Why do we need security?

Some log extracts:
Jul 8 09:04:28 sebastian kernel: Packet log: input REJECT ppp0 PROTO=6 209.119.188.93:4377 128.119.232.151:119 L=44 S=0x00 I=8067 F=0x4000 T=116 SYN (#13)
Jul 8 09:04:31 sebastian kernel: Packet log: input REJECT ppp0 PROTO=6 209.119.188.93:4377 128.119.232.151:119 L=44 S=0x00 I=14211 F=0x4000 T=116 SYN (#13)
Jul 8 09:04:37 sebastian kernel: Packet log: input REJECT ppp0 PROTO=6 209.119.188.93:4377 128.119.232.151:119 L=44 S=0x00 I=21123 F=0x4000 T=116 SYN (#13)
Jul 8 09:04:49 sebastian kernel: Packet log: input REJECT ppp0 PROTO=6 209.119.188.93:4377 128.119.232.151:119 L=44 S=0x00 I=4996 F=0x4000 T=116 SYN (#13)
Jul 15 08:26:54 sebastian kernel: Packet log: input REJECT ppp0 PROTO=6 216.217.108.71:4982 128.119.232.225:21 L=60 S=0x00 I=45566 F=0x4000 T=51 SYN (#13)

This is from my home PC, where I connect to the internet via modem, typically for 1 hour at a time or less. You can see here probes that came in on two Saturday mornings, while I was surfing the web or whatever.
It shows, on July 8th, four attempts in 21 seconds to connect to the nntp (Usenet news) port on my machine (port 119). The address 209.119.188.93 maps to the domain popsite.net, and a look at www.popsite.net shows that they are aware that many of their users are spammers. Indeed, this looks like somebody was trying to use my PC to spam Usenet news.
This guy probably only wanted to post spam, but that's not so benign as it seems. If this attack had been successful, the spam would appear to come from my machine, and could get me on people's black lists and so on.
But if you want an example of something more worrying, see the last entry above (July 15) and also these, from three of the servers which I administer:
Jul 7 03:02:13 frak wu.ftpd[32362]: refused connect from root@cc629397-n.narltn1.nj.home.com
Jul 7 03:02:13 frik wu.ftpd[17344]: refused connect from root@cc629397-n.narltn1.nj.home.com
Jul 7 03:02:13 lists BeroFTPD[4008]: refused connect from root@cc629397-n.narltn1.nj.home.com
Jul 7 03:02:34 lists BeroFTPD[4012]: refused connect from root@cc629397-n.narltn1.nj.home.com
Jul 7 03:02:53 frik wu.ftpd[17345]: refused connect from root@cc629397-n.narltn1.nj.home.com
Jul 7 03:03:08 frak wu.ftpd[32363]: refused connect from root@cc629397-n.narltn1.nj.home.com
Jul 7 03:08:10 frak wu.ftpd[30760]: refused connect from cx28444-a.omhan1.ne.home.com
Jul 7 03:08:10 frik wu.ftpd[4834]: refused connect from cx28444-a.omhan1.ne.home.com
Jul 7 03:08:10 lists BeroFTPD[4018]: refused connect from cx28444-a.omhan1.ne.home.com
Jul 7 03:08:36 lists BeroFTPD[4022]: refused connect from cx28444-a.omhan1.ne.home.com
Jul 7 03:08:46 frik wu.ftpd[4835]: refused connect from cx28444-a.omhan1.ne.home.com
Jul 7 03:08:56 frak wu.ftpd[30761]: refused connect from cx28444-a.omhan1.ne.home.com
Jul 7 03:17:40 frak wu.ftpd[2255]: refused connect from root@cx506665-b.mesa1.az.home.com
Jul 7 03:17:40 frik wu.ftpd[28418]: refused connect from root@cx506665-b.mesa1.az.home.com
Jul 7 03:17:40 lists BeroFTPD[4033]: refused connect from root@cx506665-b.mesa1.az.home.com
Jul 7 03:18:01 lists BeroFTPD[4037]: refused connect from root@cx506665-b.mesa1.az.home.com
Jul 7 03:18:10 frik wu.ftpd[28419]: refused connect from root@cx506665-b.mesa1.az.home.com
Jul 7 03:18:18 frak wu.ftpd[2256]: refused connect from root@cx506665-b.mesa1.az.home.com
Jul 7 05:37:50 frik wu.ftpd[16539]: refused connect from root@cx213037-a.cv1.sdca.home.com
Jul 7 05:37:51 frak wu.ftpd[23625]: refused connect from root@cx213037-a.cv1.sdca.home.com
Jul 7 05:37:51 lists BeroFTPD[4226]: refused connect from root@cx213037-a.cv1.sdca.home.com
Jul 7 05:38:12 lists BeroFTPD[4230]: refused connect from root@cx213037-a.cv1.sdca.home.com
Jul 7 05:38:21 frik wu.ftpd[16540]: refused connect from root@cx213037-a.cv1.sdca.home.com
Jul 7 05:38:31 frak wu.ftpd[23626]: refused connect from root@cx213037-a.cv1.sdca.home.com
Jul 7 09:07:57 lists BeroFTPD[4573]: refused connect from root@c106522-a.rchdsn1.tx.home.com
Jul 7 09:07:58 frak wu.ftpd[17142]: refused connect from root@c106522-a.rchdsn1.tx.home.com
Jul 7 09:07:58 frik wu.ftpd[29303]: refused connect from root@c106522-a.rchdsn1.tx.home.com
Jul 7 09:08:24 lists BeroFTPD[4577]: refused connect from root@c106522-a.rchdsn1.tx.home.com
Jul 7 09:08:34 frik wu.ftpd[29304]: refused connect from root@c106522-a.rchdsn1.tx.home.com
Jul 7 09:08:42 frak wu.ftpd[20147]: refused connect from root@c106522-a.rchdsn1.tx.home.com
Jul 7 10:36:08 frak wu.ftpd[16943]: refused connect from root@c567258-c.baden1.pa.home.com
Jul 7 10:36:08 frik wu.ftpd[31378]: refused connect from root@c567258-c.baden1.pa.home.com
Jul 7 10:36:08 lists BeroFTPD[4919]: refused connect from root@c567258-c.baden1.pa.home.com
Jul 7 10:36:40 lists BeroFTPD[4920]: refused connect from unknown
Jul 7 10:36:40 lists BeroFTPD[4921]: refused connect from unknown
Jul 7 10:36:40 lists BeroFTPD[4922]: refused connect from unknown
Jul 7 10:36:43 lists BeroFTPD[4923]: refused connect from root@c567258-c.baden1.pa.home.com
Jul 7 10:36:54 frik wu.ftpd[31379]: refused connect from root@c567258-c.baden1.pa.home.com
Jul 7 10:37:09 frak wu.ftpd[16944]: refused connect from root@c567258-c.baden1.pa.home.com
Jul 7 12:47:08 frak wu.ftpd[6744]: refused connect from 216.218.45.66
Jul 7 12:47:08 frik wu.ftpd[29015]: refused connect from 216.218.45.66
Jul 7 12:47:08 lists BeroFTPD[5069]: refused connect from 216.218.45.66
Jul 7 16:17:26 frak wu.ftpd[8419]: refused connect from root@c518560-a.plstn1.sfba.home.com
Jul 7 16:17:26 frik wu.ftpd[24249]: refused connect from root@c518560-a.plstn1.sfba.home.com
Jul 7 16:17:26 lists BeroFTPD[5303]: refused connect from root@c518560-a.plstn1.sfba.home.com
Jul 8 05:37:21 lists BeroFTPD[6228]: refused connect from root@c298640-a.brln1.ct.home.com
Jul 8 05:37:22 frak wu.ftpd[7953]: refused connect from root@c298640-a.brln1.ct.home.com
Jul 8 05:37:22 frik wu.ftpd[22929]: refused connect from root@c298640-a.brln1.ct.home.com
Jul 14 14:47:43 frak wu.ftpd[3326]: refused connect from root@203.231.5.40
Jul 14 14:47:43 frik wu.ftpd[27262]: refused connect from root@203.231.5.40
Jul 14 14:47:43 lists BeroFTPD[31819]: refused connect from root@203.231.5.40
Jul 14 16:48:08 lists BeroFTPD[31937]: refused connect from root@203.231.5.40
Jul 14 16:48:19 frak wu.ftpd[1838]: refused connect from root@203.231.5.40
Jul 14 16:48:28 frik wu.ftpd[13681]: refused connect from root@203.231.5.40
Jul 15 08:11:40 lists BeroFTPD[269]: refused connect from 216.217.108.71
Jul 15 08:11:41 frik wu.ftpd[26264]: refused connect from 216.217.108.71
Jul 15 08:11:42 frak wu.ftpd[22923]: refused connect from 216.217.108.71
Jul 15 08:35:04 lists BeroFTPD[294]: refused connect from 216.217.108.71
Jul 15 08:35:10 frik wu.ftpd[6119]: refused connect from 216.217.108.71
Jul 15 08:35:15 frak wu.ftpd[12347]: refused connect from 216.217.108.71
Jul 15 15:30:16 lists BeroFTPD[701]: refused connect from user-2initt7.dialup.mindspring.com
Jul 15 15:30:18 frak wu.ftpd[27266]: refused connect from user-2initt7.dialup.mindspring.com
Jul 15 15:30:18 frik wu.ftpd[764]: refused connect from user-2initt7.dialup.mindspring.com
Jul 16 08:20:40 lists BeroFTPD[1744]: refused connect from unknown
Jul 16 08:20:40 lists BeroFTPD[1744]: warning: can't get client address: Connection reset by peer
Jul 16 21:46:53 lists BeroFTPD[2588]: refused connect from p3E9BA1C2.dip0.t-ipconnect.de
Jul 16 21:46:56 frik wu.ftpd[11095]: refused connect from p3E9BA1C2.dip0.t-ipconnect.de
Jul 16 21:47:03 frak wu.ftpd[12951]: refused connect from p3E9BA1C2.dip0.t-ipconnect.de

On July 7, a security exploit affecting the wu.ftpd daemon was announced.
Less than 1 day after the advisory was posted, you can see the increased level of connection attempts to the ftp port on those machines (and on my home PC).
Had any of these attempts succeeded, the attacker would have gained root, basically owning the system after that.
(Note: the logs look different because the first set was produced by the Linux ipchains packet filtering facility. The second set was produced by TCP Wrappers.)
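As an added example (not from the original page), a Python script that parses both log formats shown here, ipchains packet-log lines and TCP Wrappers refusals, and flags the two patterns the text points out: a burst of rejected connections from one address to one port (the nntp probes) and the same address being refused by several hosts within a minute (the ftp sweeps). The sample lines are copied from the extracts above; the 60-second window and threshold of 3 are assumed values, and the FTP port is inferred from the daemon name because TCP Wrappers does not log it.

```python
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jul 8 09:04:28 sebastian kernel: Packet log: input REJECT ppp0 PROTO=6 209.119.188.93:4377 128.119.232.151:119 L=44 S=0x00 I=8067 F=0x4000 T=116 SYN (#13)
Jul 8 09:04:31 sebastian kernel: Packet log: input REJECT ppp0 PROTO=6 209.119.188.93:4377 128.119.232.151:119 L=44 S=0x00 I=14211 F=0x4000 T=116 SYN (#13)
Jul 8 09:04:37 sebastian kernel: Packet log: input REJECT ppp0 PROTO=6 209.119.188.93:4377 128.119.232.151:119 L=44 S=0x00 I=21123 F=0x4000 T=116 SYN (#13)
Jul 8 09:04:49 sebastian kernel: Packet log: input REJECT ppp0 PROTO=6 209.119.188.93:4377 128.119.232.151:119 L=44 S=0x00 I=4996 F=0x4000 T=116 SYN (#13)
Jul 15 08:26:54 sebastian kernel: Packet log: input REJECT ppp0 PROTO=6 216.217.108.71:4982 128.119.232.225:21 L=60 S=0x00 I=45566 F=0x4000 T=51 SYN (#13)
Jul 15 08:11:40 lists BeroFTPD[269]: refused connect from 216.217.108.71
Jul 15 08:11:41 frik wu.ftpd[26264]: refused connect from 216.217.108.71
Jul 15 08:11:42 frak wu.ftpd[22923]: refused connect from 216.217.108.71
"""  # sample input: a subset of the ipchains and TCP Wrappers lines from the extracts above

IPCHAINS_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) kernel: Packet log: input REJECT "
                         r"\S+ PROTO=\d+ ([\d.]+):\d+ [\d.]+:(\d+) ")
TCPWRAP_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) (?:wu\.ftpd|BeroFTPD)\[\d+\]: "
                        r"refused connect from (?:\w+@)?(\S+)$")

def parse(text):
    """Return time-ordered (time, host, source, dest_port) tuples for rejected or refused connections."""
    events = []
    for line in text.splitlines():
        if m := IPCHAINS_RE.match(line):
            ts, host, src, port = m.groups()
        elif m := TCPWRAP_RE.match(line):
            ts, host, src = m.groups()
            port = "21"  # wu.ftpd and BeroFTPD are both FTP servers, so the refused port is 21
        else:
            continue  # skips e.g. the "can't get client address" warning line
        t = datetime.strptime(re.sub(r" +", " ", ts), "%b %d %H:%M:%S")  # syslog stamps carry no year
        events.append((t, host, src, int(port)))
    return sorted(events)

def alerts(events, threshold=3, window=60):
    """Flag a source rejected `threshold`+ times within `window` seconds (assumed values): one host is a burst, several hosts a sweep."""
    by_src = defaultdict(list)
    for t, host, src, port in events:
        by_src[src].append((t, host, port))
    found = {}
    for src, hits in by_src.items():  # hits are already in time order
        for i in range(len(hits)):
            win = [h for h in hits[i:] if (h[0] - hits[i][0]).total_seconds() <= window]
            if len(win) >= threshold:
                hosts = sorted({h for _, h, _ in win})
                found[src] = ("sweep" if len(hosts) > 1 else "burst", len(win), hosts)
                break  # one alert per source is enough for this example
    return found
```

Calling `alerts(parse(SAMPLE_LOG))` reports the popsite.net address as a 4-attempt burst against sebastian and 216.217.108.71 as a sweep across frak, frik and lists.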
There is another, less obvious but sadder, lesson in these logs. A good portion of the attacks on my machines come from DSL/broadband PCs (some of them running Linux, embarrassingly enough) that appear to have been themselves broken into, and are being used to attack others, possibly without their owners' knowledge.
You could be next...