[PLUG] IPv6 and netfilter/ip/iptables
Elliott Mitchell
ehem at m5p.com
Mon Feb 21 21:46:22 UTC 2005
>From: "Roderick A. Anderson" <raanders at acm.org>
> I'm seeing a bunch of "script-kiddie-ish" attempts on several servers that
> look like they are coming from an ipv6 interface.
>
> This from logwatch:
>
> Failed logins from these:
> guest/password from ::ffff:206.71.67.75: 1 Time(s)
> test/password from ::ffff:206.71.67.75: 1 Time(s)
>
> Illegal users from these:
> guest/none from ::ffff:206.71.67.75: 1 Time(s)
> guest/password from ::ffff:206.71.67.75: 1 Time(s)
> test/none from ::ffff:206.71.67.75: 1 Time(s)
> test/password from ::ffff:206.71.67.75: 1 Time(s)
I'd guess you've got a single sshd process and it is listening on ::?
What you're seeing is that the sshd process is only talking to the IPv6 stack,
and so it perceives IPv4 connections like the above. The IPv6 ::ffff:
addresses are used for mapping IPv4 connections for an app only talking
IPv6. So it looks like the IPv4 machine 206.71.67.75 is a script-kiddie
zombie.
--
(\___(\___(\______ --=> 8-) EHM <=-- ______/)___/)___/)
\ ( | EHeM at gremlin.m5p.com PGP 8881EF59 | ) /
\_ \ | _____ -O #include <stddisclaimer.h> O- _____ | / _/
\___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/
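
The mapping described in the reply above, as an added example that is not part of the original post: it collapses ::ffff: addresses in logwatch-style lines back to plain IPv4 so one host is counted once and the result says whether an IPv4 (iptables) or IPv6 (ip6tables) rule applies. The sample lines, the regular expression and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the logwatch format quoted above (not real log data).
SAMPLE = """\
guest/password from ::ffff:206.71.67.75: 1 Time(s)
test/none from ::ffff:206.71.67.75: 2 Time(s)
root/password from 206.71.67.75: 1 Time(s)
admin/password from 2001:db8::5: 3 Time(s)
"""

# user/method from ADDRESS: N Time(s)  (assumed line layout, taken from the quote)
LINE = re.compile(
    r"^(?P<user>\S+)/(?P<method>\S+) from (?P<addr>[0-9A-Fa-f:.]+): "
    r"(?P<n>\d+) Time\(s\)$"
)


def normalize(addr):
    """Return (family, address), collapsing IPv4-mapped IPv6 to IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is the IPv4 host a.b.c.d
    return ("ipv4" if ip.version == 4 else "ipv6", str(ip))


def count_sources(text):
    """Sum failed-login counts per real source address."""
    totals = Counter()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a login-failure line
        try:
            key = normalize(m.group("addr"))
        except ValueError:
            continue  # matched the pattern but is not a valid address
        totals[key] += int(m.group("n"))
    return totals


if __name__ == "__main__":
    for (family, addr), n in count_sources(SAMPLE).most_common():
        print(f"{addr:<20} {family}  {n} failure(s)")
```
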