LinuxQuestions.org
Old 03-25-2004, 08:12 AM   #1
dexter_modem
Member
 
Registered: Oct 2002
Location: Chicago
Distribution: slackware > redhat
Posts: 69

Rep: Reputation: 15
something very crazy in my SSH Log!!


My System : Slackware 9.1

This morning in my logwatch email I got

--------------------- SSHD Begin ------------------------

Did not get an ident string from these:
www.pavonet.com (209.126.168.231)

---------------------- SSHD End -------------------------

I went to pavonet.com and there is just a phone number listed, 1-866-761-4196. I did a whois and there wasn't any information; they claim the domain is free.

I checked my messages log and this is the line in there

Mar 24 22:50:45 bedroom sshd[25482]: Did not receive identification string from 209.126.168.231

I couldn't find where the www.pavonet.com data was?
cat /var/log/messages | grep www.pavonet.com returned nothing

Help, how did they get that in there. Should I call the number?

I'm scared
 
Old 03-25-2004, 02:03 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,390
Blog Entries: 55

Rep: Reputation: 3562
Did not get an ident string from these: www.pavonet.com (209.126.168.231)
AFAIK a session that's set up but not continued into authentication, IOW, a scan.
This host has been scanning at least 2000 hosts in the last few days for port TCP/22.


Help, how did they get that in there.
It's a message of the "informative" level, nothing more.


Should I call the number?
No. The proper route would be to file a complaint at abuse@cari.net, but usually this won't get you anywhere.


I'm scared
Don't be. Do this: if your version of OpenSSH is compiled with libwrap, restrict the hosts/ranges allowed to connect by adding them to /etc/hosts.allow and make sure /etc/hosts.deny contains one line "ALL: ALL". Then restrict the hosts/ranges allowed to connect by adding them to the firewall.
Add Snort. If they're scanning for some known exploit you should be alerted.
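
Added example, not part of the original posts: a small shell/awk summary of the sshd "Did not receive identification string" entries discussed above, counted per source address, plus a check for the libwrap condition mentioned in the reply. The function names, the default sshd path and every sample log line except the first (which is the line quoted in the thread) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise sshd connections that never sent an SSH banner.

# Constructed sample in classic syslog format; only line 1 comes from the thread.
sample_log() {
cat <<'EOF'
Mar 24 22:50:45 bedroom sshd[25482]: Did not receive identification string from 209.126.168.231
Mar 24 22:51:02 bedroom sshd[25490]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
Mar 25 03:14:07 bedroom sshd[26011]: Did not receive identification string from 198.51.100.7
Mar 25 03:14:09 bedroom sshd[26013]: Did not receive identification string from 198.51.100.7
Mar 25 03:20:00 bedroom kernel: Did not receive identification string from 203.0.113.9
EOF
}

# probe_summary: syslog lines on stdin -> "count ip first_seen -> last_seen",
# busiest source first. Only lines logged by sshd itself are counted, and the
# address is taken from the field after "from", so newer OpenSSH lines that
# end in "port N" are handled as well.
probe_summary() {
  awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ && /Did not receive identification string from/ {
      ip = ""
      for (i = 6; i < NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      ts = $1 " " $2 " " $3
      if (!(ip in n)) first[ip] = ts
      n[ip]++
      last[ip] = ts
    }
    END { for (ip in n) printf "%d %s %s -> %s\n", n[ip], ip, first[ip], last[ip] }
  ' | sort -k1,1nr -k2,2
}

# sshd_uses_libwrap: succeeds if the sshd binary is dynamically linked against
# libwrap, i.e. /etc/hosts.allow and /etc/hosts.deny apply to it.
# Assumption: sshd lives at /usr/sbin/sshd unless a path is given.
sshd_uses_libwrap() {
  ldd "${1:-/usr/sbin/sshd}" 2>/dev/null | grep -q libwrap
}

# Demo on the constructed sample; on a real host: probe_summary < /var/log/messages
sample_log | probe_summary
```

A single entry from one address, as in the original post, is consistent with a passing port scan; repeated entries from the same source are the ones worth matching against the firewall and hosts.allow rules.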
 
Old 03-25-2004, 04:04 PM   #3
dexter_modem
Member
 
Registered: Oct 2002
Location: Chicago
Distribution: slackware > redhat
Posts: 69

Original Poster
Rep: Reputation: 15
Thanks, I'll do that. What do you think that phone number is? I wanna call from a pay phone and be like.. AHHHHHHHHHHHHH
 
Old 03-26-2004, 11:39 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,390
Blog Entries: 55

Rep: Reputation: 3562
I'm sure you could find better and more enjoyable ways of spending your time and money...
 
  

