AUTH/IDENT query software, hacking hackers and probably morality
Hi,
Does anyone know of a package which will query an ident/auth server? I've only seen it built in to apps like sendmail, but I need a command line program which is reasonably easy to use. The reason I'm after this is that my internet gateway at work obviously has some hapless script munkey trying to get in with various random(ish) usernames through SSH. I found them on my logwatch, they're here...

sshd:
  Authentication Failures:
    root (ws246.internetdsl.tpnet.pl): 59 Time(s)
    unknown (ws246.internetdsl.tpnet.pl): 42 Time(s)
    adm (ws246.internetdsl.tpnet.pl): 2 Time(s)
    apache (ws246.internetdsl.tpnet.pl): 1 Time(s)
    mysql (ws246.internetdsl.tpnet.pl): 1 Time(s)
    nobody (ws246.internetdsl.tpnet.pl): 1 Time(s)
    operator (ws246.internetdsl.tpnet.pl): 1 Time(s)
  Invalid Users:
    Unknown Account: 42 Time(s)

There are more, it's annoying, so I did this:

  nmap -T 5 -O -P0 80.55.200.246

and got this:

  Interesting ports on ws246.internetdsl.tpnet.pl (80.55.200.246):
  (The 1653 ports scanned but not shown below are in state: closed)
  PORT     STATE     SERVICE
  21/tcp   open      ftp
  22/tcp   open      ssh
  80/tcp   open      http
  113/tcp  open      auth
  135/tcp  filtered  msrpc
  139/tcp  filtered  netbios-ssn
  445/tcp  filtered  microsoft-ds
  593/tcp  filtered  http-rpc-epmap
  667/tcp  filtered  unknown
  668/tcp  filtered  unknown
  Device type: general purpose
  Running: Linux 2.4.X
  OS details: Linux 2.4.27 with grsec
  Uptime 20.631 days (since Wed Feb 16 07:39:22 2005)

  Nmap finished: 1 IP address (1 host up) scanned in 79.327 seconds

Do you think that it's right for me to counter hack? I think I like it :)
Tom
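The logwatch summary quoted above is just a per-user, per-source count of sshd "Failed password" lines. The following Python is an added example, not code from the thread or from logwatch, that rebuilds that summary from raw auth.log lines and flags sources that cross a threshold, which is the kind of evidence you would attach to an abuse report. The log lines, host name "gw" and the addresses 192.0.2.10, 198.51.100.7 and 198.51.100.8 (RFC 5737 documentation space) are constructed for the demo; the threshold of 10 is an arbitrary choice.

```python
import re
from collections import Counter

# Matches the OpenSSH "Failed password" line; "invalid user" marks accounts that
# do not exist on the gateway (logwatch reports those under "Invalid Users").
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_failures(lines):
    """Return (failures, invalid): failed logins per (user, source) and
    attempts against non-existent accounts per source."""
    failures = Counter()
    invalid = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and other sshd chatter are ignored
        if m.group("invalid"):
            invalid[m.group("src")] += 1
        else:
            failures[(m.group("user"), m.group("src"))] += 1
    return failures, invalid


def noisy_sources(failures, invalid, threshold=10):
    """Sources whose total failures (real plus invalid accounts) reach the threshold."""
    per_src = Counter()
    for (_, src), n in failures.items():
        per_src[src] += n
    per_src.update(invalid)
    return sorted(src for src, n in per_src.items() if n >= threshold)


def logwatch_report(failures, invalid):
    """Render the counts in the same layout as the logwatch sshd section."""
    out = ["sshd:", "  Authentication Failures:"]
    for (user, src), n in failures.most_common():
        out.append(f"    {user} ({src}): {n} Time(s)")
    if invalid:
        out.append("  Invalid Users:")
        out.append(f"    Unknown Account: {sum(invalid.values())} Time(s)")
    return "\n".join(out)


# Constructed sample log: one source hammering root and adm plus made-up account
# names, one unrelated single failure, and one accepted login that must be ignored.
SAMPLE_LOG = (
    [f"Mar  8 03:1{i % 10}:0{i % 6} gw sshd[41{i:02d}]: Failed password for root "
     f"from 192.0.2.10 port {40000 + i} ssh2" for i in range(15)]
    + [f"Mar  8 03:20:0{i} gw sshd[42{i:02d}]: Failed password for adm "
       f"from 192.0.2.10 port {41000 + i} ssh2" for i in range(3)]
    + [f"Mar  8 03:21:0{i} gw sshd[43{i:02d}]: Failed password for invalid user test{i} "
       f"from 192.0.2.10 port {42000 + i} ssh2" for i in range(5)]
    + ["Mar  8 03:22:00 gw sshd[4400]: Failed password for root from 198.51.100.7 port 50000 ssh2",
       "Mar  8 03:23:00 gw sshd[4401]: Accepted publickey for tom from 198.51.100.8 port 50001 ssh2"]
)

if __name__ == "__main__":
    f, inv = parse_failures(SAMPLE_LOG)
    print(logwatch_report(f, inv))
    print("sources over threshold:", noisy_sources(f, inv))
```

Feed it `open("/var/log/auth.log")` instead of the sample and the report matches the logwatch layout above; `noisy_sources` is the bit you would wire into whatever blocking or reporting you settle on.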
You can probably just query it with netcat or telnet, either are about as simple as you can get.
For what it's worth, most of the machines I've seen attempting these ssh "bruteforce" attacks were themselves compromised using that very same exploit, with the owner likely unaware that anything is going on. So "counter-hacking" may just succeed in hosing some random person's system. Personally I'd recommend sending an email to the ISP of the user or to the abuse@ address. Also take a look at the "SSH Login Attempts" thread at the top of the forum, where a number of solutions have been posted for dealing with these types of cracking attempts.
Telnet
I tried telnet (obviously on 113) and did not get any information back at all - it kicks me off after a few chars and a CR.
Take a look at the ident protocol RFC to see the syntax and how it works. It uses standard ASCII characters, so both telnet and netcat will work. What exactly are you trying to accomplish by interrogating the ident daemon on the server?
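To show what the RFC 1413 exchange actually looks like, here is an added example in Python (not code from the thread or from any identd). An ident query is not a free-form question: it names the two ports of an existing TCP connection, "<port on the identd host>, <port on your host>", and the daemon answers once and closes, which is why an interactive telnet session that sends anything else is dropped. The block builds the query line, parses USERID and ERROR replies, and runs both sides against a toy responder on loopback. Everything in the demo is constructed: ports 4312 and 22 stand for a connection from the remote host to the local sshd, the responder only imitates identd's behaviour, and it binds an ephemeral loopback port rather than the real service port 113.

```python
import socket
import threading

IDENT_PORT = 113  # RFC 1413 service port; the demo below uses an ephemeral loopback port


def build_query(port_on_server, port_on_client):
    """RFC 1413 request line: the two ports of an existing TCP connection, CRLF-terminated.
    port_on_server is the port on the host running identd (the side that connected to us),
    port_on_client is the port on our side (22 for a connection to our sshd)."""
    for p in (port_on_server, port_on_client):
        if not 1 <= p <= 65535:
            raise ValueError("port out of range")
    return f"{port_on_server}, {port_on_client}\r\n".encode("ascii")


def parse_reply(raw):
    """Parse one identd reply line into a dict; None if it is not a valid reply.
    Forms: "<sp>, <cp> : USERID : <opsys> : <user>" or "<sp>, <cp> : ERROR : <token>"."""
    text = raw.decode("ascii", errors="replace").strip()
    fields = [f.strip() for f in text.split(":", 3)]  # user id may itself contain ':'
    if len(fields) < 3:
        return None
    ports = [p.strip() for p in fields[0].split(",")]
    if len(ports) != 2 or not all(p.isdigit() for p in ports):
        return None
    result = {"port_on_server": int(ports[0]), "port_on_client": int(ports[1]), "type": fields[1]}
    if fields[1] == "USERID" and len(fields) == 4:
        result["opsys"] = fields[2]   # e.g. "UNIX" or "UNIX , US-ASCII"
        result["user"] = fields[3]    # self-reported by the remote host, not verifiable
    elif fields[1] == "ERROR":
        result["error"] = fields[2]   # INVALID-PORT, NO-USER, HIDDEN-USER, UNKNOWN-ERROR
    else:
        return None
    return result


def ident_query(host, port_on_server, port_on_client, ident_port=IDENT_PORT, timeout=5.0):
    """Send one query to identd on host and return the parsed reply (None if nothing usable)."""
    with socket.create_connection((host, ident_port), timeout=timeout) as sock:
        sock.sendall(build_query(port_on_server, port_on_client))
        buf = b""
        while b"\n" not in buf and len(buf) < 1024:
            chunk = sock.recv(256)
            if not chunk:
                break
            buf += chunk
    return parse_reply(buf.split(b"\n", 1)[0]) if buf else None


def _toy_identd(srv, reply_user=None):
    """Constructed responder for the offline demo: answers one query then closes,
    as a real identd does. Replies HIDDEN-USER unless a user name is supplied."""
    conn, _ = srv.accept()
    with conn:
        data = b""
        while not data.endswith(b"\n") and len(data) < 64:
            chunk = conn.recv(64)
            if not chunk:
                break
            data += chunk
        try:
            sp, cp = (int(x) for x in data.decode("ascii").split(","))
            if reply_user:
                reply = f"{sp}, {cp} : USERID : UNIX : {reply_user}\r\n"
            else:
                reply = f"{sp}, {cp} : ERROR : HIDDEN-USER\r\n"
        except ValueError:
            reply = "0, 0 : ERROR : INVALID-PORT\r\n"
        conn.sendall(reply.encode("ascii"))


def demo(reply_user=None):
    """Run the full exchange against the toy responder on loopback; returns the parsed reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    t = threading.Thread(target=_toy_identd, args=(srv, reply_user), daemon=True)
    t.start()
    port = srv.getsockname()[1]
    try:
        return ident_query("127.0.0.1", 4312, 22, ident_port=port)
    finally:
        t.join(timeout=5)
        srv.close()


if __name__ == "__main__":
    print(demo())        # ERROR : HIDDEN-USER
    print(demo("bob"))   # USERID : UNIX : bob
```

Against a real host you would call `ident_query(remote_host, remote_port, 22)` with the port pair taken from the sshd log line ("from <src> port <n>"). Whatever comes back is produced by the remote machine itself, and as the reply above notes that machine is probably already compromised, so treat the answer as a hint for the abuse report rather than as evidence of anything.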
sshd:
  Authentication Failures:
    root (ws246.internetdsl.tpnet.pl): 59 Time(s)
    unknown (ws246.internetdsl.tpnet.pl): 42 Time(s)
    adm (ws246.internetdsl.tpnet.pl): 2 Time(s)
    apache (ws246.internetdsl.tpnet.pl): 1 Time(s)
    mysql (ws246.internetdsl.tpnet.pl): 1 Time(s)
    nobody (ws246.internetdsl.tpnet.pl): 1 Time(s)
    operator (ws246.internetdsl.tpnet.pl): 1 Time(s)
  Invalid Users:
    Unknown Account: 42 Time(s)

What firewall are you using that generates these logs please? Thank you