Saturday, April 07, 2007

that's life in the big network

We run a home server, a Linux machine that handles e-mail, network printing, and backups for us, plus the occasional things-Unix-does-best tools. Because it has a few ports open to the Internet, it sees daily break-in attempts. For instance, here are a couple someones trying to get in last night:
sshd:
Authentication Failures:
unknown (222.122.76.185): 1522 Time(s)
root (211.138.100.130): 426 Time(s)
unknown (211.138.100.130): 32 Time(s)
root (222.122.76.185): 8 Time(s)
lp (222.122.76.185): 2 Time(s)
cyrus (222.122.76.185): 1 Time(s)
postfix (222.122.76.185): 1 Time(s)
smmsp (222.122.76.185): 1 Time(s)
uucp (222.122.76.185): 1 Time(s)
Invalid Users:
Unknown Account: 1554 Time(s)
I couldn't find a host name for either address, so I'm guessing they're probably some infected Windows machines hanging out on a DSL or cable modem connection.
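The summary above is the kind logwatch produces from raw sshd lines. As an added example (not from this post, and not logwatch's code), here is a small Python script that builds the same per-user, per-address tally from OpenSSH "Failed password" log lines, counts nonexistent accounts as "unknown" the way the summary does, and lists source addresses that cross a failure threshold, which is the usual trigger for a firewall block; the log lines and the threshold are constructed for the demo.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH's syslog format (not taken from the post).
SAMPLE_LOG = """\
Apr  6 23:14:01 home sshd[4021]: Failed password for root from 211.138.100.130 port 51234 ssh2
Apr  6 23:14:03 home sshd[4023]: Failed password for invalid user admin from 222.122.76.185 port 40011 ssh2
Apr  6 23:14:05 home sshd[4025]: Failed password for invalid user test from 222.122.76.185 port 40012 ssh2
Apr  6 23:14:07 home sshd[4027]: Failed password for lp from 222.122.76.185 port 40013 ssh2
Apr  6 23:14:09 home sshd[4029]: Failed password for root from 211.138.100.130 port 51235 ssh2
Apr  6 23:14:11 home sshd[4031]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2
"""

# "invalid user" appears only when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def summarize_sshd_failures(log_text):
    """Return (failures, invalid_total). failures maps (user, ip) -> count,
    with user 'unknown' for nonexistent accounts, matching the logwatch
    summary; invalid_total is the 'Unknown Account' line."""
    failures, invalid_total = Counter(), 0
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        if m.group("invalid"):
            failures[("unknown", m.group("ip"))] += 1
            invalid_total += 1
        else:
            failures[(m.group("user"), m.group("ip"))] += 1
    return failures, invalid_total

def noisy_sources(failures, threshold):
    """Addresses whose failures across all users reach the threshold:
    candidates for a firewall rule or a fail2ban-style jail."""
    per_ip = Counter()
    for (_, ip), n in failures.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

def print_report(log_text, threshold=3):
    failures, invalid_total = summarize_sshd_failures(log_text)
    print("sshd:\nAuthentication Failures:")
    for (user, ip), n in failures.most_common():
        print(f"{user} ({ip}): {n} Time(s)")
    print(f"Invalid Users:\nUnknown Account: {invalid_total} Time(s)")
    print("Sources at or over threshold:", noisy_sources(failures, threshold))

if __name__ == "__main__":
    print_report(SAMPLE_LOG)
```

On a real host, feed it the sshd entries from /var/log/auth.log or /var/log/secure; a threshold of a few failures per address per day is plenty, since legitimate users rarely mistype a password a thousand times.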

I just checked our server's logs and, lo and behold, we have another contestant trying to break in right now. 61.136.58.249. The Real-Time IP Locator puts them somewhere in China. Out of mild curiosity, I ran a quick scan. It's a Linux machine. They have open ports 22 (ssh), 80 (web), and 3306 (MySQL). Since they were kind enough to put up a web server, you can see our attacker's web page by clicking here. (English semi-translation, courtesy of Google, here.)

I've been calling them our attacker, but in fairness it's not the people who own the machine--they were just clueless enough to put the machine on the Internet without properly securing it. Someone else scanned it, found it vulnerable, took it over, and turned it around to start scanning and attacking other machines. Anyone who speaks some variant of Chinese and has an international calling plan is more than welcome to phone them up--their number's on their web page--and tell them their machine's been cracked and is creating a nuisance.
