February 2010
Annoying script kiddies and how to deal with them
A few days ago logcheck sent me the following mail:
That is to say, logcheck sends me a mail like this regularly. Normally I don't have to do anything about it, because a little later I got the following mail from denyhosts:
For once I didn't want to let it slide, so I wrote the following mail:
A few hours later this reply followed:
Well, there you go! Good riddance. :-)
By the way, does anyone have suggestions for automating this? Or is it not worth the effort?
Return-Path: <logcheck@amedee.be>
X-Original-To: logcheck
Delivered-To: logcheck@amedee.be
Received: by intrepid.amedee.be (Postfix, from userid 112)
    id CD18E5A094; Thu, 4 Feb 2010 15:02:03 +0100 (CET)
To: logcheck@amedee.be
Subject: localhost 2010-02-04 15:02 System Events
Message-Id: <20100204140203.CD18E5A094@intrepid.amedee.be>
Date: Thu, 4 Feb 2010 15:02:03 +0100 (CET)
From: logcheck@amedee.be (logcheck system account)

System Events
=-=-=-=-=-=-=
Feb 4 15:00:17 localhost sshd[22196]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.240.227.14 user=root
Feb 4 15:00:19 localhost sshd[22196]: Failed password for root from 117.240.227.14 port 50469 ssh2
Feb 4 15:00:23 localhost sshd[22198]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.240.227.14 user=root
Feb 4 15:00:24 localhost sshd[22198]: Failed password for root from 117.240.227.14 port 50730 ssh2
Feb 4 15:00:27 localhost sshd[22200]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.240.227.14 user=root
Feb 4 15:00:29 localhost sshd[22200]: Failed password for root from 117.240.227.14 port 51022 ssh2
Feb 4 15:00:32 localhost sshd[22202]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.240.227.14 user=root
Feb 4 15:00:34 localhost sshd[22202]: Failed password for root from 117.240.227.14 port 51278 ssh2
Feb 4 15:00:37 localhost sshd[22204]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.240.227.14 user=root
Feb 4 15:00:39 localhost sshd[22204]: Failed password for root from 117.240.227.14 port 51563 ssh2
Return-Path: <nobody@localhost>
X-Original-To: root@localhost
Delivered-To: root@localhost
Received: from localhost.localdomain (localhost [127.0.0.1])
    by intrepid.amedee.be (Postfix) with ESMTP id 550C25A093
    for <root@localhost>; Thu, 4 Feb 2010 15:00:37 +0100 (CET)
From: DenyHosts <nobody@localhost>
To: root@localhost
Subject: DenyHosts Report
Date: Thu, 04 Feb 2010 15:00:37 +0100
Message-Id: <20100204140037.550C25A093@intrepid.amedee.be>

Added the following hosts to /etc/hosts.deny:

117.240.227.14 (unknown)

----------------------------------------------------------------------
Received: from 188.40.34.110 (proxying for 127.0.0.1)
(SquirrelMail authenticated user amedee)
by amedee.be with HTTP;
Thu, 4 Feb 2010 16:18:29 +0100 (CET)
Message-ID: <88e710867a3f8a73d3efa3f6216db7ce.squirrel@amedee.be>
Date: Thu, 4 Feb 2010 16:18:29 +0100 (CET)
Subject: [Fwd: localhost 2010-02-04 15:02 System Events]
From: "Amedee Van Gasse" <amedee@vangasse.eu>
To: dnw_jtotech@bsnl.in,
dnwplg@sancharnet.in,
hm-changed@apnic.net,
hostmaster@sancharnet.in,
ip.admin@vsnl.co.in,
ip.nnoc@relianceada.com,
lokesh.aksh@gmail.com,
nib_jaipur@sancharnet.in,
vivekprabhakar64@gmail.com,
dns@jomax.net,
info@zenzeo.com
User-Agent: SquirrelMail/1.4.15
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-XheaderVersion: 1.1
X-UserAgent:
Hello,
Please stop with your cracking attempts. It is annoying.
Thank you.
Amedee.
----------
Added the following hosts to /etc/hosts.deny:
117.240.227.14 (unknown)
----------
$ whois 117.240.227.14
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 117.240.227.0 - 117.240.227.127
netname: Aksh
descr: Aksh Optifiber
descr: aksh optifiber
descr: epip sitapura
descr:
admin-c: LK105-AP
tech-c: LK126-AP
country: IN
admin-c: NIJ2-AP
admin-c: NC83-AP
tech-c: CDN1-AP
mnt-by: MAINT-IN-DOT
status: ASSIGNED NON-PORTABLE
changed: dnw_jtotech@bsnl.in 20100106
source: APNIC
route: 117.240.224.0/20
descr: BSNL Internet
country: IN
origin: AS9829
mnt-lower: MAINT-IN-DOT
mnt-routes: MAINT-IN-DOT
mnt-by: MAINT-IN-AS9829
changed: dnw_jtotech@bsnl.in 20070914
source: APNIC
route: 117.240.192.0/18
descr: BSNL Internet
country: IN
origin: AS9829
mnt-lower: MAINT-IN-DOT
mnt-routes: MAINT-IN-DOT
mnt-by: MAINT-IN-AS9829
changed: dnw_jtotech@bsnl.in 20071207
source: APNIC
route: 117.240.0.0/16
descr: BSNL Internet
country: IN
origin: AS9829
mnt-lower: MAINT-IN-DOT
mnt-routes: MAINT-IN-DOT
mnt-by: MAINT-IN-AS9829
changed: dnw_jtotech@bsnl.in 20071207
source: APNIC
role: NS Cell
address: Internet Cell
address: Bharat Sanchar Nigam Limited
address: 8th Floor,148-B Statesman House
address: Barakhamba Road, New Delhi - 110 001
country: IN
phone: +91-11-23734057
phone: +91-11-23710183
fax-no: +91-11-23734052
e-mail: hostmaster@sancharnet.in
admin-c: CGMD1-AP
tech-c: DT197-AP
nic-hdl: NC83-AP
mnt-by: MAINT-IN-DOT
changed: dnwplg@sancharnet.in 20030120
changed: hm-changed@apnic.net 20071227
source: APNIC
role: CGM Data Networks
address: CTS Compound
address: Netaji Nagar
address: New Delhi- 110 023
country: IN
phone: +91-11-24106782
phone: +91-11-24102119
fax-no: +91-11-26116783
fax-no: +91-11-26887888
e-mail: dnwplg@sancharnet.in
e-mail: hostmaster@sancharnet.in
admin-c: CGMD1-AP
tech-c: DT197-AP
tech-c: BH155-AP
nic-hdl: CDN1-AP
mnt-by: MAINT-IN-DOT
changed: dnwplg@sancharnet.in 20030120
changed: hm-changed@apnic.net 20071227
source: APNIC
person: Lokesh Khandelwal
nic-hdl: LK105-AP
address: aksh optifiber
address: epip sitapura
address:
phone: +91-141-2770738
fax-no: +91-141-2770738
country: IN
e-mail: lokesh.aksh@gmail.com
mnt-by: MAINT-IN-PER-DOT
changed: dnw_jtotech@bsnl.in 20100106
source: APNIC
person: Node Incharge JAIPUR
nic-hdl: NIJ2-AP
address: NIB JAIPUR
address: O/O PGMTD Jaipur
phone: +91-141-2361234
fax-no: +91-141-2370040
country: IN
e-mail: nib_jaipur@sancharnet.in
mnt-by: MAINT-IN-PER-DOT
changed: dnwplg@sancharnet.in 20030716
source: APNIC
person: Lokesh Khandelwal
nic-hdl: LK126-AP
address: aksh optifiber
address: epip sitapura
address:
phone: +91-141-2770738
fax-no: +91-141-2770738
country: IN
e-mail: lokesh.aksh@gmail.com
mnt-by: MAINT-IN-PER-DOT
changed: dnw_jtotech@bsnl.in 20100106
source: APNIC
route: 117.192.0.0/10
descr: BSNL-VSNL Route Object
origin: AS4755
mnt-by: MAINT-VSNL-IN
changed: ip.admin@vsnl.co.in 20070917
source: RADB
route: 117.192.0.0/10
descr: Reliance customer-BSNL
origin: AS9829
mnt-by: MAINT-AS18101
changed: ip.nnoc@relianceada.com 20071207 #06:04:30(UTC)
source: RADB
----------
$ nmap -A -T4 117.240.227.14
Starting Nmap 4.62 ( http://nmap.org ) at 2010-02-04 15:44 CET
Interesting ports on 117.240.227.14:
Not shown: 1700 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
25/tcp open smtp qmail smtpd
80/tcp open http Apache httpd 2.0.52 ((Red Hat))
106/tcp open tcpwrapped
110/tcp open pop3 qmail pop3d
111/tcp open rpcbind
113/tcp open ident authd
143/tcp open imap Courier Imapd (released 2005)
443/tcp open ssl/http Apache httpd 2.0.52 ((Red Hat))
866/tcp filtered unknown
993/tcp open ssl/imap Courier Imapd (released 2005)
1827/tcp filtered pcm
3306/tcp open mysql MySQL 4.1.12
5900/tcp open vnc VNC (protocol 3.7)
10000/tcp open http Webmin httpd
Service Info: Host: mail.zonzeo.com; OS: Unix
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.613 seconds
----------
$ nslookup mail.zonzeo.com
Server: 213.133.98.98
Address: 213.133.98.98#53
Non-authoritative answer:
Name: mail.zonzeo.com
Address: 117.240.227.14
----------
$ whois zonzeo.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: ZONZEO.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS25.DOMAINCONTROL.COM
Name Server: NS26.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 12-jan-2010
Creation Date: 04-mar-2009
Expiration Date: 04-mar-2019
>>> Last update of whois database: Thu, 04 Feb 2010 15:05:31 UTC <<<
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.The data contained in GoDaddy.com, Inc.'s WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without
the prior written permission of GoDaddy.com, Inc. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.
Please note: the registrant of the domain name is specified
in the "registrant" field. In most cases, GoDaddy.com, Inc.
is not the registrant of domain names listed in this database.
Registrant:
new era mart pvt ltd
s no 54 goverdhan colony
new sanganer road,sodala
jaipur, Rajasthan 302019
India
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: ZONZEO.COM
Created on: 04-Mar-09
Expires on: 04-Mar-19
Last Updated on: 12-Jan-10
Administrative Contact:
prabhakar, vivek vivekprabhakar64@gmail.com
new era mart pvt ltd
s no 54 goverdhan colony
new sanganer road,sodala
jaipur, Rajasthan 302019
India
+91.9351006001 Fax --
Technical Contact:
prabhakar, vivek vivekprabhakar64@gmail.com
new era mart pvt ltd
s no 54 goverdhan colony
new sanganer road,sodala
jaipur, Rajasthan 302019
India
+91.9351006001 Fax --
Domain servers in listed order:
NS25.DOMAINCONTROL.COM
NS26.DOMAINCONTROL.COM
---------------------------- Original Message ----------------------------
Subject: localhost 2010-02-04 15:02 System Events
From: "logcheck system account" <logcheck@amedee.be>
Date: Thu, February 4, 2010 15:02
To: logcheck@amedee.be
--------------------------------------------------------------------------
System Events
=-=-=-=-=-=-=
Feb 4 15:00:17 localhost sshd[22196]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.240.227.14
user=root
Feb 4 15:00:19 localhost sshd[22196]: Failed password for root from
117.240.227.14 port 50469 ssh2
Feb 4 15:00:23 localhost sshd[22198]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.240.227.14
user=root
Feb 4 15:00:24 localhost sshd[22198]: Failed password for root from
117.240.227.14 port 50730 ssh2
Feb 4 15:00:27 localhost sshd[22200]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.240.227.14
user=root
Feb 4 15:00:29 localhost sshd[22200]: Failed password for root from
117.240.227.14 port 51022 ssh2
Feb 4 15:00:32 localhost sshd[22202]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.240.227.14
user=root
Feb 4 15:00:34 localhost sshd[22202]: Failed password for root from
117.240.227.14 port 51278 ssh2
Feb 4 15:00:37 localhost sshd[22204]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.240.227.14
user=root
Feb 4 15:00:39 localhost sshd[22204]: Failed password for root from
117.240.227.14 port 51563 ssh2

Return-Path: <lokesh.aksh@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on intrepid.amedee.be
X-Spam-Level: ***
X-Spam-Status: No, score=3.3 required=5.0 tests=RCVD_IN_BL_SPAMCOP_NET,
    RCVD_IN_SORBS_WEB,SPF_PASS autolearn=no version=3.2.5
X-Original-To: amedee@vangasse.eu
Delivered-To: amedee@amedee.be
X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5
    CL_IP_EQ_HELO_IP=-2 (check from: .gmail. - helo: .mail-yx0-f196.google. - helo-domain: .google.)
    FROM/MX_MATCHES_HELO(DOMAIN)=-2 IN_PM_RFCI=0.1; rate: -8.4
Received: from mail-yx0-f196.google.com (mail-yx0-f196.google.com [209.85.210.196])
    by intrepid.amedee.be (Postfix) with ESMTP id 7E5D75A094
    for <amedee@vangasse.eu>; Fri, 5 Feb 2010 10:37:17 +0100 (CET)
Received: by yxe34 with SMTP id 34so4200638yxe.16
    for <amedee@vangasse.eu>; Fri, 05 Feb 2010 01:37:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
    h=domainkey-signature:received:received:from:to:references
    :in-reply-to:subject:date:message-id:mime-version:content-type
    :content-transfer-encoding:x-mailer:thread-index:content-language;
    bh=HceH/rOcmc5gBg6nW0mcaDclFGaU4v6cD6wxeG5W3EE=;
    b=N24nABkmOQi4I3sdgnUCMlhkFwA4TTbDqHeloMWDh9r/t/SuPoXlutRmyQURw0GexI
    BGvkIS6NL4AVO1VWKb2OKPdtC12NQh8nrQxtU9vf2f6zn5yintjZrZ3+hyhjhezd2O2U
    sFYRCwNhuaRGrLl//8uiZMMSaA6hsse/7icmg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
    h=from:to:references:in-reply-to:subject:date:message-id:mime-version
    :content-type:content-transfer-encoding:x-mailer:thread-index
    :content-language;
    b=Z7LUjh2oVWMqCFUCmi5X3rFObDC4yKm35n1x3PR0rJ23Bv9rEw6qXwbymmwdgx4R2P
    tIw/kOZ8bLQpUyMLa+f+WJNOEnA8k50kB++lZKnmlE6F7Kgxliv0NEhyGVh1Tkm2EsAW
    WJYM4ws2BVnKUWr/CT6u2kDGRJVgWrf+LOuqQ=
Received: by 10.101.197.6 with SMTP id z6mr3329320anp.102.1265362636468;
    Fri, 05 Feb 2010 01:37:16 -0800 (PST)
Received: from LokeshKhandelwa ([117.240.252.11])
    by mx.google.com with ESMTPS id 22sm370991yxe.57.2010.02.05.01.37.10
    (version=TLSv1/SSLv3 cipher=RC4-MD5);
    Fri, 05 Feb 2010 01:37:15 -0800 (PST)
From: "Lokesh" <lokesh.aksh@gmail.com>
To: "'Amedee Van Gasse'" <amedee@vangasse.eu>,
    <dnw_jtotech@bsnl.in>,
    <dnwplg@sancharnet.in>,
    <hm-changed@apnic.net>,
    <hostmaster@sancharnet.in>,
    <ip.admin@vsnl.co.in>,
    <ip.nnoc@relianceada.com>,
    <nib_jaipur@sancharnet.in>,
    <vivekprabhakar64@gmail.com>,
    <dns@jomax.net>,
    <info@zenzeo.com>
References: <88e710867a3f8a73d3efa3f6216db7ce.squirrel@amedee.be>
In-Reply-To: <88e710867a3f8a73d3efa3f6216db7ce.squirrel@amedee.be>
Subject: RE: [Fwd: localhost 2010-02-04 15:02 System Events]
Date: Fri, 5 Feb 2010 15:07:13 +0530
Message-ID: <4b6be6cb.1602be0a.6714.2a5b@mx.google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcqlrVD6A6v7/4JpTkqWzOHoYHvkMwAmXJcg
Content-Language: en-us

Hope problem is now resolved.

With regards
Lokesh
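To the question at the top of the post about automating this: the script below is an added example (mine, not the author's setup and not code from logcheck or denyhosts) that does the logcheck, whois and mail steps of the post in Python, offline. Everything in it is constructed: the log lines and the whois object use RFC 5737 documentation addresses, the sender address is a placeholder, and the function and variable names are my own. It counts "Failed password" lines per source the way denyhosts does, pulls contacts out of RPSL-style whois text, and drafts the complaint. It deliberately ignores `changed:` attributes, which name whoever last edited a whois object rather than a contact for the network (several of the addresses on the post's To: line come from such fields), and it prefers an `abuse-mailbox:` attribute when a registry publishes one.

```python
"""Draft an SSH brute-force abuse report from auth.log lines and whois output.

Added example, not the author's setup: it does offline what the post does by
hand (logcheck -> whois -> mail). The log lines and whois text at the bottom
are constructed, modelled on the ones quoted in the post.
"""
import re
from collections import defaultdict

# OpenSSH "Failed password" line as it appears in auth.log (syslog prefix first).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Registry attributes worth mailing. "changed:" is deliberately left out: it
# names whoever last edited the object, not a contact for the network.
CONTACT_ATTRS = ("abuse-mailbox", "e-mail")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def failed_logins(lines, threshold=5):
    """Return {ip: [matching lines]} for sources with >= threshold failures."""
    # Same counting idea as denyhosts: a single typo by a real user stays out.
    by_ip = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            by_ip[m.group("ip")].append(line.strip())
    return {ip: hits for ip, hits in by_ip.items() if len(hits) >= threshold}


def abuse_contacts(whois_text):
    """Pick addresses out of RPSL-style whois output (APNIC, RIPE, RADB).

    abuse-mailbox: wins where the registry publishes one; otherwise every
    e-mail: attribute is used. De-duplicated, case-folded, order preserved.
    """
    found = {attr: [] for attr in CONTACT_ATTRS}
    for line in whois_text.splitlines():
        attr, sep, value = line.partition(":")
        attr = attr.strip().lower()
        if sep and attr in found:
            for addr in EMAIL_RE.findall(value):
                if addr.lower() not in found[attr]:
                    found[attr].append(addr.lower())
    return found["abuse-mailbox"] or found["e-mail"]


def draft_report(ip, lines, contacts, sender="postmaster@example.invalid"):
    """Build the complaint as plain text; sending it is left to the caller."""
    return (
        f"From: {sender}\n"
        f"To: {', '.join(contacts)}\n"
        f"Subject: SSH brute-force attempts from {ip}\n\n"
        f"Hello,\n\nThe host {ip} in your network made {len(lines)} failed SSH "
        "login attempts against our server. Log excerpt (server local time):\n\n"
        + "\n".join(lines) + "\n\nPlease investigate.\n"
    )


# Constructed sample input (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Feb  4 15:00:17 localhost sshd[22196]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.14  user=root
Feb  4 15:00:19 localhost sshd[22196]: Failed password for root from 198.51.100.14 port 50469 ssh2
Feb  4 15:00:24 localhost sshd[22198]: Failed password for root from 198.51.100.14 port 50730 ssh2
Feb  4 15:00:29 localhost sshd[22200]: Failed password for root from 198.51.100.14 port 51022 ssh2
Feb  4 15:00:34 localhost sshd[22202]: Failed password for root from 198.51.100.14 port 51278 ssh2
Feb  4 15:00:39 localhost sshd[22204]: Failed password for root from 198.51.100.14 port 51563 ssh2
Feb  4 15:01:02 localhost sshd[22210]: Failed password for invalid user test from 203.0.113.7 port 40011 ssh2
Feb  4 15:02:11 localhost sshd[22212]: Accepted publickey for amedee from 192.0.2.9 port 51000 ssh2
""".splitlines()

SAMPLE_WHOIS = """\
inetnum:      198.51.100.0 - 198.51.100.127
netname:      EXAMPLE-NET
changed:      maintainer@example.net 20100106
source:       APNIC

person:       Example Admin
e-mail:       noc@example.net
e-mail:       NOC@example.net
changed:      maintainer@example.net 20100106
source:       APNIC
"""

if __name__ == "__main__":
    for ip, hits in failed_logins(SAMPLE_LOG).items():
        print(draft_report(ip, hits, abuse_contacts(SAMPLE_WHOIS)))
```

Run as a script it prints one draft per source over the threshold. To make it live, feed it the lines denyhosts or logcheck already report, replace SAMPLE_WHOIS with the output of `whois <ip>` (for example `subprocess.run(["whois", ip], capture_output=True, text=True).stdout`) and hand the draft to sendmail. Keep a person in the loop before anything is sent: whois contacts go stale, and the reply in this post came from a contact listed on the inetnum object, not from the domain registrant.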
