C Board  

Old 01-16-2005, 11:01 PM   #1
UT2004 Addict
 
Kleid-0's Avatar
 
Join Date: Dec 2004
Posts: 645
SSH Hacker Activity!! AAHHH!!

Look at this fool!:
Code:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     -
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN     -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     -
tcp        0      0 69.29.250.67:22         66.128.33.38:40417      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40553      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40872      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40370      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40689      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40823      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40506      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40642      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40779      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40461      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40592      TIME_WAIT  -
tcp        1      1 69.29.250.67:22         66.128.33.38:40919      CLOSING    -
tcp        0      0 69.29.250.67:22         66.128.33.38:40733      TIME_WAIT  -
He was sending large amounts of data, it was way outta line. At first I was like, "Port 22, SSL, logging into my system...sending large amounts of data as quickly as possible...hmmm". Then I checked his website to check out his personality:
Not Cool
That isn't too cool, he's Spanish too, that means if he takes over my system, then I won't be able to talk to him! "Hey buddy, try not to delete the pr0n files" ya know!?

So has anyone else felt like they're being taken over by Spanish hackers?
Kleid-0 is offline  
Old 01-16-2005, 11:05 PM   #2
UT2004 Addict
 
Kleid-0's Avatar
 
Join Date: Dec 2004
Posts: 645
He's from the Caribbean!!, search up: 66.128.33.38. Those Caribbean hackers! Darn them! I think I should report that guy, whoever he was, I wonder if I sent an abuse email, and the administrator would even understand!

"I RECEivED packets through SSL port 22, uuhh, could you call him up and tell him he's being a bad person!?" I can just see them, laughing at my face! :(

EDIT---------------------

HAHAHAHAHHAHA, THIS GUY IS AWESOME
Code:
Jan 16 20:43:42 Shiva sshd[32399]: Illegal user jordan from 66.128.33.38
Jan 16 20:43:46 Shiva sshd[32401]: Illegal user michael from 66.128.33.38
Jan 16 20:43:50 Shiva sshd[32403]: Illegal user nicole from 66.128.33.38
Jan 16 20:43:54 Shiva sshd[32405]: Illegal user daniel from 66.128.33.38
Jan 16 20:43:58 Shiva sshd[32407]: Illegal user andrew from 66.128.33.38
Jan 16 20:44:03 Shiva sshd[32409]: Illegal user magic from 66.128.33.38
Jan 16 20:44:07 Shiva sshd[32411]: Illegal user lion from 66.128.33.38
Jan 16 20:44:11 Shiva sshd[32413]: Illegal user david from 66.128.33.38
Jan 16 20:44:16 Shiva sshd[32415]: Illegal user jason from 66.128.33.38
Jan 16 20:44:20 Shiva sshd[32417]: Illegal user carmen from 66.128.33.38
Jan 16 20:44:24 Shiva sshd[32419]: Illegal user justin from 66.128.33.38
Jan 16 20:44:29 Shiva sshd[32421]: Illegal user charlie from 66.128.33.38
Jan 16 20:44:33 Shiva sshd[32423]: Illegal user steven from 66.128.33.38
Jan 16 20:44:38 Shiva sshd[32425]: Illegal user brandon from 66.128.33.38
Jan 16 20:44:42 Shiva sshd[32427]: Illegal user brian from 66.128.33.38
Jan 16 20:44:47 Shiva sshd[32429]: Illegal user stephen from 66.128.33.38
Jan 16 20:44:51 Shiva sshd[32431]: Illegal user william from 66.128.33.38
Jan 16 20:44:56 Shiva sshd[32433]: Illegal user angel from 66.128.33.38
Jan 16 20:45:00 Shiva sshd[32435]: Illegal user emily from 66.128.33.38
Jan 16 20:45:05 Shiva sshd[32445]: Illegal user eric from 66.128.33.38
Jan 16 20:45:09 Shiva sshd[32447]: Illegal user joe from 66.128.33.38
Jan 16 20:45:14 Shiva sshd[32450]: Illegal user tom from 66.128.33.38
Jan 16 20:45:18 Shiva sshd[32452]: Illegal user billy from 66.128.33.38
Jan 16 20:45:23 Shiva sshd[32454]: Illegal user buddy from 66.128.33.38
Jan 16 20:45:27 Shiva sshd[32457]: Illegal user jeremy from 66.128.33.38
Jan 16 20:45:32 Shiva sshd[32460]: Illegal user vampire from 66.128.33.38
Jan 16 20:45:36 Shiva sshd[32462]: Illegal user betty from 66.128.33.38
Jan 16 20:45:41 Shiva sshd[32465]: Illegal user max from 66.128.33.38
Jan 16 20:45:46 Shiva sshd[32467]: Illegal user nicholas from 66.128.33.38
Jan 16 20:45:50 Shiva sshd[32469]: Illegal user robin from 66.128.33.38
Jan 16 20:45:55 Shiva sshd[32471]: Illegal user johnny from 66.128.33.38
Jan 16 20:46:00 Shiva sshd[32473]: Illegal user lucy from 66.128.33.38
Jan 16 20:46:04 Shiva sshd[32475]: Illegal user maria from 66.128.33.38
Jan 16 20:46:09 Shiva sshd[32477]: Illegal user rose from 66.128.33.38
Jan 16 20:46:19 Shiva sshd[32481]: Illegal user god from 66.128.33.38
Jan 16 20:46:24 Shiva sshd[32483]: Illegal user barbara from 66.128.33.38
Jan 16 20:46:28 Shiva sshd[32486]: Illegal user larisa from 66.128.33.38
Jan 16 20:46:33 Shiva sshd[32489]: Illegal user jane from 66.128.33.38
Jan 16 20:46:38 Shiva sshd[32491]: Illegal user dog from 66.128.33.38
Jan 16 20:46:43 Shiva sshd[32493]: Illegal user sparc from 66.128.33.38
Jan 16 20:46:47 Shiva sshd[32495]: Illegal user credit from 66.128.33.38
Jan 16 20:46:52 Shiva sshd[32497]: Illegal user info from 66.128.33.38
Jan 16 20:46:57 Shiva sshd[32499]: Illegal user manager from 66.128.33.38
Jan 16 20:47:02 Shiva sshd[32507]: Illegal user horse from 66.128.33.38
Jan 16 20:47:07 Shiva sshd[32509]: Illegal user nokia from 66.128.33.3

Last edited by Kleid-0; 01-16-2005 at 11:26 PM.
Kleid-0 is offline  
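Added example, not part of the original thread: one way to turn the sshd log in the post above into a detection, by flagging any source that tries many different unknown usernames in a short window. The thresholds (`min_users`, `window`), the function names and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Illegal user" is the wording in the thread's log; newer OpenSSH releases
# log "Invalid user" (optionally followed by "port N"), so both are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)

# First six lines are copied from the post above; the last two are constructed
# (192.0.2.10 is a documentation address) to show a one-off typo by a real user.
SAMPLE = """\
Jan 16 20:43:42 Shiva sshd[32399]: Illegal user jordan from 66.128.33.38
Jan 16 20:43:46 Shiva sshd[32401]: Illegal user michael from 66.128.33.38
Jan 16 20:43:50 Shiva sshd[32403]: Illegal user nicole from 66.128.33.38
Jan 16 20:43:54 Shiva sshd[32405]: Illegal user daniel from 66.128.33.38
Jan 16 20:43:58 Shiva sshd[32407]: Illegal user andrew from 66.128.33.38
Jan 16 20:44:03 Shiva sshd[32409]: Illegal user magic from 66.128.33.38
Jan 16 21:10:05 Shiva sshd[32600]: Invalid user alcie from 192.0.2.10 port 50022
Jan 16 21:10:30 Shiva sshd[32602]: Accepted password for alice from 192.0.2.10 port 50031 ssh2
""".splitlines()

def parse(lines, year=2005):
    """Yield (timestamp, user, source_ip) for each unknown-user line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_guessers(lines, min_users=5, window=timedelta(minutes=2)):
    """Map source IP -> distinct unknown users, for sources over the threshold."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged[ip] = len({u for _, u in events})
                break
    return flagged
```

Counting distinct usernames rather than raw failures keeps a legitimate user who mistypes a login once from being flagged alongside the dictionary run.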
Old 01-17-2005, 12:04 AM   #3
RoD
Banned
 
RoD's Avatar
 
Join Date: Sep 2002
Posts: 6,334
I'd be surprised if that person is in the Carr. It's more likely that they are bouncing off of a bunch of non-local servers. It's probably a script kiddie, so long as you're not allowing any access through unsecured ports you should be fine.
RoD is offline  
Old 01-17-2005, 03:43 AM   #4
Registered User
 
Join Date: Aug 2001
Location: Newport, South Wales, UK
Posts: 1,094
Does anyone seriously use their forename as a uid?!? Okay, give a Linux newbie the choice and they may well opt for that (assuming that they understand not to use root all the time), but certainly a business server (i.e. something worth hacking) would not use anything like that form.

Although I have to admit my Windows username is "nokia"...
SMurf is offline  
Old 01-17-2005, 08:10 AM   #5
and the hat of vanishing
 
Salem's Avatar
 
Join Date: Aug 2001
Location: The edge of the known universe
Posts: 21,214
> Jan 16 20:46:19 Shiva sshd[32481]: Illegal user god from 66.128.33.38
Huh-oh, they're onto me

> could you call him up and tell him he's being a bad person!?"
Forward your logs to postmaster@loserisp.com and abuse@loserisp.com

Or find out how to do this locally on your machine
http://labrea.sourceforge.net/labrea-info.html
That should slow them down
__________________
If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
Salem is offline  
Old 01-17-2005, 10:04 AM   #6
Registered User
 
axon's Avatar
 
Join Date: Feb 2003
Location: Mt. Prospect, IL
Posts: 2,602
hey Kleid-o, look into honeynets, you could have some fun with that guy
__________________

some entropy with that sink? entropysink.com

there are two cardinal sins from which all others spring: Impatience and Laziness. - franz kafka
axon is offline  
Old 01-17-2005, 10:26 AM   #7
UT2004 Addict
 
Kleid-0's Avatar
 
Join Date: Dec 2004
Posts: 645
Quote:
Originally Posted by axon
hey Kleid-o, look into honeynets, you could have some fun with that guy
If I exposed my computer any further, I'd be inside out!
Kleid-0 is offline  
Old 01-17-2005, 11:45 AM   #8
Just one more wrong move.
 
-KEN-'s Avatar
 
Join Date: Aug 2001
Posts: 3,232
There used to be some annoying Spanish script kiddie who used to constantly try to get into my computer. I got him booted off of his ISP once, but I caught him a week or so later back at it from a new ISP. I tried emailing that ISP too, but it never worked. He stopped sooner or later, but it was clogging up my logs like crazy.

>>Does anyone seriously use their forename as a uid?!?

Me, but then again, look at my forum name. I'm not afraid of an evil hacker breaking into my OSX or Linux boxes, because the passwords are pretty good on each.
__________________
Gays can't love like real people

entropysink.com -- because arses weren't designed for running websites.
-KEN- is offline  
Old 01-18-2005, 07:32 AM   #9
Me
 
-=SoKrA=-'s Avatar
 
Join Date: Oct 2002
Location: Europe
Posts: 448
>>Does anyone seriously use their forename as a uid?!?
I do. But my Linux boxen are behind a NAT.
Of course, the NAT runs 'that other OS', so the point is mainly invalid, but my dad hasn't been able to get the modem to respond properly with Linux.
EDIT: Damn! Where's my head? NAT OS changed.
__________________
SoKrA-BTS "Judge not the program I made, but the one I've yet to code"
I say what I say, I mean what I mean.
IDE: emacs + make + gcc and proud of it.
-=SoKrA=- is offline  
Old 01-18-2005, 10:30 AM   #10
and the hat of marbles
 
Sang-drax's Avatar
 
Join Date: May 2002
Location: Göteborg, Sweden
Posts: 2,038
Quote:
Originally Posted by SMurf
Does anyone seriously use their forename as a uid?!?
Yes.
But the password is 20+ non-alphanumeric characters.
I don't think it's a problem to use easily guessable user names.
__________________
Last edited by Sang-drax : Tomorrow at 02:21 AM. Reason: Time travelling
Sang-drax is offline  
Old 01-18-2005, 10:55 AM   #11
Nosepicker
 
DrakkenKorin's Avatar
 
Join Date: Nov 2001
Posts: 407
>>I'm not afraid of an evil hacker breaking into my OSX or Linux boxes, because the passwords are pretty good on each.<<

who told you "Iliekboiz" is a good password?

__________________
DrakkenKorin

Get off my Intarweb!!!!
DrakkenKorin is offline  
Old 01-18-2005, 02:40 PM   #12
Just one more wrong move.
 
-KEN-'s Avatar
 
Join Date: Aug 2001
Posts: 3,232
Quote:
Originally Posted by DrakkenKorin
>>I'm not afraid of an evil hacker breaking into my OSX or Linux boxes, because the passwords are pretty good on each.<<

who told you "Iliekboiz" is a good password?

Well it's a mix of capitalization and non-dictionary words, isn't it?
-KEN- is offline  
Old 01-18-2005, 02:45 PM   #13
Nosepicker
 
DrakkenKorin's Avatar
 
Join Date: Nov 2001
Posts: 407
yes, but you forgot the numeric character and the special character.

you should change it to "1liekbo!z"
DrakkenKorin is offline  
Old 01-18-2005, 02:54 PM   #14
Registered User
 
Join Date: Aug 2003
Posts: 774
Why not use 1773 |-|4><><0|2 code
Shakti is offline  
Old 03-06-2005, 03:25 PM   #15
Registered User
 
Join Date: Mar 2005
Posts: 1
Worm

I think what you are seeing here is a worm. I've spent the past few weeks adding information together. I've seen roughly 23 servers with the exact same logs coming from around the world. I recently talked to a gentleman in Boston from a legit business and it turns out his computer was compromised. As long as you are seeing the messages in the secure log, you're OK. (I know it's an uneasy feeling)
Neonblue is offline  
 
