public inbox for speakup@linux-speakup.org
* log entry question on sshd
From: Raul A. Gallegos
  To: Speakup Mailing-list

Hey gang.  I received this log entry and am not sure if it's a portscan
of some type or not.  Anyone seen this before?

Jan 20 19:23:25 saidin sshd[4209]: scanned from 195.178.168.129 with
+SSH-1.0-SSH_Version_Mapper.  Don't panic.
Jan 20 19:24:47 saidin sshd[4216]: scanned from 195.178.168.129 with
+SSH-1.0-SSH_Version_Mapper.  Don't panic.
Jan 20 19:26:00 saidin sshd[4220]: scanned from 195.178.168.129 with
+SSH-1.0-SSH_Version_Mapper.  Don't panic.

-- 
We are writing this e-mail to inform you that the mail server is down.
Please do not call the help desk for assistance.  To see the progress of
any outage refer to your e-mail notifications.
Raul A. Gallegos - http://www.asmodean.net



* Re: log entry question on sshd
From: Kirk Wood
  To: Speakup Mailing-list

I haven't seen it, but would be inclined to follow the advice given right
in the log.

=======
Kirk Wood
Cpt.Kirk@1tree.net

Nowlan's Theory:
        He who hesitates is not only lost, but several miles from
        the next freeway exit.





* Eudora address book conversion?
From: charles crawford
  To: Speakup Mailing-list

Hi All,

	I want to take my Eudora addressbook in Windows and convert it to
pine.  Anyone know if this is possible?

-- Charlie Crawford.





* Re: Eudora address book conversion?
From: Steve Holmes
  To: Speakup Mailing-list

If you can identify the formats of the Eudora address book, a Perl script
could be built to do the job.  I did that when working between Pine and
Agent for Windows.  If you need that script built, let me know privately
and I'll be glad to do it.  Just get me the format definitions of the
address book and we'll go from there.

On Mon, 21 Jan 2002, charles crawford wrote:

>
> Hi All,
>
> 	I want to take my Eudora addressbook in Windows and convert it to
> pine.  Anyone know if this is possible?
>
> -- Charlie Crawford.




* Re: Eudora address book conversion?
From: charles crawford
  To: Speakup Mailing-list

Steve,

	Thanks for the offer of help in converting my Eudora.  May well
take you up on it.  I have over 1,200 addresses in that sucker.

-- Charlie Crawford.





* Re: log entry question on sshd
From: Darrell Shandrow
  To: speakup

Hi Raul,

Hmmm, looks like a rather persistent port scan, in my estimation.

At 11:04 PM 1/20/2002 -0600, you wrote:
>Hey gang.  I received this log entry and am not sure if it's a portscan
>of some type or not.  Anyone seen this before?
>
>Jan 20 19:23:25 saidin sshd[4209]: scanned from 195.178.168.129 with
>+SSH-1.0-SSH_Version_Mapper.  Don't panic.
>Jan 20 19:24:47 saidin sshd[4216]: scanned from 195.178.168.129 with
>+SSH-1.0-SSH_Version_Mapper.  Don't panic.
>Jan 20 19:26:00 saidin sshd[4220]: scanned from 195.178.168.129 with
>+SSH-1.0-SSH_Version_Mapper.  Don't panic.
>
>--
>We are writing this e-mail to inform you that the mail server is down.
>Please do not call the help desk for assistance.  To see the progress of
>any outage refer to your e-mail notifications.
>Raul A. Gallegos - http://www.asmodean.net

Best regards and happy New Year,
Darrell
Access technology consulting / network and UNIX systems administration.




* Re: log entry question on sshd
From: Raul A. Gallegos
  To: speakup

Darrell Shandrow said the following on Tue, Jan 22, 2002 at 08:43:41PM -0700:
> Hi Raul,
> 
> Hmmm, looks like a rather persistent port scan, in my estimation.
> 
> At 11:04 PM 1/20/2002 -0600, you wrote:
> >Hey gang.  I received this log entry and am not sure if it's a portscan
> >of some type or not.  Anyone seen this before?
> >
> >Jan 20 19:23:25 saidin sshd[4209]: scanned from 195.178.168.129 with
> >+SSH-1.0-SSH_Version_Mapper.  Don't panic.
> >Jan 20 19:24:47 saidin sshd[4216]: scanned from 195.178.168.129 with
> >+SSH-1.0-SSH_Version_Mapper.  Don't panic.
> >Jan 20 19:26:00 saidin sshd[4220]: scanned from 195.178.168.129 with
> >+SSH-1.0-SSH_Version_Mapper.  Don't panic.


I thought so at first but usually portscans will scan more ports than
ssh.  Besides I'm not worried about anyone breaking in via ssh.  My ssh 
is secure and does not allow root to ssh in anyway.  I also didn't see
any other portscans on any other ports.  What it seems to me is that
they were trying to use ssh1 to connect on ssh2 or something but who
knows.  It has not happened since so I am not worried.

-- 
We are writing this e-mail to inform you that the mail server is down.
Please do not call the help desk for assistance.  To see the progress of
any outage refer to your e-mail notifications.
Raul A. Gallegos - http://www.asmodean.net
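
An added example, not code from anyone in the thread: the check described in the message above (one source, one service, repeated), run over the entries posted at the start of the thread. It assumes the leading `+` is a mail-client wrap marker and that the token after `with` is the string the remote end announced; the function names and the year default are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entries as posted in the thread. The leading "+" on each second line is
# assumed to be a wrap marker from the poster's mail client, not sshd output.
SAMPLE = """\
Jan 20 19:23:25 saidin sshd[4209]: scanned from 195.178.168.129 with
+SSH-1.0-SSH_Version_Mapper.  Don't panic.
Jan 20 19:24:47 saidin sshd[4216]: scanned from 195.178.168.129 with
+SSH-1.0-SSH_Version_Mapper.  Don't panic.
Jan 20 19:26:00 saidin sshd[4220]: scanned from 195.178.168.129 with
+SSH-1.0-SSH_Version_Mapper.  Don't panic.
"""

ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"scanned from (?P<src>\S+) with (?P<banner>\S+)\.\s+Don't panic\.$"
)

def unwrap(text):
    """Drop mail quote markers ('>') and rejoin entries wrapped with '+'."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).rstrip()
        if line.startswith("+") and lines:
            lines[-1] += " " + line[1:]
        elif line:
            lines.append(line)
    return lines

def summarize(text, year=2002):
    """Group 'scanned from' entries by (source, banner); syslog omits the
    year, so `year` is supplied by the caller (assumed 2002 here)."""
    seen = defaultdict(list)
    for line in unwrap(text):
        m = ENTRY.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            seen[(m["src"], m["banner"])].append(stamp)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report[key] = {"count": len(stamps), "first": stamps[0],
                       "last": stamps[-1], "gaps_s": gaps}
    return report

if __name__ == "__main__":
    for (src, banner), info in summarize(SAMPLE).items():
        print(src, banner, info["count"], "entries, gaps (s):", info["gaps_s"])
```

The same function accepts the `>`-quoted copies of the entries that appear in the replies, so a log excerpt pasted from mail can be summarized without cleaning it by hand.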



* Re: log entry question on sshd
From: Darrell Shandrow
  To: speakup

Hi Raul,

You could access the ARIN (American Registry of Internet Numbers) web site 
at http://www.arin.net to find out the provider who has registered the IP 
address in question, and contact that provider.  I have certainly dealt 
with those sorts of security inquiries at work on a number of occasions.


At 09:11 AM 1/23/2002 -0600, you wrote:
>Darrell Shandrow said the following on Tue, Jan 22, 2002 at 08:43:41PM -0700:
> > Hi Raul,
> >
> > Hmmm, looks like a rather persistent port scan, in my estimation.
> >
> > At 11:04 PM 1/20/2002 -0600, you wrote:
> > >Hey gang.  I received this log entry and am not sure if it's a portscan
> > >of some type or not.  Anyone seen this before?
> > >
> > >Jan 20 19:23:25 saidin sshd[4209]: scanned from 195.178.168.129 with
> > >+SSH-1.0-SSH_Version_Mapper.  Don't panic.
> > >Jan 20 19:24:47 saidin sshd[4216]: scanned from 195.178.168.129 with
> > >+SSH-1.0-SSH_Version_Mapper.  Don't panic.
> > >Jan 20 19:26:00 saidin sshd[4220]: scanned from 195.178.168.129 with
> > >+SSH-1.0-SSH_Version_Mapper.  Don't panic.
>
>
>I thought so at first but usually portscans will scan more ports than
>ssh.  Besides I'm not worried about anyone breaking in via ssh.  My ssh
>is secure and does not allow root to ssh in anyway.  I also didn't see
>any other portscans on any other ports.  What it seems to me is that
>they were trying to use ssh1 to connect on ssh2 or something but who
>knows.  It has not happened since so I am not worried.
>
>--
>We are writing this e-mail to inform you that the mail server is down.
>Please do not call the help desk for assistance.  To see the progress of
>any outage refer to your e-mail notifications.
>Raul A. Gallegos - http://www.asmodean.net

Best regards and happy New Year,
Darrell
Access technology consulting / network and UNIX systems administration.




* Re: log entry question on sshd
From: Amanda Lee
  To: speakup

Beat me to it! Was pointed out last week when I took the TCP/IP class.

Now going to go key-in the IPs I see here after Comcast allegedly cut over
from the @home debacle to their network yesterday.  I do see a different
numbering series and am curious to know who these are registered to.

Amanda Lee

----- Original Message -----
From: "Darrell Shandrow" <nu7i@azboss.net>
To: <speakup@braille.uwo.ca>
Sent: Wednesday, January 23, 2002 10:58 PM
Subject: Re: log entry question on sshd


> Hi Raul,
>
> You could access the ARIN (American Registry of Internet Numbers) web site
> at http://www.arin.net to find out the provider who has registered the IP
> address in question, and contact that provider.  I have certainly dealt
> with those sorts of security inquiries at work on a number of occasions.
>
>
> At 09:11 AM 1/23/2002 -0600, you wrote:
> >Darrell Shandrow said the following on Tue, Jan 22, 2002 at 08:43:41PM -0700:
> > > Hi Raul,
> > >
> > > Hmmm, looks like a rather persistent port scan, in my estimation.
> > >
> > > At 11:04 PM 1/20/2002 -0600, you wrote:
> > > >Hey gang.  I received this log entry and am not sure if it's a portscan
> > > >of some type or not.  Anyone seen this before?
> > > >
> > > >Jan 20 19:23:25 saidin sshd[4209]: scanned from 195.178.168.129 with
> > > >+SSH-1.0-SSH_Version_Mapper.  Don't panic.
> > > >Jan 20 19:24:47 saidin sshd[4216]: scanned from 195.178.168.129 with
> > > >+SSH-1.0-SSH_Version_Mapper.  Don't panic.
> > > >Jan 20 19:26:00 saidin sshd[4220]: scanned from 195.178.168.129 with
> > > >+SSH-1.0-SSH_Version_Mapper.  Don't panic.
> >
> >
> >I thought so at first but usually portscans will scan more ports than
> >ssh.  Besides I'm not worried about anyone breaking in via ssh.  My ssh
> >is secure and does not allow root to ssh in anyway.  I also didn't see
> >any other portscans on any other ports.  What it seems to me is that
> >they were trying to use ssh1 to connect on ssh2 or something but who
> >knows.  It has not happened since so I am not worried.
> >
> >--
> >We are writing this e-mail to inform you that the mail server is down.
> >Please do not call the help desk for assistance.  To see the progress of
> >any outage refer to your e-mail notifications.
> >Raul A. Gallegos - http://www.asmodean.net
>
> Best regards and happy New Year,
> Darrell
> Access technology consulting / network and UNIX systems administration.




* Re: log entry question on sshd
From: Geoff Shang
  To: speakup

Hi:

You can actually use the whois program to do this sort of thing.  It's a
good idea to pipe its output through more (or less) as there can often be
quite a bit of it.  You can either enter IP addresses or domains, and you
can also enter partial IP addresses (i.e. the first 3 numbers).

Geoff.


-- 
Geoff Shang <gshang10@scu.edu.au>
ICQ number 43634701


