I was looking at the output of "last" recently and found several entries like this on my home server:
userxx pts/0 c-24-91-141-172. Sun Dec 2 14:57 - 15:09 (00:11)
(userxx represents my username)
I did a reverse lookup on 172.141.92.24:
host 172.141.92.24
24.92.141.172.in-addr.arpa domain name pointer AC8D5C18.ipt.aol.com.
Looks like something from AOL.
I got a little freaked, so I changed my password and also blocked that IP in /etc/hosts.deny.
I'm not an AOL user, but my wife is... but the "last" output shows this as connecting with my username.
Any ideas?
Thanks, Bill
I'm not sure why you're looking up a 172 IP address. The output is a host name, not an IP: c-24-91-141-173.hsd1.ma.comcast.net. Is this your cable modem?
On Dec 16, 2012 12:09 PM, "Bill Mills-Curran" <bill@mills-curran.net> wrote:
I was looking at the output of "last" recently and found several entries like this on my home server:
userxx pts/0 c-24-91-141-172. Sun Dec 2 14:57 - 15:09 (00:11)
(userxx represents my username)
I did a reverse lookup on 172.141.92.24:
host 172.141.92.24 24.92.141.172.in-addr.arpa domain name pointer AC8D5C18.ipt.aol.com.
Looks like something from AOL.
I got a little freaked, so I changed my password and also blocked that IP in /etc/hosts.deny.
I'm not an aol user, but my wife is... but the "last" output shows this as connecting with my username.
Any ideas?
Thanks, Bill _______________________________________________ Wlug mailing list Wlug@mail.wlug.org http://mail.wlug.org/mailman/listinfo/wlug
172.... default Airport wireless address range?
On 12/16/2012 12:16 PM, Theo Van Dinter wrote:
-- David P. Connell "Watch where you're going; remember where you've been."
RFC 1918, which defines internal IP space, doesn't include all of 172.*. Most of it is public space.
On Dec 16, 2012 1:10 PM, "David P. Connell" <davec99@charter.net> wrote:
Did you by chance look at the logs of your router (if it is logging)? Can you see an inbound connection to your box?
Is there a WAP in the house? Is it secured? WPA2? If so, what about those logs? Any unusual machine names on the network topology (meaning, is someone squatting on your network and you don't know yet)?
Just ideas.
On Sun, Dec 16, 2012 at 1:33 PM, Gregory Boyce <gregory.boyce@gmail.com> wrote:
-- Gentlemen, *we can* rebuild him. *We have the technology*.
Output of last here reports my own static internal IP address. It's a 192.__._.__ number.
Output of last on friend's laptop here reports a whole bunch of stuff (bootups etc.) but no IP address at all.
Third PC here has custom Debian install, and there is no output for last. Whatever package it's in is not installed, I guess.
We are not wireless. Running through my router, my modem, Charter ISP.
Liz J
On 12/16/2012 12:16 PM, Theo Van Dinter wrote:
Well Bill, not knowing much about your home network topology/architecture (routing, firewall, NAT/port-forwarding, ISP, dynamic DNS etc.), or how you SSH into your Linux box (i.e. through a public external IP/FQDN or through a private local IP/FQDN), limits how best to answer this, but I'll make some various assumptions along the way....
I'll agree with Theo though, it's a Comcast address, not an AOL one, when you do a reverse lookup on '24.91.141.172'. If you run 'last' with a couple of different flags, it will present the IP/host in its entirety, since it will place it in the last column, with either the FQDN of the IP or just the IP.
Ex.
#> last -a   (or 'last -ad' for that matter)
userxx   pts/0        Sat Dec 15 20:45 - 21:18  (00:32)   c-24-91-141-172.hsd1.ma.comcast.net
#> last -ai
userxx   pts/0        Sat Dec 15 20:45 - 21:18  (00:32)   24.91.141.172
If Comcast is your ISP, then there is a topology where this would just be you, but I'm pretty sure you'd know that it was yourself since it takes some effort to set up. You'd have to be doing NAT'ing/port-forwarding on your cable modem or router for the SSH port to your Linux box, and ssh'ing into your Linux box on that external address (which would probably get associated with dynamic DNS updates from the router/modem) from your local net. Since you were taking that route, you'd get NAT'd to the router/cable modem's external IP (or a global NAT IP you have configured to present to the internet for outbound connections), which would show up in the 'last' output as that IP/FQDN of that IP.
Are you ssh'ing into your Linux box on its internal LAN IP or at its external public IP? What IP gets reported back to you when you go to http://whatismyip.com from the box you ssh into your Linux box from? Like I said initially, I'm pretty sure you'd know your network and system setup, and would know if this was actually you or not.
Now all of this is completely moot if your ISP isn't Comcast. And from looking at your email headers, I see a few hops of yours, mills-curran.net (206.130.122.207) & cheapo.curran (pool-108-20-153-93.bstnma.fios.verizon.net [108.20.153.93]), which obviously aren't Comcast.
FWIW, my best practice is to implicitly deny all SSH connections and explicitly allow only the ones I want in /etc/hosts.allow. Makes it a PITA when I'm on a new network for the first time, but it definitely adds another layer someone has to work around to get in. If you block 24.91.141.172 in your hosts.deny, do you get 'refused connect from c-24-91-141-172.hsd1.ma.comcast.net (24.91.141.172)' messages in /var/log/secure (or the Debian equivalent; I think that's what you are running based on some of the mail headers)?
Dave
Date: Sun, 16 Dec 2012 13:34:06 -0500
From: iris.gates@gmail.com
To: wlug@mail.wlug.org
Subject: Re: [Wlug] Possible intrusion?
Output of last here reports my own static internal IP address. It's a 192.__._.__ number.
Output of last on friend's laptop here reports a whole bunch of stuff (bootups etc.) but no IP address at all.
Third PC here has custom Debian install, and there is no output for last. Whatever package it's in is not installed, I guess.
We are not wireless. Running through my router, my modem, Charter ISP.
Liz J
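Added example, not code from Dave's message or anyone else in the thread: the check Dave's last paragraph asks about, run over a constructed /var/log/secure excerpt. It counts the libwrap 'refused connect from HOST (IP)' lines per source address (taking the IP in parentheses, not the PTR name, which the remote side controls) to confirm the hosts.deny rule is actually firing, and, the part that matters more, flags any accepted sshd login whose source is outside the networks you would have listed in /etc/hosts.allow. The host name 'homebox', the timestamps, the allowlist networks and every address other than the Comcast one are assumptions made for the example; the line shapes follow tcpd/libwrap and OpenSSH.

```python
"""Audit sshd log lines against an allowlist (added example, not from the thread).

Refused connects show the TCP-wrapper default-deny is working; an accepted
login from outside the allowlist is the thing to investigate.
"""
import ipaddress
import re
from collections import Counter

# Constructed /var/log/secure (auth.log on Debian) excerpt. Line shapes
# follow libwrap ("refused connect from HOST (IP)") and OpenSSH; the host
# name, times and non-Comcast addresses are made up.
SAMPLE_SECURE_LOG = """\
Dec 16 15:03:12 homebox sshd[4101]: refused connect from c-24-91-141-172.hsd1.ma.comcast.net (24.91.141.172)
Dec 16 15:03:14 homebox sshd[4102]: refused connect from c-24-91-141-172.hsd1.ma.comcast.net (24.91.141.172)
Dec 16 15:10:40 homebox sshd[4130]: Accepted publickey for userxx from 192.168.1.23 port 50122 ssh2
Dec 16 15:12:01 homebox sshd[4144]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Dec 16 15:12:03 homebox sshd[4144]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Dec 16 15:20:55 homebox sshd[4170]: Accepted password for userxx from 203.0.113.45 port 61000 ssh2
"""

# The networks you would name for sshd in /etc/hosts.allow (assumed values).
ALLOWED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.0.0/24")]

REFUSED = re.compile(r"sshd\[\d+\]: refused connect from (\S+) \((\S+)\)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")


def in_allowlist(ip, allowed=ALLOWED):
    """True if ip falls in one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def audit_secure_log(text, allowed=ALLOWED):
    """Return refused/failed counts per source IP and the accepted logins
    whose source is not in the allowlist."""
    refused = Counter()
    failed = Counter()
    suspicious = []
    for line in text.splitlines():
        m = REFUSED.search(line)
        if m:
            refused[m.group(2)] += 1  # the address, not the PTR name
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if not in_allowlist(ip, allowed):
                suspicious.append({"user": user, "ip": ip, "method": method})
            continue
        m = FAILED.search(line)
        if m:
            failed[m.group(2)] += 1
    return {"refused": refused, "failed": failed, "suspicious_accepted": suspicious}


if __name__ == "__main__":
    report = audit_secure_log(SAMPLE_SECURE_LOG)
    for ip, n in report["refused"].most_common():
        print(f"wrapper refused {n} connect(s) from {ip}")
    for ip, n in report["failed"].most_common():
        print(f"{n} failed password(s) from {ip}")
    for s in report["suspicious_accepted"]:
        print(f"ACCEPTED {s['method']} login for {s['user']} from {s['ip']} "
              "outside the allowlist: investigate")
```

On the constructed sample the two refusals from 24.91.141.172 confirm the deny rule fired, and the one accepted password login from 203.0.113.45 is reported because it came from outside the allowlist; a publickey login from the LAN is not.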
I'd look into setting up fail2ban, it hasn't failed me yet. (Even if this wasn't an intrusion, better safe than sorry.)
On Dec 16, 2012 3:59 PM, "David Coutu" <cout@alum.wpi.edu> wrote:
Thanks for the suggestion. I'm already using denyhosts, and I've accumulated quite a list of banned hosts as a result.
As I noted in an earlier response, I found there was no intrusion -- only a poor memory on my part. I forgot that I logged in from my church's network, and I didn't recognize the DNS entry. So, it was a false alarm.
To all who responded: thanks for your attention and suggestions.
Bill
On Sun, Dec 16, 2012 at 06:56:03PM -0500, Jason Couture wrote:
That's certainly a good question, and now it makes sense. It was NOT an intrusion.
The reason I was sure this was not valid is that I was at church... Now I remember I was working from my laptop from the church network connection before services. This was just me, and the unfamiliar address was my church's modem.
What's that saying... Just because they really are out to get you doesn't mean you aren't paranoid. I'm definitely paranoid. :-)
Thanks for the help.
Bill
On Sun, Dec 16, 2012 at 12:16:50PM -0500, Theo Van Dinter wrote:
On Sun, Dec 16, 2012 at 12:08:28PM -0500, Bill Mills-Curran wrote:
I was looking at the output of "last" recently and found several entries like this on my home server:
userxx pts/0 c-24-91-141-172. Sun Dec 2 14:57 - 15:09 (00:11)
(userxx represents my username)
I did a reverse lookup on 172.141.92.24:
Besides the fact that the IP you are looking up doesn't match the hostname c-24-91-141-172 in forward or reverse order (you are off by one), you can't be sure of the format of the logged hostname--you are assuming you need to reverse the components of the hostname to come up with an IP address of 172.141.91.24, but how do you know it isn't really 24.91.141.172? How can you be sure there is any relation at all between the FQDN format and any IP address at all? Also, you are looking at truncated hostnames from "last".
You should always check the actual IP that was logged in wtmp with last -i, and put the hostname or IP at the end of the output lines so it doesn't get truncated with last -a:
last -i -a
and then do a whois lookup on that IP.
Reverse DNS can't be trusted since the owner of the IP address can often set their reverse DNS to absolutely anything they want--it should never be relied upon solely for audit logging.
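Added example, not code from Chuck, Dave or anyone else in the thread: the triage that Chuck's and Dave's messages describe, done with Python's standard library over a constructed `last -a -i` sample. For each login it takes the IP from the last column, labels it RFC 1918 or public (only 172.16.0.0/12 is private, as Gregory noted), computes the correct in-addr.arpa name (octets reversed, nothing else, so 24.91.141.172 becomes 172.141.91.24.in-addr.arpa), extracts the dotted quad that a Comcast-style PTR such as c-24-91-141-172.hsd1.ma.comcast.net embeds in forward order and compares it with the logged IP, and does a forward-confirmed reverse DNS check (PTR, then A records of that name must contain the IP). The resolver tables are stand-ins so it runs offline: in the sample a second, unrelated address has had its PTR pointed at the same Comcast-looking name, which the forward check catches. The non-Comcast logins, the resolver tables and the regex for ISP-style PTR names are assumptions made for the example.

```python
"""Triage of `last -a -i` output (added example, not from the thread).

For each login record: is the source RFC 1918 or public, what is the
correct in-addr.arpa name, does the PTR forward-confirm (FCrDNS), and
does an ISP-style PTR name like c-A-B-C-D.hsd1.ma.comcast.net embed the
address that was actually logged.
"""
import ipaddress
import re

# Constructed `last -a -i` sample: with -a the host/IP is the last column.
# The first line mirrors the thread; the other two are made up.
SAMPLE_LAST_A_I = """\
userxx   pts/0        Sat Dec 15 20:45 - 21:18  (00:32)     24.91.141.172
userxx   pts/1        Sun Dec  2 14:57 - 15:09  (00:11)     192.168.1.23
userxx   pts/2        Mon Dec  3 09:12 - 09:40  (00:28)     203.0.113.45
wtmp begins Sat Dec  1 00:00:01 2012
"""

# Stand-in resolver data so the script runs offline (assumed values).
# The owner of 203.0.113.45 has pointed its PTR at a Comcast-looking
# name: reverse DNS is set by whoever holds the address block.
SAMPLE_PTR = {
    "24.91.141.172": "c-24-91-141-172.hsd1.ma.comcast.net",
    "203.0.113.45": "c-24-91-141-172.hsd1.ma.comcast.net",
}
SAMPLE_A = {
    "c-24-91-141-172.hsd1.ma.comcast.net": {"24.91.141.172"},
}

# RFC 1918 only: 172.x outside 172.16.0.0/12 is public space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Dotted quad embedded in forward order in ISP PTR names shaped like
# prefix-A-B-C-D.domain (assumption drawn from the thread's example).
EMBEDDED_QUAD = re.compile(r"^[a-z]+-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")


def reverse_name(ip):
    """The in-addr.arpa name host(1) queries: octets reversed, nothing else."""
    return ipaddress.ip_address(ip).reverse_pointer


def is_rfc1918(ip):
    """True only for 10/8, 172.16/12 and 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def embedded_ip_from_ptr(name):
    """Dotted quad embedded in an ISP-style PTR name, or None if there is none."""
    m = EMBEDDED_QUAD.match(name)
    return ".".join(m.groups()) if m else None


def fcrdns(ip, ptr_table, a_table):
    """Forward-confirmed reverse DNS. Returns (ptr_name, confirmed):
    confirmed is True only if the A records of the PTR name include ip;
    (None, False) when the address has no PTR at all."""
    name = ptr_table.get(ip)
    if name is None:
        return None, False
    return name, ip in a_table.get(name, set())


def triage(last_output, ptr_table, a_table):
    """Parse `last -a -i` lines and annotate each login with the checks above."""
    records = []
    for line in last_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] in ("wtmp", "reboot"):
            continue
        ip = fields[-1]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # last column is a hostname: -i was not given
        ptr, confirmed = fcrdns(ip, ptr_table, a_table)
        embedded = embedded_ip_from_ptr(ptr) if ptr else None
        records.append({
            "user": fields[0],
            "ip": ip,
            "scope": "rfc1918" if is_rfc1918(ip) else "public",
            "arpa": reverse_name(ip),
            "ptr": ptr,
            "ptr_verified": confirmed,
            "embedded_match": None if embedded is None else embedded == ip,
        })
    return records


if __name__ == "__main__":
    for r in triage(SAMPLE_LAST_A_I, SAMPLE_PTR, SAMPLE_A):
        note = "" if r["scope"] == "rfc1918" or r["ptr_verified"] else "  <- whois this"
        print(f"{r['user']} {r['ip']:15} {r['scope']:7} arpa={r['arpa']} "
              f"ptr={r['ptr']} fcrdns={r['ptr_verified']} "
              f"embedded_match={r['embedded_match']}{note}")
```

Against real DNS, replace the two tables with socket.gethostbyaddr(ip)[0] for the PTR and socket.gethostbyname_ex(name)[2] for the A records; anything public whose PTR does not forward-confirm goes to whois, as Chuck says, rather than being trusted on the strength of its hostname.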
On Sun, Dec 16, 2012 at 11:54:35PM -0500, Chuck Anderson wrote:
Thanks for the tip.
participants (9)
- Bill Mills-Curran
- Chuck Anderson
- David Coutu
- David P. Connell
- E Johnson
- Gregory Boyce
- Jason Couture
- Steve Pelland
- Theo Van Dinter