[ubuntu] Potential Hack?



mregister
September 15th, 2008, 07:25 PM
Hello All,

I am new to Linux/Ubuntu and I have set up an Ubuntu/LAMP box and I was just looking through the apache2 log file and I have a lot of lines that read 70.63.86.162 - - [14/Sep/2008:11:38:09 -0500] "GET /~fareeda/ HTTP/1.1" 404 319 "-" "-". There is a long list of these and it seems that it's an alphabetical list of potential user names. That is just one line of many. What is this? What does it mean? Is this an attempted hack?

Thanks.

t0p
September 15th, 2008, 07:35 PM
Hello All,

I am new to Linux/Ubuntu and I have set up an Ubuntu/LAMP box and I was just looking through the apache2 log file and I have a lot of lines that read 70.63.86.162 - - [14/Sep/2008:11:38:09 -0500] "GET /~fareeda/ HTTP/1.1" 404 319 "-" "-". There is a long list of these and it seems that it's an alphabetical list of potential user names. That is just one line of many. What is this? What does it mean? Is this an attempted hack?

Thanks.

Possibly... crackers use "dictionary files" to brute-force login/password combos and the like. How many such entries are there in the log?

That IP address 70.63.86.162 is in a block registered to "Cape Fear Community College". Is that a real college? Does it mean anything to you? Or anyone else?

mregister
September 15th, 2008, 08:03 PM
There are a lot. It looks like a dictionary. They start with A and go all the way through, just about every name there is. No, the college does not mean anything to me. How did you find out what block it comes from? How do I stop that kind of attack? Wow, I have a lot to learn.

anotherdisciple
September 15th, 2008, 08:28 PM
Crazy! Is there any way to have Ubuntu automatically check for brute force attacks? Say maybe it informs you that there have been a certain number of failed login attempts... at the GUI level... not console.

meborc
September 15th, 2008, 08:31 PM
The absolute beginners section might not be the right place for this :)

Try the security section - http://ubuntuforums.org/forumdisplay.php?f=338

They have all the knowledge you need...

bodhi.zazen
September 15th, 2008, 08:32 PM
See this link:

http://ubuntuforums.org/showthread.php?t=919472

Truth is these kinds of things are very common, take a look at ssh if you run it.

If I see a persistent IP -> black list the IP with iptables (UFW).

https://help.ubuntu.com/community/Uncomplicated_Firewall_ufw#Advanced%20Blocking%20Rules

hvac3901
September 15th, 2008, 08:34 PM
There are a lot. It looks like a dictionary. They start with A and go all the way through, just about every name there is. No, the college does not mean anything to me. How did you find out what block it comes from? How do I stop that kind of attack? Wow, I have a lot to learn.

Consider using ".htaccess" to protect your directory, and you can also block a lot of known bad BOTS with it.

hvac3901
September 15th, 2008, 08:36 PM
Possibly... crackers use "dictionary files" to brute-force login/password combos and the like. How many such entries are there in the log?

That IP address 70.63.86.162 is in a block registered to "Cape Fear Community College". Is that a real college? Does it mean anything to you? Or anyone else?

Google shows that IP being used a lot for weird stuff and strange user names.

k33bz
September 15th, 2008, 08:46 PM
OrgName: Road Runner HoldCo LLC
OrgID: RCMS
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US

I get that with a whois lookup

mregister
September 15th, 2008, 09:16 PM
Thanks, I will read that.
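
Added example, not part of the original thread: one way to pick out the pattern in the first post from an Apache access log, by grouping requests for `/~name` paths (the form Apache's mod_userdir serves) per client IP and separating names that returned 404 from names that returned anything else. The function name, the threshold and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log line: host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Per-user directory request: /~name or /~name/...
USERDIR_RE = re.compile(r'^/~([^/?#]+)')


def find_userdir_scanners(lines, min_names=3):
    """Map each client IP that requested >= min_names distinct /~name paths to
    the names that returned 404 and the names that returned anything else."""
    seen = defaultdict(lambda: {"missing": set(), "answered": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        u = USERDIR_RE.match(m.group("path"))
        if not u:
            continue
        bucket = "missing" if m.group("status") == "404" else "answered"
        seen[m.group("ip")][bucket].add(u.group(1).lower())
    report = {}
    for ip, r in seen.items():
        if len(r["missing"] | r["answered"]) >= min_names:
            report[ip] = {k: sorted(v) for k, v in r.items()}
    return report


# Constructed sample. Only the first line is the one quoted in the thread;
# the other names and the 192.0.2.x / 198.51.100.x clients are made up.
SAMPLE_LOG = '''\
70.63.86.162 - - [14/Sep/2008:11:38:09 -0500] "GET /~fareeda/ HTTP/1.1" 404 319 "-" "-"
70.63.86.162 - - [14/Sep/2008:11:38:10 -0500] "GET /~farah/ HTTP/1.1" 404 317 "-" "-"
70.63.86.162 - - [14/Sep/2008:11:38:10 -0500] "GET /~fatima/ HTTP/1.1" 404 318 "-" "-"
70.63.86.162 - - [14/Sep/2008:11:38:11 -0500] "GET /~fay/ HTTP/1.1" 200 1042 "-" "-"
192.0.2.10 - - [14/Sep/2008:11:40:02 -0500] "GET /~fay/photos.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2008:11:41:30 -0500] "GET /index.html HTTP/1.1" 404 301 "-" "-"
this line is not in access-log format
'''

if __name__ == "__main__":
    for ip, r in find_userdir_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(r['missing'])} names returned 404, answered: {r['answered']}")
```

Names in the "answered" list got a response other than 404, so those are the per-user directories to review first; an IP that shows up in the report is a candidate for the UFW block mentioned earlier in the thread.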