loconet6 join:2004-07-27 Richmond Hill, ON
to pflog
Re: SSH scanning

Finally I found some info on this. Great thread guys. One of the boxes at work actually got rooted through a successful attempt at the account test:

Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2
...

These were followed by more attempts at user test/guest/admin/root.

Our ISP shut us down as some other admins reported that this box was now attempting brute force logins on other boxes within the same network space. This actually included one of our other boxes, which luckily was not rooted.

Anyways, once we managed to bring our box back up we noticed that after the successful login, it proceeded to install a rootkit. In this case we detected SuckIt. After various attempts, we were able to remove SuckIt:

[root@server .sk12]# ./sk u /dev/null
Detected version: 1.3b
Suckit uninstalled sucesfully!

As usual for this rootkit, it had installed an exploited sshd, a password sniffer and infected initd and telnetd. More info on sk: www.phrack.org/show.php?p=58&a=7

Up to this day, we get at least 10 brute force attempts a day on most of our boxes.
2004-Jul-27 11:15 am
to BeesTea
Whoaa... got ANOTHER attack attempt 2 days later:

Jul 26 19:30:15 codewarz sshd[2567]: Illegal user test from ::ffff:211.117.66.166
Jul 26 19:30:17 codewarz sshd[2567]: Failed password for illegal user test from ::ffff:211.117.66.166 port 59659 ssh2
Jul 26 19:30:19 codewarz sshd[2569]: Illegal user guest from ::ffff:211.117.66.166
Jul 26 19:30:22 codewarz sshd[2569]: Failed password for illegal user guest from ::ffff:211.117.66.166 port 59677 ssh2
Here's how it came in my email:

--------------------- SSHD Begin ------------------------

Failed logins from these:
   guest/password from ::ffff:211.117.66.166: 1 Time(s)
   test/password from ::ffff:211.117.66.166: 1 Time(s)

Illegal users from these:
   guest/none from ::ffff:211.117.66.166: 1 Time(s)
   guest/password from ::ffff:211.117.66.166: 1 Time(s)
   test/none from ::ffff:211.117.66.166: 1 Time(s)
   test/password from ::ffff:211.117.66.166: 1 Time(s)
Here's the ip: 211.117.66.166

Here's the nmap -sV of 211.117.66.166:

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-07-27 11:35 EDT
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Interesting ports on 211.117.66.166:
(The 1641 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE         VERSION
20/tcp    open     ssh             OpenSSH 2.9.2 (protocol 1.5)
22/tcp    open     ssh             OpenSSH 3.4p1 (protocol 1.99)
23/tcp    open     telnet          Linux telnetd
25/tcp    open     smtp            Sendmail 8.12.5/8.12.5
111/tcp   open     rpcbind         2 (rpc #100000)
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1521/tcp  open     oracle-tns      Oracle DB Listener 9.2.0.1.0 (for Linux)
1720/tcp  filtered H.323/Q.931
3128/tcp  filtered squid-http
4444/tcp  filtered krb524
6000/tcp  open     X11             (access denied)
8080/tcp  open     http            Oracle XML DB webserver 9.2.0.1.0 (Oracle9i Enterprise Edition Release)
17300/tcp filtered kuang2
32771/tcp open     sometimes-rpc5?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port32771-TCP:V=3.55%D=7/27%Time=4106767A%P=powerpc-apple-darwin7.4.0%r
SF:(oracle-tns,20,"\0\x20\0\0\x02\0\0\0\x016\0\0\x08\0\x7f\xff\x01\0\0\0\0
SF:\x20A\0\0\0\0\0\0\0\0\0");
(I even copied the unfound one :)) heh
2004-Jul-27 11:42 am
pflog (Bueller? Bueller?) MVM join:2001-09-01 El Dorado Hills, CA
to loconet6
Ok, that's what we guessed initially, that the sshd was a compromised one, hence the regularity of the accounts being tried.
So the sshd's are used as a "botnet" of sorts between infected hosts? The real question is, how was the box exploited to begin with which led to the trojan'd sshd?
2004-Jul-27 11:59 am
pflog
to CodeMaker16
Vigilante counter-security is anything but productive.
2004-Jul-27 12:01 pm
silarsis
Anon
2004-Jul-27 8:22 pm
to BeesTea
We had the same attack - the person in question got in, got root on the box. They then proceeded to download a kernel vulnerability (the mremap one for 2.4.24 and below) from www.hertza.ro and use it to get root, and attempt to create a user "sirzion". The hertza.ro site has been suspended, the creation of the user "sirzion" is interesting because there's a user registered on www.linux.ro with name "sirzion" who claims to be the director of hertza (a computer store). It's not conclusive, but it's interesting.
They also installed an irc bounce program. We spotted them while they were installing things, kicked them off, they logged back in and cleaned up after themselves before we could drop the box. We've since replaced the system with a new box.
2004-Jul-27 8:22 pm
w6bi Premium Member join:2001-03-11 Simi Valley, CA
to BeesTea
I found these in my firewall logs tonight:

Jul 27 19:06:00 fw sshd[31336]: Illegal user test from 66.63.168.131
Jul 27 19:06:03 fw sshd[31336]: Failed password for illegal user test from 66.63.168.131 port 37193 ssh2
Jul 27 19:06:04 fw sshd[31338]: Illegal user guest from 66.63.168.131
Jul 27 19:06:06 fw sshd[31338]: Failed password for illegal user guest from 66.63.168.131 port 37400 ssh2
That resolves to msmtrack.com. It has an apache test page there, and msmtrack.com/usage shows the vanilla webalizer graphs. Looks like an older Linux box, rooted somehow.
bee-aye
2004-Jul-27 11:32 pm
to BeesTea
I also found a lot of entries from this afternoon and evening:

Jul 27 12:59:39 miles newsyslog[21445]: logfile turned over
Jul 27 14:59:01 miles sshd[14433]: Illegal user test from 204.167.145.92
Jul 27 14:59:01 miles sshd[14433]: Failed password for illegal user test from 204.167.145.92 port 51689 ssh2
Jul 27 14:59:01 miles sshd[7787]: input_userauth_request: illegal user test
Jul 27 14:59:01 miles sshd[7787]: Failed password for illegal user test from 204.167.145.92 port 51689 ssh2
Jul 27 14:59:01 miles sshd[7787]: Received disconnect from 204.167.145.92: 11: Bye Bye
Jul 27 14:59:03 miles sshd[1148]: Illegal user guest from 204.167.145.92
Jul 27 14:59:03 miles sshd[26698]: input_userauth_request: illegal user guest
Jul 27 14:59:03 miles sshd[1148]: Failed password for illegal user guest from 204.167.145.92 port 51751 ssh2
Jul 27 14:59:03 miles sshd[26698]: Failed password for illegal user guest from 204.167.145.92 port 51751 ssh2
Jul 27 14:59:03 miles sshd[26698]: Received disconnect from 204.167.145.92: 11: Bye Bye
Jul 27 20:31:42 miles sshd[9444]: Failed password for nobody from 66.135.33.104 port 48293 ssh2
Jul 27 20:31:42 miles sshd[9061]: Failed password for nobody from 66.135.33.104 port 48293 ssh2
Jul 27 20:31:42 miles sshd[9444]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:43 miles sshd[2079]: Illegal user patrick from 66.135.33.104
Jul 27 20:31:43 miles sshd[18326]: input_userauth_request: illegal user patrick
Jul 27 20:31:43 miles sshd[2079]: Failed password for illegal user patrick from 66.135.33.104 port 48295 ssh2
Jul 27 20:31:43 miles sshd[18326]: Failed password for illegal user patrick from 66.135.33.104 port 48295 ssh2
Jul 27 20:31:43 miles sshd[18326]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:44 miles sshd[13442]: Illegal user patrick from 66.135.33.104
Jul 27 20:31:44 miles sshd[23970]: input_userauth_request: illegal user patrick
Jul 27 20:31:44 miles sshd[13442]: Failed password for illegal user patrick from 66.135.33.104 port 48296 ssh2
Jul 27 20:31:44 miles sshd[23970]: Failed password for illegal user patrick from 66.135.33.104 port 48296 ssh2
Jul 27 20:31:44 miles sshd[23970]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:45 miles sshd[30976]: Failed password for root from 66.135.33.104 port 48297 ssh2
Jul 27 20:31:45 miles sshd[24751]: Failed password for root from 66.135.33.104 port 48297 ssh2
Jul 27 20:31:45 miles sshd[30976]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:47 miles sshd[7045]: Failed password for root from 66.135.33.104 port 48299 ssh2
Jul 27 20:31:47 miles sshd[32712]: Failed password for root from 66.135.33.104 port 48299 ssh2
Jul 27 20:31:47 miles sshd[32712]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:48 miles sshd[21440]: Failed password for www from 66.135.33.104 port 48300 ssh2
Jul 27 20:31:48 miles sshd[22890]: Failed password for www from 66.135.33.104 port 48300 ssh2
Jul 27 20:31:48 miles sshd[21440]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:50 miles sshd[17814]: Illegal user wwwrun from 66.135.33.104
Jul 27 20:31:50 miles sshd[29238]: input_userauth_request: illegal user wwwrun
Jul 27 20:31:50 miles sshd[17814]: Failed password for illegal user wwwrun from 66.135.33.104 port 48301 ssh2
Jul 27 20:31:50 miles sshd[29238]: Failed password for illegal user wwwrun from 66.135.33.104 port 48301 ssh2
Jul 27 20:31:50 miles sshd[29238]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:51 miles sshd[4941]: Illegal user matt from 66.135.33.104
Jul 27 20:31:51 miles sshd[26159]: input_userauth_request: illegal user matt
Jul 27 20:31:51 miles sshd[4941]: Failed password for illegal user matt from 66.135.33.104 port 48303 ssh2
Jul 27 20:31:51 miles sshd[26159]: Failed password for illegal user matt from 66.135.33.104 port 48303 ssh2
Jul 27 20:31:51 miles sshd[26159]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:52 miles sshd[6398]: Illegal user test from 66.135.33.104
Jul 27 20:31:52 miles sshd[21975]: input_userauth_request: illegal user test
Jul 27 20:31:52 miles sshd[6398]: Failed password for illegal user test from 66.135.33.104 port 48304 ssh2
Jul 27 20:31:52 miles sshd[21975]: Failed password for illegal user test from 66.135.33.104 port 48304 ssh2
Jul 27 20:31:52 miles sshd[21975]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:53 miles sshd[16834]: Illegal user test from 66.135.33.104
Jul 27 20:31:53 miles sshd[16466]: input_userauth_request: illegal user test
Jul 27 20:31:53 miles sshd[16834]: Failed password for illegal user test from 66.135.33.104 port 48305 ssh2
Jul 27 20:31:53 miles sshd[16466]: Failed password for illegal user test from 66.135.33.104 port 48305 ssh2
Jul 27 20:31:53 miles sshd[16466]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:54 miles sshd[11793]: Illegal user test from 66.135.33.104
Jul 27 20:31:54 miles sshd[25816]: input_userauth_request: illegal user test
Jul 27 20:31:54 miles sshd[11793]: Failed password for illegal user test from 66.135.33.104 port 48307 ssh2
Jul 27 20:31:54 miles sshd[25816]: Failed password for illegal user test from 66.135.33.104 port 48307 ssh2
Jul 27 20:31:54 miles sshd[25816]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:55 miles sshd[29596]: Illegal user test from 66.135.33.104
Jul 27 20:31:55 miles sshd[23294]: input_userauth_request: illegal user test
Jul 27 20:31:55 miles sshd[29596]: Failed password for illegal user test from 66.135.33.104 port 48308 ssh2
Jul 27 20:31:55 miles sshd[23294]: Failed password for illegal user test from 66.135.33.104 port 48308 ssh2
Jul 27 20:31:55 miles sshd[23294]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:56 miles sshd[21765]: Illegal user www-data from 66.135.33.104
Jul 27 20:31:56 miles sshd[11975]: input_userauth_request: illegal user www-data
Jul 27 20:31:56 miles sshd[21765]: Failed password for illegal user www-data from 66.135.33.104 port 48309 ssh2
Jul 27 20:31:56 miles sshd[11975]: Failed password for illegal user www-data from 66.135.33.104 port 48309 ssh2
Jul 27 20:31:56 miles sshd[11975]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:57 miles sshd[17267]: Illegal user apache from 66.135.33.104
Jul 27 20:31:57 miles sshd[28817]: input_userauth_request: illegal user apache
Jul 27 20:31:57 miles sshd[17267]: Failed password for illegal user apache from 66.135.33.104 port 48311 ssh2
Jul 27 20:31:57 miles sshd[28817]: Failed password for illegal user apache from 66.135.33.104 port 48311 ssh2
Jul 27 20:31:57 miles sshd[28817]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:59 miles sshd[31025]: Failed password for root from 66.135.33.104 port 48312 ssh2
Jul 27 20:31:59 miles sshd[7773]: Failed password for root from 66.135.33.104 port 48312 ssh2
Jul 27 20:31:59 miles sshd[31025]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:00 miles sshd[6038]: Failed password for root from 66.135.33.104 port 48313 ssh2
Jul 27 20:32:00 miles sshd[30345]: Failed password for root from 66.135.33.104 port 48313 ssh2
Jul 27 20:32:00 miles sshd[6038]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:01 miles sshd[27679]: Failed password for root from 66.135.33.104 port 48315 ssh2
Jul 27 20:32:01 miles sshd[20614]: Failed password for root from 66.135.33.104 port 48315 ssh2
Jul 27 20:32:01 miles sshd[27679]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:02 miles sshd[19236]: Failed password for root from 66.135.33.104 port 48316 ssh2
Jul 27 20:32:02 miles sshd[9414]: Failed password for root from 66.135.33.104 port 48316 ssh2
Jul 27 20:32:02 miles sshd[19236]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:03 miles sshd[3425]: Failed password for root from 66.135.33.104 port 48317 ssh2
Jul 27 20:32:03 miles sshd[15323]: Failed password for root from 66.135.33.104 port 48317 ssh2
Jul 27 20:32:03 miles sshd[3425]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:05 miles sshd[25338]: Failed password for root from 66.135.33.104 port 48318 ssh2
Jul 27 20:32:05 miles sshd[4389]: Failed password for root from 66.135.33.104 port 48318 ssh2
Jul 27 20:32:05 miles sshd[4389]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:06 miles sshd[17104]: Failed password for root from 66.135.33.104 port 48319 ssh2
Jul 27 20:32:06 miles sshd[16239]: Failed password for root from 66.135.33.104 port 48319 ssh2
Jul 27 20:32:06 miles sshd[17104]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:07 miles sshd[20281]: Failed password for root from 66.135.33.104 port 48320 ssh2
Jul 27 20:32:07 miles sshd[5180]: Failed password for root from 66.135.33.104 port 48320 ssh2
Jul 27 20:32:07 miles sshd[20281]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:08 miles sshd[19318]: Failed password for root from 66.135.33.104 port 48322 ssh2
Jul 27 20:32:08 miles sshd[13083]: Failed password for root from 66.135.33.104 port 48322 ssh2
Jul 27 20:32:08 miles sshd[19318]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:09 miles sshd[30920]: Failed password for root from 66.135.33.104 port 48323 ssh2
Jul 27 20:32:09 miles sshd[13246]: Failed password for root from 66.135.33.104 port 48323 ssh2
Jul 27 20:32:09 miles sshd[30920]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:10 miles sshd[12630]: Failed password for root from 66.135.33.104 port 48324 ssh2
Jul 27 20:32:10 miles sshd[24892]: Failed password for root from 66.135.33.104 port 48324 ssh2
Jul 27 20:32:10 miles sshd[12630]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:11 miles sshd[3301]: Failed password for root from 66.135.33.104 port 48325 ssh2
Jul 27 20:32:11 miles sshd[32760]: Failed password for root from 66.135.33.104 port 48325 ssh2
Jul 27 20:32:12 miles sshd[3301]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:13 miles sshd[22980]: Failed password for root from 66.135.33.104 port 48327 ssh2
Jul 27 20:32:13 miles sshd[11718]: Failed password for root from 66.135.33.104 port 48327 ssh2
Jul 27 20:32:13 miles sshd[22980]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:14 miles sshd[8535]: Failed password for root from 66.135.33.104 port 48328 ssh2
Jul 27 20:32:14 miles sshd[21962]: Failed password for root from 66.135.33.104 port 48328 ssh2
Jul 27 20:32:14 miles sshd[8535]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:15 miles sshd[31543]: Failed password for root from 66.135.33.104 port 48329 ssh2
Jul 27 20:32:15 miles sshd[743]: Failed password for root from 66.135.33.104 port 48329 ssh2
Jul 27 20:32:15 miles sshd[31543]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:16 miles sshd[17898]: Failed password for root from 66.135.33.104 port 48330 ssh2
Jul 27 20:32:16 miles sshd[24704]: Failed password for root from 66.135.33.104 port 48330 ssh2
Jul 27 20:32:16 miles sshd[17898]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:17 miles sshd[29542]: Failed password for root from 66.135.33.104 port 48332 ssh2
Jul 27 20:32:17 miles sshd[26705]: Failed password for root from 66.135.33.104 port 48332 ssh2
Jul 27 20:32:17 miles sshd[29542]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:18 miles sshd[25446]: Failed password for root from 66.135.33.104 port 48333 ssh2
Jul 27 20:32:18 miles sshd[26185]: Failed password for root from 66.135.33.104 port 48333 ssh2
Jul 27 20:32:19 miles sshd[25446]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:20 miles sshd[30490]: Illegal user noc from 66.135.33.104
Jul 27 20:32:20 miles sshd[10176]: input_userauth_request: illegal user noc
Jul 27 20:32:20 miles sshd[30490]: Failed password for illegal user noc from 66.135.33.104 port 48334 ssh2
Jul 27 20:32:20 miles sshd[10176]: Failed password for illegal user noc from 66.135.33.104 port 48334 ssh2
Jul 27 20:32:20 miles sshd[10176]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:21 miles sshd[28136]: Illegal user web from 66.135.33.104
Jul 27 20:32:21 miles sshd[8053]: input_userauth_request: illegal user web
Jul 27 20:32:21 miles sshd[28136]: Failed password for illegal user web from 66.135.33.104 port 48336 ssh2
Jul 27 20:32:21 miles sshd[8053]: Failed password for illegal user web from 66.135.33.104 port 48336 ssh2
Jul 27 20:32:21 miles sshd[8053]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:22 miles sshd[7904]: Illegal user sybase from 66.135.33.104
Jul 27 20:32:22 miles sshd[21707]: input_userauth_request: illegal user sybase
Jul 27 20:32:22 miles sshd[7904]: Failed password for illegal user sybase from 66.135.33.104 port 48337 ssh2
Jul 27 20:32:22 miles sshd[21707]: Failed password for illegal user sybase from 66.135.33.104 port 48337 ssh2
Jul 27 20:32:22 miles sshd[21707]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:23 miles sshd[31994]: Illegal user master from 66.135.33.104
Jul 27 20:32:23 miles sshd[2830]: input_userauth_request: illegal user master
Jul 27 20:32:23 miles sshd[31994]: Failed password for illegal user master from 66.135.33.104 port 48338 ssh2
Jul 27 20:32:23 miles sshd[2830]: Failed password for illegal user master from 66.135.33.104 port 48338 ssh2
Jul 27 20:32:23 miles sshd[2830]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:24 miles sshd[11756]: Illegal user account from 66.135.33.104
Jul 27 20:32:24 miles sshd[421]: input_userauth_request: illegal user account
Jul 27 20:32:24 miles sshd[11756]: Failed password for illegal user account from 66.135.33.104 port 48340 ssh2
Jul 27 20:32:24 miles sshd[421]: Failed password for illegal user account from 66.135.33.104 port 48340 ssh2
Jul 27 20:32:24 miles sshd[421]: Received disconnect from 66.135.33.104: 11: Bye Bye
2004-Jul-28 3:09 am
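Editor's added example, not posted by anyone in this thread: a small Python script that parses sshd auth-log lines of the kind quoted above (the "Illegal user", "Failed password for [illegal user]" and "Accepted password" forms, including the ::ffff: mapped addresses), aggregates them per source address, attaches a verdict, and reproduces the "Failed logins from these:" section of the logwatch e-mail CodeMaker16 pasted earlier. The sample lines, hostnames and addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are constructed; the probe-account list is the set of names the posters saw tried; the three-failure threshold is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict

# Patterns for the OpenSSH 3.x auth-log lines quoted in this thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ILLEGAL_RE = re.compile(r"^Illegal user (?P<user>\S+) from (?P<ip>\S+)$")
FAILED_RE = re.compile(
    r"^Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)
ACCEPT_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

# Account names the scanner in this thread was seen probing (taken from the posts).
PROBE_ACCOUNTS = {"test", "guest", "admin", "user"}

# Constructed sample input (not real log data); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul 26 19:30:15 gw sshd[2567]: Illegal user test from ::ffff:192.0.2.10
Jul 26 19:30:17 gw sshd[2567]: Failed password for illegal user test from ::ffff:192.0.2.10 port 59659 ssh2
Jul 26 19:30:19 gw sshd[2569]: Illegal user guest from ::ffff:192.0.2.10
Jul 26 19:30:22 gw sshd[2569]: Failed password for illegal user guest from ::ffff:192.0.2.10 port 59677 ssh2
Jul 27 20:31:45 gw sshd[30976]: Failed password for root from 198.51.100.7 port 48297 ssh2
Jul 27 20:31:47 gw sshd[7045]: Failed password for root from 198.51.100.7 port 48299 ssh2
Jul 27 20:31:48 gw sshd[21440]: Failed password for root from 198.51.100.7 port 48300 ssh2
Jul 27 20:31:48 gw sshd[21440]: Received disconnect from 198.51.100.7: 11: Bye Bye
Jul 28 08:12:03 gw sshd[12868]: Accepted password for test from 203.0.113.5 port 1954 ssh2
Jul 28 09:00:00 gw sshd[13001]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2
"""


def strip_mapped(ip):
    """'::ffff:a.b.c.d' is an IPv4 peer seen through an IPv6 socket; normalise it."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def parse(lines):
    """Turn raw sshd syslog lines into (kind, user, ip) events; other lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        for kind, rx in (("illegal", ILLEGAL_RE), ("failed", FAILED_RE), ("accepted", ACCEPT_RE)):
            mm = rx.match(msg)
            if mm:
                events.append({"ts": m.group("ts"), "kind": kind,
                               "user": mm.group("user"), "ip": strip_mapped(mm.group("ip"))})
                break
    return events


def summarize(events, threshold=3):
    """Aggregate per source address and attach a verdict (threshold is an arbitrary choice)."""
    per_ip = defaultdict(lambda: {"failed": 0, "illegal": 0, "accepted": [], "users": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        if e["kind"] == "failed":
            s["failed"] += 1
        elif e["kind"] == "illegal":
            s["illegal"] += 1
        else:
            s["accepted"].append(e["user"])
    report = {}
    for ip, s in per_ip.items():
        if any(u in PROBE_ACCOUNTS for u in s["accepted"]):
            verdict = "probe-account-login"   # loconet6's case: a guessable account let them in
        elif s["failed"] >= threshold:
            verdict = "brute-force"
        elif s["users"] & PROBE_ACCOUNTS:
            verdict = "probe"
        else:
            verdict = "ok"
        report[ip] = {"failed": s["failed"], "illegal": s["illegal"], "accepted": s["accepted"],
                      "users": sorted(s["users"]), "verdict": verdict}
    return report


def logwatch_lines(events):
    """Reproduce the 'Failed logins from these:' section of the logwatch e-mail quoted above."""
    counts = Counter((e["user"], e["ip"]) for e in events if e["kind"] == "failed")
    out = ["Failed logins from these:"]
    for (user, ip), n in sorted(counts.items()):
        out.append(f"   {user}/password from {ip}: {n} Time(s)")
    return out


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    for ip, row in sorted(summarize(evs).items()):
        print(f"{ip:15} {row['verdict']:20} failed={row['failed']} users={','.join(row['users'])}")
    print("\n".join(logwatch_lines(evs)))
```

The "Accepted password for test" case is ranked above a plain burst of failures on purpose: a success on a probe account is what turned loconet6's scan into a rooted box, and it produces far fewer log lines than the failures around it.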
to devrandom
Your entries say "failed password for illegal user test". Other people's entries simply say "illegal user test". This is one post below where it says "failed password..." for root, but merely "illegal user" for test and guest.
Do you have accounts 'test' and 'guest' on your system?
2004-Jul-28 3:19 am
devrandom (I got a pot, full of random stuff here) Premium Member join:2003-06-28
Accounting is different for some people. Read other posts:

said by w6bi:
Jul 27 19:06:00 fw sshd[31336]: Illegal user test from 66.63.168.131
Jul 27 19:06:03 fw sshd[31336]: Failed password for illegal user test from 66.63.168.131 port 37193 ssh2
2004-Jul-28 5:54 am
Alexander Kuznetsov
Anon
2004-Jul-28 8:20 am
First attempt: Jul 16 02:06:30
Users: root, admin, guest, test, user
IP's: 192.83.184.18 211.182.241.194 61.221.196.181 62.100.21.188 62.67.45.4 63.166.192.149 66.165.234.7 81.8.206.35
Now, I started logging TCP packets for these situations.
Logs:

Jul 16 02:06:30 iserver sshd[13407]: Illegal user test from 62.67.45.4
Jul 16 02:06:30 iserver sshd[13407]: error: Could not get shadow information for NOUSER
Jul 16 02:06:30 iserver sshd[13407]: Failed password for illegal user test from 62.67.45.4 port 51881 ssh2
Jul 16 02:06:31 iserver sshd[13409]: Illegal user guest from 62.67.45.4
Jul 16 02:06:31 iserver sshd[13409]: error: Could not get shadow information for NOUSER
Jul 16 02:06:31 iserver sshd[13409]: Failed password for illegal user guest from 62.67.45.4 port 51913 ssh2
Jul 16 02:06:32 iserver sshd[13411]: Illegal user admin from 62.67.45.4
Jul 16 02:06:32 iserver sshd[13411]: error: Could not get shadow information for NOUSER
Jul 16 02:06:32 iserver sshd[13411]: Failed password for illegal user admin from 62.67.45.4 port 51951 ssh2
Jul 16 02:06:32 iserver sshd[13413]: Illegal user admin from 62.67.45.4
Jul 16 02:06:32 iserver sshd[13413]: error: Could not get shadow information for NOUSER
Jul 16 02:06:32 iserver sshd[13413]: Failed password for illegal user admin from 62.67.45.4 port 51990 ssh2
Jul 16 02:06:33 iserver sshd[13415]: Illegal user user from 62.67.45.4
Jul 16 02:06:33 iserver sshd[13415]: error: Could not get shadow information for NOUSER
Jul 16 02:06:33 iserver sshd[13415]: Failed password for illegal user user from 62.67.45.4 port 52028 ssh2
Jul 16 02:06:34 iserver sshd[13417]: Failed password for root from 62.67.45.4 port 52067 ssh2
Jul 16 02:06:35 iserver sshd[13419]: Failed password for root from 62.67.45.4 port 52112 ssh2
Jul 16 02:06:35 iserver sshd[13421]: Failed password for root from 62.67.45.4 port 52136 ssh2
Jul 16 02:06:36 iserver sshd[13423]: Illegal user test from 62.67.45.4
Jul 16 02:06:36 iserver sshd[13423]: error: Could not get shadow information for NOUSER
Jul 16 02:06:36 iserver sshd[13423]: Failed password for illegal user test from 62.67.45.4 port 52161 ssh2
Jul 16 21:17:00 iserver sshd[31327]: Illegal user test from 62.100.21.188
Jul 16 21:17:00 iserver sshd[31327]: error: Could not get shadow information for NOUSER
Jul 16 21:17:00 iserver sshd[31327]: Failed password for illegal user test from 62.100.21.188 port 52313 ssh2
Jul 16 21:17:01 iserver sshd[31329]: Illegal user guest from 62.100.21.188
Jul 16 21:17:01 iserver sshd[31329]: error: Could not get shadow information for NOUSER
Jul 16 21:17:01 iserver sshd[31329]: Failed password for illegal user guest from 62.100.21.188 port 52321 ssh2
Jul 19 09:18:40 iserver sshd[26466]: Illegal user test from 66.165.234.7
Jul 19 09:18:40 iserver sshd[26466]: error: Could not get shadow information for NOUSER
Jul 19 09:18:40 iserver sshd[26466]: Failed password for illegal user test from 66.165.234.7 port 54838 ssh2
Jul 19 09:18:42 iserver sshd[26468]: Illegal user guest from 66.165.234.7
Jul 19 09:18:42 iserver sshd[26468]: error: Could not get shadow information for NOUSER
Jul 19 09:18:42 iserver sshd[26468]: Failed password for illegal user guest from 66.165.234.7 port 54852 ssh2
Jul 23 20:27:13 iserver sshd[29038]: Illegal user test from 63.166.192.149
Jul 23 20:27:13 iserver sshd[29038]: error: Could not get shadow information for NOUSER
Jul 23 20:27:13 iserver sshd[29038]: Failed password for illegal user test from 63.166.192.149 port 2998 ssh2
Jul 23 20:27:14 iserver sshd[29040]: Illegal user guest from 63.166.192.149
Jul 23 20:27:14 iserver sshd[29040]: error: Could not get shadow information for NOUSER
Jul 23 20:27:14 iserver sshd[29040]: Failed password for illegal user guest from 63.166.192.149 port 3010 ssh2
Jul 24 15:34:50 iserver sshd[6361]: Illegal user test from 81.8.206.35
Jul 24 15:34:50 iserver sshd[6361]: error: Could not get shadow information for NOUSER
Jul 24 15:34:50 iserver sshd[6361]: Failed password for illegal user test from 81.8.206.35 port 55389 ssh2
Jul 24 15:34:51 iserver sshd[6363]: Illegal user guest from 81.8.206.35
Jul 24 15:34:51 iserver sshd[6363]: error: Could not get shadow information for NOUSER
Jul 24 15:34:51 iserver sshd[6363]: Failed password for illegal user guest from 81.8.206.35 port 55448 ssh2
Jul 26 04:22:11 iserver sshd[21279]: Illegal user test from 211.182.241.194
Jul 26 04:22:11 iserver sshd[21279]: error: Could not get shadow information for NOUSER
Jul 26 04:22:12 iserver sshd[21279]: Failed password for illegal user test from 211.182.241.194 port 59215 ssh2
Jul 26 04:22:15 iserver sshd[21281]: Illegal user guest from 211.182.241.194
Jul 26 04:22:15 iserver sshd[21281]: error: Could not get shadow information for NOUSER
Jul 26 04:22:15 iserver sshd[21281]: Failed password for illegal user guest from 211.182.241.194 port 59238 ssh2
Jul 27 04:41:01 iserver sshd[9741]: Illegal user test from 61.221.196.181
Jul 27 04:41:01 iserver sshd[9741]: error: Could not get shadow information for NOUSER
Jul 27 04:41:01 iserver sshd[9741]: Failed password for illegal user test from 61.221.196.181 port 3495 ssh2
Jul 27 04:41:04 iserver sshd[9743]: Illegal user guest from 61.221.196.181
Jul 27 04:41:04 iserver sshd[9743]: error: Could not get shadow information for NOUSER
Jul 27 04:41:04 iserver sshd[9743]: Failed password for illegal user guest from 61.221.196.181 port 3503 ssh2
Jul 27 14:58:05 iserver sshd[22505]: Illegal user test from 192.83.184.18
Jul 27 14:58:05 iserver sshd[22505]: error: Could not get shadow information for NOUSER
Jul 27 14:58:05 iserver sshd[22505]: Failed password for illegal user test from 192.83.184.18 port 32779 ssh2
Jul 27 14:58:08 iserver sshd[22507]: Illegal user guest from 192.83.184.18
Jul 27 14:58:08 iserver sshd[22507]: error: Could not get shadow information for NOUSER
Jul 27 14:58:08 iserver sshd[22507]: Failed password for illegal user guest from 192.83.184.18 port 32845 ssh2
2004-Jul-28 8:20 am
to sporkme
In response to sporkme's log above:
Out of curiosity I did a whois on the 210.98.189.73 address you gave and this is what turned up:
inetnum: 210.98.189.0 - 210.98.189.255
netname: KOREAOTZCA22525D-KR
descr: Korea Otzca Medicine
descr: Samkwang bldge.,317-7 Shinchun4-dong Dong-gu
descr: TAEGU
descr: 701-024
country: KR
admin-c: DE28-AP
tech-c: DE28-AP
mnt-by: MAINT-KR-DACOM
status: ASSIGNED NON-PORTABLE
remarks: imported from KRNIC
changed: hm-changed@apnic.net 20021023
source: APNIC
person: Daeshik Eom
address: Korea Otzca Medicine
address: Samkwang bldge.,317-7 Shinchun4-dong Dong-gu
address: TAEGU
address: 701-024
country: KR
phone: +82-53-743-3248
e-mail: b0022525@users.bora.net
nic-hdl: DE28-AP
mnt-by: MAINT-KR-DACOM
remarks: imported from KRNIC
changed: hm-changed@apnic.net 20021022
source: APNIC
just thought you would like to know
BTW: I tried a few of the IPs given in the post, and they all respond with a key when you try to ssh them - meaning that they are all active as well.
2004-Jul-28 8:51 am
JohnInSJ Premium Member join:2003-09-22 Aptos, CA
to BeesTea
Here's today's attempts in my log (after a couple days w/o any):

Failed logins from these:
   guest/password from 216.23.163.25: 4 Time(s)
   guest/password from 66.63.168.131: 2 Time(s)
   test/password from 216.23.163.25: 4 Time(s)
   test/password from 66.63.168.131: 2 Time(s)

Illegal users from these:
   guest/none from 216.23.163.25: 4 Time(s)
   guest/none from 66.63.168.131: 2 Time(s)
   guest/password from 216.23.163.25: 4 Time(s)
   guest/password from 66.63.168.131: 2 Time(s)
   test/none from 216.23.163.25: 4 Time(s)
   test/none from 66.63.168.131: 2 Time(s)
   test/password from 216.23.163.25: 4 Time(s)
   test/password from 66.63.168.131: 2 Time(s)
Still not a massive flood, but annoying.
2004-Jul-28 10:13 am
BeesTea (Internet Janitor) Premium Member join:2003-03-08
2004-Jul-28 10:56 am
Greetings folks,
Here's a summary of the scanning.
Hosts are scanned randomly for weak accounts (test, user, etc). When one is discovered the attacker grabs a few local exploits and as mentioned above also an emech bot kit with a bnc. The bots are pointed at the undernet and set to join 2 separate channels.
The tools and botkits are coming from the following IP's
195.110.124.188 81.196.20.134 64.251.5.10
IRC operators and abuse@ for the providers have been contacted. We'll see how it goes.
Things you can do to mitigate this threat are fairly obvious.
Filter packets to your sshd or run the sshd on a non-standard port. Set your sshd_config to "PasswordAuthentication no", forcing users to use key authentication.
Additionally, you can filter or null route the above listed IP's. That will only be effective for however long the tools stay at that location.
I think we've solved the mystery, now it's time to notify providers of the hosts scanning everyone.
Cheers, -BeesT
EDIT: Added an additional IP.
2004-Jul-28 10:56 am
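Editor's added example, not BeesTea's code or anything from the thread: a Python audit of an sshd_config against the mitigations listed above (PasswordAuthentication no, a non-standard port, source filtering). It honours the parsing rules of sshd_config(5): keywords are case-insensitive, the first occurrence of a keyword wins, and a Match line ends the global section. The two configs are constructed samples; the defaults table reflects what sshd_config(5) documented for the OpenSSH 3.x releases in this thread (newer releases default PermitRootLogin to prohibit-password, which this audit treats like no), and the severity labels are the editor's own choice.

```python
import re

# Defaults as documented in sshd_config(5) for the OpenSSH 3.x era (assumption: newer releases
# default PermitRootLogin to prohibit-password, which this audit treats the same as "no").
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
    "usepam": "no",
}

# Constructed sample: the shape of config the scanned boxes in this thread were running.
WEAK_CONFIG = """\
# weak sshd_config (constructed example)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed sample applying the advice above; the Match block is a deliberate scoped exception.
HARDENED_CONFIG = """\
# hardened sshd_config (constructed example)
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers ops@192.0.2.0/24
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks) using sshd(8)'s rules: '#' starts a comment,
    keywords are case-insensitive, the FIRST occurrence of a keyword wins, and a 'Match' line
    ends the global section (later lines apply only to connections matching its criteria)."""
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "settings": {}}
            blocks.append(current)
            continue
        target = current["settings"] if current else global_cfg
        target.setdefault(key, value)  # first occurrence wins
    return global_cfg, blocks


def effective(cfg, key):
    """Value sshd would use for a global keyword: explicit setting, else the documented default."""
    return cfg.get(key, DEFAULTS.get(key, "")).lower()


def audit_sshd_config(text):
    """Return (severity, message) findings for the password-guessing exposure discussed here."""
    cfg, blocks = parse_sshd_config(text)
    findings = []
    if effective(cfg, "passwordauthentication") != "no":
        findings.append(("HIGH", "PasswordAuthentication is effectively yes: a guessed password "
                                 "is enough; set it to no and use key authentication"))
    if effective(cfg, "challengeresponseauthentication") != "no" and effective(cfg, "usepam") == "yes":
        findings.append(("MEDIUM", "ChallengeResponseAuthentication with UsePAM still lets a client "
                                   "type a password via keyboard-interactive; set it to no as well"))
    if effective(cfg, "permitrootlogin") == "yes":
        findings.append(("HIGH", "PermitRootLogin yes: every scanner in this thread tried root; set it to no"))
    if effective(cfg, "port") == "22":
        findings.append(("LOW", "sshd listens on 22; a non-standard port only cuts scanner noise, "
                                "it is not an access control"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("LOW", "no AllowUsers/AllowGroups: every local account, test/guest style "
                                "ones included, may attempt to log in"))
    for b in blocks:
        if b["settings"].get("passwordauthentication", "").lower() == "yes":
            findings.append(("INFO", f"Match {b['criteria']} re-enables PasswordAuthentication; "
                                     "confirm that scope is intended"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for sev, msg in audit_sshd_config(text) or [("OK", "no findings")]:
            print(f"{sev:6} {msg}")
```

The first-occurrence rule is the part people get wrong by hand: appending "PasswordAuthentication no" to the end of a file that already says "yes" higher up changes nothing, which is why the audit reads the file the way sshd does rather than taking the last value it sees.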
mindfunk
Anon
2004-Jul-28 10:58 am
to loconet6
So, I don't get it. What is the exploit? How did it get into the root account? Did it guess the password, or was it some exploit in openssh?
My first assumption is that this was some default account on a dsl router/hub running linux (ala linksys, buffalo, etc...) and a worm was just trolling through ips to find them. But... this appears to be different.
2004-Jul-28 10:58 am
BeesTea (Internet Janitor) Premium Member join:2003-03-08
2004-Jul-28 11:03 am
said by mindfunk:
So, I don't get it. What is the exploit? How did it get into the root account? Did it guess the password, or was it some exploit in openssh?

The initial attack vector is weak login/password combinations: test/test, guest/guest, etc. From there, one of the 3 most recent kernel vulnerabilities for Linux is exploited. There is not a new exploit for OpenSSH in the wild.

Cheers, -BeesT
2004-Jul-28 11:03 am
to pflog
Hi!

said by pflog:
This is disconcerting. The machine that scanned you is running an open OpenSSH daemon:
Or, it's an OpenBSD firewall doing NAT, and the host the scans come from is behind that firewall.

- Jyri
2004-Jul-28 1:32 pm
stak_o
Anon
2004-Jul-28 2:14 pm
to pflog
It is probably just looking for the headers that you are looking for, and doesn't care about the account names. I am thinking that someone has been working on a mass SSH scanning tool and is putting it through its running legs now.
2004-Jul-28 2:14 pm
Hi!

I collect logs from a bunch of OpenBSD hosts. Below is what I found (sorry about the messy format). Most of the hosts doing the scans seem to be running sshd. I'm afraid this could mean there is a new SSH exploit out in the wild. I don't believe the scans have anything to do with brute force attacks - it's more probable that scans are used to locate hosts with a vulnerable SSH daemon. I think admins would be wise to restrict SSH logins to known IP addresses (or subnets) when possible.

- Jyri

------------------------------------------------------------------------
Total of 166 records
First record: Jul 17th 17.27 EET (GMT +2)
Addresses, geological area, banners and usernames tested:
* = host appears more than once
Jul 17
212.65.244.xxx RIPE \ SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 \ admin, guest, user, test
Jul 20
61.60.51.xxx APNIC (no response) \ guest, test
66.250.111.xxx ARIN SSH-1.99-OpenSSH_3.1p1 \ admin, guest, user, test
Jul 21
195.113.17.xxx RIPE (no response) \ guest, test
Jul 23
63.166.192.xxx ARIN (no response) \ guest, test
211.119.136.xxx APNIC (no response) \ guest, test
216.20.112.xxx ARIN SSH-1.99-OpenSSH_2.3.0p1 \ guest, test
Jul 24
* 61.109.156.xxx APNIC SSH-1.99-OpenSSH_3.5p1 \ guest, test
64.8.171.xxx ARIN (no response) \ admin, guest, user, test
Jul 25
* 61.109.156.xxx APNIC SSH-1.99-OpenSSH_3.5p1 \ guest, test
80.53.236.xxx RIPE (connection refused) \ guest, test
* 81.8.206.xxx RIPE SSH-1.99-OpenSSH_3.6.1p2 \ guest, test
210.101.234.xxx APNIC (no response) \ guest, test
Jul 26
* 61.109.156.xxx APNIC SSH-1.99-OpenSSH_3.5p1 \ guest, test
67.68.231.xxx ARIN SSH-1.99-OpenSSH_3.5p1 \ guest, test
* 81.8.206.xxx RIPE SSH-1.99-OpenSSH_3.6.1p2 \ guest, test
202.134.73.xxx APNIC SSH-1.99-OpenSSH_3.1p1 \ guest, test
Jul 27
* 81.8.206.xxx RIPE SSH-1.99-OpenSSH_3.6.1p2 \ guest, test
194.204.17.xxx RIPE SSH-1.99-OpenSSH_3.5p1 \ guest, test
208.30.184.xxx ARIN (connection refused) \ guest, test
210.0.186.xxx APNIC SSH-2.0-OpenSSH_3.5p1 \ guest, test
210.83.203.xxx APNIC SSH-1.99-OpenSSH_2.5.2p2 \ guest, test
Jul 28
64.69.77.xxx ARIN (connection refused) \ guest, test
69.0.134.xxx ARIN SSH-1.99-OpenSSH_2.9p2 \ admin, user, guest, test
209.176.248.xxx ARIN SSH-1.99-OpenSSH_2.3.0p1 \ guest, test
211.184.226.xxx APNIC (connection refused) \ guest, test
------------------------------------------------------------------------ |
· actions · 2004-Jul-28 2:48 pm · (locked) |
BeesTea (Internet Janitor, Premium Member, join:2003-03-08)
2004-Jul-28 2:55 pm
said by jhovila: Hi!
I collect logs from a bunch of OpenBSD hosts. Below is what I found (sorry about the messy format).
Most of the hosts doing the scans seem to be running sshd. I'm afraid this could mean there is a new SSH exploit out in the wild. I don't believe the scans have anything to do with brute force attacks - it's more probable that scans are used to locate hosts with vulnerable SSH daemon.
I think admins would do wisely restricting SSH logins to known IP addresses (or subnets) when possible.
- Jyri
I would disagree. Not only because the purpose of the scanning has been figured out, but because it's not necessary to make a login to get version information from an sshd. A simple netcat script could do this and not get the attention the scanning has attracted. It is however good to filter what hosts can access your sshd. Authorization is just as important as authentication. Cheers, -BeesT |
· actions · 2004-Jul-28 2:55 pm · (locked) |
to mindfunk
Hi!
said by mindfunk: So, I don't get it. What is the exploit? How did it get into the root account? Did it guess the password, or was it some exploit in openssh?
I'm pretty sure there is a new SSH exploit around. This clearly isn't a brute force attack. As we are seeing lots of scans, but only a few r00ted hosts, it really doesn't look like a worm either. Someone seems to be scanning for vulnerable SSH daemons, obviously using already r00ted hosts, and then roots vulnerable hosts of his/her choice manually. - Jyri
· actions · 2004-Jul-28 2:58 pm · (locked) |
BeesTea (Internet Janitor, Premium Member, join:2003-03-08)
2004-Jul-28 3:31 pm
Below is a summarized list of SSH scanners should you want to filter them and be done with seeing the log entries.
61.19.194.13 61.109.156.5 61.109.250.92 61.193.179.162 61.222.98.114 61.250.212.180 63.166.192.149 64.230.97.170 66.28.238.195 66.172.158.2 66.250.111.33 67.19.66.132 80.81.38.77 80.242.100.55 81.8.206.35 134.21.2.227 195.145.50.98 195.225.129.20 202.71.136.123 202.154.208.50 203.141.151.156 208.14.142.3 208.226.76.251 210.40.224.10 210.92.210.67 211.22.117.121 211.63.129.131 211.184.226.193 211.222.102.29 212.89.103.132 216.55.164.10 218.103.33.212 218.244.240.195 219.103.193.130 219.120.54.178 220.80.108.73
Cheers, -BeesT |
· actions · 2004-Jul-28 3:31 pm · (locked) |
MBC0 (Member, join:2001-06-06, Huntington Beach, CA)
2004-Jul-28 5:08 pm
Here are a few more I have been getting hit for approx. 2 weeks now:
Illegal user test from 65.38.161.50
Illegal user test from 204.66.79.13
Illegal user test from 204.167.145.92
Illegal user test from 217.160.129.166
Illegal user guest from 217.58.140.2
· actions · 2004-Jul-28 5:08 pm · (locked) |
pflog (MVM, join:2001-09-01, El Dorado Hills, CA) to BeesTea
Only one I have in common with you is:
81.8.206.35
Then again I only have four total:
62.129.173.135
81.8.206.35
195.90.13.134
219.120.54.179
· actions · 2004-Jul-28 10:06 pm · (locked) |
to BeesTea
Jul 27 07:28:08 webber sshd[29992]: Illegal user test from 195.200.122.82
Jul 27 07:28:08 webber sshd[29992]: Failed password for illegal user test from 195.200.122.82 port 48935 ssh2
Jul 27 07:28:09 webber sshd[29994]: Illegal user guest from 195.200.122.82
Jul 27 07:28:09 webber sshd[29994]: Failed password for illegal user guest from 195.200.122.82 port 48936 ssh2
Jul 28 10:16:04 webber sshd[30852]: Illegal user test from 65.61.98.16
Jul 28 10:16:04 webber sshd[30852]: Failed password for illegal user test from 65.61.98.16 port 49621 ssh2
Jul 28 10:16:05 webber sshd[30854]: Illegal user guest from 65.61.98.16
Jul 28 10:16:05 webber sshd[30854]: Failed password for illegal user guest from 65.61.98.16 port 49657 ssh2
· actions · 2004-Jul-28 10:52 pm · (locked) |
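A small triage script for sshd log lines in the format quoted throughout this thread, added here as an example (not code posted by anyone in the thread). It parses `Failed password` and `Accepted password` entries, folds the `::ffff:` IPv4-mapped prefix into the plain address, and separates sources that only probe the well-known test/guest/admin/user names from any source that actually got into one of those accounts. The sample log is constructed for the example; the two addresses on its last lines are RFC 5737 documentation addresses, not hosts from the thread.

```python
import re
from collections import defaultdict

PROBE_ACCOUNTS = {"test", "guest", "admin", "user"}  # names tried by the scanners in this thread

# Constructed sample lines in the sshd syslog format quoted in the thread. The last two
# source addresses (198.51.100.7, 192.0.2.10) are documentation addresses, not real hosts.
SAMPLE_LOG = """\
Jul 27 07:28:08 webber sshd[29992]: Illegal user test from 195.200.122.82
Jul 27 07:28:08 webber sshd[29992]: Failed password for illegal user test from 195.200.122.82 port 48935 ssh2
Jul 27 07:28:09 webber sshd[29994]: Illegal user guest from 195.200.122.82
Jul 27 07:28:09 webber sshd[29994]: Failed password for illegal user guest from 195.200.122.82 port 48936 ssh2
Jul 28 10:16:04 webber sshd[30852]: Illegal user test from ::ffff:65.61.98.16
Jul 28 10:16:04 webber sshd[30852]: Failed password for illegal user test from ::ffff:65.61.98.16 port 49621 ssh2
Jul 28 22:26:51 webber sshd[12868]: Accepted password for test from ::ffff:198.51.100.7 port 1954 ssh2
Jul 28 23:00:00 webber sshd[12900]: Accepted password for alice from 192.0.2.10 port 2222 ssh2
"""

# "Illegal user" lines are deliberately ignored: the matching "Failed password" line
# carries the same user and source, so counting both would double every attempt.
FAILED = re.compile(r"Failed password for (?:illegal user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port \d+")

def normalize(addr):
    """Strip the IPv4-mapped prefix so ::ffff:1.2.3.4 and 1.2.3.4 count as one source."""
    return addr[7:] if addr.startswith("::ffff:") else addr

def summarize(log_text):
    """Per source address: how often each user name failed, and which logins succeeded."""
    sources = defaultdict(lambda: {"failed": defaultdict(int), "accepted": set()})
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            user, src = m.group(1), normalize(m.group(2))
            sources[src]["failed"][user] += 1
        elif m := ACCEPTED.search(line):
            user, src = m.group(1), normalize(m.group(2))
            sources[src]["accepted"].add(user)
    return sources

def probe_sources(sources):
    """Sources whose only activity is failed logins against the probe account names."""
    return sorted(src for src, s in sources.items()
                  if s["failed"] and not s["accepted"]
                  and set(s["failed"]) <= PROBE_ACCOUNTS)

def suspicious_logins(sources):
    """(user, source) pairs where a probe account was actually accepted: the rooted-box case."""
    return sorted((user, src) for src, s in sources.items()
                  for user in s["accepted"] if user in PROBE_ACCOUNTS)
```

Feed it `/var/log/auth.log` or `/var/log/secure` in place of the sample; a non-empty `suspicious_logins` result is the entry that matters, the probe list is what you feed a firewall rule.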
Jimvin (Anon) to pflog
2004-Jul-29 4:35 am
The version banner can be misleading. Trojaned sshd binaries are common and often the attacker will change the banner to read the same as the current version on the box in question.
Anyone tried using the suspicious userids on a scanning machine?
Jimvin |
· actions · 2004-Jul-29 4:35 am · (locked) |
jmnbrokenarm (Anon) to pflog
2004-Jul-29 6:47 am
actually it's just some lame tool trying to bruteforce 2 accounts, being guest and test, as far as I was given the opportunity to investigate the case with a honeypot.
the toolkit uploaded on the honeypot system I used to investigate was made of the SSH bruteforcer (some warez by a team known as haitateam), a syn scanner (posted lately on packetstorm by the same team), and a ./hack.sh for the kid not to have to type a more_then_10_chars_long_cmdline.
I'd rather not post IP addresses of probing hosts in public forums and mailing list archives, since most of the probing hosts are compromised ones, and the kids don't seem to bother changing the passwords and covering their tracks.
· actions · 2004-Jul-29 6:47 am · (locked) |
to BeesTea
Woke up this morning, 3rd set of tries for this week:
Failed logins from these:
guest/password from ::ffff:203.85.183.10: 1 Time(s)
guest/password from ::ffff:208.145.229.70: 1 Time(s)
test/password from ::ffff:203.85.183.10: 1 Time(s)
test/password from ::ffff:208.145.229.70: 1 Time(s)
Illegal users from these:
guest/none from ::ffff:203.85.183.10: 1 Time(s)
guest/none from ::ffff:208.145.229.70: 1 Time(s)
guest/password from ::ffff:203.85.183.10: 1 Time(s)
guest/password from ::ffff:208.145.229.70: 1 Time(s)
test/none from ::ffff:203.85.183.10: 1 Time(s)
test/none from ::ffff:208.145.229.70: 1 Time(s)
test/password from ::ffff:203.85.183.10: 1 Time(s)
test/password from ::ffff:208.145.229.70: 1 Time(s)
· actions · 2004-Jul-29 10:12 am · (locked) |
MBC0 (Member, join:2001-06-06, Huntington Beach, CA) to jmnbrokenarm
said by jmnbrokenarm: actually it's just some lame tool trying to bruteforce 2 accounts, being guest and test, as far as I was given the opportunity to investigate the case with a honeypot.
I am getting some other account attempts other than the two now:
Failed logins from these:
account/password from 66.135.33.104: 5 Time(s)
apache/password from 66.135.33.104: 5 Time(s)
master/password from 66.135.33.104: 5 Time(s)
matt/password from 66.135.33.104: 5 Time(s)
nobody/password from 66.135.33.104: 5 Time(s)
noc/password from 66.135.33.104: 5 Time(s)
patrick/password from 66.135.33.104: 10 Time(s)
root/password from 66.135.33.104: 100 Time(s)
sybase/password from 66.135.33.104: 5 Time(s)
test/password from 66.135.33.104: 20 Time(s)
web/password from 66.135.33.104: 5 Time(s)
www-data/password from 66.135.33.104: 5 Time(s)
www/password from 66.135.33.104: 5 Time(s)
wwwrun/password from 66.135.33.104: 5 Time(s)
· actions · 2004-Jul-29 10:17 am · (locked) |
PetePuma (MVM, join:2002-06-13, Arlington, VA)
My first ones:
Jul 28 20:07:41 turbinium sshd[25586]: Illegal user test from 141.35.26.170
Jul 28 20:07:44 turbinium sshd[25586]: Failed password for illegal user test from 141.35.26.170 port 41156 ssh2
Jul 28 20:07:45 turbinium sshd[25588]: Illegal user guest from 141.35.26.170
Jul 28 20:07:47 turbinium sshd[25588]: Failed password for illegal user guest from 141.35.26.170 port 41157 ssh2
· actions · 2004-Jul-29 10:54 am · (locked) |