Failed logins from:
62.39.117.140 (140.117.39-62.rev.gaoland.net): 139 times
220.128.67.41: 9 times
Illegal users from:
62.39.117.140 (140.117.39-62.rev.gaoland.net): 229 times
220.128.67.41: 2 times
Received disconnect:
11: Bye Bye : 379 Time(s)
so it appears that someone was trying to break in to my machine.
I googled rev.gaoland.net (http://whois.domaintools.com/gaoland.net)
and it appears to be some kind of French ISP.
Is there some place to report this?
Steve
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
04-21-2010, 04:42 AM
Bruno Wolff III
Breakin attempts
On Wed, Apr 21, 2010 at 00:33:11 -0400,
Steve Blackwell <zephod@cfl.rr.com> wrote:
>
> I googled rev.gaoland.net (http://whois.domaintools.com/gaoland.net)
> and it appears to be some kind of French ISP.
> Is there some place to report this?
It's probably not worth your time.
If you really want to, you could try reporting the incident to the ISP's
abuse address.
04-21-2010, 04:53 AM
Marvin Kosmal
Breakin attempts
On 4/20/10, Bruno Wolff III <bruno@wolff.to> wrote:
> On Wed, Apr 21, 2010 at 00:33:11 -0400,
> Steve Blackwell <zephod@cfl.rr.com> wrote:
>>
>> I googled rev.gaoland.net (http://whois.domaintools.com/gaoland.net)
>> and it appears to be some kind of French ISP.
>> Is there some place to report this?
>
> It's probably not worth your time.
>
> If you really want to, you could try reporting the incident to the ISP's
> abuse address.
> --
[mkosmal@Theranch ~]$ whois 62.39.117.140
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '62.39.117.136 - 62.39.117.143'
inetnum: 62.39.117.136 - 62.39.117.143
netname: OLYMPIQUE-DE-MARSEILLE
descr: Internet Services
descr: Gaoland
country: FR
admin-c: HT28-RIPE
tech-c: HT28-RIPE
status: ASSIGNED PA
remarks: **********************************************
remarks: * For hacking, spamming or security problems *
remarks: * send email to abus@omfr.com *
remarks: **********************************************
mnt-by: LDCOM-MNT
source: RIPE # Filtered
Marvin
>I was looking at my logwatch mail and saw:
>
> Failed logins from:
> 62.39.117.140 (140.117.39-62.rev.gaoland.net): 139 times
> 220.128.67.41: 9 times
>
> Illegal users from:
> 62.39.117.140 (140.117.39-62.rev.gaoland.net): 229 times
> 220.128.67.41: 2 times
>
>
> Received disconnect:
> 11: Bye Bye : 379 Time(s)
>
> so it appears that someone was trying to break in to my machine.
>
> I googled rev.gaoland.net (http://whois.domaintools.com/gaoland.net)
> and it appears to be some kind of French ISP.
> Is there some place to report this?
Yes. You found it already. Look in the whois report.
It's useless though. All really good (and different) passwords for all
users, a clever trick with iptables to limit connections to one every
few minutes, or using an alternate port for "security through obscurity"
(not safe if the alternate port is discovered in a port scan), or a
private key login is what you need to make these attacks simple log
filler rather than an effective attack. Of course, combining methods
can work nicely. (I just have a perverse pleasure from both baiting the
barstads and tracking the nastiness on the net.)
This is the iptables trick. IPTABLES is filled with the path to
"iptables". Mind the wrap.
As it happens this allows ONE attempt every three minutes. I duplicate it
for any open ports like pop3s and imaps. (I could use -m multiport for it,
too, I suppose. I put different log prefixes on each just to keep track of
what is being attacked.) I figure at one attempt in every three plus
minutes the universe could grow cold before the password is discovered,
even with a distributed attempt that is not VERY well coordinated even for
a password as crude as ABCDHEFG.
{^_^}
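The iptables rules the post refers to did not survive in the archived message. What follows is an added reconstruction of the "one attempt every few minutes" technique using the `recent` match; it is not the poster's own rule. It assumes an iptables with the `recent` and `state` match modules, sshd on port 22, and an earlier INPUT rule that already accepts ESTABLISHED,RELATED traffic. It keeps the post's `IPTABLES` variable for the path to the binary and, as the post does for pop3s and imaps, is meant to be called once per port with a different log prefix.

```shell
#!/bin/sh
# Added example: a reconstruction of the "one attempt every few minutes" iptables
# trick using the "recent" match. It is not the poster's rule (which is missing from
# the archived message). Assumes iptables with the recent and state match modules,
# sshd on port 22, and an earlier rule that already accepts ESTABLISHED,RELATED traffic.

IPTABLES=${IPTABLES:-/sbin/iptables}   # the post's IPTABLES variable: path to the binary

# Print the rules that allow one NEW TCP connection to port $1 per source every $2
# seconds; $3 is the log prefix so each port's attempts can be told apart in the log.
ssh_ratelimit_rules() {
    port=$1; seconds=$2; prefix=$3
    list="rl_$port"   # a separate recent-list per port
    # 1. Record every new connection attempt from this source in the list.
    echo "$IPTABLES -A INPUT -p tcp --dport $port -m state --state NEW -m recent --set --name $list --rsource"
    # 2. hitcount 2 = this attempt plus one earlier within $seconds: log it...
    echo "$IPTABLES -A INPUT -p tcp --dport $port -m state --state NEW -m recent --update --seconds $seconds --hitcount 2 --name $list --rsource -j LOG --log-prefix \"$prefix \""
    # 3. ...and drop it.
    echo "$IPTABLES -A INPUT -p tcp --dport $port -m state --state NEW -m recent --update --seconds $seconds --hitcount 2 --name $list --rsource -j DROP"
    # 4. A first attempt in the window is accepted.
    echo "$IPTABLES -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
}

# Print the rules by default; "--apply" feeds them to the shell (needs root).
case "${1:-}" in
    --apply) ssh_ratelimit_rules 22 180 SSH-RATELIMIT | sh ;;
    *)       ssh_ratelimit_rules 22 180 SSH-RATELIMIT ;;
esac
```

Two things to know before applying it. Because the second and third rules use `--update`, every blocked attempt refreshes the source's timestamp, so a host that keeps hammering never gets its one attempt per three minutes at all; `--rcheck` would give a fixed window instead. The limit also applies to you: a second ssh or scp session from the same address within three minutes is dropped, so put an ACCEPT for trusted source addresses above these rules. Once the rules are in place the logwatch counters shown in the original mail will fall, since dropped SYNs never reach sshd; the attempts appear in the kernel log under the prefix instead.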
04-21-2010, 06:07 AM
g
Breakin attempts
Steve Blackwell wrote:
<snip>
> so it appears that someone was trying to break in to my machine.
do you have 'ping reply' enabled on your cable modem?
if so, i would suggest that you disable it so you are not visible.
hth.
--
peace out.
tc,hago.
g
.
****
in a free world without fences, who needs gates.
**
help microsoft stamp out piracy - give linux to a friend today.
**
to mess up a linux box, you need to work at it.
to mess up an ms windows box, you just need to *look* at it.
**
learn linux:
'Rute User's Tutorial and Exposition' http://rute.2038bug.com/index.html
'The Linux Documentation Project' http://www.tldp.org/
'LDP HOWTO-index' http://www.tldp.org/HOWTO/HOWTO-INDEX/index.html
'HowtoForge' http://howtoforge.com/
****
04-21-2010, 10:29 AM
"Kevin H. Hobbs"
Breakin attempts
On 04/21/2010 02:07 AM, users-request@lists.fedoraproject.org wrote:
> Of course, combining methods
> can work nicely.
Don't forget about the denyhosts package which will watch
/var/log/secure for repeated failed login attempts and attempts for
accounts like root and add the host to /etc/hosts.deny.
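As an added illustration of the logic Kevin describes, not the denyhosts project's own code, the script below does the same counting in awk over sshd lines in `/var/log/secure` format: failed passwords per source, attempts against root tracked separately, and `hosts.deny` lines for any source at or over a threshold. The log lines are constructed samples in documentation address ranges, not real hosts; the thresholds are arguments, since denyhosts itself uses a lower threshold for root than for other accounts.

```shell
#!/bin/sh
# Added example, not the denyhosts project's code: the core of what denyhosts
# does, in awk, so the logic is visible. Input is sshd lines in /var/log/secure
# format; output is one line per source: "<failed> <root_failed> <ip>".

# Constructed sample lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG='Apr 21 00:12:01 host sshd[2001]: Invalid user oracle from 192.0.2.10
Apr 21 00:12:03 host sshd[2001]: Failed password for invalid user oracle from 192.0.2.10 port 51234 ssh2
Apr 21 00:12:04 host sshd[2001]: Received disconnect from 192.0.2.10: 11: Bye Bye
Apr 21 00:12:07 host sshd[2003]: Failed password for root from 192.0.2.10 port 51240 ssh2
Apr 21 00:12:09 host sshd[2005]: Failed password for steve from 198.51.100.7 port 40001 ssh2
Apr 21 00:12:15 host sshd[2005]: Accepted publickey for steve from 198.51.100.7 port 40001 ssh2
Apr 21 00:12:20 host sshd[2007]: Failed password for root from 192.0.2.10 port 51250 ssh2
Apr 21 00:12:31 host sshd[2009]: Failed password for invalid user admin from 203.0.113.5 port 3344 ssh2'

# Count "Failed password" lines per source. Only that line is counted, so an
# invalid-user attempt (which sshd logs twice) is not counted twice.
count_failed_logins() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            failed[ip]++
            if ($0 ~ /Failed password for root from/) root[ip]++
        }
        END { for (ip in failed) printf "%d %d %s\n", failed[ip], root[ip] + 0, ip }
    ' | sort -rn
}

# Emit hosts.deny entries: a source is denied after $1 failures in total, or
# after $2 failures against root.
hosts_deny_entries() {
    count_failed_logins | awk -v t="$1" -v r="$2" '$1 >= t || $2 >= r { print "sshd: " $3 }'
}

# Run stand-alone: show the per-source counts and the resulting deny lines.
printf '%s\n' "$SAMPLE_LOG" | count_failed_logins
printf '%s\n' "$SAMPLE_LOG" | hosts_deny_entries 3 1
```

On a real box run `count_failed_logins < /var/log/secure` to see the same per-source totals logwatch summarises, and `hosts_deny_entries 5 1 < /var/log/secure >> /etc/hosts.deny` to block them. A deny list built this way grows forever, which is why denyhosts ages entries out and why the `recent`-match rate limit above it needs no list at all.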
04-21-2010, 01:11 PM
Patrick O'Callaghan
Breakin attempts
On Wed, 2010-04-21 at 06:07 +0000, g wrote:
> Steve Blackwell wrote:
> <snip>
> > so it appears that someone was trying to break in to my machine.
>
> do you have 'ping reply' enabled on your cable modem?
>
> if so, i would suggest that you disable it so you are not visible.
It might help against naive attempts, but there are other ways of
checking visibility.
poc
04-21-2010, 01:58 PM
Steve Blackwell
Breakin attempts
On Wed, 21 Apr 2010 00:33:11 -0400
Steve Blackwell <zephod@cfl.rr.com> wrote:
> I was looking at my logwatch mail and saw:
>
> Failed logins from:
> 62.39.117.140 (140.117.39-62.rev.gaoland.net): 139 times
> 220.128.67.41: 9 times
>
> Illegal users from:
> 62.39.117.140 (140.117.39-62.rev.gaoland.net): 229 times
> 220.128.67.41: 2 times
>
>
> Received disconnect:
> 11: Bye Bye : 379 Time(s)
>
> so it appears that someone was trying to break in to my machine.
>
> I googled rev.gaoland.net (http://whois.domaintools.com/gaoland.net)
> and it appears to be some kind of French ISP.
> Is there some place to report this?
>
> Steve
rkhunter is reporting this:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Suspicious file types found in /dev:
/dev/shm/mono-shared-500-shared_fileshare-steve.blackwell-Linux-i686-36-12-0:data
/dev/shm/mono-shared-500-shared_data-steve.blackwell-Linux-i686-312-12-0:data
/dev/shm/mono.2812: data
process 2812 is tomboy so that should be OK. What are the other 2?
Normal? OK to whitelist them?
Thanks,
Steve
04-21-2010, 03:34 PM
Marvin Kosmal
Breakin attempts
On 4/21/10, Kevin H. Hobbs <hobbsk@ohiou.edu> wrote:
> On 04/21/2010 02:07 AM, users-request@lists.fedoraproject.org wrote:
>> Of course, combining methods
>> can work nicely.
>
> Don't forget about the denyhosts package which will watch
> /var/log/secure for repeated failed login attempts and attempts for
> accounts like root and add the host to /etc/hosts.deny.
>
>
How can I tell if I have this package "denyhosts package" installed in F-12??
TIA
Marvin
04-21-2010, 03:39 PM
Ryan Pugatch
Breakin attempts
On 04/21/2010 11:34 AM, Marvin Kosmal wrote:
> How can I tell if I have this package "denyhosts package" installed in F-12??
>
> TIA
>
> Marvin
yum info denyhosts or rpm -q denyhosts
Ryan