Just for the record, I have a packet inspecting NAT router which will
kill attempts at portscans and many other nefarious activities. The
computer is running MacOS X Server with its firewall running but it
does allow ssh connections, IMAP and http. So a hacking script which
just attempts ssh logins like this will get through.
This is an excerpt from the system log. As you can see the script
first looks for test/guest logins left by idiot administrators/service
engineers, then tries a couple of possible bugs before finally hacking
away at the root account trying to guess the non-existent password.
Sep 5 12:56:11 ernest1 xinetd[391]: START: ssh pid=7593 from=38.112.102.152
Sep 5 12:56:13 ernest1 sshd[7593]: Illegal user test from 38.112.102.152
Sep 5 12:56:13 ernest1 xinetd[391]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Sep 5 12:56:13 ernest1 xinetd[391]: START: ssh pid=7595 from=38.112.102.152
Sep 5 12:56:16 ernest1 sshd[7595]: Illegal user guest from 38.112.102.152
Sep 5 12:56:16 ernest1 xinetd[391]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Sep 5 12:56:16 ernest1 xinetd[391]: START: ssh pid=7597 from=38.112.102.152
Sep 5 12:56:18 ernest1 sshd[7597]: Illegal user admin from 38.112.102.152
Sep 5 12:56:19 ernest1 xinetd[391]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Sep 5 12:56:19 ernest1 xinetd[391]: START: ssh pid=7599 from=38.112.102.152
Sep 5 12:56:21 ernest1 sshd[7599]: Illegal user admin from 38.112.102.152
Sep 5 12:56:22 ernest1 xinetd[391]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Sep 5 12:56:22 ernest1 xinetd[391]: START: ssh pid=7601 from=38.112.102.152
Sep 5 12:56:24 ernest1 sshd[7601]: Illegal user user from 38.112.102.152
Sep 5 12:56:24 ernest1 xinetd[391]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Sep 5 12:56:24 ernest1 xinetd[391]: START: ssh pid=7603 from=38.112.102.152
Sep 5 12:56:27 ernest1 sshd[7603]: Failed password for root from 38.112.102.152 port 50005 ssh2
Sep 5 12:56:27 ernest1 xinetd[391]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Sep 5 12:56:27 ernest1 xinetd[391]: START: ssh pid=7605 from=38.112.102.152
Sep 5 12:56:30 ernest1 sshd[7605]: Failed password for root from 38.112.102.152 port 50094 ssh2
He went on for another hour and a half trying to guess the root login
password. Then I shut the sshd down to make him go away.
Bill Northcott
On 15/09/2004, at 6:28 AM, Rich Cook wrote:
Hi,
I don't have any indications of such hacking activity, probably
because I use Mac OSX's built-in software firewall. I suppose it
would be obvious? What are the messages that make you think you're
being guessed at? Something like "attempt to log in as root failed
due to too many attempts"?
Just curious about what's out there. Thanks.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Scitech mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/scitech/email@hidden
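As an added example, not code from Bill's post or from the list: a small Python script that answers Rich's question by pulling the two sshd messages shown in the excerpt ("Illegal user X from IP" and "Failed password for X from IP port N ssh2") out of syslog-style lines, tallying them per source address, and flagging an address once it has made several failures inside a short sliding window (so a guesser who keeps going for an hour and a half is caught as soon as any one minute is dense enough). The sample input reuses the sshd lines from the excerpt and adds two constructed lines from an assumed address 10.0.0.5 (one wrong password, then a key login) for contrast; the year 2004 is an assumption, since syslog timestamps carry none, and the thresholds are illustrative.

```python
"""Spot ssh login guessing in syslog-style sshd lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# The two sshd messages that appear in the log excerpt above: a probe for a
# user that does not exist, and a wrong password for a user that does.
ILLEGAL_USER = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\S+)")
FAILED_PASSWORD = re.compile(
    r"sshd\[\d+\]: Failed password for (\S+) from (\S+) port \d+ ssh2")
TIMESTAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")


def parse_timestamp(line, year=2004):
    """syslog lines carry no year, so the caller supplies one (2004 assumed)."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def summarize(lines, year=2004):
    """Per source address: usernames tried, counts, and attempt timestamps."""
    per_ip = defaultdict(lambda: {"usernames": [], "illegal": 0,
                                  "failed": 0, "times": []})
    for line in lines:
        kind, m = "illegal", ILLEGAL_USER.search(line)
        if not m:
            kind, m = "failed", FAILED_PASSWORD.search(line)
        if not m:
            continue  # xinetd START lines, setsockopt noise, successful logins
        user, ip = m.group(1), m.group(2)
        rec = per_ip[ip]
        rec[kind] += 1
        if user not in rec["usernames"]:
            rec["usernames"].append(user)
        ts = parse_timestamp(line, year)
        if ts is not None:
            rec["times"].append(ts)
    return dict(per_ip)


def flag_bruteforce(summary, min_attempts=5, window_seconds=60):
    """Addresses with >= min_attempts failures inside any window_seconds span."""
    flagged = []
    for ip, rec in summary.items():
        times = sorted(rec["times"])
        lo = 0
        for hi, t in enumerate(times):
            # slide the left edge forward until the window fits
            while (t - times[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= min_attempts:
                flagged.append(ip)
                break
    return flagged


# The sshd lines from the excerpt above, plus two constructed lines from an
# assumed second address (one bad password, then a key login) that must
# NOT be flagged.
SAMPLE_LOG = """\
Sep 5 12:56:11 ernest1 xinetd[391]: START: ssh pid=7593 from=38.112.102.152
Sep 5 12:56:13 ernest1 sshd[7593]: Illegal user test from 38.112.102.152
Sep 5 12:56:16 ernest1 sshd[7595]: Illegal user guest from 38.112.102.152
Sep 5 12:56:18 ernest1 sshd[7597]: Illegal user admin from 38.112.102.152
Sep 5 12:56:21 ernest1 sshd[7599]: Illegal user admin from 38.112.102.152
Sep 5 12:56:24 ernest1 sshd[7601]: Illegal user user from 38.112.102.152
Sep 5 12:56:27 ernest1 sshd[7603]: Failed password for root from 38.112.102.152 port 50005 ssh2
Sep 5 12:56:30 ernest1 sshd[7605]: Failed password for root from 38.112.102.152 port 50094 ssh2
Sep 5 13:02:41 ernest1 sshd[7650]: Failed password for bill from 10.0.0.5 port 51200 ssh2
Sep 5 13:02:49 ernest1 sshd[7652]: Accepted publickey for bill from 10.0.0.5 port 51201 ssh2
""".splitlines()


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, rec in summary.items():
        print(f"{ip}: {rec['illegal']} unknown users, {rec['failed']} bad "
              f"passwords, tried {rec['usernames']}")
    print("flagged:", flag_bruteforce(summary))
```

Run against a real /var/log/system.log the thresholds would want tuning; the point is that the log already contains everything needed to tell a guessing script (many "Illegal user" probes followed by repeated root failures from one address in seconds) from a single mistyped password.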