SSH Hacker Activity!! AAHHH!!

Look at this fool!:

Code:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     -
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN     -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     -
tcp        0      0 69.29.250.67:22         66.128.33.38:40417      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40553      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40872      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40370      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40689      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40823      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40506      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40642      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40779      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40461      TIME_WAIT  -
tcp        0      0 69.29.250.67:22         66.128.33.38:40592      TIME_WAIT  -
tcp        1      1 69.29.250.67:22         66.128.33.38:40919      CLOSING    -
tcp        0      0 69.29.250.67:22         66.128.33.38:40733      TIME_WAIT  -

He was sending large amounts of data, it was way outta line. At first I was like, "Port 22, SSL, logging into my system...sending large amounts of data as quickly as possible...hmmm". Then I checked his website to check out his personality:
Not Cool
That isn't too cool, he's spanish too, that means if he takes over my system, then I won't be able to talk to him! "Hey buddy, try not to delete the pr0n files" ya know!?

So has anyone else felt like they're being taken over by spanish hackers?

He's from the Caribean!!, search up: 66.128.33.38. Those Caribean hackers! Darn them! I think I should report that guy, whoever he was, I wonder if I sent an abuse email, and the administrator would even understand!

"I RECEivED packets through SSL port 22, uuhh, could you call him up and tell him he's being a bad person!?" I can just see them, laughing at my face! :(

EDIT---------------------

HAHAHAHAHHAHA, THIS GUY IS AWESOME

Code:

Jan 16 20:43:42 Shiva sshd[32399]: Illegal user jordan from 66.128.33.38
Jan 16 20:43:46 Shiva sshd[32401]: Illegal user michael from 66.128.33.38
Jan 16 20:43:50 Shiva sshd[32403]: Illegal user nicole from 66.128.33.38
Jan 16 20:43:54 Shiva sshd[32405]: Illegal user daniel from 66.128.33.38
Jan 16 20:43:58 Shiva sshd[32407]: Illegal user andrew from 66.128.33.38
Jan 16 20:44:03 Shiva sshd[32409]: Illegal user magic from 66.128.33.38
Jan 16 20:44:07 Shiva sshd[32411]: Illegal user lion from 66.128.33.38
Jan 16 20:44:11 Shiva sshd[32413]: Illegal user david from 66.128.33.38
Jan 16 20:44:16 Shiva sshd[32415]: Illegal user jason from 66.128.33.38
Jan 16 20:44:20 Shiva sshd[32417]: Illegal user carmen from 66.128.33.38
Jan 16 20:44:24 Shiva sshd[32419]: Illegal user justin from 66.128.33.38
Jan 16 20:44:29 Shiva sshd[32421]: Illegal user charlie from 66.128.33.38
Jan 16 20:44:33 Shiva sshd[32423]: Illegal user steven from 66.128.33.38
Jan 16 20:44:38 Shiva sshd[32425]: Illegal user brandon from 66.128.33.38
Jan 16 20:44:42 Shiva sshd[32427]: Illegal user brian from 66.128.33.38
Jan 16 20:44:47 Shiva sshd[32429]: Illegal user stephen from 66.128.33.38
Jan 16 20:44:51 Shiva sshd[32431]: Illegal user william from 66.128.33.38
Jan 16 20:44:56 Shiva sshd[32433]: Illegal user angel from 66.128.33.38
Jan 16 20:45:00 Shiva sshd[32435]: Illegal user emily from 66.128.33.38
Jan 16 20:45:05 Shiva sshd[32445]: Illegal user eric from 66.128.33.38
Jan 16 20:45:09 Shiva sshd[32447]: Illegal user joe from 66.128.33.38
Jan 16 20:45:14 Shiva sshd[32450]: Illegal user tom from 66.128.33.38
Jan 16 20:45:18 Shiva sshd[32452]: Illegal user billy from 66.128.33.38
Jan 16 20:45:23 Shiva sshd[32454]: Illegal user buddy from 66.128.33.38
Jan 16 20:45:27 Shiva sshd[32457]: Illegal user jeremy from 66.128.33.38
Jan 16 20:45:32 Shiva sshd[32460]: Illegal user vampire from 66.128.33.38
Jan 16 20:45:36 Shiva sshd[32462]: Illegal user betty from 66.128.33.38
Jan 16 20:45:41 Shiva sshd[32465]: Illegal user max from 66.128.33.38
Jan 16 20:45:46 Shiva sshd[32467]: Illegal user nicholas from 66.128.33.38
Jan 16 20:45:50 Shiva sshd[32469]: Illegal user robin from 66.128.33.38
Jan 16 20:45:55 Shiva sshd[32471]: Illegal user johnny from 66.128.33.38
Jan 16 20:46:00 Shiva sshd[32473]: Illegal user lucy from 66.128.33.38
Jan 16 20:46:04 Shiva sshd[32475]: Illegal user maria from 66.128.33.38
Jan 16 20:46:09 Shiva sshd[32477]: Illegal user rose from 66.128.33.38
Jan 16 20:46:19 Shiva sshd[32481]: Illegal user god from 66.128.33.38
Jan 16 20:46:24 Shiva sshd[32483]: Illegal user barbara from 66.128.33.38
Jan 16 20:46:28 Shiva sshd[32486]: Illegal user larisa from 66.128.33.38
Jan 16 20:46:33 Shiva sshd[32489]: Illegal user jane from 66.128.33.38
Jan 16 20:46:38 Shiva sshd[32491]: Illegal user dog from 66.128.33.38
Jan 16 20:46:43 Shiva sshd[32493]: Illegal user sparc from 66.128.33.38
Jan 16 20:46:47 Shiva sshd[32495]: Illegal user credit from 66.128.33.38
Jan 16 20:46:52 Shiva sshd[32497]: Illegal user info from 66.128.33.38
Jan 16 20:46:57 Shiva sshd[32499]: Illegal user manager from 66.128.33.38
Jan 16 20:47:02 Shiva sshd[32507]: Illegal user horse from 66.128.33.38
Jan 16 20:47:07 Shiva sshd[32509]: Illegal user nokia from 66.128.33.3

id be suprised if that person is in the Carr. Its more likely that they are bouncing off of a bunch of non local servers. Its probably a script kiddie, so long as you rnot allowing any access through unsecured ports you should be fine.

Does anyone seriously use their forename as a uid?!? Okay, give a linux newbie the choice and they may well opt for that (Assuming that they understand not to use root all the time), but certainly a business server (i.e. something worth hacking) would not use anything like that form.

Although I have to admit my Windows username is "nokia"...

> Jan 16 20:46:19 Shiva sshd[32481]: Illegal user god from 66.128.33.38
Huh-oh, they're onto me

> could you call him up and tell him he's being a bad person!?"
Forward your logs to postmaster@loserisp.com and abuse@loserisp.com

Or find out how to do this locally on your machine
http://labrea.sourceforge.net/labrea-info.html
That should slow them down

hey Kleid-o, look into honeynets, you could have some fun with that guy

Originally Posted by axon

hey Kleid-o, look into honeynets, you could have some fun with that guy

If I exposed my computer any further, I'd be inside out!

There used to be some annoying Spanish script kiddie who used constantly try to get into my computer. I got him booted off of his ISP once, but I caught him a week or so later back at it from a new ISP. I tried emailing that ISP too, but it never worked. He stopped sooner or later, but it was clogging up my logs like crazy.

>>Does anyone seriously use their forename as a uid?!?

Me, but then again, look at my forum name . I'm not afraid of an evil hacker breaking into my OSX or Linux boxes, because the passwords are pretty good on each.

>>Does anyone seriously use their forename as a uid?!?
I do. But my linux boxen are behind a NAT.
Of course, the nat runs 'that other os', so the point is mainly invalid, but my dad hasn't been able to get the modem to respond properly with Linux.
EDIT: Damn! Where's my head? NAT OS changed.

Originally Posted by SMurf

Does anyone seriously use their forename as a uid?!?

Yes.
But the password is 20+ non-alphanumeric characters.
I don't think it's a problem to use easy guessable user names.

>>I'm not afraid of an evil hacker breaking into my OSX or Linux boxes, because the passwords are pretty good on each.<<

who told you "Iliekboiz" is a good password?

Originally Posted by DrakkenKorin

>>I'm not afraid of an evil hacker breaking into my OSX or Linux boxes, because the passwords are pretty good on each.<<

who told you "Iliekboiz" is a good password?

Well it's a mix of capitulization and non-dictionary words, isn't it?

yes, but you forgot the numeric character and the special character.

you should change it to "1liekbo!z"

Why not use 1773 |-|4><><0|2 code

I think what you are seeing here is a worm. I've spent the past few weeks adding information together. I've seen roughly 23 servers with the exact same logs coming from around the world. I recently talked to a gentleman in boston from a legit business and it turns out his computer was compromised. As long as you are seeing the messages in the secure log, you're ok. (I know it's an uneasy feeling)