Hello Dan -
This is a result of someone at your site running "radpwtst" on the Radiator host with the default username, and request attributes.

regards

Hugh

On Tue, 26 Mar 2002 13:34, Dan Boucaut wrote:
> Hello,
>
> I have pulled the following output from my logfile. As you can see there
> is a user called mikem which says he is coming from open.com.au (which
> I believe is spoofed). I believe this is an attempt to get through with
> default radius user settings.
>
> has anyone else seen this? any way to find out where the packets are
> coming from?
>
>
> thanks
> Dan Boucaut
>
>
> Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 43066 ....
> Code: Access-Request
> Identifier: 193
> Authentic: 1234567890123456
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Mar 26 08:52:43 2002: DEBUG: Deleting session for mikem,
> 203.63.154.1, 1234
> Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT
> Tue Mar 26 08:52:43 2002: INFO: Access rejected for mikem: NT
> Authentication failed: Logon Error (3)
> Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 43066 ....
> Code: Access-Reject
> Identifier: 193
> Authentic: 1234567890123456
> Attributes:
> Reply-Message = "Request Denied"
>
> Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 43066 ....
> Code: Accounting-Request
> Identifier: 194
> Authentic:
> <253><229>D<154><222><211>0<210>O<19><244><233><207><226><167><145>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Start
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
>
> Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Mar 26 08:52:43 2002: DEBUG: Adding session for mikem,
> 203.63.154.1, 1234
> Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT
> Tue Mar 26 08:52:43 2002: DEBUG: Accounting accepted
> Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 43066 ....
> Code: Accounting-Response
> Identifier: 194
> Authentic:
> <253><229>D<154><222><211>0<210>O<19><244><233><207><226><167><145>
> Attributes:
>
> Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 43066 ....
> Code: Accounting-Request
> Identifier: 195
> Authentic: <6><249><144><217><195>O<3><139><211>V<127>n<212><30>Q<127>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Stop
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> Acct-Delay-Time = 0
> Acct-Session-Time = 1000
> Acct-Input-Octets = 20000
> Acct-Output-Octets = 30000
>
> Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Mar 26 08:52:43 2002: DEBUG: Deleting session for mikem,
> 203.63.154.1, 1234
> Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT
> Tue Mar 26 08:52:43 2002: DEBUG: Accounting accepted
> Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 43066 ....
> Code: Accounting-Response
> Identifier: 195
> Authentic: <6><249><144><217><195>O<3><139><211>V<127>n<212><30>Q<127>
> Attributes:
>
> Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 43067 ....
> Code: Access-Request
> Identifier: 201
> Authentic: 1234567890123456
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Tue Mar 26 08:52:52 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Mar 26 08:52:52 2002: DEBUG: Deleting session for mikem,
> 203.63.154.1, 1234
> Tue Mar 26 08:52:52 2002: DEBUG: Handling with NT
> Tue Mar 26 08:52:52 2002: INFO: Access rejected for mikem: NT
> Authentication failed: Logon Error (3)
> Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 43067 ....
> Code: Access-Reject
> Identifier: 201
> Authentic: 1234567890123456
> Attributes:
> Reply-Message = "Request Denied"
>
> Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 43067 ....
> Code: Accounting-Request
> Identifier: 202
> Authentic: P<144><155><139><164><236><190>5<200>MBn<231><253>xe
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Start
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
>
> Tue Mar 26 08:52:52 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Mar 26 08:52:52 2002: DEBUG: Adding session for mikem,
> 203.63.154.1, 1234
> Tue Mar 26 08:52:52 2002: DEBUG: Handling with NT
> Tue Mar 26 08:52:52 2002: DEBUG: Accounting accepted
> Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 43067 ....
> Code: Accounting-Response
> Identifier: 202
> Authentic: P<144><155><139><164><236><190>5<200>MBn<231><253>xe
> Attributes:
>
> Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 43067 ....
> Code: Accounting-Request
> Identifier: 203
> Authentic: <252><182>G<208><4>ad6<198><151>V<242><207>s<186><223>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Stop
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> Acct-Delay-Time = 0
> Acct-Session-Time = 1000
> Acct-Input-Octets = 20000
> Acct-Output-Octets = 30000
>
> Tue Mar 26 08:52:52 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Mar 26 08:52:52 2002: DEBUG: Deleting session for mikem,
> 203.63.154.1, 1234
> Tue Mar 26 08:52:52 2002: DEBUG: Handling with NT
> Tue Mar 26 08:52:52 2002: DEBUG: Accounting accepted
> Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 43067 ....
> Code: Accounting-Response
> Identifier: 203
> Authentic: <252><182>G<208><4>ad6<198><151>V<242><207>s<186><223>
> Attributes:
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
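
Added example (not part of the original thread, and not Radiator code): a sketch that scans a Radiator debug dump like the one quoted above for requests carrying the attribute values seen in that dump, which the reply attributes to radpwtst defaults, and reports the "Received from" peer address rather than the client-supplied NAS-IP-Address. The function names, the match threshold and the second sample packet (alice, 192.0.2.10) are assumptions of this example.

```python
import ipaddress
import re

# Values from the dump quoted in this thread; fingerprint use is this example's assumption.
RADPWTST_DEFAULTS = {"User-Name": '"mikem"', "NAS-IP-Address": "203.63.154.1",
                     "NAS-Port": "1234", "Called-Station-Id": '"123456789"'}

# Constructed sample in the layout of the dump above; alice/192.0.2.10 are made up.
SAMPLE_LOG = """\
Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43066 ....
Code: Access-Request
User-Name = "mikem"
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
*** Sending to 127.0.0.1 port 43066 ....
Code: Access-Reject
*** Received from 192.0.2.10 port 1645 ....
Code: Access-Request
User-Name = "alice"
"""

RECV = re.compile(r"\*\*\* Received from (\S+) port \d+")
ATTR = re.compile(r"([\w-]+)\s*[=:]\s*(.*?)\s*$")

def parse_received(log):
    """Return one dict per received packet: UDP peer address plus its fields."""
    packets, cur = [], None
    for raw in log.splitlines():
        line = raw.lstrip("> \t")          # also accept mail-quoted dumps
        if m := RECV.search(line):
            cur = {"src": m.group(1)}
            packets.append(cur)
        elif line.startswith("***"):       # "Sending to": the server's reply, skip it
            cur = None
        elif cur is not None and (a := ATTR.match(line)):
            cur[a.group(1)] = a.group(2)
    return packets

def flag_test_client(packets, min_hits=3):
    """Flag packets matching min_hits defaults; src is the UDP peer, not NAS-IP-Address."""
    out = []
    for p in packets:
        hits = sorted(k for k, v in RADPWTST_DEFAULTS.items() if p.get(k) == v)
        if len(hits) >= min_hits:
            out.append({"src": p["src"], "code": p.get("Code"), "hits": hits,
                        "local": ipaddress.ip_address(p["src"]).is_loopback})
    return out
```

A finding with `local` set to true means the request was sent from the RADIUS host itself, whatever NAS-IP-Address it claims.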
