Thanks everyone for your input so far.

A special thanks to B_o_B (I think) who has been diligently trying to hack
me. :)

SMB is on but not open to the public.
Finger is on but not open to the public.

It is an email and web server.

The only VRFY message in the maillog is a rejection for B_o_B.

domain.com/~username returns the same for valid and invalid users.

B_o_B has passed along the nmap and the results look like they should - I
think.

Still wondering....

Doug

-----Original Message-----
From: John T. Hoffoss [mailto:hoff0438 at umn.edu]
Sent: Thursday, March 04, 2004 9:07 AM
To: dcoats at heritagemail.org; 'TCLUG Mailing List'
Subject: RE: [TCLUG] Attack


SMB? Finger? A Windows box with the same users? Is this a mail server?
Does your mail server support the VRFY method? This could have allowed
random user enumeration. There are vulnerabilities in certain Apache
configurations that allow for user enumeration as well; when you go to
domain.com/~realuser you get a 'permission denied' message, and
domain.com/~fakeuser you get 'directory not accessible' or something.

What is the box used for? Have you ever run nmap on it from outside?

> -----Original Message-----
> From: tclug-list-bounces at mn-linux.org
> [mailto:tclug-list-bounces at mn-linux.org] On Behalf Of Pastor
> Doug Coats
> Sent: Thursday, March 04, 2004 8:55 AM
> To: TCLUG Mailing List
> Subject: [TCLUG] Attack
>
>
> I am running Fedora Core1 and had an interesting attack show
> up in my logs.
>
> Someone tried to ssh running through the entire list of users.
>
> My question is how did they get that list of valid users?
> There is no evidence of simply trying random users - they
> knew every user.
>
> Is there something in Linux that would return a request for
> every user name?
>
> Is there something I should have turned off so that cannot
> happen again?
>
> I blocked their IP address in IPTables but they can find a
> way around that. And I would like to block anyone from trying
> something similar.
>
> Any suggestions would be greatly appreciated.
>
> Thanks All,
>
> Doug
>
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
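
Added example, not part of the original thread: one way to test from the sshd log whether a source "knew every user", as the original post describes, rather than guessing names. The log lines, host name, addresses and account list are constructed; the message format is the one OpenSSH writes for failed passwords, with the older "illegal user" wording also accepted.

```python
import re
from collections import defaultdict

# Constructed sample: one source walks the real account list, another guesses.
SAMPLE_LOG = """\
Mar  4 08:01:10 mail sshd[2101]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar  4 08:01:12 mail sshd[2102]: Failed password for bob from 192.0.2.10 port 40002 ssh2
Mar  4 08:01:14 mail sshd[2103]: Failed password for carol from 192.0.2.10 port 40003 ssh2
Mar  4 08:01:16 mail sshd[2104]: Failed password for dave from 192.0.2.10 port 40004 ssh2
Mar  4 09:15:01 mail sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Mar  4 09:15:03 mail sshd[2202]: Failed password for illegal user test from 198.51.100.7 port 51002 ssh2
Mar  4 09:15:05 mail sshd[2203]: Failed password for invalid user oracle from 198.51.100.7 port 51003 ssh2
Mar  4 09:15:07 mail sshd[2204]: Failed password for root from 198.51.100.7 port 51004 ssh2
"""
LOCAL_USERS = {"alice", "bob", "carol", "dave"}  # constructed account list

# sshd prefixes the name with "invalid user" (older: "illegal user") when the
# account does not exist; a bare name means the account is real.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<bad>(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Per source IP: names tried that exist vs. names sshd marked as unknown."""
    stats = defaultdict(lambda: {"valid": set(), "invalid": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            kind = "invalid" if m.group("bad") else "valid"
            stats[m.group("ip")][kind].add(m.group("user"))
    return stats

def informed_sources(log_text, local_users, min_coverage=0.8, min_precision=0.9):
    """Flag IPs that hit most local accounts with almost no wrong guesses."""
    if not local_users:
        return []
    flagged = []
    for ip, s in summarize(log_text).items():
        total = len(s["valid"]) + len(s["invalid"])
        coverage = len(s["valid"] & local_users) / len(local_users)
        precision = len(s["valid"]) / total
        if coverage >= min_coverage and precision >= min_precision:
            flagged.append((ip, round(coverage, 2), round(precision, 2)))
    return sorted(flagged)

if __name__ == "__main__":
    print(informed_sources(SAMPLE_LOG, LOCAL_USERS))
```

A source with high coverage and high precision had the account list before it connected, which points the investigation at a disclosure path such as VRFY, finger or the web server rather than at sshd itself.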

