
Break-in attempts to Linux host



Hello all,

In the last few days I have noticed break-in attempts to our Linux host. It is
very annoying, since this time it seems to be someone from Israel. About 6
months ago a hacker broke into the same PC and deleted the entire system.

Recently I have learned that the police have the cooperation of the large
Israeli ISPs and can very easily track down Israeli users according to IP
and time information.

One way to handle these break-in attempts is to go to the police and press
criminal charges... They take such complaints very seriously these days.

Is there someone on the list experiencing similar attempts?

Here are some log files entries that indicate the break in attempts:

Here he tries to use an exploit of previous versions of IMAP:

Sep 26 08:04:23 ns1 imapd[527]: AUTHENTICATE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA failure host=[192.115.50.37]
Sep 26 08:04:23 ns1 imapd[527]: Connection reset by peer, while reading line user=??? host=[192.115.50.37]
Sep 26 08:04:25 ns1 imapd[529]: AUTHENTICATE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA failure host=[192.115.50.37]
Sep 26 08:04:25 ns1 imapd[528]: Connection reset by peer, while reading line user=??? host=[192.115.50.37]

Well, this time he had no luck since I have a patched version of IMAP:

Sep 26 21:37:39 ns1 imapd[1662]: System break-in attempt, host=[192.115.50.37]
Sep 26 21:37:39 ns1 imapd[1663]: System break-in attempt, host=[192.115.50.37]

He also tried to break in via ftp and rsh:

From another Netvision address there is indication of another attempt:

Sep 27 16:53:23 ns1 in.ftpd[15947]: connect from 194.90.255.10
Sep 27 16:53:23 ns1 in.ftpd[15948]: connect from 194.90.255.10
Sep 27 16:53:23 ns1 in.ftpd[15949]: connect from 194.90.255.10
Sep 27 16:53:43 ns1 in.timed[15961]: connect from 194.90.255.10
Sep 27 16:53:43 ns1 in.timed[15961]: error: cannot execute /usr/sbin/in.timed: No such file or directory
Sep 27 16:53:43 ns1 in.timed[15962]: connect from 194.90.255.10
Sep 27 16:53:43 ns1 in.timed[15962]: error: cannot execute /usr/sbin/in.timed: No such file or directory

Sep 27 17:05:56 ns1 rshd[16029]: Connection from 194.90.255.10 on illegal port
Sep 27 17:05:57 ns1 rshd[16030]: Connection from 194.90.255.10 on illegal port
Sep 27 17:05:57 ns1 rshd[16031]: Connection from 194.90.255.10 on illegal port
Sep 27 17:05:57 ns1 rshd[16032]: Connection from 194.90.255.10 on illegal port

-Oved
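As an added illustration (not part of Oved's post), a small syslog triage script that recognises the four signatures shown above (an oversized IMAP AUTHENTICATE argument, imapd's own "System break-in attempt" message, rshd's "illegal port" rejections, and connects to a service that is not installed) and groups them per source address. The sample lines are reconstructed from the post; the 64-character threshold and the tag names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Sample lines reconstructed from the post (line wraps rejoined); the last one is a
# constructed benign ftp connect so the summary has something to ignore.
SAMPLE_LOG = [
    "Sep 26 08:04:23 ns1 imapd[527]: AUTHENTICATE " + "A" * 80 + " failure host=[192.115.50.37]",
    "Sep 26 08:04:23 ns1 imapd[527]: Connection reset by peer, while reading line user=??? host=[192.115.50.37]",
    "Sep 26 21:37:39 ns1 imapd[1662]: System break-in attempt, host=[192.115.50.37]",
    "Sep 27 16:53:23 ns1 in.ftpd[15947]: connect from 194.90.255.10",
    "Sep 27 16:53:43 ns1 in.timed[15961]: connect from 194.90.255.10",
    "Sep 27 17:05:56 ns1 rshd[16029]: Connection from 194.90.255.10 on illegal port",
    "Sep 27 17:05:57 ns1 rshd[16030]: Connection from 194.90.255.10 on illegal port",
    "Sep 27 18:00:00 ns1 in.ftpd[16100]: connect from 10.0.0.5",
]

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
MAX_AUTH_ARG = 64  # assumed: a real AUTHENTICATE mechanism name is a short token

def classify(line):
    """Return (tag, source_ip) for a line that matches a known signature, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m["prog"], m["msg"]
    ip = IP_RE.search(msg)
    if not ip:
        return None
    ip = ip.group(1)
    if prog == "imapd":
        auth = re.match(r"AUTHENTICATE (\S+) failure", msg)
        if auth and len(auth.group(1)) >= MAX_AUTH_ARG:
            return ("imap-auth-overflow", ip)   # oversized argument: overflow attempt
        if msg.startswith("System break-in attempt"):
            return ("imap-break-in", ip)        # patched imapd rejected the exploit
    elif prog == "rshd" and msg.endswith("on illegal port"):
        return ("rsh-illegal-port", ip)         # rsh from a non-privileged source port
    elif prog == "in.timed" and msg.startswith("connect from"):
        return ("probe-unconfigured-service", ip)  # service listed in inetd but absent
    elif prog == "in.ftpd" and msg.startswith("connect from"):
        return ("ftp-connect", ip)              # ordinary connect, kept for context only
    return None

def summarize(lines):
    """Map source IP -> Counter of signature tags seen from it."""
    per_host = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            per_host[hit[1]][hit[0]] += 1
    return per_host

def suspicious_hosts(per_host):
    """Sources with at least one attack signature, not merely plain connects."""
    return sorted(ip for ip, c in per_host.items() if any(t != "ftp-connect" for t in c))

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in suspicious_hosts(report):
        print(ip, dict(report[ip]))
```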


=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il