Hi,

To find out who owns the IP block you can do 'whois -h whois.arin.net <ip>'.
I don't think reporting it would achieve anything, just a friendly warning from the ISP to the user in question.

On Sun, Mar 24, 2002 at 08:01:04AM -0800, Stephen Hassard wrote:
> sorta what I figured, but it was a pretty half assed attempt. :P
>
> on a side note, are these typically worth reporting to the ISP of the
> attacker? I tried doing a DNS lookup on the box in question, but it
> doesn't seem to have an FQDN registered. What's the best way to figure
> out the admin for a subnet from a machine's IP?
>
> Thanks,
> Steve
>
> shiftee wrote:
> > It just looks like someone is trying to brute-force an account, I'm
> > sure there are plenty of places that provide tools for this.
> >
> > Just make sure you enforce secure passwords, and keep an eye on your
> > syslog.
> >
> > On Sun, Mar 24, 2002 at 07:11:25AM -0800, Stephen Hassard wrote:
> >
> >>Hi there,
> >>
> >>I found these in my event log from yesterday:
> >>
> >> >>>
> >>Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user www
> >>Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from
> >>213.26.96.103 port 2276 ssh2
> >>Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for illegal
> >>user www from 213.26.96.103 port 2276 ssh2
> >>Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www
> >>from 213.26.96.103 port 2276 ssh2
> >>Mar 23 09:33:19 www sshd[10997]: input_userauth_request: illegal user oracle
> >>Mar 23 09:33:19 www sshd[10997]: Failed none for illegal user oracle
> >>from 213.26.96.103 port 2275 ssh2
> >>Mar 23 09:33:19 www sshd[10997]: Failed keyboard-interactive for illegal
> >>user oracle from 213.26.96.103 port 2275 ssh2
> >>Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle
> >>from 213.26.96.103 port 2275 ssh2
> >>Mar 23 09:33:19 www sshd[10999]: input_userauth_request: illegal user test
> >>Mar 23 09:33:19 www sshd[10999]: Failed none for illegal user test from
> >>213.26.96.103 port 2277 ssh2
> >>Mar 23 09:33:19 www sshd[10999]: Failed keyboard-interactive for illegal
> >>user test from 213.26.96.103 port 2277 ssh2
> >>Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test
> >>from 213.26.96.103 port 2277 ssh2
> >><<<
> >>
> >>It seems from the timestamp that it's most likely a script kiddy;
> >>The time duration between failed password attempts seems really short.
> >>I'm just wondering if anyone's seen a script that does this and is
> >>available widely, or is it a good chance that I've got someone trying to
> >>break in? None of my other services seem to have been probed, just ssh.
> >>
> >>Thanks,
> >>Steve
> >>
> >>
> >>--
> >>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> >>with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

--
shiftee <[EMAIL PROTECTED]>
PGP Key: [EMAIL PROTECTED]
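
The pattern discussed in this thread (one source trying several account names within seconds) can be picked out of syslog automatically. The following is an added example, not part of the original messages: the function name, thresholds, year and sample lines are assumptions, and the sample log is constructed in the sshd format quoted above using documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the sshd format quoted in the thread
# (192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges).
SAMPLE_LOG = """\
Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www from 192.0.2.10 port 2276 ssh2
Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle from 192.0.2.10 port 2275 ssh2
Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test from 192.0.2.10 port 2277 ssh2
Mar 23 11:02:41 www sshd[11320]: Failed password for steve from 198.51.100.7 port 4021 ssh2
Mar 23 11:03:05 www sshd[11320]: Accepted password for steve from 198.51.100.7 port 4021 ssh2
"""

# Older OpenSSH logs "illegal user", newer releases log "invalid user";
# both mean the requested account does not exist on the host.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\sFailed password for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def flag_sources(log_text, min_users=3, window=timedelta(seconds=60), year=2002):
    """Return {ip: sorted usernames} for every source that failed a password
    for at least `min_users` distinct account names inside `window`.
    Syslog timestamps carry no year, so `year` is supplied (assumption)."""
    attempts = defaultdict(list)  # ip -> [(time, username), ...]
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and other sshd messages are ignored
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts[m["ip"]].append((when, m["user"]))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        # Slide a window forward from each attempt and count distinct names.
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

if __name__ == "__main__":
    for ip, users in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} account names tried: {', '.join(users)}")
```

A single mistyped password from a legitimate user, like the 198.51.100.7 line in the sample, stays below the threshold and is not flagged.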