OT: hackers and compassion

You know, the DCMA or whatever they call it in your place....

And then there is the bad hacker, and the small hacker, and the criminals...

Bit short on sleep, 2 o'clock last night the 'hack' alarms went off, sirens, flashing lights, but as I was sort of asleep it took a while to turn on the other side, and read the remote display, to see what was happening. What was happening was an attempt to log into the servers using random passwords.

Have to get up, you know, deep sleep, maybe I should just leave it, maybe just unplug the whole thing... got up, once in the computer room turned on the monitor, grabbed the keyboard, now more awake, amazingly I typed the right commands:

netstat
tcp6 0 0 ip51cf87c4.direct-a:ssh ::ffff:201.70.76.:35703 ESTABLISHED
tcp6 0 10 ip51cf87c4.direct:50719 ::ffff:201.70.76.4:auth ESTABLISHED
tcp6 0 0 ip51cf87c4.direct-a:ssh ::ffff:201.70.76.:34809 TIME_WAIT
tcp6 0 0 ip51cf87c4.direct:44236 ::ffff:201.70.76.4:auth TIME_WAIT

mm looks like somebody is trying to log in to the root account.

tail -f /var/log/auth.log
Jun 10 01:33:03 grml sshd[24675]: Invalid user usa from 201.70.76.43
Jun 10 01:33:03 grml sshd[24675]: (pam_unix) check pass; user unknown
Jun 10 01:33:03 grml sshd[24675]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.70.76.43
Jun 10 01:33:05 grml sshd[24675]: Failed password for invalid user usa from 201.70.76.43 port 33650 ssh2
Jun 10 01:33:08 grml sshd[24702]: Invalid user universal from 201.70.76.43
Jun 10 01:33:08 grml sshd[24702]: (pam_unix) check pass; user unknown
Jun 10 01:33:08 grml sshd[24702]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.70.76.43
Jun 10 01:33:10 grml sshd[24702]: Failed password for invalid user universal from 201.70.76.43 port 33940 ssh2
Jun 10 01:33:14 grml sshd[24736]: Invalid user radio from 201.70.76.43
Jun 10 01:33:14 grml sshd[24736]: (pam_unix) check pass; user unknown
Jun 10 01:33:14 grml sshd[24736]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.70.76.43
Jun 10 01:33:16 grml sshd[24736]: Failed password for invalid user radio from 201.70.76.43 port 34237 ssh2
Jun 10 01:33:19 grml sshd[24764]: Invalid user ronald from 201.70.76.43
Jun 10 01:33:19 grml sshd[24764]: (pam_unix) check pass; user unknown
Jun 10 01:33:19 grml sshd[24764]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.70.76.43
Jun 10 01:33:20 grml sshd[24764]: Failed password for invalid user ronald from 201.70.76.43 port 34556 ssh2
Jun 10 01:33:24 grml sshd[24799]: Invalid user harry from 201.70.76.43
Jun 10 01:33:24 grml sshd[24799]: (pam_unix) check pass; user unknown
Jun 10 01:33:24 grml sshd[24799]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.70.76.43
Jun 10 01:33:26 grml sshd[24799]: Failed password for invalid user harry from 201.70.76.43 port 34809 ssh2
Jun 10 01:33:30 grml sshd[24831]: Invalid user zoe from 201.70.76.43
Jun 10 01:33:30 grml sshd[24831]: (pam_unix) check pass; user unknown
Jun 10 01:33:30 grml sshd[24831]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.70.76.43
Jun 10 01:33:31 grml sshd[24831]: Failed password for invalid user zoe from 201.70.76.43 port 35151 ssh2
Jun 10 01:33:34 grml sshd[24859]: Invalid user vivi from 201.70.76.43
Jun 10 01:33:34 grml sshd[24859]: (pam_unix) check pass; user unknown
Jun 10 01:33:34 grml sshd[24859]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.70.76.43
Jun 10 01:33:36 grml sshd[24859]: Failed password for invalid user vivi from 201.70.76.43 port 35410 ssh2
Jun 10 01:33:39 grml sshd[24890]: Invalid user walter from 201.70.76.43
Jun 10 01:33:39 grml sshd[24890]: (pam_unix) check pass; user unknown
Jun 10 01:33:39 grml sshd[24890]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.70.76.43
Jun 10 01:33:42 grml sshd[24890]: Failed password for invalid user walter from 201.70.76.43 port 35703 ssh2
Jun 10 01:33:45 grml sshd[24924]: Invalid user violeta from 201.70.76.43
Jun 10 01:33:45 grml sshd[24924]: (pam_unix) check pass; user unknown
Jun 10 01:33:45 grml sshd[24924]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.70.76.43
Jun 10 01:33:47 grml sshd[24924]: Failed password for invalid user violeta from 201.70.76.43 port 36037 ssh2
Jun 10 01:33:50 grml sshd[24951]: Invalid user valentin from 201.70.76.43
Jun 10 01:33:50 grml sshd[24951]: (pam_unix) check pass; user unknown
Jun 10 01:33:50 grml sshd[24951]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.70.76.43
etc...

so..... somebody IN THIS GROUP has read my posting about 'football on the eeePC', figures there must be some movies and stuff to get, tries to get to it.

ip_to_country -i 201.70.76.4
ip=201.70.76.4 (3376827396) "BR" "BRAZIL"

Yes those guys like football ;-)

whois 201.70.76.43
inetnum: 201.70.76/24
nserver: ns.superivitoria.com.br

So, whoever you are, ONE email from me to superivitoria.com.br and you are spending perhaps 25 years in a Brazilian jail in the jungle with alligators ;-). I will not send it, you got blinded by the football, but do not try again. (In fact you cannot try again, as you are forever added to the ip filter, and some other countermeasures have been added). But you can still view my site that you seem to like so much, but only via an anonymiser like

formatting link

Now I had 3 denial of service attacks (for which I did strike back) this week, and one password attack, internet is getting a dangerous place. And robbing me of my sleep, do not piss me off.

Reply to
Jan Panteltje
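The auth.log excerpt above is the classic signature of an SSH dictionary attack: one source, many usernames (most of them non-existent), a few seconds apart. As an added illustration, not code from the poster, here is a small Python detector for that pattern: it parses sshd "Failed password" lines in the same syslog format, groups them per source address, and flags a source that produces a burst of failures inside a short window. The sample lines and their addresses are constructed, and the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches sshd "Failed password" lines in the format shown in the thread
# (optional "invalid user " prefix when the account does not exist).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample log; RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
Jun 10 01:33:03 grml sshd[24675]: Invalid user usa from 203.0.113.43
Jun 10 01:33:05 grml sshd[24675]: Failed password for invalid user usa from 203.0.113.43 port 33650 ssh2
Jun 10 01:33:10 grml sshd[24702]: Failed password for invalid user universal from 203.0.113.43 port 33940 ssh2
Jun 10 01:33:16 grml sshd[24736]: Failed password for invalid user radio from 203.0.113.43 port 34237 ssh2
Jun 10 01:33:20 grml sshd[24764]: Failed password for invalid user ronald from 203.0.113.43 port 34556 ssh2
Jun 10 01:33:26 grml sshd[24799]: Failed password for invalid user harry from 203.0.113.43 port 34809 ssh2
Jun 10 01:40:00 grml sshd[24900]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jun 10 01:41:00 grml sshd[24901]: Accepted publickey for jan from 192.0.2.10 port 50000 ssh2
"""

def parse_failures(text, year=2008):
    """Return (timestamp, username, source_ip, is_invalid_user) per failed login.
    syslog lines have no year, so the caller supplies one (assumed here)."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue  # "Invalid user", pam_unix and "Accepted" lines are not counted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"], m["invalid"] is not None))
    return out

def find_bruteforce(failures, threshold=5, window=timedelta(minutes=1)):
    """Flag a source IP with at least `threshold` failures inside any `window`.
    Reports how many distinct usernames it tried and how many did not exist."""
    by_ip = defaultdict(list)
    for ts, user, ip, invalid in failures:
        by_ip[ip].append((ts, user, invalid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [e[0] for e in events]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"attempts": len(events),
                               "usernames": sorted({e[1] for e in events}),
                               "invalid_users": sum(1 for e in events if e[2])}
                break
    return flagged
```

The same parser run over a whole day of logs gives the per-source counts Clifford mentions further down the thread, and a burst-based threshold is what tools such as fail2ban apply before adding a firewall rule.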

And you think someone at supervitoria in Brazil would take notice? I was hacked in the UK by someone in the UK and guess what....... nobody wanted to do diddly squat about it, and everyone hid behind the data protection act!

Reply to
TT_Man


I'd suggest blocking all known anonymisers

--
Dirk

http://www.transcendence.me.uk/ - Transcendence UK
Remote Viewing classes in London
Reply to
Dirk Bruere at NeoPax

On a sunny day (Tue, 10 Jun 2008 15:58:20 +0100) it happened Dirk Bruere at NeoPax wrote in :

Makes no sense, anonymisers are safe.

Reply to
Jan Panteltje

On a sunny day (Tue, 10 Jun 2008 15:56:34 +0100) it happened "TT_Man" wrote in :

Sure they will, I have very good experiences with ISPs (as I am one myself in a way). Just recently I had some things worked out with a US ISP (hosting provider). These people do _not_ like hacking on their networks, and are very helpful. And I have had some cancel accounts too. That costs them money in a way, but probably less than if major damage by a wild hacker doing bad things to commercial sites results in huge damage claims. Anyway, without good communication between ISPs you cannot do much about a distributed denial of service attack for example.

But I guess if your complaint is: 'Somebody insulted me on Usenet', yes, then you get little reaction I suppose.

Reply to
Jan Panteltje

So nobody can run a password hack via an anonymiser?

--
Dirk

http://www.transcendence.me.uk/ - Transcendence UK
Remote Viewing classes in London
Reply to
Dirk Bruere at NeoPax

On a sunny day (Tue, 10 Jun 2008 16:50:53 +0100) it happened Dirk Bruere at NeoPax wrote in :

Normal web anonymisers allow only *http* access to port 80 and friends. Even if they did allow access to other ports they would be so dead slow and infested with ads that running such attacks would be impractical. And make no mistake, those anonymisers log _everything_. Give it a try,

formatting link
enter panteltje.com:80 or panteltje.com:82

you can either have http on port 80, or 82 (backup server, asks for login), nothing else. No way will it do ssh or - ahum - other things.

Reply to
Jan Panteltje

I had no WiFi equipment until I bought my Lenovo... half my neighbors were unsecured. You should have seen the looks on their faces when I told them ;-)

...Jim Thompson

--
| James E.Thompson, P.E.                           |    mens     |
| Analog Innovations, Inc.                         |     et      |
| Analog/Mixed-Signal ASIC's and Discrete Systems  |    manus    |
| Phoenix, Arizona  85048    Skype: Contacts Only  |             |
| Voice:(480)460-2350  Fax: Available upon request |  Brass Rat  |
| E-mail Icon at http://www.analog-innovations.com |    1962     |
             
         America: Land of the Free, Because of the Brave
Reply to
Jim Thompson

On this topic, a friend gave me an old WiFi hub. To see if it was working, I plugged it in and configured it as an open (unencrypted) AP. It works.

Then, I got thinking. I wonder how many hackers I can get to pound their head against this thing, so to speak, by just leaving it all alone, not connected to any networks or systems.

I've seen the activity lights wink a few times. Perhaps I should give it a more enticing name, like CitiBank, to see how many fish I can hook.

--
Paul Hovnanian	paul@hovnanian.com
-----------------------------------------------------------------------
Have gnu, will travel.
Reply to
Paul Hovnanian P.E.

Maybe you should check to see if any of them are running VNC with default password...

--
Dirk

http://www.transcendence.me.uk/ - Transcendence UK
Remote Viewing classes in London
Reply to
Dirk Bruere at NeoPax

My brother came to visit. He opened up his laptop on the lunch table: "I see you have wireless." "No, it's the neighbors." Neighbor kid (who was in our house at the time): "My mom thinks our wireless is slow so she always uses the neighbor's."

Reply to
Richard Henry

A few years ago, I did a number of monitor-only "wardrives" around my neighborhood, taking a census of the local access points.

Even after I wrote a "Hey, folks, this is a *bad* idea" blurb for the neighborhood-association newsletter, the rate of unsecured APs never dropped below 40%.

They probably aren't terribly interesting for "free access" wardrivers these days, as Google has provisioned our whole town with an 802.11 mesh network that's free to use. However, I still get the shivers when I think about the possibility of people having their home networks cracked wide open and raided.

--
Dave Platt                                    AE6EO
Friends of Jade Warrior home page:  http://www.radagast.org/jade-warrior
  I do _not_ wish to receive unsolicited commercial email, and I will
     boycott any company which has the gall to send me such ads!
Reply to
Dave Platt

Seems to me the method some ISPs used where after some many GB the speed just drops to, e.g., 128kbps is much more reasonable.

But I suppose that only contains cost but doesn't generate revenue...

Reply to
Joel Koltner

Joel Koltner wrote:

aka "The Old Business Model".

Bingo!

The lack of a page that a subscriber can access with a progress-bar-type display of his current stats would seem to be the big way-behind-the-curve part of this.

Reply to
JeffM

You do realize why ISPs are doing this. Most of the ones who've done it thus far are cable carriers. They're losing business on two fronts, telecom and video, since both are available on the net for cheap to nothing.

Reply to
T

Jeez, I'd never get any sleep if I lost it over ssh password probes. Last time I checked I was getting over a thousand a day, and that's just an uninteresting home cable network. Most from China, but many countries are represented.

I log them, but all the other kinds of attacks are simply black-holed. I only have a 15GB disk on my firewall box, logging all attacks would fill it in a few weeks.

Clifford Heath.

Reply to
Clifford Heath

On a sunny day (Wed, 11 Jun 2008 12:25:50 +1000) it happened Clifford Heath wrote in :

Well, problem is that *if* they guess the password right for root, then you lose perhaps days of work if not more, never mind all the illegal stuff, root kits, what not, that they will do. Yes those logfiles get rather long ;-)

Reply to
Jan Panteltje
