[HECnet] 108.31.82.9/QCOCAL

Brian Schenkenberger, VAXman- system at TMESIS.COM
Mon Jun 20 11:14:31 PDT 2016


Johnny Billquist <bqt at softjar.se> writes:

>On 2016-06-20 19:30, Brian Schenkenberger, VAXman- wrote:
>> Johnny Billquist <bqt at softjar.se> writes:
>>
>>> On 2016-06-20 18:19, Brian Schenkenberger, VAXman- wrote:
>>>>   ___     _     _  _  __   __    _     _      _  _   ___   _____
>>>>  / __|   /_\   | \| | \ \ / /   /_\   | |    | \| | | __| |_   _|
>>>>  \__ \  / _ \  | .` |  \ V /   / _ \  | |__  | .` | | _|    | |
>>>>  |___/ /_/_\_\_|_|\_|   |_|   /_/ \_\ |____| |_|\_| |___|_  |_|
>>>>
>>>> You've allowed this node on HECnet, so I assume somebody on this list knows
>>>> who runs it.
>>>
>>> Who runs it can always easily be found by http://mim.update.uu.se/nodedb
>>>
>>>>  Please have it secured!  It has been used in the past several
>>>> days to try and break into my system(s).  It is highly irresponsible to put
>>>> access credentials into its SYS$ANNOUNCE allowing ANYBODY access to DCL and
>>>> other utilities that can affect systems on the internet.  A reasonable way
>>>> to allow access would be to have a guest account (restricted/captive) that
>>>> can be used to create other login accounts.  Validate such accounts with a
>>>> valid email address and other schemes that will ensure that whoever is on
>>>> this system can be vetted in some fashion.
>>>>
>>>> THANK YOU!
>>>
>>> I'm curious about what kind of intrusions we're talking about, and over
>>> which network.
>>>
>>> In general, I want to keep HECnet more open than what you are suggesting
>>> above, but this also requires that people act responsibly. If there is
>>> abuse, I'd like to know.
>>
>> Well, since I have not yet put any of my systems on HECnet, it should have
>> been obvious that it's via the internet.
>
>Ah. Sorry for being dense. Thanks.
>
>So what kind of intrusion attempts are we talking about? Essentially 
>your issue is that someone has a machine on the internet. Getting 
>access on the machine is easy, and something/someone on that machine is 
>trying to do something to your machine?

Well, for one, trying brute force attacks against services.  Here are some of
the FTP attempts from 108.31.82.9.


I'm guessing that, due to the repeated nature of the usernames attempted, the
system has been logged into by a great many different twits.

-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

I speak to machines with the voice of humanity.
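
Added example, not part of the original message: one way to test the inference above (the same usernames restarting from a single source suggests several independent sessions) is to group failed FTP logins per source into bursts and report usernames that recur across bursts. The log format, field names, addresses and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical log format (not from the original post).
SAMPLE_LOG = """\
2016-06-18T02:14:05 FTP LOGIN_FAIL src=198.51.100.9 user=admin
2016-06-18T02:14:07 FTP LOGIN_FAIL src=198.51.100.9 user=support
2016-06-18T02:14:09 FTP LOGIN_FAIL src=198.51.100.9 user=root
2016-06-18T09:40:11 FTP LOGIN_FAIL src=198.51.100.9 user=admin
2016-06-18T09:40:13 FTP LOGIN_FAIL src=198.51.100.9 user=root
2016-06-19T21:03:30 FTP LOGIN_FAIL src=198.51.100.9 user=root
2016-06-19T21:03:32 FTP LOGIN_FAIL src=198.51.100.9 user=guest
2016-06-19T22:00:00 FTP LOGIN_FAIL src=203.0.113.7 user=brian
2016-06-19T22:00:04 FTP LOGIN_OK src=203.0.113.7 user=brian
"""

LINE_RE = re.compile(r"^(\S+) FTP LOGIN_FAIL src=(\S+) user=(\S+)$")

def summarize(log_text, gap=timedelta(minutes=10)):
    """Group failed logins per source into bursts separated by `gap` of silence."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # successes and malformed lines are ignored
            events[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    report = {}
    for src, evs in events.items():
        evs.sort()
        bursts = [[evs[0][1]]]
        for (prev_t, _), (t, user) in zip(evs, evs[1:]):
            if t - prev_t > gap:  # a long pause starts a new burst
                bursts.append([])
            bursts[-1].append(user)
        # Count in how many distinct bursts each username was tried.
        seen_in = Counter(u for b in bursts for u in set(b))
        report[src] = {
            "failures": len(evs),
            "bursts": len(bursts),
            "repeated_users": sorted(u for u, n in seen_in.items() if n > 1),
        }
    return report

def suspicious(report, min_bursts=2):
    """Sources that retried the same usernames in several separate bursts."""
    return sorted(s for s, r in report.items()
                  if r["bursts"] >= min_bursts and r["repeated_users"])

if __name__ == "__main__":
    print(suspicious(summarize(SAMPLE_LOG)))
```

A source flagged this way is a candidate for blocking or rate-limiting at the FTP service; the burst gap and threshold need tuning against real traffic.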

