LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-16-2004, 03:54 AM   #1
mrhyde
Member
 
Registered: Jul 2003
Location: Europe
Posts: 198

Rep: Reputation: 30
User access script


I manage a Linux based ssh VPN with 2 servers running RHL9 (soon RHEL 3). Both machines are fully patched with the latest rpm's from Red Hat. Some moron has attempted to access one of the machines using some kind of script, but has failed. Anybody know what script would produce this type of log?

Apr 15 15:58:51 zeta sshd[2795]: Did not receive identification string from 210.219.250.124
Apr 15 16:35:08 zeta sshd[2830]: Illegal user alias from 210.219.250.124
Apr 15 16:35:11 zeta sshd[2832]: Illegal user info from 210.219.250.124
Apr 15 16:35:14 zeta sshd[2834]: Illegal user backup from 210.219.250.124
Apr 15 16:35:21 zeta sshd[2836]: Illegal user admin from 210.219.250.124
Apr 15 16:35:24 zeta sshd[2838]: Illegal user test from 210.219.250.124
Apr 15 16:35:28 zeta sshd[2840]: Illegal user test1 from 210.219.250.124
Apr 15 16:35:35 zeta sshd[2842]: Illegal user test2 from 210.219.250.124
Apr 15 16:35:38 zeta sshd[2844]: Illegal user test from 210.219.250.124
Apr 15 16:35:42 zeta sshd[2846]: Illegal user support from 210.219.250.124
Apr 15 16:35:45 zeta sshd[2848]: Illegal user postgres from 210.219.250.124
Apr 15 16:35:54 zeta sshd[2850]: Illegal user contact from 210.219.250.124
Apr 15 16:36:08 zeta sshd[2852]: Failed password for daemon from 210.219.250.124 port 53513 ssh2
Apr 15 16:36:13 zeta sshd[2854]: Failed password for adm from 210.219.250.124 port 53886 ssh2
Apr 15 16:36:16 zeta sshd[2856]: Illegal user info from 210.219.250.124
Apr 15 16:36:20 zeta sshd[2858]: Illegal user backup from 210.219.250.124
Apr 15 16:36:23 zeta sshd[2860]: Illegal user dump from 210.219.250.124
Apr 15 16:36:26 zeta sshd[2862]: Illegal user dump from 210.219.250.124
Apr 15 16:36:40 zeta sshd[2864]: Failed password for ftp from 210.219.250.124 port 54756 ssh2
Apr 15 16:36:46 zeta sshd[2866]: Failed password for ftp from 210.219.250.124 port 55335 ssh2
Apr 15 16:36:49 zeta sshd[2868]: Illegal user mysql from 210.219.250.124
Apr 15 16:36:53 zeta sshd[2870]: Illegal user postgres from 210.219.250.124
Apr 15 16:36:59 zeta sshd[2872]: Illegal user test from 210.219.250.124
Apr 15 16:37:06 zeta sshd[2874]: Illegal user mysql from 210.219.250.124
Apr 15 16:37:12 zeta sshd[2876]: Illegal user oracle from 210.219.250.124
Apr 15 16:37:17 zeta sshd[2878]: Illegal user oracle from 210.219.250.124
Apr 15 16:37:21 zeta sshd[2880]: Illegal user webmaster from 210.219.250.124
Apr 15 16:37:29 zeta sshd[2882]: Illegal user webmaster from 210.219.250.124
Apr 15 16:37:33 zeta sshd[2884]: Illegal user master from 210.219.250.124
Apr 15 16:37:36 zeta sshd[2886]: Illegal user master from 210.219.250.124
Apr 15 16:37:39 zeta sshd[2888]: Illegal user manager from 210.219.250.124
Apr 15 16:37:43 zeta sshd[2890]: Illegal user manager from 210.219.250.124
Apr 15 16:37:46 zeta sshd[2892]: Illegal user user from 210.219.250.124
Apr 15 16:38:04 zeta sshd[2894]: Illegal user user from 210.219.250.124
Apr 15 16:38:08 zeta sshd[2896]: Illegal user login from 210.219.250.124
Apr 15 16:38:12 zeta sshd[2898]: Illegal user login from 210.219.250.124
Apr 15 16:38:17 zeta sshd[2900]: Illegal user help from 210.219.250.124
Apr 15 16:38:20 zeta sshd[2902]: Illegal user help from 210.219.250.124
Apr 15 16:38:23 zeta sshd[2904]: Illegal user guest from 210.219.250.124
Apr 15 16:38:31 zeta sshd[2906]: Illegal user guest from 210.219.250.124
Apr 15 16:38:44 zeta sshd[2908]: Illegal user guest from 210.219.250.124
Apr 15 16:38:47 zeta sshd[2910]: Illegal user sysop from 210.219.250.124
Apr 15 16:38:53 zeta sshd[2912]: Illegal user sysop from 210.219.250.124
Apr 15 16:39:03 zeta sshd[2914]: Illegal user msql from 210.219.250.124
Apr 15 16:39:06 zeta sshd[2916]: Illegal user msql from 210.219.250.124
Apr 15 16:39:12 zeta sshd[2918]: Failed password for nobody from 210.219.250.124 port 33619 ssh2
Apr 15 16:39:24 zeta sshd[2920]: Failed password for lp from 210.219.250.124 port 33884 ssh2
 
Old 04-16-2004, 11:09 AM   #2
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,337

Rep: Reputation: 548
"Some moron has attempted to access one of the machines using some kind of script, but has failed. Anybody know what script would produce this type of log?"

Actually I think that the script worked as intended. The script has managed to determine some valid user names on your system because the error messages are different for invalid user names and valid user names with invalid passwords. Probably the next attack will be to try to find the password for one of the valid user names that the moron has collected.

___________________________________
Be prepared. Create a LifeBoat CD.
http://users.rcn.com/srstites/LifeBo...home.page.html

Steve Stites

Last edited by jailbait; 04-16-2004 at 11:11 AM.
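The point made in the reply above is that the two log messages in the first post are not equivalent: sshd only gets as far as "Failed password for ..." for an account that exists, so a reader of the log (and of the server's responses) can tell unknown names apart from real ones. The following Python is an added example written for this page, not code from the thread or from OpenSSH; it parses the sshd lines from the first post (plus one constructed line from 192.0.2.7 for contrast), groups them by source address, separates unknown names from confirmed-existing accounts, and flags a source that tries many distinct names in a short window. All function names and the thresholds are my own; the log year is assumed, since syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the first post of this thread. The final 192.0.2.7 line is a
# constructed extra (TEST-NET address) so the output shows an ordinary single failed
# login next to the enumeration run.
SAMPLE_LOG = """\
Apr 15 15:58:51 zeta sshd[2795]: Did not receive identification string from 210.219.250.124
Apr 15 16:35:08 zeta sshd[2830]: Illegal user alias from 210.219.250.124
Apr 15 16:35:11 zeta sshd[2832]: Illegal user info from 210.219.250.124
Apr 15 16:35:14 zeta sshd[2834]: Illegal user backup from 210.219.250.124
Apr 15 16:35:21 zeta sshd[2836]: Illegal user admin from 210.219.250.124
Apr 15 16:36:08 zeta sshd[2852]: Failed password for daemon from 210.219.250.124 port 53513 ssh2
Apr 15 16:36:13 zeta sshd[2854]: Failed password for adm from 210.219.250.124 port 53886 ssh2
Apr 15 16:36:40 zeta sshd[2864]: Failed password for ftp from 210.219.250.124 port 54756 ssh2
Apr 15 16:36:46 zeta sshd[2866]: Failed password for ftp from 210.219.250.124 port 55335 ssh2
Apr 15 16:39:12 zeta sshd[2918]: Failed password for nobody from 210.219.250.124 port 33619 ssh2
Apr 15 17:02:03 zeta sshd[3001]: Failed password for martin from 192.0.2.7 port 40001 ssh2
"""

# Assumed log year: syslog timestamps carry none, so it is taken from the thread date.
LOG_YEAR = 2004

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+(?P<msg>.*)$"
)
# "Illegal user" is the wording of the OpenSSH of the day; later releases say "Invalid user".
ILLEGAL_RE = re.compile(r"^(?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>\S+)$")
FAILED_RE = re.compile(r"^Failed password for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")
NOIDENT_RE = re.compile(r"^Did not receive identification string from (?P<src>\S+)$")


def parse_line(line):
    """Return {"ts", "src", "kind", "user"} for a recognised sshd line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    msg = m.group("msg")
    if (im := ILLEGAL_RE.match(msg)):
        return {"ts": ts, "src": im.group("src"), "kind": "illegal_user", "user": im.group("user")}
    if (fm := FAILED_RE.match(msg)):
        return {"ts": ts, "src": fm.group("src"), "kind": "failed_password", "user": fm.group("user")}
    if (nm := NOIDENT_RE.match(msg)):
        return {"ts": ts, "src": nm.group("src"), "kind": "no_ident", "user": None}
    return None


def summarize(log_text):
    """Group events by source address, separating unknown names from existing accounts."""
    per_src = defaultdict(lambda: {"events": 0, "illegal": set(), "valid_failed": set(),
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rec = per_src[ev["src"]]
        rec["events"] += 1
        rec["first"] = ev["ts"] if rec["first"] is None else min(rec["first"], ev["ts"])
        rec["last"] = ev["ts"] if rec["last"] is None else max(rec["last"], ev["ts"])
        if ev["kind"] == "illegal_user":
            rec["illegal"].add(ev["user"])
        elif ev["kind"] == "failed_password":
            # sshd only reaches the password check for accounts that exist, so this set
            # is the list of real account names the remote side has now confirmed.
            rec["valid_failed"].add(ev["user"])
    return dict(per_src)


def enumeration_sources(summary, min_distinct_users=5, window_seconds=3600):
    """Sources that tried at least min_distinct_users names within window_seconds."""
    hits = []
    for src, rec in summary.items():
        distinct = len(rec["illegal"] | rec["valid_failed"])
        span = (rec["last"] - rec["first"]).total_seconds()
        if distinct >= min_distinct_users and span <= window_seconds:
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src in enumeration_sources(summary):
        rec = summary[src]
        print(f"{src}: {rec['events']} events, {len(rec['illegal'])} unknown names, "
              f"existing accounts probed: {sorted(rec['valid_failed'])}")
```

The `valid_failed` set is the actionable output: those are accounts the remote side now knows exist, so they are the ones to check for a locked password and a `nologin` shell, as the original poster describes doing in the next reply.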
 
Old 04-16-2004, 11:25 AM   #3
mrhyde
Member
 
Registered: Jul 2003
Location: Europe
Posts: 198

Original Poster
Rep: Reputation: 30
No it hasn't! All users are configured with "/sbin/nologin" (no shell, no access!) and tcpserver is set to deny "ALL: LOCAL"; the moron will never get in. This is one of many failed attempts.
 
Old 04-16-2004, 11:49 AM   #4
mrhyde
Member
 
Registered: Jul 2003
Location: Europe
Posts: 198

Original Poster
Rep: Reputation: 30
Here is more; the firewall script is blocking the moron also! You are right though, he did come the next day for another try!


Apr 15 16:36:06 zeta sshd(pam_unix)[2852]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.219.250.124 user=daemon
Apr 15 16:36:11 zeta sshd(pam_unix)[2854]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.219.250.124 user=adm
Apr 15 16:36:38 zeta sshd(pam_unix)[2864]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.219.250.124 user=ftp
Apr 15 16:36:44 zeta sshd(pam_unix)[2866]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.219.250.124 user=ftp
Apr 15 16:39:10 zeta sshd(pam_unix)[2918]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.219.250.124 user=nobody
Apr 15 16:39:21 zeta sshd(pam_unix)[2920]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.219.250.124 user=lp
Apr 16 09:17:56 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=32770 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:02 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=109 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:02 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x10 PREC=0x40 TTL=48 ID=0 DF PROTO=TCP SPT=21 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:02 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=873 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:02 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=110 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:10 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=993 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:17 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=31337 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:18 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=143 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:20 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x10 PREC=0x40 TTL=48 ID=0 DF PROTO=TCP SPT=23 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:21 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=32770 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:24 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=1521 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:26 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=109 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:26 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x10 PREC=0x40 TTL=48 ID=0 DF PROTO=TCP SPT=21 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:26 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=873 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:26 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=110 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:27 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=995 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:34 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=993 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:41 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=31337 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:42 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=143 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:44 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x10 PREC=0x40 TTL=48 ID=0 DF PROTO=TCP SPT=23 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:48 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=1521 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:51 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=995 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:19:09 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=32770 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:19:14 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=109 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:19:14 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x10 PREC=0x40 TTL=48 ID=0 DF PROTO=TCP SPT=21 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:19:14 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=873 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:19:15 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=110 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:19:22 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=993 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:19:29 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=31337 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:19:31 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=143 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:19:32 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x10 PREC=0x40 TTL=48 ID=0 DF PROTO=TCP SPT=23 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:19:37 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=1521 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:19:39 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=995 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0

Last edited by mrhyde; 04-16-2004 at 11:54 AM.
 
Old 04-16-2004, 01:07 PM   #5
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,337

Rep: Reputation: 548
I think that you should chase this cracker down. You could start by contacting whoever owns 210.219.250.124 and asking their cooperation in tracking down whoever is attacking you. Once you establish the geographical area where the cracker is located you could ask the police there to investigate the cracker.

---------------------
Steve Stites
 
Old 04-16-2004, 02:12 PM   #6
mrhyde
Member
 
Registered: Jul 2003
Location: Europe
Posts: 198

Original Poster
Rep: Reputation: 30
Hi Steve,
I tracked the host through apnic. The system is based in Korea. I have complained to both apnic and the ISP who has been allocated this block of IPs; unfortunately the ISPs do very little in these cases. Most of the time when I contact the ISPs, their staff have little or no idea about what I am talking about. apnic are currently dealing with the case, I'll have to see what happens. I would say that the police wouldn't bother, unless it was a serious internet crime. I was hoping that somebody may know of a site where user access scripts may be downloaded, I would like to see how such a script may be written. Any ideas?

/Martin
 
Old 04-16-2004, 04:53 PM   #7
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,337

Rep: Reputation: 548
"I was hoping that somebody may know of a site where user access scripts may be downloaded, I would like to see how such a script may be written. Any ideas?"

I don't know where to find such a script but such a script would be easy to write. You would start with the commands to log onto the target site. Then you would add the commands to save the replies. Then you would put these commands within a loop which varies the user name and/or password.

I think that the first attack that you posted was made with a script that looped while changing the user names and checked the replies for either invalid user name or invalid password. The replies that indicated invalid password meant that the user name was valid. At least I think that was the intent of the program.

I think that the messages of type:

Apr 15 16:36:06 zeta sshd(pam_unix)[2852]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.219.250.124 user=daemon

show the same script being run again.

I do not understand the messages of type

Apr 16 09:17:56 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=32770 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0

well enough to understand exactly what the script is attempting to do other than the script seems to be sending the same command over and over and varying only one parameter each time.

I agree that this guy is a moron. Over time he might find a combination of commands and passwords that match a valid access attempt to your system. But only a moron would assume that you would not notice the millions of authentication failures he has to generate while searching for a way to break in.

The other thing that you could do is to block the block of ISP numbers that the Korean system is using. If this is somebody like a college student then he probably does not have the use of a lot of ISPs and blocking him may end the attack. If this is something like a spammer looking for potential zombies then blocking the Korean system will not slow down the attack very much.

___________________________________
Be prepared. Create a LifeBoat CD.
http://users.rcn.com/srstites/LifeBo...home.page.html

Steve Stites

Last edited by jailbait; 04-16-2004 at 04:55 PM.
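The reply above observes that the kernel firewall lines repeat the same thing while varying only one parameter. A quick way to confirm that, and to decide what a firewall rule or alert should key on, is to parse the iptables LOG lines into their fields and report which ones stay constant. The Python below is an added example written for this page, not code from the thread; it takes six of the lines from post #4, splits each into key=value fields and bare flags (DF, ACK, SYN), groups packets by source/destination/protocol, and lists the source ports seen, the flags present on every packet and the fields whose values differ. Function names and the grouping choice are my own.

```python
import re
from collections import defaultdict

# Six kernel firewall lines copied from post #4 of this thread.
SAMPLE_FW_LOG = """\
Apr 16 09:17:56 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=32770 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:02 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=109 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:02 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x10 PREC=0x40 TTL=48 ID=0 DF PROTO=TCP SPT=21 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:02 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=873 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:02 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=110 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 09:18:10 zeta kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:10:a7:0c:16:e5:00:05:dd:22:fc:3c:08:00 SRC=210.219.250.124 DST=213.114.51.45 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=993 DPT=61997 WINDOW=5840 RES=0x00 ACK SYN URGP=0
"""

# Timestamp, host, "kernel:", an optional --log-prefix, then the IN=... field list.
KERNEL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+"
    r"(?:(?P<prefix>.*?)\s+)?(?P<fields>IN=.*)$"
)
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}


def parse_fw_line(line):
    """Split an iptables LOG line into timestamp, log prefix, key=value fields and bare flags."""
    m = KERNEL_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = int(val) if key in INT_FIELDS and val else val
        else:
            flags.add(tok)  # DF, SYN, ACK, RST and similar appear without a value
    return {"ts": m.group("ts"), "prefix": m.group("prefix") or "",
            "fields": fields, "flags": flags}


def varying_fields(records):
    """Names of the fields whose value is not constant across the records."""
    keys = set()
    for r in records:
        keys |= set(r["fields"])
    return sorted(k for k in keys if len({r["fields"].get(k) for r in records}) > 1)


def summarize_flows(log_text):
    """Group by (SRC, DST, PROTO): packet count, ports, flags on every packet, varying fields."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec:
            f = rec["fields"]
            groups[(f.get("SRC"), f.get("DST"), f.get("PROTO"))].append(rec)
    out = {}
    for key, recs in groups.items():
        out[key] = {
            "packets": len(recs),
            "src_ports": sorted({r["fields"].get("SPT") for r in recs}),
            "dst_ports": sorted({r["fields"].get("DPT") for r in recs}),
            "flags_on_every_packet": set.intersection(*(r["flags"] for r in recs)),
            "varying": varying_fields(recs),
        }
    return out


if __name__ == "__main__":
    for (src, dst, proto), flow in summarize_flows(SAMPLE_FW_LOG).items():
        print(f"{src} -> {dst} {proto}: {flow['packets']} packets, "
              f"SPT {flow['src_ports']}, DPT {flow['dst_ports']}, "
              f"flags {sorted(flow['flags_on_every_packet'])}, varies: {flow['varying']}")
```

On the six lines above the output confirms the observation in the reply: every packet is TCP with ACK and SYN set to the single destination port 61997, the MAC, TTL, window and IP ID never change, and the only fields that vary are the source port and, on the port 21 packet, the TOS/PREC bits. That is the kind of constant-versus-varying breakdown worth having before writing a log-match rule, since matching on the stable fields is what keeps the rule from being fooled by the one parameter that is cycling.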
 
Old 04-17-2004, 05:55 PM   #8
mrhyde
Member
 
Registered: Jul 2003
Location: Europe
Posts: 198

Original Poster
Rep: Reputation: 30
I have configured iptables to block the 210.0.0.0/8 range. It was doing the trick, but I have had complaints that certain sites in that range were inaccessible from inside the firewall, so I now have it configured to block the 210.219.0.0/16 range, Korea only. They really are a rogue state.
 
Old 04-17-2004, 06:22 PM   #9
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,337

Rep: Reputation: 548
" I now have it configured to block the 210.219.0.0/16 range, Korea only."

It will be interesting to check the new addresses if he mounts another attack on you. If he attacks again from some place other than Korea then you could tell the Korean ISP that somebody managed to break into their machine and used it as a base for the first attacks on you. That might get the Koreans interested in finding this guy.

___________________________________
Be prepared. Create a LifeBoat CD.
http://users.rcn.com/srstites/LifeBo...home.page.html

Steve Stites
 
Old 04-18-2004, 02:52 AM   #10
mrhyde
Member
 
Registered: Jul 2003
Location: Europe
Posts: 198

Original Poster
Rep: Reputation: 30
I have been watching the logs on the machine in question; I haven't managed to find any TCP SYN ACK patterns like the example I posted earlier. I would imagine that if the attack had originated from a customer of this ISP I would be able to grep the logs to find a host on the same network 210.219.0.0/16, but I have not. I will just have to be vigilant in analysing the logs on this machine.
 