their IP
Thanks
Brian
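The question of where the logs live and what the sshd lines actually say comes up here, so this is an added example (not code from the thread) of how a defender would condense an auth log like the one quoted above into a per-source summary: which usernames were tried, how many password failures there were, and which sources have enough failures to be worth a TCP wrappers deny entry or a report. The sample lines are constructed copies of the thread's own sshd/pam_unix output plus one normal accepted login; the path /var/log/auth and the threshold of two failures are assumptions you would adjust for your own box.

```python
import re
from collections import defaultdict

# The three sshd line shapes quoted in the thread. IPv4-mapped "::ffff:" prefixes are stripped.
ILLEGAL_RE = re.compile(r"sshd\[(\d+)\]: Illegal user (\S+) from (?:::ffff:)?(\S+)")
FAILED_RE = re.compile(
    r"sshd\[(\d+)\]: Failed password for (?:illegal user )?(\S+) from (?:::ffff:)?(\S+) port (\d+)"
)
PAM_RE = re.compile(r"sshd\(pam_unix\)\[(\d+)\]: authentication failure;.*\brhost=(\S+)")

# Constructed sample modelled on the lines posted in this thread.
SAMPLE_AUTH_LOG = """\
Aug 22 12:43:14 www sshd[9319]: Illegal user test from ::ffff:66.235.194.109
Aug 22 12:43:24 www sshd(pam_unix)[9319]: check pass; user unknown
Aug 22 12:43:24 www sshd(pam_unix)[9319]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=66.235.194.109
Aug 22 12:43:27 www sshd[9319]: Failed password for illegal user test from ::ffff:66.235.194.109 port 44665 ssh2
Aug 22 12:43:40 www sshd[9326]: Illegal user test from ::ffff:66.235.194.109
Aug 22 12:43:52 www sshd[9326]: Failed password for illegal user test from ::ffff:66.235.194.109 port 47153 ssh2
Aug 24 18:44:55 www sshd[1953]: Illegal user test from ::ffff:69.199.247.212
Aug 24 18:44:55 www sshd(pam_unix)[1953]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=cpe00600816294e-cm000a7365522e.cpe.net.cable.rogers.com
Aug 25 03:07:06 www sshd[8152]: Failed password for illegal user admin from ::ffff:209.235.23.215 port 4346 ssh2
Aug 25 03:07:07 www sshd[8155]: Illegal user user from ::ffff:209.235.23.215
Aug 25 03:07:09 www sshd[8155]: Failed password for illegal user user from ::ffff:209.235.23.215 port 4350 ssh2
Aug 25 09:10:11 www sshd[8201]: Accepted publickey for brian from 192.0.2.10 port 50000 ssh2
"""


def new_record():
    return {"illegal": 0, "failed": 0, "pam_failures": 0,
            "users": set(), "pids": set(), "first": None, "last": None}


def summarize(log_text):
    """Aggregate failed/illegal SSH attempts per source address.

    pam_unix lines only carry rhost (often a reverse DNS name, not an address),
    so they are attributed to the source seen for the same sshd PID when possible.
    Accepted logins and other lines are ignored.
    """
    sources = defaultdict(new_record)
    pid_to_source = {}

    def touch(src, pid, stamp):
        rec = sources[src]
        rec["pids"].add(pid)
        rec["first"] = rec["first"] or stamp
        rec["last"] = stamp
        return rec

    for line in log_text.splitlines():
        stamp = " ".join(line.split()[:3])  # "Aug 22 12:43:14"
        m = ILLEGAL_RE.search(line)
        if m:
            pid, user, src = m.groups()
            pid_to_source[pid] = src
            rec = touch(src, pid, stamp)
            rec["illegal"] += 1
            rec["users"].add(user)
            continue
        m = FAILED_RE.search(line)
        if m:
            pid, user, src, _port = m.groups()
            pid_to_source[pid] = src
            rec = touch(src, pid, stamp)
            rec["failed"] += 1
            rec["users"].add(user)
            continue
        m = PAM_RE.search(line)
        if m:
            pid, rhost = m.groups()
            src = pid_to_source.get(pid, rhost)
            touch(src, pid, stamp)["pam_failures"] += 1
    return dict(sources)


def hosts_deny_lines(summary, threshold=2):
    """TCP wrappers lines (for /etc/hosts.deny) for sources at or above the failure threshold."""
    return [f"sshd: {src}" for src in sorted(summary) if summary[src]["failed"] >= threshold]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. /var/log/auth (assumed location)
    text = open(path).read() if path else SAMPLE_AUTH_LOG
    summary = summarize(text)
    for src, rec in sorted(summary.items()):
        print(f"{src}: {rec['failed']} failed, {rec['illegal']} illegal-user, "
              f"users={sorted(rec['users'])}, {rec['first']} .. {rec['last']}")
    print("\n".join(hosts_deny_lines(summary)))
```

Correlating by sshd PID is what makes the Rogers cable line attributable: its pam_unix entry names only the reverse DNS host, but the "Illegal user" line for PID 1953 already gave the address.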
hlrguy
08-25-2004, 12:25 PM
Flood Ping
ping -f <ipaddress>
hlrguy
bsm2001
08-25-2004, 12:32 PM
thanks
knute
08-25-2004, 01:12 PM
Originally posted by hlrguy
Flood Ping
ping -f <ipaddress>
hlrguy
hehehe.... Here's an idea for a script called cmd.exe! :D
tuxnewb
08-25-2004, 01:21 PM
Could you do that... have a prog on your PC called cmd.exe and when it executes have it tell their computer to run a ping on them, and then have your computer run a ping on them for a specified time... I know how to make ping go for a specific time but I'm wondering if you could bog down their connection by using their PC and your PC to ping them with hi packets.... if so that would be really nifty :)
knute
08-25-2004, 01:23 PM
hehehe.... Instruct their computer to deltree -y c:\ and watch the fun as they get the term window that they were hoping for, only to be able to sit back and watch their computer self destruct! MWAHAHAHA!!!!!!!!
xlilo
08-25-2004, 01:37 PM
how do you know if you are being hacked?
perfectly_dark
08-26-2004, 05:25 PM
How do you know he didn't just mistype the IP address while trying to access another server? Stuff like that happens, IMHO, two failed SSH login attempts for a user 'test' are hardly worth reporting to the FBI
cs02rm0
08-26-2004, 05:56 PM
Err... guys... this isn't people hacking.
There's what appears to be a new SSH worm about - possibly on RedHat 7.2 installs and it's filling up server logs for a _lot_ of people. If I remember right, there's two different 2.4 series kernel versions on the machines that are exploited.
Usually attempts at guest, test or root accounts. Keep your system updated and deny their hosts if you're concerned.
If you bother informing people about it, don't take the angle that they're hackers... they're people who haven't updated their systems, that's all. Flood ping them... sheesh.
cs02rm0
08-26-2004, 06:05 PM
This is about it, see towards the top here (http://isc.sans.org//diary.php?date=2004-07-23).
This (http://www.sans.org/top20/#u8) is possibly it too, but the advice applies regardless.
hlrguy
08-26-2004, 06:06 PM
Originally posted by cs02rm0
Flood ping them... sheesh.
I don't have a server, and can agree that one failed attempt to login isn't reason to raise the roof, and I expect the ISP will ask them why they were attempting to get in. At the very least, the person whose server itself is hacked or infected will know that it is happening. I figured that someone's server got cracked, then the cracker is using that server to launch new attacks. In either case, notifying the ISP is not out of the ordinary and may actually be helping.
That said, I have a plain old PC on the internet, and when I see a systematic scan of my system, port 20, port 21, port 22, port 23, etc every second or so from the same IP, I certainly flood ping them. Know what? In virtually every case, the scan stops within a few seconds. And a flood ping is NOT a DOS reverse attack. It is simply knocking on the door urgently, and with a frequency high enough to set off Zone Alarm, etc.
hlrguy
cs02rm0
08-26-2004, 06:28 PM
Of course, but it's not exactly sociable.
If they have an open system online and don't keep it updated, they're not going to notice ICMP traffic. And that's even assuming that the originating IP is genuine.