[Leaplist] Server break-in attempt, a couple of QUESTIONS.

patrick pberry2 at cfl.rr.com
Fri Sep 7 06:52:42 EDT 2007


patrick wrote:
> David Simmons wrote:
>> Guys/Gals,
>>  
>>  Just was able to catch a 'break in attempt' on one
>> of my webservers
>>  
>>  It was from the RIPE network in
>> Amsterdam....IP address was 86.126.41.177
>>  
>>
>> they were logging in through the NAGIOS user and (trying to run)
>> two programs (files from):
>>  
>>  brute.tgz
>>  fast.tgz
>>  
>>  Just a word of caution to double-check those servers....
>>  
>>
>> dave
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Leaplist mailing list
>> Leaplist at leap-cf.org
>> http://lists.leap-cf.org/mailman/listinfo/leaplist
> 
> My whois query brings back:
> 
>> % This is the RIPE Whois query server #1.
>> % The objects are in RPSL format.
>> %
>> % Rights restricted by copyright.
>> % See http://www.ripe.net/db/copyright.html
>>
>> % Note: This output has been filtered.
>> %       To receive output for a database update, use the "-B" flag.
>>
>> % Information related to '86.126.41.0 - 86.126.41.255'
>>
>> inetnum:        86.126.41.0 - 86.126.41.255
>> netname:        RO-RCS-RDS-FIBERLINK
>> descr:          RCS & RDS S.A.
>> descr:          FiberLink Customers
>> descr:          Craiova city
>> country:        RO
>> admin-c:        RDS-RIPE
>> tech-c:         RDS-RIPE
>> status:         ASSIGNED PA
>> mnt-by:         AS8708-MNT
>> source:         RIPE # Filtered
>>
>> role:           Romania Data Systems NOC
>> address:        71-75 Dr. Staicovici
>> address:        Bucharest / ROMANIA
>> phone:          +40 21 30 10 888
>> fax-no:         +40 21 30 10 892
>> e-mail:         contact-tech at rdsnet.ro
>> admin-c:        CN19-RIPE
>> admin-c:        GEPU1-RIPE
>> tech-c:         CN19-RIPE
>> tech-c:         GEPU1-RIPE
>> nic-hdl:        RDS-RIPE
>> mnt-by:         AS8708-MNT
>> remarks:        +-----------------------------------------------------------+
>> remarks:        | ABUSE CONTACT: abuse at rdsnet.ro IN CASE OF HACK ATTACKS,   |
>> remarks:        | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.    |
>> remarks:        +-----------------------------------------------------------+
>> source:         RIPE # Filtered
>>
>> % Information related to '86.120.0.0/13AS8708'
>>
>> route:        86.120.0.0/13
>> descr:        RDSNET
>> origin:       AS8708
>> mnt-by:       AS8708-MNT
>> source:       RIPE # Filtered
>>
>>

John Simpson has some great advice.  I am saving that.

Are you going to notify abuse at rdsnet.ro  about this?  A printout in a
file, even, would be a good reminder of the exploits, their source, and
the cure that John has suggested!

Does running a web server on the amber port of an IPCop box protect the
web server from most exploits?
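One way to catch the kind of event Dave describes (an accepted SSH session for the nagios service account after a run of password failures from one address) is to scan the sshd log for logins to accounts that should never log in interactively. This is an added example, not code from the list, from Nagios or from IPCop; the log lines are constructed and the service-account list is an assumption for the demonstration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: these accounts exist only to run daemons and should never
# get an interactive SSH session. Adjust to the hosts you actually run.
SERVICE_ACCOUNTS = {"nagios", "www-data", "apache", "mysql", "postgres"}

# OpenSSH auth-log formats: "Failed password for [invalid user] U from IP ..."
# and "Accepted <method> for U from IP port N ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

@dataclass(frozen=True)
class Alert:
    user: str
    ip: str
    method: str
    preceding_failures: int  # failures for this (user, ip) before the success

def find_service_account_logins(lines, service_accounts=SERVICE_ACCOUNTS):
    """Return one Alert per accepted login to a service account, with the
    number of failed attempts seen from the same address beforehand."""
    failures = Counter()
    alerts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[(m.group("user"), m.group("ip"))] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") in service_accounts:
            key = (m.group("user"), m.group("ip"))
            alerts.append(Alert(key[0], key[1], m.group("method"), failures[key]))
    return alerts

# Constructed sample log (the 86.126.41.177 address is the one in Dave's report).
SAMPLE_LOG = """\
Sep  6 23:41:02 web1 sshd[4121]: Failed password for nagios from 86.126.41.177 port 40211 ssh2
Sep  6 23:41:05 web1 sshd[4121]: Failed password for nagios from 86.126.41.177 port 40211 ssh2
Sep  6 23:41:09 web1 sshd[4121]: Accepted password for nagios from 86.126.41.177 port 40211 ssh2
Sep  6 23:52:17 web1 sshd[4190]: Accepted publickey for dave from 192.0.2.10 port 51022 ssh2
""".splitlines()

if __name__ == "__main__":
    for a in find_service_account_logins(SAMPLE_LOG):
        print(f"ALERT: {a.user} logged in via {a.method} from {a.ip} "
              f"after {a.preceding_failures} failed attempts")
```

Running it over the sample flags the nagios login from 86.126.41.177 (two failures first) and ignores the ordinary user login.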