SSH hacked?
Smoot Carl-Mitchell
smoot at tic.com
Tue Jan 13 13:18:32 UTC 2009
> Jan 12 22:20:58 frog sshd[16229]: Address 85.92.138.150 maps to
> www.kpnglasvezelaanvragen.nl, but this does not map back to the
> address - POSSIBLE BREAK-IN ATTEMPT!
>
> Looks to me like he did not get in. I am running Denyhost. Perhaps the
> disk noise was the logging? But it did say connected in the firewall.
> Maybe it said that to accept the password?
The firewall allowed the TCP connection which needs to be established
for SSH to negotiate the authentication.
> Can this Cracker be tracked down?
You know the IP address from the logs (85.92.138.150) which is likely
from some ISP's pool of addresses. You can always notify the ISP of the
attempted break-in and see if they have any information in their logs as
to who was using the address at the time of the break-in attempt. A
quick registry search via http://www.iana.org shows the 85/8 block was
assigned by RIPE. Doing a search at http://www.db.ripe.net on the
source IP address shows the following:
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '85.92.137.0 - 85.92.138.255'
inetnum: 85.92.137.0 - 85.92.138.255
netname: PCEXTREME
descr: PCextreme BV
country: NL
admin-c: PB8076-RIPE
tech-c: PB8076-RIPE
status: ASSIGNED PA
mnt-by: MNT-PCEXTREME
mnt-by: MNT-REASONNET
mnt-lower: MNT-REASONNET
mnt-routes: MNT-REASONNET
source: RIPE # Filtered
role: PCextreme BV
address: Londensekaai 1
address: 4331JG Middelburg
address: The Netherlands
abuse-mailbox: abuse at pcextreme.nl
admin-c: TdL35-RIPE
tech-c: TdL35-RIPE
nic-hdl: PB8076-RIPE
mnt-by: MNT-PCEXTREME
mnt-by: MNT-REASONNET
source: RIPE # Filtered
% Information related to '85.92.128.0/20AS25525'
route: 85.92.128.0/20
descr: RSN8592
origin: AS25525
mnt-lower: MNT-REASONNET
mnt-routes: MNT-REASONNET
mnt-by: MNT-REASONNET
source: RIPE # Filtered
% Information related to '85.92.128.0/19AS25525'
route: 85.92.128.0/19
descr: RSN8592
origin: AS25525
mnt-lower: MNT-REASONNET
mnt-routes: MNT-REASONNET
mnt-by: MNT-REASONNET
source: RIPE # Filtered
% Information related to '85.92.138.0/24AS25525'
route: 85.92.138.0/24
descr: RSN8592
origin: AS25525
mnt-lower: MNT-REASONNET
mnt-routes: MNT-REASONNET
mnt-by: MNT-REASONNET
source: RIPE # Filtered
Looks like the address is assigned to an outfit called Reason Net.
--
Smoot Carl-Mitchell
Computer Systems and
Network Consultant
smoot at tic.com
+1 480 922 7313
cell: +1 602 421 9005
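As an added illustration (not part of the original thread or its author's reply), a small Python script that recognises the sshd reverse-DNS mismatch line quoted above and pulls the netname, abuse contact and origin AS out of filtered RPSL whois output like the one shown, which is what you need when notifying the ISP; the sample log line and whois excerpt are constructed copies of the values in this thread, and the function names are my own.

```python
import re

# Constructed sample: the sshd warning in the shape quoted in the thread
SSHD_LINE = ("Jan 12 22:20:58 frog sshd[16229]: Address 85.92.138.150 maps to "
             "www.kpnglasvezelaanvragen.nl, but this does not map back to the "
             "address - POSSIBLE BREAK-IN ATTEMPT!")

# Constructed excerpt of RPSL whois output, same object layout as the thread's
WHOIS_TEXT = """% Information related to '85.92.137.0 - 85.92.138.255'
inetnum: 85.92.137.0 - 85.92.138.255
netname: PCEXTREME
descr: PCextreme BV
country: NL
source: RIPE # Filtered

role: PCextreme BV
abuse-mailbox: abuse at pcextreme.nl
nic-hdl: PB8076-RIPE
source: RIPE # Filtered

route: 85.92.138.0/24
origin: AS25525
source: RIPE # Filtered
"""

# sshd logs this when the PTR name of the peer does not resolve back to the peer IP
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) maps to (?P<host>\S+?),"
    r" but this does not map back to the address")

def parse_sshd_rdns_warning(line):
    """Return (ip, claimed hostname) for a forward/reverse DNS mismatch line, else None."""
    m = SSHD_RE.search(line)
    return (m.group("ip"), m.group("host")) if m else None

def parse_rpsl(text):
    """Split filtered RPSL output into objects (dict of attribute -> [values]).
    '%' comment lines are skipped; blank lines separate objects."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        value = value.split("#", 1)[0].strip()   # drop '# Filtered' style remarks
        current.setdefault(key.strip(), []).append(value)
    if current:
        objects.append(current)
    return objects

def abuse_summary(whois_text):
    """The facts needed to report the attempt: netname, abuse contact, origin AS."""
    objs = parse_rpsl(whois_text)
    get = lambda k: next((o[k][0] for o in objs if k in o), None)
    return {"netname": get("netname"), "abuse": get("abuse-mailbox"), "origin": get("origin")}
```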