two attempted break-ins from Hong Kong & Italy

Discussion in 'Computer Security' started by yarmfelder@yahoo.com, Jul 5, 2005.

  1. Guest

    Hello,

    I would like to announce two attempted but failed
    break-in attempts to a computer that I have locally.

    The first was someone from Italy, ip address
    80.17.93.150 who attempted to break in via ssh,
    using random user names and passwords.

    inetnum: 80.17.93.128 - 80.17.93.159
    netname: CONSORZIO-AGRARIO-PICENO
    descr: CONSORZIO AGRARIO PICENO
    country: IT
    admin-c: FP27-RIPE
    tech-c: FP27-RIPE
    status: ASSIGNED PA
    mnt-by: INTERB-MNT
    source: RIPE # Filtered
    address: CONSORZIO AGRARIO PICENO
    address: viale Indipendenza 2
    address: I- 63100 Ascoli Piceno AP
    address: Italy
    nic-hdl: FP27-RIPE
    source: RIPE # Filtered

    The second from Hong Kong had the IP 210.17.180.83,
    who wanted to log in via ssh as root.

    Here is their info:

    inetnum: 210.17.180.80 - 210.17.180.95
    netname: SPORT_FIELD
    descr: Sport Field Limited
    person: PSN NOC
    nic-hdl: PN2-AP
    e-mail:
    address: 574, 1 TradeMart Drive,
    address: HITEC, Kowloon Bay,
    address: Hong Kong
    phone: +85-226-201880
    fax-no: +85-223-354520
    country: HK
    changed: 20030825
    mnt-by: MAINT-HKSUPER-AP
    source: APNIC

    I shall certainly be reporting this to the appropriate
    authorities :)

    YF
     
    , Jul 5, 2005
    #1
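The two patterns the first post describes (guessed user names from one address, repeated root logins from another) can be separated in an sshd log as sketched below. This is an added example, not part of the original thread; the log lines are constructed in OpenSSH's "Failed password" syslog format, and only the two source addresses come from the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's "Failed password" syslog format.
# Only the two source addresses come from the post; user names, host name,
# timestamps and ports are made up for the example.
SAMPLE_LOG = """\
Jul  5 03:12:01 myhost sshd[4101]: Failed password for invalid user admin from 80.17.93.150 port 40112 ssh2
Jul  5 03:12:04 myhost sshd[4103]: Failed password for invalid user test from 80.17.93.150 port 40118 ssh2
Jul  5 03:12:07 myhost sshd[4105]: Failed password for invalid user guest from 80.17.93.150 port 40125 ssh2
Jul  5 09:40:15 myhost sshd[4377]: Failed password for root from 210.17.180.83 port 51200 ssh2
Jul  5 09:40:18 myhost sshd[4379]: Failed password for root from 210.17.180.83 port 51204 ssh2
Jul  5 10:02:44 myhost sshd[4410]: Accepted password for yf from 192.0.2.10 port 50022 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize(log_text):
    """Return {source_ip: {"failures", "users", "pattern"}} for failed logins."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "unknown": 0})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = stats[m.group("ip")]
        entry["failures"] += 1
        entry["users"].add(m.group("user"))
        if m.group("invalid"):
            entry["unknown"] += 1  # account does not exist on this host
    report = {}
    for ip, e in stats.items():
        if e["users"] == {"root"}:
            pattern = "root-only"
        elif e["unknown"] == e["failures"]:
            pattern = "username-guessing"
        else:
            pattern = "mixed"
        report[ip] = {"failures": e["failures"], "users": sorted(e["users"]), "pattern": pattern}
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```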

  2. >>>>> "yarmfelder" == yarmfelder <> writes:

    yarmfelder> Hello, I would like to announce two attempted but failed
    yarmfelder> break-in attempts to a computer that I have locally...

    I would like to announce that the sun rose over my domicile this morning.
    I will be informing the local weather bureau shortly...

    --
    Richard Silverman
     
    Richard E. Silverman, Jul 5, 2005
    #2

  3. Quaoar Guest

    wrote:
    > Hello,
    >
    > I would like to announce two attempted but failed
    > break-in attempts to a computer that I have locally.
    >
    > The first was someone from Italy, ip address
    > 80.17.93.150 who attempted to break in via ssh,
    > using random user names and passwords.
    >
    > inetnum: 80.17.93.128 - 80.17.93.159
    > netname: CONSORZIO-AGRARIO-PICENO
    > descr: CONSORZIO AGRARIO PICENO
    > country: IT
    > admin-c: FP27-RIPE
    > tech-c: FP27-RIPE
    > status: ASSIGNED PA
    > mnt-by: INTERB-MNT
    > source: RIPE # Filtered
    > address: CONSORZIO AGRARIO PICENO
    > address: viale Indipendenza 2
    > address: I- 63100 Ascoli Piceno AP
    > address: Italy
    > nic-hdl: FP27-RIPE
    > source: RIPE # Filtered
    >
    > The second from Hong Kong had the IP 210.17.180.83,
    > who wanted to log in via ssh as root.
    >
    > Here is their info:
    >
    > inetnum: 210.17.180.80 - 210.17.180.95
    > netname: SPORT_FIELD
    > descr: Sport Field Limited
    > person: PSN NOC
    > nic-hdl: PN2-AP
    > e-mail:
    > address: 574, 1 TradeMart Drive,
    > address: HITEC, Kowloon Bay,
    > address: Hong Kong
    > phone: +85-226-201880
    > fax-no: +85-223-354520
    > country: HK
    > changed: 20030825
    > mnt-by: MAINT-HKSUPER-AP
    > source: APNIC
    >
    > I shall certainly be reporting this to the appropriate
    > authorities :)
    >
    > YF


    FWIW, you shall be shouting into the darkness. Practically, no one
    cares and that's the reason for establishing personal computer security.

    Q
     
    Quaoar, Jul 5, 2005
    #3
  4. Sensei Guest

    wrote:
    > I would like to announce two attempted but failed
    > break-in attempts to a computer that I have locally.


    We have 20.000 break-in attempts. I shall declare war on the world.

    > I shall certainly be reporting this to the appropriate
    > authorities :)


    1. Who cares about those complaints? Nobody, trust me.
    2. Do you really care those IP are real? If the cracker is good...
     
    Sensei, Jul 5, 2005
    #4
  5. Leythos Guest

    In article <>,
    says...
    > Hello,
    >
    > I would like to announce two attempted but failed
    > break-in attempts to a computer that I have locally.

    [snip]
    > I shall certainly be reporting this to the appropriate
    > authorities :)


    I hate to tell you this, but you've offered nothing that indicates they
    tried to "break-in" to your computer. Many of us have a number of IP's
    that are scanned hourly (or faster) and consider it part of the
    background chatter, increases some days, decreases others, but it's
    always there.

    If you were smart, you would have your computer/network protected by a
    border device so that they can't reach your computer. You would also
    have a block list setup so that most IP's outside your own country are
    blocked from inbound access to your network.


    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Jul 5, 2005
    #5
  6. Unruh Guest

    Sensei <> writes:

    > wrote:
    >> I would like to announce two attempted but failed
    >> break-in attempts to a computer that I have locally.


    >We have 20.000 break-in attempts. I shall declare war on the world.


    >> I shall certainly be reporting this to the appropriate
    >> authorities :)


    >1. Who cares about those complaints? Nobody, trust me.
    >2. Do you really care those IP are real? If the cracker is good...


    Let me explain why you are getting such dismissive responses.
    a) This happens all the time to everyone who has ssh open on their system.
    And those sites are probably "innocent" sites which have been broken into
    by the crackers who then launched the attack. Unfortunately there is little
    you can do about it, except make sure that all your users use good
    passwords.
    b) Reporting this to this newsgroup certainly will not help. Again, those
    sites are not unique, and if everyone reported such attempts, this
    newsgroup would have 10000 posts a day, and would be useless for anything
    else.
     
    Unruh, Jul 5, 2005
    #6
  7. Juergen Nieveler, Jul 5, 2005
    #7
  8. Frode Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Unruh wrote:
    > Let me explain why you are getting such dismissive responses.
    > a) This happens all the time to everyone who has ssh open on their system.


    I changed the public port for ssh to get rid of all the log spam myself. It
    was driving me nuts.


    - --
    Frode
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (MingW32)

    iD8DBQFCyulANx8IkioE8tMRAkLQAJwMlN8c47KH+pEcd5EozEZaM/gHDACfTifG
    hyUwbuVVsNJIe7+tYYOsOXY=
    =KWLF
    -----END PGP SIGNATURE-----
     
    Frode, Jul 5, 2005
    #8
  9. Unruh Guest

    Frode <> writes:

    >-----BEGIN PGP SIGNED MESSAGE-----
    >Hash: SHA1


    >Unruh wrote:
    >> Let me explain why you are getting such dismissive responses.
    >> a) This happens all the time to everyone who has ssh open on their system.


    >I changed the public port for ssh to get rid of all the log spam myself. It
    >was driving me nuts.


    One way of doing it. It is just that all your users (including the putty
    users) away from home have to remember which port it is on.
    Mind you, I put ssh onto port 80 on one of my machines after I was at a
    location (a university) where the firewall blocked all outgoing ports
    except port 80.
     
    Unruh, Jul 5, 2005
    #9
  10. Guest

    Leythos wrote:

    > If you were smart, you would have your computer/network protected by a
    > border device


    We have a wireless router. It blocks virtually all ports, but not ssh
    since I use that. I could easily use a different port for ssh however.

    > You would also
    > have a block list setup so that most IP's outside your own country are
    > blocked from inbound access to your network.


    How do you suggest doing that? Let's suppose that hypothetically
    I put .net .com .org in my hosts.allow. I'm under the impression
    there are foreign sites with those endings. Or, I don't have a list
    of which IP prefixes are for my region; where can I find one?

    Thanks.
     
    , Jul 6, 2005
    #10
  11. Leythos Guest

    In article <>,
    says...
    > Leythos wrote:
    >
    > > If you were smart, you would have your computer/network protected by a
    > > border device

    >
    > We have a wireless router. It blocks virtually all ports, but not ssh
    > since I use that. I could easily use a different port for ssh however.


    A wireless router is just a router, not a firewall - NAT does not make
    it a firewall. If you can, for personal use, run services on non-
    standard ports. You should be using WallWatcher to log your traffic, so
    you have a good idea of what ports are not being scanned on a regular
    basis.

    > > You would also
    > > have a block list setup so that most IP's outside your own country are
    > > blocked from inbound access to your network.

    >
    > How do you suggest doing that? Let's suppose that hypothetically
    > I put .net .com .org in my hosts.allow. I'm under the impression
    > there are foreign sites with those endings. Or, I don't have a list
    > of which IP prefixes are for my region; where can I find one?


    Notice I said IP, not names, I block foreign networks in my firewall,
    but I have a firewall, you don't and there is no means to block IP lists
    in your router.

    If you get a firewall, not a cheap home NAT device, you can do a lot of
    things that you can't with a router - like being able to use the
    Firewall as a VPN end-point so that you don't have to use SSH, you can
    just PPTP or setup an IPSec tunnel to it.

    Here is a list of IP's that I block, this one is from 4/2005, but it's
    current enough for government work :)


    If you want to get serious, here is a list I got from a chap that I've
    not implemented yet:


    --
    --

    remove 999 in order to email me
     
    Leythos, Jul 6, 2005
    #11
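A block list may mix CIDR blocks, single addresses and start-end ranges, and whois `inetnum` output is written as a range too, so such a list usually has to be normalized before a firewall can load it. The following is an added example (not from the thread) using Python's `ipaddress` module; the list entries are constructed documentation addresses, and the two `inetnum` ranges are the ones quoted in the first post.

```python
import ipaddress

# Constructed entries in three notations (CIDR, single address,
# "start-end" range) plus the two whois inetnum ranges from the first post.
# The 192.0.2.x, 198.51.100.x and 203.0.113.x values are documentation
# addresses, not real block-list entries.
ENTRIES = [
    "198.51.100.0/24",
    "192.0.2.77",
    "203.0.113.0-203.0.113.127",
    "203.0.113.64/26",                  # already covered by the range above
    "80.17.93.128 - 80.17.93.159",      # whois inetnum, first post
    "210.17.180.80 - 210.17.180.95",    # whois inetnum, first post
]

def parse_entry(text):
    """Turn one block-list entry into a list of IPv4Network objects."""
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if first > last:
            raise ValueError(f"range is reversed: {text!r}")
        # A range that is not CIDR-aligned expands to several networks.
        return list(ipaddress.summarize_address_range(first, last))
    # strict=True rejects entries with host bits set, e.g. 10.0.0.5/24
    return [ipaddress.IPv4Network(text, strict=True)]

def normalize(entries):
    """Parse every entry, then merge overlapping or adjacent networks."""
    nets = [n for e in entries for n in parse_entry(e)]
    return list(ipaddress.collapse_addresses(nets))

def is_blocked(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

if __name__ == "__main__":
    nets = normalize(ENTRIES)
    print([str(n) for n in nets])
    for addr in ("80.17.93.150", "210.17.180.83", "203.0.113.200"):
        print(addr, is_blocked(addr, nets))
```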
  12. Guest

    Thanks for the advice. Incidentally, re the router,
    can't I make it into a simple firewall by forwarding
    most ports to a nonsense IP? Also VPN is something
    I'd never use. I need just the basics.
     
    , Jul 6, 2005
    #12
  13. Unruh Guest

    writes:


    >Thanks for the advice. Incidentally, re the router,
    >can't I make it into a simple firewall by forwarding
    >most ports to a nonsense IP? Also VPN is something
    >I'd never use. I need just the basics.


    Sheesh. Still going on about getting a few entries into your logs. Why
    don't you just erase your logs every 5 min, that way you will not see them,
    since that is what your problem seems to be. You have no concern about
    security, it is about the image of security. ssh is fine. So what if people
    try to knock on your ssh door. They do not get in. But no, there are those
    entries in the logs!!!!!!! Really important. Those log entries might bite
    you or something.
    ssh works. ssh does what you need. ssh is simple, not complex, but you want
    to use something unknown and complex to replace something simple because of
    some log entries.
     
    Unruh, Jul 6, 2005
    #13
  14. oops Guest

    Combine ssh with port knocking. You'll be fine. Believe me!!!

    "Unruh" <> wrote in message
    news:daec3k$dom$...
    > Sensei <> writes:
    >
    >> wrote:
    >>> I would like to announce two attempted but failed
    >>> break-in attempts to a computer that I have locally.

    >
    >>We have 20.000 break-in attempts. I shall declare war on the world.

    >
    >>> I shall certainly be reporting this to the appropriate
    >>> authorities :)

    >
    >>1. Who cares about those complaints? Nobody, trust me.
    >>2. Do you really care those IP are real? If the cracker is good...

    >
    > Let me explain why you are getting such dismissive responses.
    > a) This happens all the time to everyone who has ssh open on their system.
    > And those sites are probably "innocent" sites which have been broken into
    > by the crackers who then launched the attack. Unfortunately there is little
    > you can do about it, except make sure that all your users use good
    > passwords.
    > b) Reporting this to this newsgroup certainly will not help. Again, those
    > sites are not unique, and if everyone reported such attempts, this
    > newsgroup would have 10000 posts a day, and would be useless for anything
    > else.
    >
     
    oops, Sep 5, 2005
    #14
