Security Incidents
mailing list archives
RE: [list-admin] Strange authentication attempts
From: "Fulton L. Preston Jr." <fulton () prestons org>
Date: Tue, 30 Mar 2004 23:25:18 -0500
John,
Seeing as how the Portmasters don't have these accounts, I wouldn't worry
too much except to block telnet access to the Portmaster from the outside.
Allowing telnet access to your terminal servers from outside your network
isn't a good idea.
Also, you're seeing the hits on your RADIUS server probably because you have
your Portmasters configured to use RADIUS auth. The Portmasters will check
all local accounts first, then, based on the port settings, either send to a
rlogin, telnet, or RADIUS server depending on the global and/or individual
port settings.
If this Portmaster is just used for PPP dialup access, I wouldn't worry about
the accounts tried, but primarily about the default root account on the PMs,
"!root"; that is not good.
Block telnet access to your PMs on your edge router. It doesn't even hurt
to configure the Portmaster to reject telnet access, period, and only log on
through the serial port; that is what I did after my PM got hacked via
telnet from the local network (you can't stop hackers from stealing local
PPP passwords from users, and that very same PPP account established on the PM
can telnet to the host terminal server regardless of your edge router
settings).
I still run three Portmasters and love them, but never ever open telnet (or
PMLOGIN) to the server itself. I use a serial cable tied to one of my
Solaris servers for managing them (a server that only staff has command-line
access to, using SSH), plugged into S0, the serial console port. For
a while we only used a VT-220 terminal that we plugged into them to configure
them, but eventually settled on securing a *nix server to allow us remote
access with better protections than simple telnet.
Regards,
Fulton Preston
-----Original Message-----
From: John Narron [mailto:zeek () cdsinet net]
Sent: Tuesday, March 30, 2004 11:42 AM
To: incidents () securityfocus com
Subject: [list-admin] Strange authentication attempts
I woke up to find these entries in my RADIUS log file:
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/system] (from nas xxxx/S99)
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/password admin] (from nas xxxx/S99)
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/13370n3z] (from nas xxxx/S99)
Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/fawkoffsz] (from nas xxxx/S99)
Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/save] (from nas xxxx/S99)
(S99 being the "telnet" port for Livingston Portmasters)
Just to cover the bases, I also checked our TACACS+ server:
Tue Mar 30 10:26:00 2004 xxxx tty3 82.41.104.193 system rejected login
Tue Mar 30 10:26:02 2004 xxxx tty2 82.41.104.193 config rejected login
Tue Mar 30 10:26:05 2004 xxxx tty3 82.41.104.193 13370n3z rejected login
Tue Mar 30 10:26:06 2004 xxxx tty2 82.41.104.193 password admin rejected login
Tue Mar 30 10:26:08 2004 xxxx tty2 82.41.104.193 config rejected login
Tue Mar 30 10:26:09 2004 xxxx tty3 82.41.104.193 config rejected login
Tue Mar 30 10:26:10 2004 xxxx tty4 82.41.104.193 config rejected login
Tue Mar 30 10:26:11 2004 xxxx tty5 82.41.104.193 config rejected login
Tue Mar 30 10:26:12 2004 xxxx tty6 82.41.104.193 config rejected login
Tue Mar 30 10:26:13 2004 xxxx tty2 82.41.104.193 password admin rejected login
The IP address listed there is the sender of such bad requests, and it's not
the only one. The TACACS+ server has shown the following IPs attempting to
log on:
82.41.104.193
82.65.148.223
80.117.241.24
195.220.120.198
82.255.146.205
82.39.50.12
200.64.30.164
The first recorded attempt was at Tue Mar 30 09:46:53 2004.
Anyone else seeing these pop up?
John Narron | "Sacrifice, they always say
Network Administration | Is a sign of nobility
CDS/CDSinet, LLC | But where does one draw the line
http://www.cdsinet.net | In the face of injury?"
(660) 886 4045 | - Queensryche
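The RADIUS and TACACS+ lines quoted above lend themselves to a small triage script: parse both formats, count rejected logins per source address, flag sources that burst several failures within a short window, and single out attempts arriving on the Portmaster's telnet port (S99) that the replies recommend closing off. The following is an added example written for this archive page; it is not code from either poster. The sample log text is constructed (a few of the quoted lines plus invented extras), and the regular expressions assume the two line layouts exactly as quoted in the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input in the two log formats quoted in the thread (some of the
# quoted lines plus invented extras); not the poster's actual log files.
RADIUS_LOG = """\
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/system] (from nas xxxx/S99)
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/password admin] (from nas xxxx/S99)
Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/save] (from nas xxxx/S99)
Tue Mar 30 10:31:45 2004: Auth: Login incorrect: [jdoe/typo] (from nas xxxx/S3)
Tue Mar 30 10:31:52 2004: Auth: Login OK: [jdoe] (from nas xxxx/S3)
"""

TACACS_LOG = """\
Tue Mar 30 10:26:00 2004 xxxx tty3 82.41.104.193 system rejected login
Tue Mar 30 10:26:02 2004 xxxx tty2 82.41.104.193 config rejected login
Tue Mar 30 10:26:06 2004 xxxx tty2 82.41.104.193 password admin rejected login
Tue Mar 30 10:26:09 2004 xxxx tty3 82.41.104.193 config rejected login
Tue Mar 30 10:41:17 2004 xxxx tty4 82.65.148.223 config rejected login
Tue Mar 30 10:55:03 2004 xxxx tty2 200.64.30.164 config rejected login
"""

TS = r"(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})"
TS_FMT = "%a %b %d %H:%M:%S %Y"
# RADIUS "Login incorrect" lines carry [user/password]; the password may contain spaces.
RADIUS_FAIL = re.compile(
    TS + r": Auth: Login incorrect: \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] "
    r"\(from nas (?P<nas>[^/\s]+)/(?P<port>[^)]+)\)$"
)
# TACACS+ reject lines: timestamp, NAS, tty, source IP, username, "rejected login".
TACACS_REJECT = re.compile(
    TS + r" (?P<nas>\S+) (?P<tty>tty\d+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<user>.+?) rejected login$"
)
TELNET_PORT = "S99"  # the Portmaster's telnet port, as noted in the thread


def _parse(text, pattern):
    """Yield one dict per line matching pattern; non-matching lines are skipped."""
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec


def parse_radius_failures(text):
    return list(_parse(text, RADIUS_FAIL))


def parse_tacacs_rejects(text):
    return list(_parse(text, TACACS_REJECT))


def burst_sources(rejects, threshold=3, window_seconds=60):
    """Source IPs with at least `threshold` rejects inside any `window_seconds` span."""
    times = defaultdict(list)
    for r in rejects:
        times[r["src"]].append(r["ts"])
    flagged = []
    for src, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_seconds:
                flagged.append(src)
                break
    return sorted(flagged)


def summarize(radius_text, tacacs_text):
    """Triage summary: volumes, usernames tried, per-source counts, bursts, first sighting."""
    radius = parse_radius_failures(radius_text)
    tacacs = parse_tacacs_rejects(tacacs_text)
    all_ts = [r["ts"] for r in radius + tacacs]
    return {
        "radius_failures": len(radius),
        "telnet_port_failures": sum(r["port"] == TELNET_PORT for r in radius),
        "usernames_tried": sorted({r["user"] for r in radius} | {r["user"] for r in tacacs}),
        "rejects_by_source": dict(Counter(r["src"] for r in tacacs)),
        "burst_sources": burst_sources(tacacs),
        "first_seen": min(all_ts).strftime(TS_FMT) if all_ts else None,
    }


if __name__ == "__main__":
    for key, value in summarize(RADIUS_LOG, TACACS_LOG).items():
        print(f"{key}: {value}")
```

Point the two constants at real log files (or read them from stdin) to run it against an actual day's logs. The burst threshold and window are deliberately small because a legitimate user rarely fails three times in under a minute across different ttys, which is the pattern the quoted TACACS+ lines show; the `telnet_port_failures` count is the quickest check that the S99 exposure the replies describe is still reachable from outside.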
---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security
Protect your network against hackers, viruses, spam and other risks with
Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost
of
ownership.
Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------