LinuxQuestions.org
Old 03-08-2005, 06:45 PM   #1
tomjermy
LQ Newbie
 
Registered: Aug 2003
Posts: 6

Rep: Reputation: 0
AUTH/IDENT query software, hacking hackers and probably morality


Hi,

Does anyone know of a package which will query an ident/auth server? I've only seen it built in to apps like sendmail, but I need a command line program which is reasonably easy to use.

The reason I'm after this is that my internet gateway at work obviously has some hapless script monkey trying to get in with various random(ish) usernames through SSH. I found them on my logwatch; they're here...

sshd:
Authentication Failures:
root (ws246.internetdsl.tpnet.pl): 59 Time(s)
unknown (ws246.internetdsl.tpnet.pl): 42 Time(s)
adm (ws246.internetdsl.tpnet.pl): 2 Time(s)
apache (ws246.internetdsl.tpnet.pl): 1 Time(s)
mysql (ws246.internetdsl.tpnet.pl): 1 Time(s)
nobody (ws246.internetdsl.tpnet.pl): 1 Time(s)
operator (ws246.internetdsl.tpnet.pl): 1 Time(s)
Invalid Users:
Unknown Account: 42 Time(s)

There are more, it's annoying, so I did this:

nmap -T 5 -O -P0 80.55.200.246
and got this:

Interesting ports on ws246.internetdsl.tpnet.pl (80.55.200.246):
(The 1653 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
113/tcp open auth
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
667/tcp filtered unknown
668/tcp filtered unknown
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.27 with grsec
Uptime 20.631 days (since Wed Feb 16 07:39:22 2005)

Nmap finished: 1 IP address (1 host up) scanned in 79.327 seconds

Do you think that it's right for me to counter-hack? I think I like it.

Tom
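The logwatch block above is a summary, not raw log lines, but it is enough to aggregate per source host and decide which sources look like a scripted password-guessing run. The following is an added example, not code from the thread or from logwatch: it parses the "Authentication Failures:" block into per-source counts, flags sources whose pattern (many failures, several account names, guesses at root and at service accounts) indicates brute forcing, and emits the one-line summary you would paste into an abuse report. The sample text is a constructed copy of the format shown in the post, and the SERVICE_ACCOUNTS set and the threshold of 20 are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the logwatch "sshd" summary format quoted in the post.
SAMPLE_LOGWATCH = """\
sshd:
Authentication Failures:
root (ws246.internetdsl.tpnet.pl): 59 Time(s)
unknown (ws246.internetdsl.tpnet.pl): 42 Time(s)
adm (ws246.internetdsl.tpnet.pl): 2 Time(s)
apache (ws246.internetdsl.tpnet.pl): 1 Time(s)
mysql (ws246.internetdsl.tpnet.pl): 1 Time(s)
nobody (ws246.internetdsl.tpnet.pl): 1 Time(s)
operator (ws246.internetdsl.tpnet.pl): 1 Time(s)
Invalid Users:
Unknown Account: 42 Time(s)
"""

# One "user (source): N Time(s)" line of the Authentication Failures block.
FAILURE_RE = re.compile(r"^(?P<user>\S+) \((?P<source>[^)]+)\): (?P<count>\d+) Time\(s\)$")

# Accounts that exist on a typical box but have no business logging in over ssh;
# guesses against them are a strong sign of a scripted password-guessing run.
# (This list is an assumption for the example, not something from the thread.)
SERVICE_ACCOUNTS = {"adm", "apache", "bin", "daemon", "ftp", "games", "lp", "mail",
                    "mysql", "news", "nobody", "operator", "uucp"}


def parse_auth_failures(text):
    """Return {source_host: {username: failure_count}} from the
    'Authentication Failures:' block of a logwatch sshd summary."""
    per_source = defaultdict(dict)
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Authentication Failures:":
            in_block = True
            continue
        if in_block and line.endswith(":") and "(" not in line:
            in_block = False  # the next section header ("Invalid Users:") ends the block
            continue
        if not in_block:
            continue
        m = FAILURE_RE.match(line)
        if m:
            per_source[m["source"]][m["user"]] = int(m["count"])
    return dict(per_source)


def summarize_sources(per_source, threshold=20):
    """Aggregate per source host and flag hosts whose pattern looks like
    brute forcing: many failures spread across several account names, or
    repeated attempts on root together with guesses at service accounts."""
    rows = []
    for source, users in per_source.items():
        total = sum(users.values())
        tried_services = sorted(u for u in users if u in SERVICE_ACCOUNTS)
        flagged = total >= threshold and (len(users) >= 3 or "root" in users)
        rows.append({
            "source": source,
            "total": total,
            "accounts": len(users),
            "service_accounts_tried": tried_services,
            "flagged": flagged,
        })
    return sorted(rows, key=lambda r: r["total"], reverse=True)


def report_lines(rows):
    """Plain-text lines suitable for pasting into an abuse report or ticket."""
    out = []
    for r in rows:
        if not r["flagged"]:
            continue
        out.append("%s: %d ssh authentication failures across %d account names; "
                   "service accounts tried: %s"
                   % (r["source"], r["total"], r["accounts"],
                      ", ".join(r["service_accounts_tried"]) or "none"))
    return out


if __name__ == "__main__":
    for line in report_lines(summarize_sources(parse_auth_failures(SAMPLE_LOGWATCH))):
        print(line)
```

Run against a real logwatch mail, the same parser handles several source hosts at once; sorting by total puts the noisiest source first, and the flag keeps a single mistyped password from your own users out of the report.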
 
Old 03-08-2005, 07:46 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You can probably just query it with netcat or telnet, either are about as simple as you can get.

For what it's worth, most of the machines I've seen attempting these ssh "bruteforce" attacks were themselves compromised using that very same exploit, with the owner likely unaware that anything is going on. So "counter-hacking" may just succeed in hosing some random person's system. Personally I'd recommend sending an email to the ISP of the user or to the abuse@ address. Also take a look at the "SSH Login Attempts" thread at the top of the forum, where a number of solutions have been posted for dealing with these types of cracking attempts.
 
Old 03-09-2005, 04:25 AM   #3
tomjermy
LQ Newbie
 
Registered: Aug 2003
Posts: 6

Original Poster
Rep: Reputation: 0
Telnet

I tried telnet (obviously on 113) and did not get any information back at all - it kicks me off after a few chars and a CR.
 
Old 03-09-2005, 08:54 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Take a look at the ident protocol RFC to see the syntax and how it works. It uses standard ASCII characters, so both telnet and netcat will work. What exactly are you trying to accomplish by interrogating the ident daemon on the server?
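The RFC referred to above is RFC 1413. Its wire format is a single ASCII line each way, which is why telnet or netcat to port 113 works: you send "<port-on-server> , <port-on-client>" followed by CRLF, where port-on-server is the port on the host running identd and port-on-client is the port on your side of that same TCP connection, and identd answers either "... : USERID : <opsys> : <user-id>" or "... : ERROR : <error-type>". The reason telnet "kicks you off after a few chars" is that identd expects exactly that line and closes the connection after one reply. The block below is an added example, not code from the thread or from any identd implementation: a request builder, a reply parser, and a small socket client. The port pair 51234/22 and the two sample replies are constructed for the example; query_ident is a network call and is not needed to run the parsing part. Two practical caveats the RFC makes clear: the query only has meaning while the TCP connection it names is still open, and the remote identd returns whatever its owner configured (HIDDEN-USER, a fixed string, or an invented name), so the answer is at most a note to attach to an abuse report, never evidence.

```python
import socket

IDENT_PORT = 113  # RFC 1413 ident/auth service


def build_ident_request(port_on_server, port_on_client):
    """Encode one RFC 1413 query line.

    port_on_server is the TCP port on the host running identd (the host you
    are asking); port_on_client is the port on your side of that same TCP
    connection.  The query only has meaning while that connection exists."""
    for p in (port_on_server, port_on_client):
        if not 1 <= p <= 65535:
            raise ValueError("port out of range: %r" % (p,))
    return ("%d , %d\r\n" % (port_on_server, port_on_client)).encode("ascii")


def parse_ident_response(line):
    """Parse an identd reply line into a dict.

    Reply formats (RFC 1413):
      <port-on-server> , <port-on-client> : USERID : <opsys>[,<charset>] : <user-id>
      <port-on-server> , <port-on-client> : ERROR : <error-type>
    error-type is INVALID-PORT, NO-USER, HIDDEN-USER or UNKNOWN-ERROR
    (or an X-prefixed server-specific code)."""
    line = line.rstrip("\r\n")
    parts = [p.strip() for p in line.split(":", 2)]
    if len(parts) != 3:
        raise ValueError("malformed ident reply: %r" % line)
    port_pair, resp_type, rest = parts
    try:
        port_on_server, port_on_client = (int(p) for p in port_pair.split(","))
    except ValueError:
        raise ValueError("bad port pair in ident reply: %r" % port_pair)
    result = {"port_on_server": port_on_server, "port_on_client": port_on_client,
              "type": resp_type}
    if resp_type == "ERROR":
        result["error"] = rest
    elif resp_type == "USERID":
        opsys_field, _, user = rest.partition(":")
        opsys, _, charset = opsys_field.strip().partition(",")
        # RFC 1413: the charset defaults to US-ASCII when omitted.
        result.update(opsys=opsys.strip(), charset=charset.strip() or "US-ASCII",
                      user=user.strip())
    else:
        raise ValueError("unknown ident reply type: %r" % resp_type)
    return result


def query_ident(host, port_on_server, port_on_client, timeout=5.0):
    """Send one query to host's identd and return the parsed reply (network call).
    identd answers one line and closes, so read until the newline or EOF."""
    with socket.create_connection((host, IDENT_PORT), timeout=timeout) as s:
        s.sendall(build_ident_request(port_on_server, port_on_client))
        buf = b""
        while not buf.endswith(b"\n") and len(buf) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            buf += chunk
    return parse_ident_response(buf.decode("ascii", "replace"))


# Constructed sample replies, as an identd might answer a query about a
# connection from its port 51234 to our sshd on port 22 (not real captures).
SAMPLE_REPLIES = [
    "51234 , 22 : USERID : UNIX : nobody\r\n",
    "51234 , 22 : ERROR : HIDDEN-USER\r\n",
]

if __name__ == "__main__":
    print(build_ident_request(51234, 22))
    for reply in SAMPLE_REPLIES:
        print(parse_ident_response(reply))
```

To use query_ident against a live connection you need both port numbers from your own side (for example from the sshd log line or from netstat while the session is open); asking about a connection that has already been torn down gets you NO-USER or INVALID-PORT, which is the most likely result for the failed logins in a day-old logwatch report.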
 
Old 05-14-2005, 07:44 PM   #5
katmai90210
Member
 
Registered: Nov 2003
Location: Romania
Distribution: Redhat Linux , Fedora & SuSe
Posts: 46

Rep: Reputation: 15
sshd:
Authentication Failures:
root (ws246.internetdsl.tpnet.pl): 59 Time(s)
unknown (ws246.internetdsl.tpnet.pl): 42 Time(s)
adm (ws246.internetdsl.tpnet.pl): 2 Time(s)
apache (ws246.internetdsl.tpnet.pl): 1 Time(s)
mysql (ws246.internetdsl.tpnet.pl): 1 Time(s)
nobody (ws246.internetdsl.tpnet.pl): 1 Time(s)
operator (ws246.internetdsl.tpnet.pl): 1 Time(s)
Invalid Users:
Unknown Account: 42 Time(s)

What firewall are you using that generates these logs, please? Thank you.
 
  

