The 'almost exactly in the order' meant that they eliminated trying to logon
as certain entities like "apache" but not others.  They could have used some
script that recognized key words and left them out of the logon attempts.

As far as I can tell the IP is from the Philippines.  So it is probably not
a local attack.

Doug

-----Original Message-----
From: Kent Schumacher [mailto:kent at structural-wood.com]
Sent: Thursday, March 04, 2004 11:58 AM
To: dcoats at heritagemail.org
Subject: Re: [TCLUG] Attack


What I see rather frequently is people e-mailing everyone in the
company as well as a couple good friends when there is something
cool (You know, 22 ways to cheer yourself up after life has done
you wrong).

The clue about passwd file order kind of eliminates that thought,
although the comment 'almost exactly in the order' bears some
examination.  Maybe the attacker thought it would be a good idea
not to try using their own login, and then reconsidered?

How about "Could you please e-mail me the file /etc/passwd.  My company
is doing a survey and we'd like to know what version of the passwd
utility you are using".

Good luck,
Kent


Pastor Doug Coats wrote:
> That is a good question!
>
> The attacker tried almost every user almost exactly in the order they were
> created.  This leads me to believe they somehow accessed the passwd file
> or some other file that tracks the order a user is created.  I have no
> activity from the attacker's IP before the attack.  I have no record of a
> successful logon that is from any unaccountable IP or User.  There are very
> few people (2) that actually log onto this box for anything other than mail
> traffic.
>
> I am going to do some web searching to see if anyone else has had a similar
> experience because if this was from the outside I think there are many
> people on this list that would be interested as to how it was done.
>
> Doug
>
> -----Original Message-----
> From: Kent Schumacher [mailto:kent at structural-wood.com]
> Sent: Thursday, March 04, 2004 11:22 AM
> To: dcoats at heritagemail.org; TCLUG Mailing List
> Subject: Re: [TCLUG] Attack
>
>
> Social Engineering?
>
>
> Pastor Doug Coats wrote:
>
>>Thanks everyone for your input so far.
>>
>>A special thanks to B_o_B (I think) who has been diligently trying to hack
>>me. :)
>>
>>SMB is on but not open to the public.
>>Finger is on but not open to public
>>
>>It is an email and web server.
>>
>>The only VRFY message in the maillog is a rejection for B_o_B.
>>
>>domain.com/~username returns the same for valid and invalid users.
>>
>>B_o_B has passed along the nmap and the results look like they should - I
>>think.
>>
>>Still wondering....
>>
>>Doug
>>
>
>
> [ Trim ]
>

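Doug's clue is that the usernames the attacker tried follow the order of the
passwd file, with a few service accounts (apache, mail) left out.  The script
below is an added example, not something posted by Doug, Kent or anyone else
in this thread, showing how a defender could check that observation against
the auth log instead of eyeballing it: it pulls the distinct usernames one
source address failed against, maps them to their position in the passwd file,
and measures how much of the attempt sequence is a walk down the file (longest
increasing subsequence of passwd positions).  Names that do not exist in passwd
at all are a sign of dictionary guessing rather than a stolen file.  The passwd
contents, the sshd log lines and the source IP (203.0.113.7, a documentation
address) are all constructed for illustration.

```python
import re
from bisect import bisect_left

# Constructed passwd excerpt for a hypothetical server: system accounts first,
# then human accounts in the order they were created.  Not Doug's real file.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
dcoats:x:500:500::/home/dcoats:/bin/bash
kent:x:501:501::/home/kent:/bin/bash
bob:x:502:502::/home/bob:/bin/bash
alice:x:503:503::/home/alice:/bin/bash
carol:x:504:504::/home/carol:/bin/bash
"""

# Constructed sshd lines in syslog format.  The attacker (203.0.113.7) walks
# the file, skips apache/mail, swaps alice/carol and throws in one guess.
AUTH_LOG = """\
Mar  4 03:11:02 box sshd[2231]: Failed password for root from 203.0.113.7 port 40211 ssh2
Mar  4 03:11:09 box sshd[2233]: Failed password for dcoats from 203.0.113.7 port 40214 ssh2
Mar  4 03:11:15 box sshd[2235]: Failed password for kent from 203.0.113.7 port 40216 ssh2
Mar  4 03:11:21 box sshd[2237]: Failed password for bob from 203.0.113.7 port 40219 ssh2
Mar  4 03:11:28 box sshd[2239]: Failed password for carol from 203.0.113.7 port 40222 ssh2
Mar  4 03:11:34 box sshd[2241]: Failed password for invalid user guest from 203.0.113.7 port 40225 ssh2
Mar  4 03:11:40 box sshd[2243]: Failed password for alice from 203.0.113.7 port 40228 ssh2
Mar  4 09:02:11 box sshd[2301]: Accepted password for dcoats from 192.0.2.10 port 51000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def passwd_order(text):
    """Usernames in the order they appear in the passwd text (first field)."""
    return [line.split(":", 1)[0] for line in text.splitlines() if line.strip()]


def failed_logins(log):
    """(source_ip, username) for every failed-password line, in log order."""
    out = []
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group(2), m.group(1)))
    return out


def attempted_sequence(log, ip):
    """Distinct usernames one source tried, ordered by first attempt."""
    seen, seq = set(), []
    for src, user in failed_logins(log):
        if src == ip and user not in seen:
            seen.add(user)
            seq.append(user)
    return seq


def lis_length(values):
    """Length of the longest strictly increasing subsequence (patience sort)."""
    tails = []
    for v in values:
        i = bisect_left(tails, v)
        if i == len(tails):
            tails.append(v)
        else:
            tails[i] = v
    return len(tails)


def order_score(passwd_users, attempted):
    """Measure how closely an attempt sequence follows the passwd ordering.

    score = (attempted names consistent with passwd order) / (attempted names
    that exist in passwd).  1.0 is a perfect walk down the file; a wordlist
    run scores lower and usually produces many unknown names.
    """
    index = {u: i for i, u in enumerate(passwd_users)}
    known = [u for u in attempted if u in index]
    unknown = [u for u in attempted if u not in index]
    in_order = lis_length([index[u] for u in known])
    skipped = [u for u in passwd_users if u not in set(known)]
    return {
        "known": known,
        "unknown": unknown,
        "skipped": skipped,
        "in_order": in_order,
        "score": in_order / len(known) if known else 0.0,
    }


def analyse(log=AUTH_LOG, passwd=PASSWD_TEXT, ip="203.0.113.7"):
    """Run the whole check for one source address against one passwd file."""
    return order_score(passwd_order(passwd), attempted_sequence(log, ip))


if __name__ == "__main__":
    r = analyse()
    print("tried (known):", r["known"])
    print("tried (not in passwd):", r["unknown"])
    print("never tried:", r["skipped"])
    print(f"{r['in_order']}/{len(r['known'])} in passwd order, score={r['score']:.2f}")
```

On the constructed data the attacker hits 5 of 6 real accounts in file order
(score 0.83), skips exactly the two service accounts, and tries one name
(guest) that is not in the file.  A high score with few unknown names is what
"they had the passwd file" looks like in the log; a low score with many
unknown names points at a generic username list instead.  Run it against the
real auth log and passwd file with the source address substituted.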

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list