Sunday, March 29, 2009
Someone is trying to hack into my computer!!
Anyway, I was cruising the 'net, looking for information regarding the War in Iraq for my Mom, when I got a kernel fault, which is weird, because my Fedora 10 install is pretty stable. It made me wonder, so I looked into the several sysadmin logs that Linux writes, and saw that, for about an hour, someone was trying to log into my computer with various usernames, including "root", which is the superuser, or all-powerful user. (When logged in as "root", a person can do anything to the computer, unlike when logged in as a regular user.)
Mar 29 04:33:39 localhost sshd[7653]: Did not receive identification string from 93.100.242.3
Mar 29 04:42:31 localhost unix_chkpwd[7656]: password check failed for user (root)
Mar 29 04:42:31 localhost sshd[7654]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=93.100.242.3 user=root
Mar 29 04:42:33 localhost sshd[7654]: Failed password for root from 93.100.242.3 port 52449 ssh2
Mar 29 04:42:33 localhost sshd[7655]: Received disconnect from 93.100.242.3: 11: Bye Bye
He tried logging in as root 12 times. Then he tried to log in with other usernames, interspersed with more tries as "root". Here's a sample of the log file:
Mar 29 04:43:00 localhost unix_chkpwd[7687]: password check failed for user (root)
Mar 29 04:43:03 localhost unix_chkpwd[7690]: password check failed for user (root)
Mar 29 04:43:05 localhost sshd[7691]: Invalid user admin from 93.100.242.3
Mar 29 04:43:05 localhost sshd[7688]: Failed password for root from 93.100.242.3 port 59174 ssh2
Mar 29 04:43:07 localhost sshd[7691]: Failed password for invalid user admin from 93.100.242.3 port 59546 ssh2
Mar 29 04:43:07 localhost unix_chkpwd[7695]: password check failed for user (root)
Mar 29 04:43:09 localhost sshd[7696]: Invalid user miquelfi from 93.100.242.3
Mar 29 04:43:09 localhost sshd[7693]: Failed password for root from 93.100.242.3 port 59997 ssh2
Mar 29 04:43:11 localhost unix_chkpwd[7700]: password check failed for user (root)
Mar 29 04:43:11 localhost sshd[7696]: Failed password for invalid user miquelfi from 93.100.242.3 port 60401 ssh2
Mar 29 04:43:13 localhost sshd[7698]: Failed password for root from 93.100.242.3 port 60823 ssh2
Mar 29 04:43:13 localhost unix_chkpwd[7704]: password check failed for user (root)
Mar 29 04:43:15 localhost sshd[7703]: Invalid user fax from 93.100.242.3
Mar 29 04:43:15 localhost sshd[7701]: Failed password for root from 93.100.242.3 port 33103 ssh2
Mar 29 04:43:15 localhost unix_chkpwd[7708]: password check failed for user (root)
Mar 29 04:43:17 localhost sshd[7703]: Failed password for invalid user fax from 93.100.242.3 port 33508 ssh2
Mar 29 04:43:17 localhost unix_chkpwd[7711]: password check failed for user (root)
Mar 29 04:43:17 localhost sshd[7706]: Failed password for root from 93.100.242.3 port 33609 ssh2
Mar 29 04:43:19 localhost sshd[7709]: Failed password for root from 93.100.242.3 port 33946 ssh2
Mar 29 04:43:19 localhost sshd[7712]: Invalid user pgsl from 93.100.242.3
Mar 29 04:43:19 localhost unix_chkpwd[7716]: password check failed for user (root)
Mar 29 04:43:20 localhost sshd[7712]: Failed password for invalid user pgsl from 93.100.242.3 port 34365 ssh2
Mar 29 04:43:21 localhost sshd[7714]: Failed password for root from 93.100.242.3 port 34440 ssh2
Mar 29 04:43:21 localhost sshd[7717]: Invalid user admin from 93.100.242.3
Mar 29 04:43:22 localhost sshd[7719]: Invalid user postgres from 93.100.242.3
Mar 29 04:43:23 localhost unix_chkpwd[7723]: password check failed for user (root)
Mar 29 04:43:24 localhost sshd[7717]: Failed password for invalid user admin from 93.100.242.3 port 34817 ssh2
Mar 29 04:43:24 localhost sshd[7719]: Failed password for invalid user postgres from 93.100.242.3 port 35137 ssh2
Mar 29 04:43:25 localhost sshd[7721]: Failed password for root from 93.100.242.3 port 35251 ssh2
Mar 29 04:43:26 localhost unix_chkpwd[7730]: password check failed for user (root)
Mar 29 04:43:27 localhost sshd[7726]: Invalid user postgres from 93.100.242.3
Mar 29 04:43:27 localhost unix_chkpwd[7731]: password check failed for user (root)
Mar 29 04:43:28 localhost sshd[7724]: Failed password for root from 93.100.242.3 port 35927 ssh2
Mar 29 04:43:29 localhost sshd[7728]: Failed password for root from 93.100.242.3 port 36219 ssh2
Mar 29 04:43:30 localhost unix_chkpwd[7738]: password check failed for user (root)
Mar 29 04:43:31 localhost unix_chkpwd[7739]: password check failed for user (root)
That's 30 SECONDS of trying to get in!!
You can see that he tried different ports, different usernames (including root), and different shells (ssh and ssh2), in combinations. For an hour. He may be trying to get in right now, while I'm writing this blog, though I did disable the secure shell program (ssh, ssh2). Secure shell is used to remotely operate a computer.
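The pattern in the log above (many failed passwords from one address within seconds, cycling through root and a list of guessed usernames) is exactly what a brute-force detector looks for. Here is an added example, not code from the original post, that parses sshd "Failed password" lines and flags any source address that produces a burst of failures inside a sliding window. The log lines are a constructed sample modelled on the ones quoted in the post, and the year (2009) is an assumption because syslog timestamps carry none; the threshold and window size are illustrative defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the sshd lines quoted in the post; it is not the
# author's full log. The two "scarter" lines and 192.0.2.10 are invented so the
# detector has a legitimate user to leave alone.
SAMPLE_LOG = """\
Mar 29 04:42:33 localhost sshd[7654]: Failed password for root from 93.100.242.3 port 52449 ssh2
Mar 29 04:43:05 localhost sshd[7691]: Invalid user admin from 93.100.242.3
Mar 29 04:43:07 localhost sshd[7691]: Failed password for invalid user admin from 93.100.242.3 port 59546 ssh2
Mar 29 04:43:09 localhost sshd[7693]: Failed password for root from 93.100.242.3 port 59997 ssh2
Mar 29 04:43:11 localhost sshd[7696]: Failed password for invalid user miquelfi from 93.100.242.3 port 60401 ssh2
Mar 29 04:43:13 localhost sshd[7698]: Failed password for root from 93.100.242.3 port 60823 ssh2
Mar 29 04:43:15 localhost sshd[7701]: Failed password for root from 93.100.242.3 port 33103 ssh2
Mar 29 04:43:17 localhost sshd[7703]: Failed password for invalid user fax from 93.100.242.3 port 33508 ssh2
Mar 29 09:12:40 localhost sshd[8001]: Accepted publickey for scarter from 192.0.2.10 port 40001 ssh2
Mar 29 09:15:02 localhost sshd[8010]: Failed password for scarter from 192.0.2.10 port 40002 ssh2
Mar 29 17:43:15 localhost sshd[3113]: Failed password for root from 173.45.67.210 port 54402 ssh2
Mar 29 17:43:25 localhost sshd[3126]: Failed password for root from 173.45.67.210 port 55901 ssh2
"""

# One sshd "Failed password" line; "invalid user" is present when the account
# does not exist, absent when it does (root, scarter).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2009):
    """Return (timestamp, username, source_ip) for every failed-password line.

    Syslog lines carry no year, so the caller supplies one (assumed 2009 here).
    "Invalid user", "Accepted", and unix_chkpwd lines are skipped on purpose:
    each failure already produces exactly one "Failed password" line.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failures inside any sliding window.

    Returns {ip: summary}. The peak-in-window count is what distinguishes a
    scripted attack (dozens of tries per minute) from a human mistyping once.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, user))

    findings = {}
    for ip, hits in by_ip.items():
        start, peak = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {
                "failures": len(hits),
                "peak_in_window": peak,
                "usernames": sorted({u for _, u in hits}),
                "root_attempts": sum(1 for _, u in hits if u == "root"),
                "first": hits[0][0],
                "last": hits[-1][0],
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures, {info['peak_in_window']} within a minute, "
              f"{info['root_attempts']} against root, users={info['usernames']}, "
              f"{info['first']:%H:%M:%S}..{info['last']:%H:%M:%S}")
```

On the sample the only address flagged at the default threshold is 93.100.242.3 (seven failures in 44 seconds, four of them against root); the single failed login from 192.0.2.10 and the two slow tries from 173.45.67.210 fall below it. This is the same idea tools like fail2ban implement, except that they then add a firewall rule for the offending address. The standard mitigations in sshd_config, independent of any detector, are `PermitRootLogin no` and `PasswordAuthentication no` (key-based logins only), which turn a password-guessing run into noise that cannot succeed.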
Just for kicks, I checked out his IP number: 93.100.242.3 and found this information with the "whois" command:
[Sun Mar 29 19:46:12 scarter@hawkeye ~]$ whois 93.100.242.3
[Querying whois.arin.net]
[Redirected to whois.ripe.net:43]
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% I'm taking this line out because it's a web address that could possibly install malware on your computer if you check it out.
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '93.100.240.0 - 93.100.255.255'
inetnum: 93.100.240.0 - 93.100.255.255
netname: PULNET
descr: LLC "Pulnet" Network
country: RU
admin-c: AKA36-RIPE
tech-c: AKA36-RIPE
status: ASSIGNED PA
mnt-by: MNT-SKNT
source: RIPE # Filtered
person: Anton Korbin
address: 196240 Saint-Petersburg
address: Varshavskaya 79
phone: +7 812 325 23 25
e-mail: noc@pulnet.ru
nic-hdl: AKA36-RIPE
source: RIPE # Filtered
% Information related to '93.100.240.0/20AS35807'
route: 93.100.240.0/20
descr: LLC "Pulnet" Network
origin: AS35807
mnt-by: MNT-SKNT
source: RIPE # Filtered
% Information related to '93.100.0.0/16AS35807'
route: 93.100.0.0/16
descr: SkyNet Networks
origin: AS35807
mnt-by: MNT-SKNT
source: RIPE # Filtered
% Information related to '93.100.128.0/17AS35807'
route: 93.100.128.0/17
descr: SkyNet Networks
origin: AS35807
mnt-by: MNT-SKNT
source: RIPE # Filtered
% Information related to '93.100.192.0/18AS35807'
route: 93.100.192.0/18
descr: SkyNet Networks
origin: AS35807
mnt-by: MNT-SKNT
source: RIPE # Filtered
So that tells me the IP number is from Russia (country: RU). I don't know if this information is real.
Further along, he started using very different usernames:
Mar 29 05:30:53 localhost sshd[21721]: input_userauth_request: invalid user mapview
Mar 29 05:30:58 localhost sshd[21724]: pam_succeed_if(sshd:auth): error retrieving information about user helpdesk
Mar 29 05:30:59 localhost sshd[21722]: Failed password for invalid user chris from 93.100.242.3 port 35013 ssh2
Mar 29 05:31:02 localhost sshd[21728]: Invalid user frank from 93.100.242.3
Mar 29 05:31:08 localhost sshd[21733]: input_userauth_request: invalid user agencia
Mar 29 05:33:38 localhost sshd[21808]: Failed password for invalid user contabilida
and many, many more.
Then someone else got into the action:
Mar 29 17:43:15 localhost sshd[3113]: Failed password for root from 173.45.67.210 port 54402 ssh2
Mar 29 17:43:25 localhost sshd[3126]: Failed password for root from 173.45.67.210 port 55901 ssh2
et cetera, et cetera, et cetera...
whois for 173.45.67.210 gives the following information:
[Sun Mar 29 21:38:32 scarter@hawkeye ~]$ whois 173.45.67.210
[Querying whois.arin.net]
[whois.arin.net]
eNET Inc. ENET-XLHOST-2 (NET-173-45-64-0-1)
173.45.64.0 - 173.45.95.255
XLHost.com Inc XLHOST-MPATEL1-5073 (NET-173-45-67-208-1)
173.45.67.208 - 173.45.67.223
# ARIN WHOIS database, last updated 2009-03-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
This pretty much shocked the hell out of me. So far, I haven't seen any new syslog messages regarding the secure shell. (But it's shut down, remember?)
I called my friend Jim up, who does system administration for a living. He told me this happens all the time. He was a bit concerned that they actually got to the open ports, that maybe my modem has been compromised also. He figures they are just looking for another bot for their botnet. You can tell that the login attempts were run by a program.
Jim suggested I install Wireshark, which is a packet sniffing program. It'll tell me where my incoming and outgoing packets are coming from, and going to. I'm downloading it now. I'll let it run overnight.
I don't have anything on this computer to worry about, and I plan to install Fedora 11 when it comes out in a couple of months, which would mean a hard disc wipe anyway. So in the meantime, I'll have fun snooping around.
I wonder how easy it would be to get into a Windows machine....
EDIT:
I just looked at the syslog for last week, and all I can say is "HOLY SHIT!!" For hours upon hours, nearly every day, there was someone from Poland trying to get into my computer:
[Sun Mar 29 22:20:13 scarter@hawkeye ~]$ whois 212.2.125.67
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '212.2.96.0 - 212.2.127.255'
inetnum: 212.2.96.0 - 212.2.127.255
org: ORG-PN5-RIPE
netname: PL-PLUSGSM-990819
descr: Polkomtel S.A.
country: PL
admin-c: PKL1-RIPE
tech-c: PKL1-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: POLKOMTEL-MNT
source: RIPE # Filtered
organisation: ORG-PN5-RIPE
org-name: Polkomtel S.A.
org-type: LIR
address: Polkomtel S.A.
Ireneusz Neska
ul. Postepu 3
02-676 Warsaw
POLAND
phone: +48 22 426 5709
fax-no: +48 22 426 0088
abuse-mailbox: abuse@polkomtel.com.pl
admin-c: AS114-RIPE
admin-c: IN3-RIPE
admin-c: KK1860-RIPE
admin-c: SO1236-RIPE
mnt-ref: POLKOMTEL-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
role: PlusGSM IP Team
address: Polkomtel S.A.
address: ul. Postepu 3
address: 02-676 Warszawa
address: Poland
phone: +48 22 4261599
phone: +48 601 131599
fax-no: +48 22 4260099
remarks: Plus (pl.plusgsm) registry administration
remarks: ---
remarks: Registry contact: registry@plus.pl
remarks: Spam and abuse reports: abuse@plus.pl
remarks: ---
abuse-mailbox: abuse@plus.pl
admin-c: IN3-RIPE
tech-c: KK1860-RIPE
tech-c: SO1236-RIPE
tech-c: DCH3-RIPE
nic-hdl: PKL1-RIPE
mnt-by: POLKOMTEL-MNT
source: RIPE # Filtered
% Information related to '212.2.96.0/19AS8374'
route: 212.2.96.0/19
descr: PlusGSM Net
descr: Warsaw, Poland
origin: AS8374
mnt-by: POLKOMTEL-MNT
source: RIPE # Filtered
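Both whois lookups in this post (the RIPE answers for 93.100.242.3 and for 212.2.125.67) come back in RPSL format: one "key: value" attribute per line, objects separated by blank lines, "%" comment lines, and continuation lines indented under the previous attribute. The ARIN answer for 173.45.67.210 uses a different, summary layout and is not handled here. The following is an added example, not code from the original post, that parses RPSL output into objects and pulls out the fields an abuse report needs (covering range, country, abuse mailbox, announcing AS). The input is a constructed sample trimmed from the Polkomtel output above, with the multi-line address written as RPSL continuation lines so that case is exercised.

```python
# Constructed sample in RIPE RPSL layout, trimmed from the whois output quoted
# in the post. The indented lines under "address:" are continuation lines.
SAMPLE_WHOIS = """\
% This is the RIPE Whois query server #3.
% Note: This output has been filtered.

% Information related to '212.2.96.0 - 212.2.127.255'

inetnum:        212.2.96.0 - 212.2.127.255
org:            ORG-PN5-RIPE
netname:        PL-PLUSGSM-990819
descr:          Polkomtel S.A.
country:        PL
admin-c:        PKL1-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

organisation:   ORG-PN5-RIPE
org-name:       Polkomtel S.A.
address:        Polkomtel S.A.
                ul. Postepu 3
                02-676 Warsaw
                POLAND
abuse-mailbox:  abuse@polkomtel.com.pl
source:         RIPE # Filtered

route:          212.2.96.0/19
descr:          PlusGSM Net
origin:         AS8374
mnt-by:         POLKOMTEL-MNT
source:         RIPE # Filtered
"""


def parse_rpsl(text):
    """Split whois output into objects; each object is a list of (key, value).

    Repeated keys (several "admin-c:" lines) are kept in order rather than
    collapsed into a dict. Objects end at a blank line or a "%" comment line.
    A "#" starts an end-of-line comment in RPSL, so "RIPE # Filtered" -> "RIPE".
    """
    objects, current = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("%"):
            if current:
                objects.append(current)
                current = []
            continue
        if line[0].isspace() and current:
            # Continuation line: belongs to the attribute just above it.
            key, value = current[-1]
            current[-1] = (key, value + "\n" + line.strip())
            continue
        key, _, value = line.partition(":")
        value = value.split("#", 1)[0].strip()
        current.append((key.strip(), value))
    if current:
        objects.append(current)
    return objects


def first(obj, key):
    """Value of the first attribute named `key` in an object, or None."""
    for k, v in obj:
        if k == key:
            return v
    return None


def summarize(objects):
    """Collect what an abuse report needs from the parsed objects.

    The first attribute of an RPSL object names its class (inetnum, route,
    organisation, person, role), so that is what the summary keys on.
    """
    summary = {"range": None, "netname": None, "country": None,
               "abuse": None, "origins": []}
    for obj in objects:
        cls = obj[0][0]
        if cls == "inetnum":
            summary["range"] = first(obj, "inetnum")
            summary["netname"] = first(obj, "netname")
            summary["country"] = first(obj, "country")
        elif cls == "route":
            summary["origins"].append(first(obj, "origin"))
        if summary["abuse"] is None and first(obj, "abuse-mailbox"):
            summary["abuse"] = first(obj, "abuse-mailbox")
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_rpsl(SAMPLE_WHOIS)).items():
        print(f"{key:8} {value}")
```

As the post notes, the country and contact fields describe whoever registered the address block, not the person behind the login attempts; a brute-forcing host is most often itself a compromised machine, so the useful action is a report to the abuse mailbox with the log excerpt attached, not a conclusion about who is "from Russia" or "from Poland".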
Saturday, March 28, 2009
Quite busy today, on the computer

I'd hate to see the commercialization of personal blogs. If people start thinking they can make money with their blogs...where will it end? There are enough shock-jocks, amateur videographers, and second-rate newsmen out there already. It'll probably end up with 90% porno-blogs and 10% bum-fights.
This may shock you at first so steel yourself for the idea. Ready? We are going to start paying bloggers. Soon you will be blogging for dollars. That's right people, chocolate is to peanut butter like AdSense is to blogs. Or is it the other way around? Either way, we've got something big here folks.
You may have noticed that we recently removed our ads from Blogger powered blogs. We were making money from those ads but you weren't getting any of it. Now, we're inviting you to set up your own Bloggerized AdSense account so that you make the money. What's the catch? We're going to take some of the action. Based on what we have learned from AdSense so far, this will work out very nicely for both of us. Please note that this program is optional and that it is not required for you to have a Blogger powered blog-all bloggers are invited.
-- From Blogger's help site.
I spent most of the morning trying to figure out how to make the date and time show up on my console (text) screen, in Linux. I knew there was a way to have it displayed in the prompt, but rooting out the answer wasn't easy.
The standard prompt is the username@hostname followed by the current directory (~ represents the users home directory):
[scarter@hawkeye ~]$
My username is scarter.
My computer's name is hawkeye (as in E-2 Hawkeye, not the guy from M.A.S.H, or the scout from The Last of the Mohicans).
But how to insert the date and time?
It turns out to be pretty easy, once I knew what to do. If I edit the file /etc/bashrc, I can change the PS1 variable to display what I want. bashrc is a text file that contains Run Control information for the bash command interpreter. Hence, bashrc.
The part of the file that I needed to change is:
PS1="[\u@\h \W]\\$ "
\u  the username of the current user
\h  the hostname up to the first '.'
\W  the basename of the current working directory, with $HOME abbreviated with a tilde
\$  if the effective UID is 0, a #, otherwise a $
(that means for user "root", you get a pound sign; for any other user, you get a dollar sign)
and at the same spot I found those definitions, I found these:
\d  the date in "Weekday Month Date" format (e.g., "Tue May 26")
\t  the current time in 24-hour HH:MM:SS format
So, all I had to do was add those two commands:
PS1="[\d \t \u@\h \W]\\$ "
and I got the prompt that I wanted
[Sat Mar 28 13:27:43 scarter@hawkeye ~]$
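To show exactly what bash does with that PS1 string, here is an added example (not from the original post) that expands the prompt escapes the post lists, \u \h \W \d \t and \$, plus \w and \\, which are not on the page but follow the same rules. The context (user, host, directory, UID, clock) is passed in explicitly so the result is reproducible; the timestamp used below is the one from the author's prompt. Note that inside the double quotes in /etc/bashrc the shell turns \\$ into \$, so the string bash actually expands is [\d \t \u@\h \W]\$ .

```python
import os
from datetime import datetime


def expand_ps1(ps1, *, user, host, cwd, home, uid, now):
    """Expand a bash PS1 string the way the shell does for the listed escapes.

    Handles \\u \\h \\H \\w \\W \\d \\t \\$ and \\\\; any other backslash
    sequence is left verbatim. `now` is injected instead of read from the
    clock so the output is deterministic.
    """
    out = []
    i = 0
    while i < len(ps1):
        ch = ps1[i]
        if ch != "\\" or i + 1 >= len(ps1):
            out.append(ch)
            i += 1
            continue
        code = ps1[i + 1]
        i += 2
        if code == "u":
            out.append(user)
        elif code == "h":                       # hostname up to the first '.'
            out.append(host.split(".", 1)[0])
        elif code == "H":                       # full hostname
            out.append(host)
        elif code == "w":                       # full path, $HOME shown as ~
            out.append(_tilde(cwd, home))
        elif code == "W":                       # basename only, $HOME shown as ~
            short = _tilde(cwd, home)
            out.append(short if short == "~" else (os.path.basename(cwd) or "/"))
        elif code == "d":                       # "Sat Mar 28"
            out.append(now.strftime("%a %b %d"))
        elif code == "t":                       # 24-hour HH:MM:SS
            out.append(now.strftime("%H:%M:%S"))
        elif code == "$":                       # '#' for root, '$' otherwise
            out.append("#" if uid == 0 else "$")
        elif code == "\\":
            out.append("\\")
        else:                                   # unknown escape: keep as written
            out.append("\\" + code)
    return "".join(out)


def _tilde(cwd, home):
    """Replace a leading $HOME with '~' (what bash does for \\w and \\W)."""
    if cwd == home:
        return "~"
    if cwd.startswith(home.rstrip("/") + "/"):
        return "~" + cwd[len(home.rstrip("/")):]
    return cwd


if __name__ == "__main__":
    # Constructed context matching the prompt shown in the post.
    print(expand_ps1(r"[\d \t \u@\h \W]\$ ", user="scarter", host="hawkeye",
                     cwd="/home/scarter", home="/home/scarter", uid=500,
                     now=datetime(2009, 3, 28, 13, 27, 43)))
```

A timestamp in the prompt is more than decoration when you are chasing something like the SSH attempts in the post above: every command you paste from a terminal transcript then carries its own time, which can be lined up against syslog without guessing.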
Friday, March 27, 2009
Now I've got music
There is a free audio codec which loses no quality during compression. It's called FLAC. I can use that when I rip the CDs that I own. There is also the ogg-vorbis compression codec out there, but I need to read up on these a bit more before I choose a personal favorite. Though I like to say "ogg-vorbis". It sounds very intimidating: "Commander, bring me the ogg-vorbis! It shall assist me in prying the secrets from this rebel spy."
The first song I played?
Video Killed the Radio Star by Buggles from Age Of Plastic
Of course.
Thursday, March 26, 2009
Pidgin
I used to run Gaim, but that was way back during the Fedora Core 4 years. Pidgin is the upgrade.
W2 showed some interest in Linux, so I'll post about interesting features that I find. For instance, here is an article that points out just how evil Microsoft's EULA is.
As an unknown feature, since I joined Google Chat, when people I know who have gmail accounts log in, they show up on my IM screen. That seems a bit presumptuous to me because I may not like them! Furthermore, they may not like me either!
Sunday, March 22, 2009
DOOM up and running!
I actually got to bring out my old Ultimate Doom CD because while the game software (Vavoom) is free, being a port (Computer Science. To modify (software) for use on a different machine or platform) of the original program, the wadfiles are still protected by copyright.
One new feature I've found to be very helpful is the Tomboy Notes program. As I went through each possibility that came to mind, eliminating them one by one, I'd keep a note about it. This kept me from repeating mistakes, and helped me keep focused on the next possible problem.
Friday, March 20, 2009
Network problem not-so-solved!
In the meantime, I'm having lots of fun poking around the new OS. It really rocks! I've got a weather report that updates every 15 minutes right on my top Panel. There's an applet that will chart stocks. Right now, I'm downloading the Open Source files to play DOOM! DOOM, man! Fucking DOOM!!!! That's just so cool, that if you don't know what I'm talking about, you don't know what you missed about 16 years ago.
Upgrading to Fedora 10 is a combination of Retro and Neo that's awe-inspiring. New stuff: It's got a built-in firewall and SELinux for security. I can encrypt my HD. Firefox has a plethora of new features, and I've only been playing with this for a couple of hours. Yet, I can still read the comforting words of Wanda the Fish telling me that "Today is Prickle-Prickle, the 6th day of Discord in the YOLD 3175."
Wednesday, March 18, 2009
Network problem solved!
Next step is to install FC10 to the hard drive. That'll require a bit of thought first, because I want to set up the /home directory on a separate hard drive, so that next time I upgrade, I can wipe hda to install FC11, but keep hdb intact, preserving all my data (pictures, music, movie clips).
I may not be as smart as I once was, but I'm twice as stubborn!
Oh yeah, I'm taking copious notes.
Sunday, March 15, 2009
I must be getting dumber as I get older
This weekend, I decided to upgrade from Fedora Core 4 to Fedora 9. I did all the important backup work, then started with my Fedora 9 LIVE CD. That seemed to work, so I installed it. Unfortunately, for some reason I can't access the internet. After hours of trying, I finally pulled out this old PCLinuxOS CD I had that I've used before as a Live CD. It does enable me to log on, but I can't download the files I need to reinstall Fedora 9, or 10, for that matter. Even this program unexpectedly crashes often. Gah, I'd hate to have to install WinXP on this computer, just so I could download Fedora 10 for a new install....
OTOH, it was an awesome day today, and I got most of the outside yard work done.
Friday, March 13, 2009

It's a nice looking shape, now to smooth it out and put the final touches on it. This one was my best, by far. I was able to do it quickly, and confidently, finishing in 35 minutes. I was fast enough that Junior didn't have to work on this one.

W2 was our Temperature Control Specialist (aka Ragboy). He kept the termination cool.
Junior did the last termination, which gave me a chance to use my BRAND NEW ladles! You can see the air sampling tube for the air monitor clearly here.
Ladle, ladle, ladle....making lead for Junior.
There's my last (I mean most recent) lead wipe! I look forward to doing those again, though it may be a year or more from now.
Here's the crew that worked on this job: Junior, me, Dennis (no nick-name yet) Bruiser, W Squared, and The Boss. Junior and I were the splicers. Dennis and W Squared were ragboys. Bruiser was our instructor, technical specialist, and main critic, and The Boss was the boss.
Tuesday, March 10, 2009
Tess is in the hospital
We didn't go out last weekend because she's in the hospital. I found out from her neighbor, Lucy, that Tess had fallen into her bathtub Friday night, and couldn't get out. She spent the night in her tub! Luckily, Tess and Lucy have a code such that each morning, Tess would turn on the living-room light, just to let Lucy know that she's OK. Saturday morning, the light didn't go on, so Lucy called Tess' brother and he found her. They had to convince her to go to the hospital, but she finally did go. Lucy told me that they suspected a stroke, but weren't sure yet.
I visited her Sunday night. I brought some Mitchell's popcorn for her, which lit her face right up! She seemed fine, and alert, but it seemed that her brain skipped a beat every now and then. Like a needle on a record skipping over a few grooves in the song. The nurses couldn't tell me anything about her condition, since I wasn't family. Tina came with me, and Tess didn't recognize her. I asked her if she was taking any drugs, but she said that she wasn't aware of any. I had thought, from talking with her, that she was on morphine or something.
I hope she's able to get better. The funny thing is, she's told me that she's ready to go. Most of her family are gone, and most of her friends. She just feels that she's lived long enough, and wouldn't mind moving on. In any case, for now, I enjoy her company, and hope she gets well.
Saturday, March 07, 2009
Wiping Lead!

With each one I got better, and more confident. The fifth wipe has excellent shape. We were able to get two done in a day, but I still needed Junior to finish each one.

