BY: cronocloud DATE: 2006-Apr-30 18:20 SUBJECT: First outside hacking attempt on my PS2. I was away from home yesterday but had the laptop with me and had a net connection. I had preplanned and set up sshd beforehand. Before I left home, I opened up the necessary port on the router.
The remote connection with X forwarding worked okay, and came in handy.
Back at home, I closed off the port, and checked the logs to see if anyone had tried to hack me.
Apr 29 19:08:35 midgar sshd[27467]: Could not reverse map address 222.198.150.16.
Apr 29 19:08:35 midgar sshd[27467]: Failed password for ROOT from 222.198.150.16 port 60824 ssh2
Apr 29 19:08:35 midgar sshd[27467]: Received disconnect from 222.198.150.16: 11: Bye Bye
Apr 29 19:08:41 midgar sshd[27468]: Could not reverse map address 222.198.150.16.
Apr 29 19:08:41 midgar sshd[27468]: Failed password for ROOT from 222.198.150.16 port 60853 ssh2
Apr 29 19:08:41 midgar sshd[27468]: Received disconnect from 222.198.150.16: 11: Bye Bye
Apr 29 19:08:44 midgar sshd[27469]: Could not reverse map address 222.198.150.16.
Apr 29 19:08:44 midgar sshd[27469]: Failed password for ROOT from 222.198.150.16 port 60909 ssh2
Apr 29 19:08:44 midgar sshd[27469]: Received disconnect from 222.198.150.16: 11: Bye Bye
Apr 29 19:08:46 midgar sshd[27470]: Could not reverse map address 222.198.150.16.
Apr 29 19:08:46 midgar sshd[27470]: Failed password for ROOT from 222.198.150.16 port 60931 ssh2
Apr 29 19:08:46 midgar sshd[27470]: Received disconnect from 222.198.150.16: 11: Bye Bye
Apr 29 19:08:49 midgar sshd[27471]: Could not reverse map address 222.198.150.16.
Apr 29 19:08:49 midgar sshd[27471]: Failed password for ROOT from 222.198.150.16 port 60954 ssh2
Apr 29 19:08:49 midgar sshd[27471]: Received disconnect from 222.198.150.16: 11: Bye Bye
Apr 29 19:08:51 midgar sshd[27472]: Could not reverse map address 222.198.150.16.
Apr 29 19:08:51 midgar sshd[27472]: Failed password for ROOT from 222.198.150.16 port 60979 ssh2
Apr 29 19:08:53 midgar sshd[27472]: Received disconnect from 222.198.150.16: 11: Bye Bye
Apr 29 19:08:55 midgar sshd[27473]: Could not reverse map address 222.198.150.16.
Apr 29 19:08:55 midgar sshd[27473]: Failed password for ROOT from 222.198.150.16 port 32774 ssh2
Apr 29 19:08:55 midgar sshd[27473]: Received disconnect from 222.198.150.16: 11: Bye Bye
Apr 29 19:08:57 midgar sshd[27474]: Could not reverse map address 222.198.150.16.
Apr 29 19:08:57 midgar sshd[27474]: Failed password for ROOT from 222.198.150.16 port 32798 ssh2
Apr 29 19:08:58 midgar sshd[27474]: Received disconnect from 222.198.150.16: 11: Bye Bye
I was surprised at the root login attempts, because root logins via SSH are disabled by default. I also have password authentication turned off, so even if root login were on or they guessed a username, it still wouldn't work. If I'd known the IP I was going to have, I would have restricted sshd access to that.
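Two things a practitioner would want to check after a log like the one above: whether the burst of failures is a single source hammering one account (the signature of a dictionary attack rather than a mistyped password), and whether the sshd configuration actually enforces what the post relies on (no root login, no password authentication, and ideally a per-user source restriction). The script below does both. It is an added example, not code from the original post; the log lines and the two sshd_config fragments are constructed inline in the same shape as the post's log, the year 2006 is assumed for timestamp parsing, and the user name and address in the AllowUsers line are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the shape of the post's sshd lines: a burst of
# root failures from one source, one failure for an unknown user, one
# successful key-based login, and one stray failure from another address.
SAMPLE_LOG = """\
Apr 29 19:08:35 midgar sshd[27467]: Could not reverse map address 222.198.150.16.
Apr 29 19:08:35 midgar sshd[27467]: Failed password for ROOT from 222.198.150.16 port 60824 ssh2
Apr 29 19:08:35 midgar sshd[27467]: Received disconnect from 222.198.150.16: 11: Bye Bye
Apr 29 19:08:41 midgar sshd[27468]: Failed password for ROOT from 222.198.150.16 port 60853 ssh2
Apr 29 19:08:44 midgar sshd[27469]: Failed password for ROOT from 222.198.150.16 port 60909 ssh2
Apr 29 19:08:46 midgar sshd[27470]: Failed password for ROOT from 222.198.150.16 port 60931 ssh2
Apr 29 19:08:49 midgar sshd[27471]: Failed password for invalid user admin from 222.198.150.16 port 60954 ssh2
Apr 29 19:10:02 midgar sshd[27480]: Accepted publickey for cronocloud from 10.0.0.5 port 51022 ssh2
Apr 29 19:12:15 midgar sshd[27481]: Failed password for cronocloud from 10.0.0.9 port 40001 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Return a list of (timestamp, user, ip) for every failed-password line.
    syslog timestamps carry no year, so one is assumed (2006, the post's date)."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"]))
    return out


def brute_force_sources(failures, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for sources with at least `threshold` failures
    inside any sliding window of `window_seconds`. A burst like the post's
    (eight root failures in 22 seconds) trips this; one typo does not."""
    by_ip = defaultdict(list)
    for ts, _user, ip in failures:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def targeted_users(failures, ip):
    """Sorted set of account names a given source tried."""
    return sorted({user for _ts, user, src in failures if src == ip})


# Constructed sshd_config fragments: a permissive one and the hardened one the
# post describes. The AllowUsers user name and address are placeholders.
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
# Keyboard-interactive can still prompt for a password unless this is off too.
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers cronocloud@203.0.113.7
"""

REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
}


def sshd_config_findings(config_text):
    """Return hardening problems found in sshd_config text. Keywords are
    case-insensitive and the first occurrence wins, which is how sshd itself
    resolves them, so a later 'PermitRootLogin no' does not override an earlier 'yes'."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        seen.setdefault(parts[0].lower(), parts[1].strip())
    findings = []
    for key, want in REQUIRED.items():
        got = seen.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly (sshd default applies)")
        elif got.lower() != want:
            findings.append(f"{key} is {got}, expected {want}")
    if "allowusers" not in seen and "allowgroups" not in seen:
        findings.append("no AllowUsers/AllowGroups restriction on who may log in")
    return findings


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    for ip, n in brute_force_sources(fails).items():
        print(f"{ip}: {n} failures in one window, accounts tried: {targeted_users(fails, ip)}")
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, sshd_config_findings(cfg) or "ok")
```

On the real box, feed it `/var/log/auth.log` (or wherever the distribution's syslog sends `authpriv`) and `/etc/ssh/sshd_config`; for the window check, the numbers that matter are the threshold and window, which should be tuned to how many failures a legitimate user could plausibly generate in that time.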
Apparently the attacking IP is at a University in China.
inetnum: 222.198.128.0 - 222.198.159.255
netname: CQU-CN
descr: 重庆大学 (Chongqing University)
descr: Chongqing University
descr: Chongqing, Chongqing 400044, China
country: CN
remarks: conn-id CD000300
admin-c: KW5-AP
tech-c: LY76-AP
tech-c: CER-AP
remarks: origin AS4538
changed: hostmaster@net.edu.cn 20041105
mnt-by: MAINT-CERNET-AP
status: ASSIGNED NON-PORTABLE
source: APNIC
role: CERNET Helpdesk
address: Room 224, Main Building
address: Tsinghua University
address: Beijing 100084, China
country: CN
phone: +86-10-6278-4049
fax-no: +86-10-6278-5933
e-mail: cernet-helpdesk-ip@net.edu.cn
trouble: abuse@net.edu.cn
admin-c: XL1-CN
tech-c: SZ2-AP
nic-hdl: CER-AP
remarks: Point of Contact for admin-c
mnt-by: MAINT-CERNET-AP
changed: cernet-helpdesk-ip@net.edu.cn 20010903
source: APNIC
person: Kang Wang
address: Network Center
address: Chongqing University
address: Chongqing, Chongqing 400044, China
nic-hdl: KW5-AP
e-mail: wangk@cqu.edu.cn
phone: +86-23-65103121
fax-no: +86-23-65111500
changed: hostmaster@net.edu.cn 20041105
mnt-by: MAINT-CERNET-AP
source: APNIC
person: Ling Yu
address: Network Center
address: Chongqing University
address: Chongqing, Chongqing 400044, China
nic-hdl: LY76-AP
e-mail: yulin@cqu.edu.cn
phone: +86-23-65103121
fax-no: +86-23-65111500
changed: hostmaster@net.edu.cn 20041105
mnt-by: MAINT-CERNET-AP
source: APNIC
I haven't decided whether to e-mail their abuse address about the attempts or not.