[Zeffie-Users] (raq4) hack attempt
Arthur Sherman
cobalt-list at compros.co.il
Thu Apr 21 19:00:35 EDT 2005
> -----Original Message-----
> From: Davis [mailto:davis at maxximum.dns2go.com]
> Sent: Thursday, April 21, 2005 7:20 PM
> To: Arthur Sherman; 'Zeffie.net Users List'
> Subject: Re: [Zeffie-Users] (raq4) hack attempt
>
> Actually, I don't have a firewall on the Raq 4R. On the Raq
> 550, I have a firewall.
>
> I use 2 firewalls in Bastion. One with IPCOP (www.ipcop.org)
> and Symantec Security Gateway 320 box
>
> and on php sites, I use protector
>
> Got hacked before, so now I am going paranoid and I am
> protecting everything with firewall, IDS, IPS.. log analysis... etc.
>
> d
>
>
> ----- Original Message -----
> From: "Arthur Sherman" <cobalt-list at compros.co.il>
> To: "'Davis'" <davis at maxximum.dns2go.com>; "'Zeffie.net Users List'"
> <Zeffie-Users at zeffie.net>
> Sent: Thursday, April 21, 2005 6:43 PM
> Subject: RE: [Zeffie-Users] (raq4) hack attempt
>
>
> > What kind of a firewall do you implement on your system?
> >
> > Assuming my native RaQ4r running on
> > http://cdr.raq4less.com/RaQ4r-040317.iso, what would you use?
> >
> > Best,
> >
> > --
> > Arthur Sherman
> >
> > ComPros Team
> > +972-52-4689432
> >
> >
> >
> >> -----Original Message-----
> >> From: Zeffie-Users-bounces at zeffie.net
> >> [mailto:Zeffie-Users-bounces at zeffie.net] On Behalf Of Davis
> >> Sent: Thursday, April 21, 2005 7:40 AM
> >> To: Zeffie.net Users List
> >> Subject: Re: [Zeffie-Users] (raq4) hack attempt
> >>
> >> I already blocked this script kiddie... actually I blocked the
> >> whole range on the firewall :
> >>
> >> Looking up 221.242.57.202...
> >> Using whois server whois.arin.net.
> >>
> >> OrgName: Asia Pacific Network Information Centre
> >> OrgID: APNIC
> >> Address: PO Box 2131
> >> City: Milton
> >> StateProv: QLD
> >> PostalCode: 4064
> >> Country: AU
> >>
> >> ReferralServer: whois://whois.apnic.net
> >>
> >> NetRange: 221.0.0.0 - 221.255.255.255
> >>
> >>
> >> ----- Original Message -----
> >> From: "Arthur Sherman" <cobalt-list at compros.co.il>
> >> To: "'Cobalt Users'" <cobalt-users at lists.qbalt.com>; "Zeffie-Users"
> >> <Zeffie-Users at zeffie.net>
> >> Sent: Thursday, April 21, 2005 5:01 AM
> >> Subject: [Zeffie-Users] (raq4) hack attempt
> >>
> >>
> >> >
> >> > Hi,
> >> >
> >> > How are you doing?
> >> >
> >> >
> >> > I have mentioned this in auth log:
> >> >
> >> > ---start---
> >> > [root spamassassin]# tail -n 50 /var/log/auth
> >> > Apr 20 20:14:05 baby sshd[18765]: error: Could not get
> >> shadow information
> >> > for NOUSER
> >> > Apr 20 20:14:05 baby sshd[18765]: Failed password for
> >> illegal user backup
> >> > from 221.242.57.202 port 55826 ssh2
> >> > Apr 20 20:14:08 baby sshd[18767]: Illegal user server from
> >> 221.242.57.202
> >> > Apr 20 20:14:08 baby sshd[18767]: error: Could not get
> >> shadow information
> >> > for NOUSER
> >> > Apr 20 20:14:08 baby sshd[18767]: Failed password for
> >> illegal user server
> >> > from 221.242.57.202 port 55901 ssh2
> >> > Apr 20 20:14:11 baby sshd[18769]: Illegal user adam from
> >> 221.242.57.202
> >> > Apr 20 20:14:11 baby sshd[18769]: error: Could not get
> >> shadow information
> >> > for NOUSER
> >> > Apr 20 20:14:11 baby sshd[18769]: Failed password for
> >> illegal user adam
> >> > from
> >> > 221.242.57.202 port 55966 ssh2
> >> > Apr 20 20:14:15 baby sshd[18771]: Illegal user alan from
> >> 221.242.57.202
> >> > Apr 20 20:14:15 baby sshd[18771]: error: Could not get
> >> shadow information
> >> > for NOUSER
> >> > Apr 20 20:14:15 baby sshd[18771]: Failed password for
> >> illegal user alan
> >> > from
> >> > 221.242.57.202 port 56060 ssh2
> >> > Apr 20 20:14:18 baby sshd[18773]: Illegal user frank from
> >> 221.242.57.202
> >> > Apr 20 20:14:18 baby sshd[18773]: error: Could not get
> >> shadow information
> >> > for NOUSER
> >> > Apr 20 20:14:18 baby sshd[18773]: Failed password for
> >> illegal user frank
> >> > from 221.242.57.202 port 56142 ssh2
> >> > Apr 20 20:14:21 baby sshd[18777]: Illegal user george from
> >> 221.242.57.202
> >> > Apr 20 20:14:21 baby sshd[18777]: error: Could not get
> >> shadow information
> >> > for NOUSER
> >> > Apr 20 20:14:21 baby sshd[18777]: Failed password for
> >> illegal user george
> >> > from 221.242.57.202 port 56211 ssh2
> >> > ---end---
> >> >
> >> > Some potz from Japan is probing my server.
> >> > How could I make my server block for an hour/day that IP?
> >> >
> >> > Best,
> >> >
> >> > --
> >> > Arthur Sherman
> >> >
> >> > ComPros Team
> >> > +972-52-4689432
> >> >
I am looking for an on-the-host solution, something open-source, that I
could install/manage myself.
Best,
--
Arthur Sherman
ComPros Team
+972-52-4689432