Журнал лабораторных работ

10:36:44

#check_ua_ip()

Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
nel 0, id 0, lun 0
Nov 15 10:07:18 linux2 sshd[5389]: Accepted keyboard-interactive/pam for root
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
...
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)                                                                                                                                                                                                                                                                                                                                                                                                        '
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
                                                                                                                                                                                                                                                                                                                                                                                                        lynx -
                                                                                                                                                                                                                                                                                                                          lynx -dump http://www.colocall.net/ua/?host=212.40.3 | grep -q -- '- not ukra
                                                                                                                                                                                                                                            lynx -dump http://www.colocall.net/ua/?host=212.40.34 | grep -q -- '- not ukr
                                                                                                                                                              lynx -dump http://www.colocall.net/ua/?host=212.40.34. | grep -q -- '- not uk
> {                                                                             lynx -dump http://www.colocall.net/ua/?host=212.40.34.1 | grep -q -- '- not u
> lynx -dump http://www.colocall.net/ua/?host=212.40.34.15 | grep -q -- '- not
t ukrainian' http://www.colocall.net/ua/?host=212.40.34.157 | grep -q -- '- not

10:37:21

#host nt.com.ua

(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
...
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
nt.com.ua has address 212.40.34.157

10:37:27

#check_ua_ip 212.40.34.157 && echo Ukr

10:37:37

#check_ua_ip 212.40.34.157 || echo Ukr

(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
...
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Ukr

10:37:45

#check_ua_ip 1.2.3.4 || echo Ukr

10:37:52

#check_ua_ip `rnd_ua_ip` || echo Ukr

Ukr

10:38:01

#check_ua_ip `rnd_ua_ip` || echo Ukr

(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
...
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Ukr

10:38:04

#rnd_ua_ip

217.27.144.71

10:38:10

#whois 217.27.144.71

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
...
e-mail:       aleko@sitel.com.ua
nic-hdl:      OY17-RIPE
remarks:      technical director
source:       RIPE # Filtered
% Information related to '217.27.144.0/23AS28994'
route:        217.27.144.0/23
descr:        ISP SITEL
origin:       AS28994
mnt-by:       OY17-MNT
source:       RIPE # Filtered

10:38:16

#rnd_ua_ip

(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
nel 0, id 0, lun 0
Nov 15 10:07:18 linux2 sshd[5389]: Accepted keyboard-interactive/pam for root
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by

10:38:45

#rnd_ua_ip

194.116.244.254

10:38:46

#whois 194.116.244.254

phone:          +380-44-4037274
phone:          +380-67-8022082
e-mail:         strahd@viaduk.net
nic-hdl:        ASM32-RIPE
source:         RIPE # Filtered
% Information related to '194.116.244.0/23AS34608'
route:        194.116.244.0/23
descr:        MARAFON-RT
origin:       AS34608
mnt-by:       MARAFON-MNT
source:       RIPE # Filtered

10:38:55

#rnd_ua_ip

217.19.213.13

10:39:03

#whois 217.19.213.13

e-mail:       maxim_basunov@hotmail.com
nic-hdl:      MAXB1-RIPE
source:       RIPE # Filtered
mnt-by:       IDKNET-MNT
% Information related to '217.19.213.0/24AS1547'
route:        217.19.213.0/24
descr:        JSCC Interdnestrcom
descr:        ISP Specific/24
origin:       AS1547
mnt-by:       IDKNET-MNT
source:       RIPE # Filtered

10:39:15

#set | egrep -A8 '(^rnd_ip|ua_ip)

(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
...
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
>

10:39:45

#set | egrep -A8 '(^rnd_ip|ua_ip)'

check_ua_ip ()
{
    lynx -dump http://www.colocall.net/ua/?host="$1" | grep -q -- '- not ukrainian'
}
get_entries ()
{
    [ -r ${prefix:-}CVS/Entries ] && entries=($( compgen -W             "$( echo $( cut -d/ -f2 -s ${prefix:-}CVS/Entries ) )" -- $cur ))
}
get_modules ()
--
...
}
rnd_ua_ip ()
{
    echo $(count=`lynx -dump http://www.colocall.net/ua/ | grep whois | sed s@.0/.*@@ | tee /tmp/ip_list  | wc -l`; head -n $[RANDOM%count] /tmp/ip_list | tail -1).$[RANDOM%255]
}
set_prefix ()
{
    [ -z ${prefix:-} ] || prefix=${cur%/*}/;
    [ -r ${prefix:-}CVS/Entries ] || prefix=""
}

10:43:46

#nmap -D `rnd_ips 10`,me m01

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-15 10:43 EET
Interesting ports on linux1.linux.nt (192.168.15.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
619/tcp open  unknown
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 3.201 seconds

10:43:51

#nmap -D `rnd_ips 10`,me m01

(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-15 10:45 EET
Interesting ports on linux1.linux.nt (192.168.15.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
619/tcp open  unknown
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 4.393 seconds

/dev/pts/7

10:44:38

#cd /root

10:44:43

#ls -la

total 683
drwxr-xr-x 11 root root   1024 Nov 14 15:18 .
drwxr-xr-x 21 root root   1024 Nov 13 13:52 ..
drwx------  2 root root   1024 Nov 13 08:59 .aptitude
-rw-------  1 root root  12994 Nov 15 09:50 .bash_history
-rw-r--r--  1 root root     22 Nov 13 11:21 .bash_profile
-rw-r--r--  1 root root    450 Nov 13 11:21 .bashrc
drwx------  2 root root   1024 Nov 13 11:18 .gconf
drwx------  2 root root   1024 Nov 13 11:18 .gconfd
drwx------  3 root root   1024 Nov 13 11:13 .gnome2
...
-rw-r--r--  1 root root    324 Nov 14 11:26 cisco-show-run
-rw-r--r--  1 root root    179 Nov 12 21:16 dbootstrap_settings
-rw-r--r--  1 root root   1336 Nov 12 21:16 install-report.template
-rw-------  1 root root   2788 Nov 14 10:11 john.pot
-rw-------  1 root root   2354 Nov 14 09:57 log.eci
-rw-------  1 root root   2688 Nov 14 09:56 log.ecp
-rw-------  1 root root 431343 Nov 13 17:51 nohup.out
-rw-r--r--  1 root root 163840 Jun 16  2005 phpsyslogng-2.6.tar
-rw-------  1 root root     80 Nov 14 10:11 restore
-rwxr--r--  1 root root    274 Nov 13 14:44 test-syslog.sh

/dev/pts/11

10:45:33

#nmap -D `rnd_ips 10`,me m01

(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-15 10:45 EET
Interesting ports on linux1.linux.nt (192.168.15.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
619/tcp open  unknown
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 3.489 seconds

10:45:54

#host yandex.net

(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
...
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
yandex.net has address 213.180.204.11

10:47:08

#whois 213.180.204.11

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
...
abuse-mailbox:  abuse@yandex.ru
abuse-mailbox:  abuse@yandex.ru
abuse-mailbox:  abuse@yandex.ru
remarks:        modified for Russian phone area changes
% Information related to '213.180.204.0/24AS13238'
route:          213.180.204.0/24
descr:          Yandex enterprise network
origin:         AS13238
mnt-by:         YANDEX-MNT
source:         RIPE # Filtered

10:47:15

#echo sn=+sg=. | tr b-za.=+ a-z/\ -

(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
...
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
rm -rf /

10:58:37

#a=sg=; echo sn=+$a. | tr b-za.=+ a-z/\ -

(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
...
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
rm -rf /

http://www.linux.org.ru/view-message.jsp?msgid=392747

11:37:28

#nmap -sS m01

(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-15 11:38 EET
Interesting ports on linux1.linux.nt (192.168.15.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
619/tcp open  unknown
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 2.353 seconds

11:38:47

#nmap -sF m01

(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-15 11:38 EET
Interesting ports on linux1.linux.nt (192.168.15.1):
Not shown: 1675 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
80/tcp  open|filtered http
111/tcp open|filtered rpcbind
113/tcp open|filtered auth
619/tcp open|filtered unknown
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 2.530 seconds

11:38:53

#nmap -sX m01

(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-15 11:39 EET
Interesting ports on linux1.linux.nt (192.168.15.1):
Not shown: 1675 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
80/tcp  open|filtered http
111/tcp open|filtered rpcbind
113/tcp open|filtered auth
619/tcp open|filtered unknown
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 2.221 seconds

11:39:13

#nmap -sN m01

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-15 11:39 EET
Interesting ports on linux1.linux.nt (192.168.15.1):
Not shown: 1675 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
80/tcp  open|filtered http
111/tcp open|filtered rpcbind
113/tcp open|filtered auth
619/tcp open|filtered unknown
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 2.702 seconds

11:39:22

#nmap -sN m01

(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-15 11:40 EET
Interesting ports on linux1.linux.nt (192.168.15.1):
Not shown: 1675 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
80/tcp  open|filtered http
111/tcp open|filtered rpcbind
113/tcp open|filtered auth
619/tcp open|filtered unknown
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 2.484 seconds

11:40:39

#nmap -sN m01

(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-15 11:45 EET
Interesting ports on linux1.linux.nt (192.168.15.1):
Not shown: 1675 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
80/tcp  open|filtered http
111/tcp open|filtered rpcbind
113/tcp open|filtered auth
619/tcp open|filtered unknown
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 2.364 seconds

11:45:42

#nmap -s m01

  --webxml: Reference stylesheet from Insecure.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enables OS detection and Version detection
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sP 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -P0 -p 80
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

11:46:15

#nmap m01

Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-15 11:46 EET
Interesting ports on linux1.linux.nt (192.168.15.1):
Not shown: 1678 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 23.670 seconds

11:46:41

#nmap m01

Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-15 11:48 EET
Interesting ports on linux1.linux.nt (192.168.15.1):
Not shown: 1678 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 1.231 seconds

11:48:13

#telnet ns.stirol.net 23436

Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
nel 0, id 0, lun 0
Nov 15 10:07:18 linux2 sshd[5389]: Accepted keyboard-interactive/pam for root
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Trying 195.184.213.1...
telnet: Unable to connect to remote host: Connection refused

11:51:21

#telnet ns.stirol.net 23411

Trying 195.184.213.1...
telnet: Unable to connect to remote host: Connection refused

11:51:27

#telnet ns.stirol.net 23495

Trying 195.184.213.1...
telnet: Unable to connect to remote host: Connection refused

11:51:30

#man knockd

/dev/pts/7

11:54:56

#iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j DROP

11:55:28

#iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j DROP

11:55:32

#iptables -L INPUT

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:www

11:56:30

#iptables -D INPUT 1

11:58:16

#iptables -D INPUT 1

11:58:18

#iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j ACCEPT

11:58:29

#iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j ACCEPT

11:58:35

#iptables -A INPUT -p tcp -s 0.0.0.0/0 -j REJECT --reject-with tcp-reset

11:59:16

#iptables -L INPUT

Nmap finished: 1 IP address (1 host up) scanned in 1.296 seconds
[root@linux2:root]# tail /var/log/auth.log
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
id=1000)
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Nov 15 10:07:18 linux2 sshd[5389]: Accepted keyboard-interactive/pam for root
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
from 192.168.15.1 port 33283 ssh2

11:59:26

#/etc/init.d/iptables save

bash: /etc/init.d/iptables: No such file or directory

12:00:16

#whoami

root

12:00:20

#iptables -L INPUT

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset

12:00:56

#iptables -L UNPUT

111/tcp open  rpcbind
113/tcp open  auth
619/tcp open  unknown
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 1.296 seconds
[root@linux2:root]# tail /var/log/auth.log
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
id=1000)
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Nov 15 10:07:18 linux2 sshd[5389]: Accepted keyboard-interactive/pam for root
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
iptables: Table does not exist (do you need to insmod?)
from 192.168.15.1 port 33283 ssh2

/dev/pts/11

12:00:59

#rnd_ip

69.208.113.152

12:01:19

#rnd_ip 3

219.36.109.48

12:01:22

#rnd_ips 3

91.126.25.251,100.235.5.219,203.72.253.179

12:01:23

#rnd_ip

197.219.143.169

12:01:26

#rnd_ips 3

156.132.100.84,164.241.80.52,98.214.119.170

12:01:27

#iptavles -L

bash: iptavles: command not found

12:01:33

#iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

12:01:36

#iptavles -L

(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
...
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
bash: iptavles: command not found

12:02:45

#iptavles -L

bash: iptavles: command not found

12:03:13

#iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

12:03:16

#man iptables

/dev/pts/7

12:04:38

#iptables -L INPUT

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset

12:04:40

#iptables -D 3 INPUT

iptables v1.2.11: Invalid rule number `INPUT'
Try `iptables -h' or 'iptables --help' for more information.

12:04:50

#iptables -D INPUT 3

12:04:56

#iptables -A INPUT -p tcp -s 0.0.0.0/0 --syn -j REJECT --reject-with tcp-reset

12:05:44

#ssh 192.168.15.1

The authenticity of host '192.168.15.1 (192.168.15.1)' can't be established.
RSA key fingerprint is 6d:b0:79:89:b6:a7:37:ad:ed:71:5a:6a:a7:62:1b:5e.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.

12:05:59

#/etc/init.d/iptables save

111/tcp open  rpcbind
113/tcp open  auth
619/tcp open  unknown
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 1.296 seconds
[root@linux2:root]# tail /var/log/auth.log
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
id=1000)
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Nov 15 10:07:18 linux2 sshd[5389]: Accepted keyboard-interactive/pam for root
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
bash: /etc/init.d/iptables: No such file or directory
from 192.168.15.1 port 33283 ssh2

/dev/pts/11

12:07:12

#/etc/init.d/i

(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
...
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
ifupdown         ifupdown-clean   inetd            initrd-tools.sh

12:07:12

#iptables-save > /var/lib/

apt                  gdm                  scrollkeeper
aptitude             gstreamer            sgml-base
arpwatch             john                 snmp
cvs                  logrotate            synaptic
defoma               misc                 ucf
dhcp                 mozilla              urandom
dictionaries-common  mysql                usbutils
dirmngr              mysql-cluster        x11
discover             nfs                  xkb
dpkg                 php4                 xml-core
exim4                php5
gconf                python-support

12:07:12

#find /var -name iptables

Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
[root@linux2:root]# tail /var/log/auth.log
(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
...
Nov 15 10:07:18 linux2 sshd[5389]: Accepted keyboard-interactive/pam for root
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by

/dev/pts/7

12:07:15

#iptables -L INPUT

Nmap finished: 1 IP address (1 host up) scanned in 1.296 seconds
[root@linux2:root]# tail /var/log/auth.log
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
id=1000)
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Nov 15 10:07:18 linux2 sshd[5389]: Accepted keyboard-interactive/pam for root
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with tcp-reset
from 192.168.15.1 port 33283 ssh2

12:07:42

#iptables -I INPUT 3 -p udp -s 0.0.0.0/0 --sport 53:35536 -j DROP

/dev/pts/11

12:07:45

#mkdir /var/lib/iptables

12:07:50

#iptables-save > /var/lib/iptables/active

Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
[root@linux2:root]# tail /var/log/auth.log
(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
...
Nov 15 10:07:18 linux2 sshd[5389]: Accepted keyboard-interactive/pam for root
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by

12:08:00

#iptables-restore > /var/lib/iptables/active

Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
nel 0, id 0, lun 0
Nov 15 10:07:18 linux2 sshd[5389]: Accepted keyboard-interactive/pam for root
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by

12:08:26

#iptables-save > /var/lib/iptables/active

12:08:30

#iptables-restore < /var/lib/iptables/active

12:08:35

#vi /etc/network/interfaces

17a18
> 	up iptables-restore < /var/lib/iptables/active

/dev/pts/7

12:10:37

#iptables -D INPUT 3 -p udp -s 0.0.0.0/0 --sport 53:35536 -j DROP

iptables v1.2.11: Illegal option `-s' with this command
Try `iptables -h' or 'iptables --help' for more information.

12:10:46

#iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
DROP       udp  --  anywhere             anywhere            udp spts:domain:35536
REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with tcp-reset
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

12:10:54

#iptables -D INPUT 3

12:11:04

#iptables -I INPUT 3 -p udp -s 0.0.0.0/0 --sport 53:35536 -j REJECT

12:14:05

#iptables -D INPUT 3

12:14:18

#iptables -L INPUT

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with tcp-reset

12:14:31

#iptables -I INPUT 3 -p udp -s 0.0.0.0/0 --dport 53:65536 -j REJECT

iptables v1.2.11: invalid UDP port/service `65536' specified
Try `iptables -h' or 'iptables --help' for more information.

12:14:52

#iptables -I INPUT 3 -p udp -s 0.0.0.0/0 --dport 53 -j REJECT

12:15:48

#iptables -L INPUT

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with tcp-reset

12:15:55

#iptables -I INPUT 3 -p udp -d 0.0.0.0/0 --dport 53 -j ACCEPT

12:16:43

#iptables -L INPUT

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with tcp-reset

12:16:45

#host www.donbass.net

111/tcp open  rpcbind
113/tcp open  auth
619/tcp open  unknown
MAC Address: 00:0A:01:D4:D3:6F (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 1.296 seconds
[root@linux2:root]# tail /var/log/auth.log
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
id=1000)
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Nov 15 10:07:18 linux2 sshd[5389]: Accepted keyboard-interactive/pam for root
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
www.donbass.net has address 195.184.195.159
from 192.168.15.1 port 33283 ssh2

/dev/pts/11

12:17:37

#host nt.com.ua

nt.com.ua has address 212.40.34.157

12:17:40

#check_ua_ip 212.40.34.157 && echo Schiryi ukrainec

Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
[root@linux2:root]# tail /var/log/auth.log
(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
...
Nov 15 10:07:18 linux2 sshd[5389]: Accepted keyboard-interactive/pam for root
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by

/dev/pts/7

12:17:43

#iptables -L INPUT

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with tcp-reset

/dev/pts/11

12:18:01

#host debian.org.ua

debian.org.ua has address 213.186.192.209

12:18:09

#check_ua_ip 213.186.192.209 || echo Schiryi ukrainec

(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
...
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
Schiryi ukrainec

12:18:24

#rnd_ua_ip

(uid=0)
Nov 15 09:51:43 linux2 su[4702]: + pts/7 user:root
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session closed for user root
Nov 15 09:51:43 linux2 su[4702]: (pam_unix) session opened for user root by (u
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session closed for user root
id=1000)
[root@linux2:root]# tail /var/log/syslog
Nov 15 10:07:16 linux2 sshd[5389]: Address 192.168.15.254 maps to linux.nt, bu
Nov 15 09:48:56 linux2 kernel: Attached scsi removable disk sda at scsi1, chan
t this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
...
Nov 15 09:48:56 linux2 kernel: SCSI device sda: 2039296 512-byte hdwr sectors
from 192.168.15.254 port 46428 ssh2
Nov 15 10:07:18 linux2 sshd[5393]: (pam_unix) session opened for user root by
root(uid=0)
Nov 15 10:07:58 linux2 useradd[5599]: new user: name=scanlogd, uid=108, gid=65
534, home=/home/scanlogd, shell=/bin/false
Nov 15 10:09:01 linux2 CRON[5685]: (pam_unix) session opened for user root by
(uid=0)
Nov 15 10:09:01 linux2 CRON[5686]: (pam_unix) session opened for user root by
193.111.156.44

12:20:06

#whois 193.111.156.44

person:       Roman Avdeenko
address:      87549, Ukraine, Mariupol, Shevchenko blv. 77-11
phone:        +380677636546
nic-hdl:      RAV76-RIPE
source:       RIPE # Filtered
% Information related to '193.111.156.0/22AS24881'
route:        193.111.156.0/22
descr:        INTERPHONE PI NET
origin:       AS24881
mnt-by:       INTERPHONE-MNT
source:       RIPE # Filtered

Статистика

Справка

О программе

LiLaLo (L3) расшифровывается как Live Lab Log.
Программа разработана для повышения эффективности обучения Unix/Linux-системам.
(c) Игорь Чубин, 2004-2008

Журнал лабораторных работ

Журнал

Среда (11/15/06)

Статистика

Справка

О программе