[4eyes] SSH service on 128.111.28.94 port 2222

Matthew Turk mturk at cs.ucsb.edu
Tue Jul 13 14:59:04 PDT 2010


Everyone in the trailer:

There seems to be an issue with SSH coming from a machine in the trailer
with an IP address of 128.111.28.94 - DHCP, so it's probably a laptop. Is
anyone doing anything special with SSH on port 2222?

Please check the IP address of your machine and let me know if it's
128.111.28.94.

Thanks,

            Matthew

From: Andreas Boschke [mailto:andreas at cs.ucsb.edu]
Sent: Tuesday, July 13, 2010 2:56 PM
To: Matthew Turk
Subject: Re: [COMS #30394] Re: [UCSB-OIT #252085] SSH service on 128.111.28.94 port 2222

Hi Matthew:

It seems to be from the trailer.

-Andreas

On Jul 13, 2010, at 2:40 PM, Matthew Turk wrote:

Andreas,

Do you know if this is from Trailer 932 or from the Foglab (in Elings Hall)?

            Matthew

From: Andreas Boschke [mailto:andreas at cs.ucsb.edu]
Sent: Tuesday, July 13, 2010 11:10 AM
To: Matthew Turk; Tobias Hollerer
Subject: Fwd: [COMS #30394] Re: [UCSB-OIT #252085] SSH service on 128.111.28.94 port 2222

Hi Matthew and Tobias:

In the Ilab, IP 128.111.28.94 from the DHCP pool is having SSH trouble.

Would you please ask if the user is doing anything special with SSH on PORT
2222?

Thanks,

-Andreas

REF:

=

Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-13 11:09 PDT
Nmap scan report for ilab-94.cs.ucsb.edu (128.111.28.94)
Host is up (0.00052s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2222/tcp open  unknown
4445/tcp open  unknown

=

Begin forwarded message:

From: "security at ucsb.edu via CS Support" <support at cs.ucsb.edu>
Date: July 13, 2010 10:01:17 AM PDT
Subject: [COMS #30394] Re: [UCSB-OIT #252085] SSH service on 128.111.28.94 port 2222
Reply-To: support at cs.ucsb.edu

Tue Jul 13 10:01:17 2010: Request 30394 was acted upon.
Transaction: Ticket created by security at ucsb.edu
       Queue: General
     Subject: Re: [UCSB-OIT #252085] SSH service on 128.111.28.94 port 2222
       Owner: Nobody
  Requestors: security at ucsb.edu
      Status: new
 Ticket <URL: https://rt.cs.ucsb.edu/Ticket/Display.html?id=30394 >

I think we know the answer by now.

81.218.143.158 has been null-routed for the attack.

Thanks,

-- 
Igor Shabaltas
Campus Network Programmer
University of California, Santa Barbara
<igor.shabaltas at ucsb.edu> (805) 893-7939

Greetings support at cs.ucsb.edu,

Could you confirm that SSH service on 128.111.28.94 port 2222 is started by
the user on purpose?

Host name is ilab-94.cs.ucsb.edu, MAC address - 000c2973eeb7,
location - most likely bldg.489 (TB-Sycamore).

noc$ nc 128.111.28.94 2222
SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu3
^C
noc$ date
Tue Jul 13 09:29:12 PDT 2010

There is someone out there who is probably (as it looks to me) running a
slow-paced dictionary attack against this box/service (and another three
systems on campus, same port) or, for an unknown reason, repeatedly (last night
every 6 or so mins) trying to connect to the box. Here is a short traffic
sample:

Start             SrcIPaddress    SrcP   DstIPaddress    DstP  P  Fl Pkts Octets
0713.07:41:44.341 81.218.143.158  35784  128.111.28.94   2222  6  2  2    120
0713.07:41:44.339 81.218.143.158  36453  128.111.145.6   2222  6  2  2    120
0713.07:41:44.351 81.218.143.158  46575  128.111.40.225  2222  6  2  2    120
0713.07:41:44.337 81.218.143.158  46865  128.111.127.36  2222  6  3  13   1212
0713.07:47:58.148 81.218.143.158  50653  128.111.145.6   2222  6  2  2    120
0713.07:47:58.167 81.218.143.158  48479  128.111.40.225  2222  6  2  2    120
0713.07:47:58.148 81.218.143.158  54523  128.111.127.36  2222  6  2  2    120
0713.07:47:58.164 81.218.143.158  42976  128.111.28.94   2222  6  3  12   1152
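The flow sample above is exactly the kind of record a campus NOC can turn into an automated alert. The following is an added example, not part of the original thread and not any of the campus tools mentioned in it: it parses flow lines in the layout printed above (Start, SrcIPaddress, SrcP, DstIPaddress, DstP, P, Fl, Pkts, Octets), groups them by source address, and reports any source that touches several hosts on the same port in repeated bursts. The eight sample lines are copied from the message; the reading of the Fl column as the cumulative NetFlow TCP-flag mask (FIN = 1, SYN = 2), the 60-second gap that separates bursts, and the function names are assumptions of this example.

```python
"""Spot one source sweeping a single port across many hosts in unidirectional
flow records.  Added example; not part of the original mailing-list thread."""
from collections import defaultdict
from datetime import datetime, timedelta

# Flow records copied from the traffic sample in the message above.  Columns:
# Start SrcIPaddress SrcP DstIPaddress DstP P Fl Pkts Octets (flow-tools style).
SAMPLE_FLOWS = """\
0713.07:41:44.341 81.218.143.158  35784  128.111.28.94   2222  6  2  2    120
0713.07:41:44.339 81.218.143.158  36453  128.111.145.6   2222  6  2  2    120
0713.07:41:44.351 81.218.143.158  46575  128.111.40.225  2222  6  2  2    120
0713.07:41:44.337 81.218.143.158  46865  128.111.127.36  2222  6  3  13   1212
0713.07:47:58.148 81.218.143.158  50653  128.111.145.6   2222  6  2  2    120
0713.07:47:58.167 81.218.143.158  48479  128.111.40.225  2222  6  2  2    120
0713.07:47:58.148 81.218.143.158  54523  128.111.127.36  2222  6  2  2    120
0713.07:47:58.164 81.218.143.158  42976  128.111.28.94   2222  6  3  12   1152
"""

# Assumption: Fl is the cumulative TCP-flag mask exported by NetFlow/flow-tools,
# with FIN = 1 and SYN = 2.  In a source->destination flow, SYN alone means the
# source never got past its first packet; SYN|FIN means a session ran to a
# graceful close (here: the SSH banner exchange seen with nc above).
TCP_FIN, TCP_SYN = 1, 2


def parse_flow(line, year=2010):
    """Parse one flow line into a dict.  The record carries no year, so it is passed in."""
    fields = line.split()
    if len(fields) != 9:
        raise ValueError(f"expected 9 columns, got {len(fields)}: {line!r}")
    start, src, sport, dst, dport, proto, flags, pkts, octets = fields
    return {
        "start": datetime.strptime(f"{year}{start}", "%Y%m%d.%H:%M:%S.%f"),
        "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        "proto": int(proto), "flags": int(flags),
        "pkts": int(pkts), "octets": int(octets),
    }


def cluster_bursts(times, gap=timedelta(seconds=60)):
    """Group timestamps into bursts separated by more than `gap`; return each burst's start."""
    starts, prev = [], None
    for t in sorted(times):
        if prev is None or t - prev > gap:
            starts.append(t)
        prev = t
    return starts


def sweep_report(text, port=2222, min_targets=3):
    """Return {src: summary} for each source that reached >= min_targets distinct
    destinations on `port` over TCP.  The summary gives the number of bursts, the
    seconds between consecutive burst starts, the destinations where a session
    completed (FIN seen) and how many attempts never got past SYN."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            f = parse_flow(line)
            if f["proto"] == 6 and f["dport"] == port:
                by_src[f["src"]].append(f)
    report = {}
    for src, flows in by_src.items():
        targets = {f["dst"] for f in flows}
        if len(targets) < min_targets:
            continue
        bursts = cluster_bursts(f["start"] for f in flows)
        intervals = [round((b - a).total_seconds(), 1) for a, b in zip(bursts, bursts[1:])]
        report[src] = {
            "targets": sorted(targets),
            "bursts": len(bursts),
            "burst_interval_s": intervals,
            "completed_sessions": sorted(f["dst"] for f in flows if f["flags"] & TCP_FIN),
            "syn_only_attempts": sum(1 for f in flows if not f["flags"] & TCP_FIN),
        }
    return report


if __name__ == "__main__":
    for src, s in sweep_report(SAMPLE_FLOWS).items():
        print(f"{src}: {len(s['targets'])} hosts on port 2222, {s['bursts']} bursts "
              f"{s['burst_interval_s']} s apart; sessions completed with "
              f"{', '.join(s['completed_sessions']) or 'none'}")
```

Run against the sample, the report shows one source reaching four campus hosts on port 2222 in two bursts about 374 seconds apart, which matches the "every 6 or so mins" observation in the message, and it singles out 128.111.28.94 and 128.111.127.36 as the only two hosts where the session completed (12-13 packets, FIN set), i.e. the only hosts that actually answered on that port. In production the same logic would read the exporter's output instead of an inline string and alert when the distinct-target count or the burst regularity crosses a threshold.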

 

 

 

 

 
