Thread: SSH Hacker Activity!! AAHHH!!

  1. #1
    UT2004 Addict Kleid-0's Avatar
    Join Date
    Dec 2004
    Posts
    656

    SSH Hacker Activity!! AAHHH!!

    Look at this fool!:
    Code:
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     -
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     -
    tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN     -
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     -
    tcp        0      0 69.29.250.67:22         66.128.33.38:40417      TIME_WAIT  -
    tcp        0      0 69.29.250.67:22         66.128.33.38:40553      TIME_WAIT  -
    tcp        0      0 69.29.250.67:22         66.128.33.38:40872      TIME_WAIT  -
    tcp        0      0 69.29.250.67:22         66.128.33.38:40370      TIME_WAIT  -
    tcp        0      0 69.29.250.67:22         66.128.33.38:40689      TIME_WAIT  -
    tcp        0      0 69.29.250.67:22         66.128.33.38:40823      TIME_WAIT  -
    tcp        0      0 69.29.250.67:22         66.128.33.38:40506      TIME_WAIT  -
    tcp        0      0 69.29.250.67:22         66.128.33.38:40642      TIME_WAIT  -
    tcp        0      0 69.29.250.67:22         66.128.33.38:40779      TIME_WAIT  -
    tcp        0      0 69.29.250.67:22         66.128.33.38:40461      TIME_WAIT  -
    tcp        0      0 69.29.250.67:22         66.128.33.38:40592      TIME_WAIT  -
    tcp        1      1 69.29.250.67:22         66.128.33.38:40919      CLOSING    -
    tcp        0      0 69.29.250.67:22         66.128.33.38:40733      TIME_WAIT  -
    He was sending large amounts of data, it was way outta line. At first I was like, "Port 22, SSL, logging into my system...sending large amounts of data as quickly as possible...hmmm". Then I checked his website to check out his personality:
    Not Cool
    That isn't too cool, he's Spanish too, that means if he takes over my system, then I won't be able to talk to him! "Hey buddy, try not to delete the pr0n files" ya know!?

    So has anyone else felt like they're being taken over by Spanish hackers?

  2. #2
    UT2004 Addict Kleid-0's Avatar
    Join Date
    Dec 2004
    Posts
    656
    He's from the Caribbean!!, search up: 66.128.33.38. Those Caribbean hackers! Darn them! I think I should report that guy, whoever he was, I wonder if I sent an abuse email, and the administrator would even understand!

    "I RECEivED packets through SSL port 22, uuhh, could you call him up and tell him he's being a bad person!?" I can just see them, laughing at my face! :(

    EDIT---------------------

    HAHAHAHAHHAHA, THIS GUY IS AWESOME
    Code:
    Jan 16 20:43:42 Shiva sshd[32399]: Illegal user jordan from 66.128.33.38
    Jan 16 20:43:46 Shiva sshd[32401]: Illegal user michael from 66.128.33.38
    Jan 16 20:43:50 Shiva sshd[32403]: Illegal user nicole from 66.128.33.38
    Jan 16 20:43:54 Shiva sshd[32405]: Illegal user daniel from 66.128.33.38
    Jan 16 20:43:58 Shiva sshd[32407]: Illegal user andrew from 66.128.33.38
    Jan 16 20:44:03 Shiva sshd[32409]: Illegal user magic from 66.128.33.38
    Jan 16 20:44:07 Shiva sshd[32411]: Illegal user lion from 66.128.33.38
    Jan 16 20:44:11 Shiva sshd[32413]: Illegal user david from 66.128.33.38
    Jan 16 20:44:16 Shiva sshd[32415]: Illegal user jason from 66.128.33.38
    Jan 16 20:44:20 Shiva sshd[32417]: Illegal user carmen from 66.128.33.38
    Jan 16 20:44:24 Shiva sshd[32419]: Illegal user justin from 66.128.33.38
    Jan 16 20:44:29 Shiva sshd[32421]: Illegal user charlie from 66.128.33.38
    Jan 16 20:44:33 Shiva sshd[32423]: Illegal user steven from 66.128.33.38
    Jan 16 20:44:38 Shiva sshd[32425]: Illegal user brandon from 66.128.33.38
    Jan 16 20:44:42 Shiva sshd[32427]: Illegal user brian from 66.128.33.38
    Jan 16 20:44:47 Shiva sshd[32429]: Illegal user stephen from 66.128.33.38
    Jan 16 20:44:51 Shiva sshd[32431]: Illegal user william from 66.128.33.38
    Jan 16 20:44:56 Shiva sshd[32433]: Illegal user angel from 66.128.33.38
    Jan 16 20:45:00 Shiva sshd[32435]: Illegal user emily from 66.128.33.38
    Jan 16 20:45:05 Shiva sshd[32445]: Illegal user eric from 66.128.33.38
    Jan 16 20:45:09 Shiva sshd[32447]: Illegal user joe from 66.128.33.38
    Jan 16 20:45:14 Shiva sshd[32450]: Illegal user tom from 66.128.33.38
    Jan 16 20:45:18 Shiva sshd[32452]: Illegal user billy from 66.128.33.38
    Jan 16 20:45:23 Shiva sshd[32454]: Illegal user buddy from 66.128.33.38
    Jan 16 20:45:27 Shiva sshd[32457]: Illegal user jeremy from 66.128.33.38
    Jan 16 20:45:32 Shiva sshd[32460]: Illegal user vampire from 66.128.33.38
    Jan 16 20:45:36 Shiva sshd[32462]: Illegal user betty from 66.128.33.38
    Jan 16 20:45:41 Shiva sshd[32465]: Illegal user max from 66.128.33.38
    Jan 16 20:45:46 Shiva sshd[32467]: Illegal user nicholas from 66.128.33.38
    Jan 16 20:45:50 Shiva sshd[32469]: Illegal user robin from 66.128.33.38
    Jan 16 20:45:55 Shiva sshd[32471]: Illegal user johnny from 66.128.33.38
    Jan 16 20:46:00 Shiva sshd[32473]: Illegal user lucy from 66.128.33.38
    Jan 16 20:46:04 Shiva sshd[32475]: Illegal user maria from 66.128.33.38
    Jan 16 20:46:09 Shiva sshd[32477]: Illegal user rose from 66.128.33.38
    Jan 16 20:46:19 Shiva sshd[32481]: Illegal user god from 66.128.33.38
    Jan 16 20:46:24 Shiva sshd[32483]: Illegal user barbara from 66.128.33.38
    Jan 16 20:46:28 Shiva sshd[32486]: Illegal user larisa from 66.128.33.38
    Jan 16 20:46:33 Shiva sshd[32489]: Illegal user jane from 66.128.33.38
    Jan 16 20:46:38 Shiva sshd[32491]: Illegal user dog from 66.128.33.38
    Jan 16 20:46:43 Shiva sshd[32493]: Illegal user sparc from 66.128.33.38
    Jan 16 20:46:47 Shiva sshd[32495]: Illegal user credit from 66.128.33.38
    Jan 16 20:46:52 Shiva sshd[32497]: Illegal user info from 66.128.33.38
    Jan 16 20:46:57 Shiva sshd[32499]: Illegal user manager from 66.128.33.38
    Jan 16 20:47:02 Shiva sshd[32507]: Illegal user horse from 66.128.33.38
    Jan 16 20:47:07 Shiva sshd[32509]: Illegal user nokia from 66.128.33.3
    Last edited by Kleid-0; 01-16-2005 at 11:26 PM.
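
The log above shows one source cycling through usernames every few seconds. As an added example (not part of the original post), this sketch flags any source that tries many distinct unknown usernames inside a short window; the thresholds, function names and sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Illegal user" is the wording in the thread's log; newer OpenSSH writes "Invalid user".
PATTERN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

def parse(line):
    """Return (timestamp, user, source_ip) for a rejected-username line, else None."""
    m = PATTERN.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; pin a leap year so "Feb 29" still parses.
    ts = datetime.strptime("2004 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def guessing_sources(lines, min_users=5, window=timedelta(minutes=2)):
    """Map source IP -> most distinct unknown usernames tried inside any one window."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[rec[2]].append((rec[0], rec[1]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = best = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({user for _, user in evs[start:end + 1]}))
        if best >= min_users:
            flagged[ip] = best
    return flagged

# Constructed sample (documentation-range addresses, hypothetical host name).
SAMPLE = """\
Jan 16 20:43:42 host sshd[101]: Illegal user jordan from 203.0.113.7
Jan 16 20:43:46 host sshd[103]: Illegal user michael from 203.0.113.7
Jan 16 20:43:50 host sshd[105]: Illegal user nicole from 203.0.113.7
Jan 16 20:43:54 host sshd[107]: Illegal user daniel from 203.0.113.7
Jan 16 20:43:58 host sshd[109]: Invalid user andrew from 203.0.113.7
Jan 16 20:44:03 host sshd[111]: Illegal user magic from 203.0.113.7
Jan 16 20:50:10 host sshd[120]: Illegal user alcie from 198.51.100.20
Jan 16 20:51:00 host sshd[121]: Accepted password for alice from 198.51.100.20 port 50022 ssh2
""".splitlines()

if __name__ == "__main__":
    print(guessing_sources(SAMPLE))
```

The single mistyped login from the second address stays below the threshold, so only the source cycling through names is reported.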

  3. #3
    Redundantly Redundant RoD's Avatar
    Join Date
    Sep 2002
    Location
    Missouri
    Posts
    6,331
    I'd be surprised if that person is in the Carr. It's more likely that they are bouncing off of a bunch of non-local servers. It's probably a script kiddie, so long as you're not allowing any access through unsecured ports you should be fine.

  4. #4
    Registered /usr
    Join Date
    Aug 2001
    Location
    Newport, South Wales, UK
    Posts
    1,273
    Does anyone seriously use their forename as a uid?!? Okay, give a Linux newbie the choice and they may well opt for that (assuming that they understand not to use root all the time), but certainly a business server (i.e. something worth hacking) would not use anything like that form.

    Although I have to admit my Windows username is "nokia"...

  5. #5
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    > Jan 16 20:46:19 Shiva sshd[32481]: Illegal user god from 66.128.33.38
    Huh-oh, they're onto me

    > could you call him up and tell him he's being a bad person!?"
    Forward your logs to [email protected] and [email protected]

    Or find out how to do this locally on your machine
    http://labrea.sourceforge.net/labrea-info.html
    That should slow them down
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  6. #6
    Registered User axon's Avatar
    Join Date
    Feb 2003
    Posts
    2,572
    hey Kleid-o, look into honeynets, you could have some fun with that guy

    some entropy with that sink? entropysink.com

    there are two cardinal sins from which all others spring: Impatience and Laziness. - franz kafka

  7. #7
    UT2004 Addict Kleid-0's Avatar
    Join Date
    Dec 2004
    Posts
    656
    Quote Originally Posted by axon
    hey Kleid-o, look into honeynets, you could have some fun with that guy
    If I exposed my computer any further, I'd be inside out!

  8. #8
    Just one more wrong move. -KEN-'s Avatar
    Join Date
    Aug 2001
    Posts
    3,227
    There used to be some annoying Spanish script kiddie who used to constantly try to get into my computer. I got him booted off of his ISP once, but I caught him a week or so later back at it from a new ISP. I tried emailing that ISP too, but it never worked. He stopped sooner or later, but it was clogging up my logs like crazy.

    >>Does anyone seriously use their forename as a uid?!?

    Me, but then again, look at my forum name. I'm not afraid of an evil hacker breaking into my OSX or Linux boxes, because the passwords are pretty good on each.

  9. #9
    Me -=SoKrA=-'s Avatar
    Join Date
    Oct 2002
    Location
    Europe
    Posts
    448
    >>Does anyone seriously use their forename as a uid?!?
    I do. But my Linux boxen are behind a NAT.
    Of course, the NAT runs 'that other os', so the point is mainly invalid, but my dad hasn't been able to get the modem to respond properly with Linux.
    EDIT: Damn! Where's my head? NAT OS changed.
    SoKrA-BTS "Judge not the program I made, but the one I've yet to code"
    I say what I say, I mean what I mean.
    IDE: emacs + make + gcc and proud of it.

  10. #10
    S Sang-drax's Avatar
    Join Date
    May 2002
    Location
    Göteborg, Sweden
    Posts
    2,072
    Quote Originally Posted by SMurf
    Does anyone seriously use their forename as a uid?!?
    Yes.
    But the password is 20+ non-alphanumeric characters.
    I don't think it's a problem to use easily guessable user names.
    Last edited by Sang-drax : Tomorrow at 02:21 AM. Reason: Time travelling

  11. #11
    >>I'm not afraid of an evil hacker breaking into my OSX or Linux boxes, because the passwords are pretty good on each.<<

    who told you "Iliekboiz" is a good password?

    DrakkenKorin

    Get off my Intarweb!!!!

  12. #12
    Just one more wrong move. -KEN-'s Avatar
    Join Date
    Aug 2001
    Posts
    3,227
    Quote Originally Posted by DrakkenKorin
    >>I'm not afraid of an evil hacker breaking into my OSX or Linux boxes, because the passwords are pretty good on each.<<

    who told you "Iliekboiz" is a good password?

    Well it's a mix of capitalization and non-dictionary words, isn't it?

  13. #13
    yes, but you forgot the numeric character and the special character.

    you should change it to "1liekbo!z"
    DrakkenKorin

    Get off my Intarweb!!!!

  14. #14
    Registered User
    Join Date
    Aug 2003
    Posts
    1,218
    Why not use 1773 |-|4><><0|2 code

  15. #15
    Registered User
    Join Date
    Mar 2005
    Posts
    1

    Worm

    I think what you are seeing here is a worm. I've spent the past few weeks adding information together. I've seen roughly 23 servers with the exact same logs coming from around the world. I recently talked to a gentleman in Boston from a legit business and it turns out his computer was compromised. As long as you are seeing the messages in the secure log, you're ok. (I know it's an uneasy feeling)
