[Novalug] POSSIBLE BREAK-IN in auth.log via ssh
Jon LaBadie
novalugml at jgcomp.com
Fri Feb 13 09:56:04 EST 2009
On Fri, Feb 13, 2009 at 04:19:49AM -0500, Norman Bird wrote:
> This is interesting all,
>
> When I sent this to the lists I sent it to novalug and debian-user,
>
> I just queried the IP address that was trying to hack me and it came up on
> google. It was my question I asked the list on the internet, on this site:
> http://osdir.com/answers/debian/
>
> It appears that my question to the list and maybe all questions to the list
> I dunno, are pushed out to the internet where the world can query it.
>
> Maybe I'm just a newbie but I had no idea. Just thought I would mention
> that. Anyone got any filler on this?
>
Just a similar observation.
When forming my reply I did a little research on the attacker's IP
address in your logfiles using the ARIN database and simple tools
like whois, dig, ... Didn't come up with anything particularly
interesting so I decided to google the domain of the attacker,
"wqpax.net" IIRC.
Not only was your question in google's hit list, it was number one.
jl
--
Jon H. LaBadie jon at jgcomp.com
JG Computing
12027 Creekbend Drive (703) 787-0884
Reston, VA 20194 (703) 787-0922 (fax)