(RADIATOR) mikem user possible hack attempt?

Dan Boucaut danb at p1solutions.com.au
Mon Mar 25 20:34:26 CST 2002


Hello,

I have pulled the following output from my logfile. As you can see, there 
is a user called mikem which says he is coming from open.com.au (which 
I believe is spoofed). I believe this is an attempt to get through with 
default RADIUS user settings.

Has anyone else seen this? Any way to find out where the packets are 
coming from?


Thanks,
Dan Boucaut


Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43066 ....
Code:       Access-Request
Identifier: 193
Authentic:  1234567890123456
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = 
"<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"

Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Mar 26 08:52:43 2002: DEBUG:  Deleting session for mikem, 
203.63.154.1, 1234
Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT
Tue Mar 26 08:52:43 2002: INFO: Access rejected for mikem: NT 
Authentication failed: Logon Error (3)
Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 43066 ....
Code:       Access-Reject
Identifier: 193
Authentic:  1234567890123456
Attributes:
        Reply-Message = "Request Denied"

Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43066 ....
Code:       Accounting-Request
Identifier: 194
Authentic:  
<253><229>D<154><222><211>0<210>O<19><244><233><207><226><167><145>
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Start
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"

Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Mar 26 08:52:43 2002: DEBUG:  Adding session for mikem, 
203.63.154.1, 1234
Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT
Tue Mar 26 08:52:43 2002: DEBUG: Accounting accepted
Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 43066 ....
Code:       Accounting-Response
Identifier: 194
Authentic:  
<253><229>D<154><222><211>0<210>O<19><244><233><207><226><167><145>
Attributes:

Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43066 ....
Code:       Accounting-Request
Identifier: 195
Authentic:  <6><249><144><217><195>O<3><139><211>V<127>n<212><30>Q<127>
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Stop
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        Acct-Delay-Time = 0
        Acct-Session-Time = 1000
        Acct-Input-Octets = 20000
        Acct-Output-Octets = 30000

Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Mar 26 08:52:43 2002: DEBUG:  Deleting session for mikem, 
203.63.154.1, 1234
Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT
Tue Mar 26 08:52:43 2002: DEBUG: Accounting accepted
Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 43066 ....
Code:       Accounting-Response
Identifier: 195
Authentic:  <6><249><144><217><195>O<3><139><211>V<127>n<212><30>Q<127>
Attributes:

Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43067 ....
Code:       Access-Request
Identifier: 201
Authentic:  1234567890123456
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = 
"<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"

Tue Mar 26 08:52:52 2002: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Mar 26 08:52:52 2002: DEBUG:  Deleting session for mikem, 
203.63.154.1, 1234
Tue Mar 26 08:52:52 2002: DEBUG: Handling with NT
Tue Mar 26 08:52:52 2002: INFO: Access rejected for mikem: NT 
Authentication failed: Logon Error (3)
Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 43067 ....
Code:       Access-Reject
Identifier: 201
Authentic:  1234567890123456
Attributes:
        Reply-Message = "Request Denied"

Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43067 ....
Code:       Accounting-Request
Identifier: 202
Authentic:  P<144><155><139><164><236><190>5<200>MBn<231><253>xe
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Start
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"

Tue Mar 26 08:52:52 2002: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Mar 26 08:52:52 2002: DEBUG:  Adding session for mikem, 
203.63.154.1, 1234
Tue Mar 26 08:52:52 2002: DEBUG: Handling with NT
Tue Mar 26 08:52:52 2002: DEBUG: Accounting accepted
Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 43067 ....
Code:       Accounting-Response
Identifier: 202
Authentic:  P<144><155><139><164><236><190>5<200>MBn<231><253>xe
Attributes:

Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43067 ....
Code:       Accounting-Request
Identifier: 203
Authentic:  <252><182>G<208><4>ad6<198><151>V<242><207>s<186><223>
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Stop
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        Acct-Delay-Time = 0
        Acct-Session-Time = 1000
        Acct-Input-Octets = 20000
        Acct-Output-Octets = 30000

Tue Mar 26 08:52:52 2002: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Mar 26 08:52:52 2002: DEBUG:  Deleting session for mikem, 
203.63.154.1, 1234
Tue Mar 26 08:52:52 2002: DEBUG: Handling with NT
Tue Mar 26 08:52:52 2002: DEBUG: Accounting accepted
Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 43067 ....
Code:       Accounting-Response
Identifier: 203
Authentic:  <252><182>G<208><4>ad6<198><151>V<242><207>s<186><223>
Attributes:
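
An added example (not part of the original post and not Radiator code): a small parser for debug packet dumps in the format shown above. For each received packet it puts the socket source address that Radiator logged in "Received from" next to the NAS-IP-Address attribute the sender placed inside the packet. The function names are hypothetical; the sample log is abridged from the dumps in the post.

```python
import re

# Sample input: abridged from the packet dumps in the post above.
SAMPLE_LOG = """\
Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43066 ....
Code:       Access-Request
Attributes:
        User-Name = "mikem"
        NAS-IP-Address = 203.63.154.1

Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 43066 ....
Code:       Access-Reject
Attributes:
        Reply-Message = "Request Denied"

Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43067 ....
Code:       Accounting-Request
Attributes:
        User-Name = "mikem"
        NAS-IP-Address = 203.63.154.1
"""

RECEIVED = re.compile(r"^\*\*\* Received from (\S+) port (\d+)")
FIELD = re.compile(r"^\s*(Code|User-Name|NAS-IP-Address)\s*[:=]\s*(.*?)\s*$")

def received_packets(log_text):
    """Return one dict per received packet: socket source plus claimed attributes."""
    packets, current = [], None
    for line in log_text.splitlines():
        m = RECEIVED.match(line)
        if m:
            current = {"src": m.group(1), "src_port": int(m.group(2))}
            packets.append(current)
        elif line.startswith("*** Sending to"):
            current = None  # reply dump: skip, it is not client input
        elif current is not None and (f := FIELD.match(line)):
            current[f.group(1)] = f.group(2).strip('"')
    return packets

def mismatched(packets):
    """Packets whose claimed NAS-IP-Address differs from the socket source."""
    return [p for p in packets if p.get("NAS-IP-Address") not in (None, p["src"])]

def sources(packets):
    """Distinct (User-Name, socket source, claimed NAS-IP-Address) triples."""
    return sorted({(p.get("User-Name", "?"), p["src"], p.get("NAS-IP-Address", "?")) for p in packets})
```

The "Received from" address is what the server's UDP socket reported as the sender; NAS-IP-Address is payload data chosen by whoever built the packet, so the two are worth comparing whenever the origin of a request is in question.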

