(RADIATOR) mikem user possible hack attempt?

Hugh Irvine hugh at open.com.au
Tue Mar 26 00:56:44 CST 2002


Hello Dan -

This is a result of someone at your site running "radpwtst" on the Radiator
host with the default username and request attributes.

regards

Hugh


On Tue, 26 Mar 2002 13:34, Dan Boucaut wrote:
> Hello,
>
> I have pulled the following output from my logfile. As you can see there
> is a user called mikem which says he is coming from open.com.au (which
> I believe is spoofed). I believe this is an attempt to get through with
> default RADIUS user settings.
>
> Has anyone else seen this? Any way to find out where the packets are
> coming from?
>
>
> thanks
> Dan Boucaut
>
>
> Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 43066 ....
> Code:       Access-Request
> Identifier: 193
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "mikem"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =
> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Mar 26 08:52:43 2002: DEBUG:  Deleting session for mikem,
> 203.63.154.1, 1234
> Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT
> Tue Mar 26 08:52:43 2002: INFO: Access rejected for mikem: NT
> Authentication failed: Logon Error (3)
> Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 43066 ....
> Code:       Access-Reject
> Identifier: 193
> Authentic:  1234567890123456
> Attributes:
>         Reply-Message = "Request Denied"
>
> Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 43066 ....
> Code:       Accounting-Request
> Identifier: 194
> Authentic:
> <253><229>D<154><222><211>0<210>O<19><244><233><207><226><167><145>
> Attributes:
>         User-Name = "mikem"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "00001234"
>         Acct-Status-Type = Start
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>
> Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Mar 26 08:52:43 2002: DEBUG:  Adding session for mikem,
> 203.63.154.1, 1234
> Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT
> Tue Mar 26 08:52:43 2002: DEBUG: Accounting accepted
> Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 43066 ....
> Code:       Accounting-Response
> Identifier: 194
> Authentic:
> <253><229>D<154><222><211>0<210>O<19><244><233><207><226><167><145>
> Attributes:
>
> Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 43066 ....
> Code:       Accounting-Request
> Identifier: 195
> Authentic:  <6><249><144><217><195>O<3><139><211>V<127>n<212><30>Q<127>
> Attributes:
>         User-Name = "mikem"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "00001234"
>         Acct-Status-Type = Stop
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         Acct-Delay-Time = 0
>         Acct-Session-Time = 1000
>         Acct-Input-Octets = 20000
>         Acct-Output-Octets = 30000
>
> Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Mar 26 08:52:43 2002: DEBUG:  Deleting session for mikem,
> 203.63.154.1, 1234
> Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT
> Tue Mar 26 08:52:43 2002: DEBUG: Accounting accepted
> Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 43066 ....
> Code:       Accounting-Response
> Identifier: 195
> Authentic:  <6><249><144><217><195>O<3><139><211>V<127>n<212><30>Q<127>
> Attributes:
>
> Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 43067 ....
> Code:       Access-Request
> Identifier: 201
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "mikem"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =
> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Tue Mar 26 08:52:52 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Mar 26 08:52:52 2002: DEBUG:  Deleting session for mikem,
> 203.63.154.1, 1234
> Tue Mar 26 08:52:52 2002: DEBUG: Handling with NT
> Tue Mar 26 08:52:52 2002: INFO: Access rejected for mikem: NT
> Authentication failed: Logon Error (3)
> Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 43067 ....
> Code:       Access-Reject
> Identifier: 201
> Authentic:  1234567890123456
> Attributes:
>         Reply-Message = "Request Denied"
>
> Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 43067 ....
> Code:       Accounting-Request
> Identifier: 202
> Authentic:  P<144><155><139><164><236><190>5<200>MBn<231><253>xe
> Attributes:
>         User-Name = "mikem"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "00001234"
>         Acct-Status-Type = Start
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>
> Tue Mar 26 08:52:52 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Mar 26 08:52:52 2002: DEBUG:  Adding session for mikem,
> 203.63.154.1, 1234
> Tue Mar 26 08:52:52 2002: DEBUG: Handling with NT
> Tue Mar 26 08:52:52 2002: DEBUG: Accounting accepted
> Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 43067 ....
> Code:       Accounting-Response
> Identifier: 202
> Authentic:  P<144><155><139><164><236><190>5<200>MBn<231><253>xe
> Attributes:
>
> Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 43067 ....
> Code:       Accounting-Request
> Identifier: 203
> Authentic:  <252><182>G<208><4>ad6<198><151>V<242><207>s<186><223>
> Attributes:
>         User-Name = "mikem"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "00001234"
>         Acct-Status-Type = Stop
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         Acct-Delay-Time = 0
>         Acct-Session-Time = 1000
>         Acct-Input-Octets = 20000
>         Acct-Output-Octets = 30000
>
> Tue Mar 26 08:52:52 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Mar 26 08:52:52 2002: DEBUG:  Deleting session for mikem,
> 203.63.154.1, 1234
> Tue Mar 26 08:52:52 2002: DEBUG: Handling with NT
> Tue Mar 26 08:52:52 2002: DEBUG: Accounting accepted
> Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 43067 ....
> Code:       Accounting-Response
> Identifier: 203
> Authentic:  <252><182>G<208><4>ad6<198><151>V<242><207>s<186><223>
> Attributes:
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
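
A triage sketch for debug logs like the one quoted above, added here as an example and not part of the original message or of Radiator. It reads the "Received from" line, which gives the real source of each packet (NAS-IP-Address is only an attribute the client fills in), and checks the attributes against the values in this thread's dump. The function names, the labels and the second sample packet are constructed for illustration.

```python
import ipaddress
import re

# Values copied from the dump quoted in this thread (radpwtst defaults, per the reply).
TEST_ATTRS = {"User-Name": '"mikem"', "NAS-IP-Address": "203.63.154.1",
              "NAS-Port": "1234", "Called-Station-Id": '"123456789"',
              "Calling-Station-Id": '"987654321"'}
RECV = re.compile(r"\*\*\* Received from (\S+) port (\d+)")
ATTR = re.compile(r"^([A-Za-z][\w-]*) = (.*)$")
# Constructed sample: first packet abridged from the thread, second invented.
SAMPLE = """\
*** Received from 127.0.0.1 port 43066 ....
Code:       Access-Request
Attributes:
        User-Name = "mikem"
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
*** Received from 192.0.2.10 port 1645 ....
Code:       Access-Request
Attributes:
        User-Name = "alice"
        NAS-IP-Address = 192.0.2.10
"""

def parse_received(log_text):
    """Return one dict per 'Received from' packet dump in a Radiator debug log."""
    packets, cur = [], None
    for raw in log_text.splitlines():
        line = raw.lstrip("> \t").rstrip()  # tolerate e-mail quoting and indentation
        m = RECV.search(line)
        if m:
            cur = {"src": m.group(1), "code": None, "attrs": {}}
            packets.append(cur)
        elif line.startswith("*** Sending to"):
            cur = None  # replies are not classified
        elif cur is not None and line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
        elif cur is not None and ATTR.match(line):
            name, value = ATTR.match(line).groups()
            cur["attrs"][name] = value
    return packets

def classify(pkt):
    """Label by the real UDP source and by match with the thread's test values."""
    local = ipaddress.ip_address(pkt["src"]).is_loopback
    test = all(pkt["attrs"].get(k) == v for k, v in TEST_ATTRS.items())
    return ("local" if local else "network") + ("-test-values" if test else "")
```

A "local-test-values" result means the request was generated on the RADIUS host itself; "network-test-values" would be the case worth following up with a packet capture.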