I am not the paranoid type, but I caught someone trying to hack into my computer this afternoon. That blows my mind! Especially after reading the article on the BBC about China hacking the Dalai Lama's network.
Anyway, I was cruising the 'net, looking for information regarding the War in Iraq for my Mom, when I got a kernel fault, which is weird, because my Fedora 10 install is pretty stable. It made me wonder, so I looked into the several sysadmin logs that Linux writes, and saw that, for about an hour, someone was trying to log into my computer with various usernames, including "root", which is the superuser, or all-powerful user. (When logged in as "root", a person can do anything to the computer, unlike when logged in as a regular user.)
Mar 29 04:33:39 localhost sshd[7653]: Did not receive identification string from 93.100.242.3
Mar 29 04:42:31 localhost unix_chkpwd[7656]: password check failed for user (root)
Mar 29 04:42:31 localhost sshd[7654]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=93.100.242.3 user=root
Mar 29 04:42:33 localhost sshd[7654]: Failed password for root from 93.100.242.3 port 52449 ssh2
Mar 29 04:42:33 localhost sshd[7655]: Received disconnect from 93.100.242.3: 11: Bye Bye
He tried logging in as root 12 times. Then he tried to log in with other usernames, interspersed with more tries as "root". Here's a sample of the log file:
Mar 29 04:43:00 localhost unix_chkpwd[7687]: password check failed for user (root)
Mar 29 04:43:03 localhost unix_chkpwd[7690]: password check failed for user (root)
Mar 29 04:43:05 localhost sshd[7691]: Invalid user admin from 93.100.242.3
Mar 29 04:43:05 localhost sshd[7688]: Failed password for root from 93.100.242.3 port 59174 ssh2
Mar 29 04:43:07 localhost sshd[7691]: Failed password for invalid user admin from 93.100.242.3 port 59546 ssh2
Mar 29 04:43:07 localhost unix_chkpwd[7695]: password check failed for user (root)
Mar 29 04:43:09 localhost sshd[7696]: Invalid user miquelfi from 93.100.242.3
Mar 29 04:43:09 localhost sshd[7693]: Failed password for root from 93.100.242.3 port 59997 ssh2
Mar 29 04:43:11 localhost unix_chkpwd[7700]: password check failed for user (root)
Mar 29 04:43:11 localhost sshd[7696]: Failed password for invalid user miquelfi from 93.100.242.3 port 60401 ssh2
Mar 29 04:43:13 localhost sshd[7698]: Failed password for root from 93.100.242.3 port 60823 ssh2
Mar 29 04:43:13 localhost unix_chkpwd[7704]: password check failed for user (root)
Mar 29 04:43:15 localhost sshd[7703]: Invalid user fax from 93.100.242.3
Mar 29 04:43:15 localhost sshd[7701]: Failed password for root from 93.100.242.3 port 33103 ssh2
Mar 29 04:43:15 localhost unix_chkpwd[7708]: password check failed for user (root)
Mar 29 04:43:17 localhost sshd[7703]: Failed password for invalid user fax from 93.100.242.3 port 33508 ssh2
Mar 29 04:43:17 localhost unix_chkpwd[7711]: password check failed for user (root)
Mar 29 04:43:17 localhost sshd[7706]: Failed password for root from 93.100.242.3 port 33609 ssh2
Mar 29 04:43:19 localhost sshd[7709]: Failed password for root from 93.100.242.3 port 33946 ssh2
Mar 29 04:43:19 localhost sshd[7712]: Invalid user pgsl from 93.100.242.3
Mar 29 04:43:19 localhost unix_chkpwd[7716]: password check failed for user (root)
Mar 29 04:43:20 localhost sshd[7712]: Failed password for invalid user pgsl from 93.100.242.3 port 34365 ssh2
Mar 29 04:43:21 localhost sshd[7714]: Failed password for root from 93.100.242.3 port 34440 ssh2
Mar 29 04:43:21 localhost sshd[7717]: Invalid user admin from 93.100.242.3
Mar 29 04:43:22 localhost sshd[7719]: Invalid user postgres from 93.100.242.3
Mar 29 04:43:23 localhost unix_chkpwd[7723]: password check failed for user (root)
Mar 29 04:43:24 localhost sshd[7717]: Failed password for invalid user admin from 93.100.242.3 port 34817 ssh2
Mar 29 04:43:24 localhost sshd[7719]: Failed password for invalid user postgres from 93.100.242.3 port 35137 ssh2
Mar 29 04:43:25 localhost sshd[7721]: Failed password for root from 93.100.242.3 port 35251 ssh2
Mar 29 04:43:26 localhost unix_chkpwd[7730]: password check failed for user (root)
Mar 29 04:43:27 localhost sshd[7726]: Invalid user postgres from 93.100.242.3
Mar 29 04:43:27 localhost unix_chkpwd[7731]: password check failed for user (root)
Mar 29 04:43:28 localhost sshd[7724]: Failed password for root from 93.100.242.3 port 35927 ssh2
Mar 29 04:43:29 localhost sshd[7728]: Failed password for root from 93.100.242.3 port 36219 ssh2
Mar 29 04:43:30 localhost unix_chkpwd[7738]: password check failed for user (root)
Mar 29 04:43:31 localhost unix_chkpwd[7739]: password check failed for user (root)
That's 30 SECONDS of trying to get in!! You can see that he tried different ports, different usernames, root, and different shells (ssh, and ssh2), and in combinations. For an hour. He may be trying to get in right now, while I'm writing this blog, though I did disable the secure shell program (ssh, ssh2). Secure shell is used to remotely operate a computer.
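The pattern in the excerpt above (one source address, many usernames, a failure every couple of seconds) is exactly what a brute-force detector keys on. Here is an added example, not code from the original post, that parses sshd "Failed password" lines in the same syslog format, summarizes attempts per source address, and flags any address that racks up a threshold of failures inside a sliding time window. The sample log lines are constructed for the example (a few are modelled on the post's excerpt, plus one benign failed-then-accepted login from a made-up private address 10.0.0.5); the year is a parameter because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same sshd/syslog format as the post's excerpt.
SAMPLE_LOG = """\
Mar 29 04:43:05 localhost sshd[7691]: Invalid user admin from 93.100.242.3
Mar 29 04:43:05 localhost sshd[7688]: Failed password for root from 93.100.242.3 port 59174 ssh2
Mar 29 04:43:07 localhost sshd[7691]: Failed password for invalid user admin from 93.100.242.3 port 59546 ssh2
Mar 29 04:43:09 localhost sshd[7696]: Invalid user miquelfi from 93.100.242.3
Mar 29 04:43:09 localhost sshd[7693]: Failed password for root from 93.100.242.3 port 59997 ssh2
Mar 29 04:43:11 localhost sshd[7696]: Failed password for invalid user miquelfi from 93.100.242.3 port 60401 ssh2
Mar 29 04:43:13 localhost sshd[7698]: Failed password for root from 93.100.242.3 port 60823 ssh2
Mar 29 04:43:15 localhost sshd[7703]: Invalid user fax from 93.100.242.3
Mar 29 04:43:17 localhost sshd[7703]: Failed password for invalid user fax from 93.100.242.3 port 33508 ssh2
Mar 29 04:43:17 localhost sshd[7706]: Failed password for root from 93.100.242.3 port 33609 ssh2
Mar 29 04:43:19 localhost sshd[7709]: Failed password for root from 93.100.242.3 port 33946 ssh2
Mar 29 09:12:40 localhost sshd[8001]: Failed password for scarter from 10.0.0.5 port 41000 ssh2
Mar 29 09:12:47 localhost sshd[8001]: Accepted password for scarter from 10.0.0.5 port 41000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year):
    """Return a list of (timestamp, username, source_ip) for each failed login."""
    failures = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, "Invalid user" notices, etc. are skipped
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("user"), m.group("ip")))
    return failures


def summarize(failures):
    """Per source address: number of failures, distinct usernames, first/last seen."""
    summary = {}
    for ts, user, ip in failures:
        entry = summary.setdefault(
            ip, {"attempts": 0, "users": set(), "first": ts, "last": ts}
        )
        entry["attempts"] += 1
        entry["users"].add(user)
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary


def flag_bruteforce(failures, threshold=5, window_seconds=60):
    """Return the set of addresses with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in failures:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG, 2009)
    for ip, info in summarize(found).items():
        print(f"{ip}: {info['attempts']} failures, users={sorted(info['users'])}, "
              f"{info['first'].time()} -> {info['last'].time()}")
    print("brute-force suspects:", sorted(flag_bruteforce(found)))
```

On the sample, 93.100.242.3 is flagged (8 failures across 4 usernames in 14 seconds) while 10.0.0.5, with a single typo followed by a successful login, is not. Tools such as fail2ban implement the same idea against the live log and add a firewall rule for flagged addresses; the post's remedy was to stop sshd entirely, whereas the usual way to keep the service is to set PermitRootLogin no and rely on key-based rather than password authentication in sshd_config.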
Just for kicks, I checked out his IP number: 93.100.242.3 and found this information with the "whois" command:
[Sun Mar 29 19:46:12 scarter@hawkeye ~]$ whois 93.100.242.3
[Querying whois.arin.net]
[Redirected to whois.ripe.net:43]
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% I'm taking this line out because it's a web address that could possibly install malware on your computer if you check it out.
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '93.100.240.0 - 93.100.255.255'
inetnum: 93.100.240.0 - 93.100.255.255
netname: PULNET
descr: LLC "Pulnet" Network
country: RU
admin-c: AKA36-RIPE
tech-c: AKA36-RIPE
status: ASSIGNED PA
mnt-by: MNT-SKNT
source: RIPE # Filtered
person: Anton Korbin
address: 196240 Saint-Petersburg
address: Varshavskaya 79
phone: +7 812 325 23 25
e-mail: noc@pulnet.ru
nic-hdl: AKA36-RIPE
source: RIPE # Filtered
% Information related to '93.100.240.0/20AS35807'
route: 93.100.240.0/20
descr: LLC "Pulnet" Network
origin: AS35807
mnt-by: MNT-SKNT
source: RIPE # Filtered
% Information related to '93.100.0.0/16AS35807'
route: 93.100.0.0/16
descr: SkyNet Networks
origin: AS35807
mnt-by: MNT-SKNT
source: RIPE # Filtered
% Information related to '93.100.128.0/17AS35807'
route: 93.100.128.0/17
descr: SkyNet Networks
origin: AS35807
mnt-by: MNT-SKNT
source: RIPE # Filtered
% Information related to '93.100.192.0/18AS35807'
route: 93.100.192.0/18
descr: SkyNet Networks
origin: AS35807
mnt-by: MNT-SKNT
source: RIPE # Filtered
So that tells me the IP number is from Russia (country: RU). I don't know if this information is real.
Further along, he started using much different usernames:
Mar 29 05:30:53 localhost sshd[21721]: input_userauth_request: invalid user mapview
Mar 29 05:30:58 localhost sshd[21724]: pam_succeed_if(sshd:auth): error retrieving information about user helpdesk
Mar 29 05:30:59 localhost sshd[21722]: Failed password for invalid user chris from 93.100.242.3 port 35013 ssh2
Mar 29 05:31:02 localhost sshd[21728]: Invalid user frank from 93.100.242.3
Mar 29 05:31:08 localhost sshd[21733]: input_userauth_request: invalid user agencia
Mar 29 05:33:38 localhost sshd[21808]: Failed password for invalid user contabilida
and many, many more.
Then someone else got into the action:
Mar 29 17:43:15 localhost sshd[3113]: Failed password for root from 173.45.67.210 port 54402 ssh2
Mar 29 17:43:25 localhost sshd[3126]: Failed password for root from 173.45.67.210 port 55901 ssh2
et cetera, et cetera, et cetera...
whois for 173.45.67.210 gives the following information:
[Sun Mar 29 21:38:32 scarter@hawkeye ~]$ whois 173.45.67.210
[Querying whois.arin.net]
[whois.arin.net]
eNET Inc. ENET-XLHOST-2 (NET-173-45-64-0-1)
173.45.64.0 - 173.45.95.255
XLHost.com Inc XLHOST-MPATEL1-5073 (NET-173-45-67-208-1)
173.45.67.208 - 173.45.67.223
# ARIN WHOIS database, last updated 2009-03-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
This pretty much shocked the hell out of me. So far, I haven't seen any new syslog messages regarding the secure shell. (But it's shut down, remember?)
I called my friend Jim up, who does system administration for a living. He told me this happens all the time. He was a bit concerned that they actually got to the open ports, that maybe my modem has been compromised also. He figures they are just looking for another bot for their botnet. You can tell that the login attempts were run by a program.
Jim suggested I install Wireshark, which is a packet sniffing program. It'll tell me where my incoming and outgoing packets are coming from, and going to. I'm downloading it now. I'll let it run overnight.
I don't have anything on this computer to worry about, and I plan to install Fedora 11 when it comes out in a couple of months, which would mean a hard disc wipe anyway. So in the meantime, I'll have fun snooping around.
I wonder how easy it would be to get into a Windows machine....
EDIT:
I just looked at the syslog for last week, and all I can say is "HOLY SHIT!!" For hours upon hours, nearly every day, there was someone from Poland trying to get into my computer:
[Sun Mar 29 22:20:13 scarter@hawkeye ~]$ whois 212.2.125.67
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '212.2.96.0 - 212.2.127.255'
inetnum: 212.2.96.0 - 212.2.127.255
org: ORG-PN5-RIPE
netname: PL-PLUSGSM-990819
descr: Polkomtel S.A.
country: PL
admin-c: PKL1-RIPE
tech-c: PKL1-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: POLKOMTEL-MNT
source: RIPE # Filtered
organisation: ORG-PN5-RIPE
org-name: Polkomtel S.A.
org-type: LIR
address: Polkomtel S.A.
Ireneusz Neska
ul. Postepu 3
02-676 Warsaw
POLAND
phone: +48 22 426 5709
fax-no: +48 22 426 0088
abuse-mailbox: abuse@polkomtel.com.pl
admin-c: AS114-RIPE
admin-c: IN3-RIPE
admin-c: KK1860-RIPE
admin-c: SO1236-RIPE
mnt-ref: POLKOMTEL-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
role: PlusGSM IP Team
address: Polkomtel S.A.
address: ul. Postepu 3
address: 02-676 Warszawa
address: Poland
phone: +48 22 4261599
phone: +48 601 131599
fax-no: +48 22 4260099
remarks: Plus (pl.plusgsm) registry administration
remarks: ---
remarks: Registry contact: registry@plus.pl
remarks: Spam and abuse reports: abuse@plus.pl
remarks: ---
abuse-mailbox: abuse@plus.pl
admin-c: IN3-RIPE
tech-c: KK1860-RIPE
tech-c: SO1236-RIPE
tech-c: DCH3-RIPE
nic-hdl: PKL1-RIPE
mnt-by: POLKOMTEL-MNT
source: RIPE # Filtered
% Information related to '212.2.96.0/19AS8374'
route: 212.2.96.0/19
descr: PlusGSM Net
descr: Warsaw, Poland
origin: AS8374
mnt-by: POLKOMTEL-MNT
source: RIPE # Filtered