loconet6
Member
join:2004-07-27
Richmond Hill, ON

loconet6 to pflog

Re: SSH scanning.

Finally I found some info on this. Great thread guys.

One of the boxes at work actually got rooted through a successful attempt at the account test:

Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2

...

These were followed by more attempts at user test/guest/admin/root

Our ISP shut us down as some other admins reported that this box was now attempting brute force logins on other boxes within the same network space. This actually included one of our other boxes, which luckily was not rooted.

Anyways, once we managed to bring our box back up we noticed that after the successful login, it proceeded to install a rootkit. In this case we detected SuckIt.

After various attempts, we were able to remove SuckIt:

[root@server .sk12]# ./sk u
/dev/null
Detected version: 1.3b
Suckit uninstalled sucesfully!

As usual for this rootkit, it had installed an exploited sshd, a password sniffer, and infected initd and telnetd.

More info on sk:
www.phrack.org/show.php?p=58&a=7

Up to this day, we get at least 10 brute force attempts a day on most of our boxes.

CodeMaker16
The Code Hacker
Member
join:2003-04-08
Brookline, MA

CodeMaker16 to BeesTea
Whoaa...got ANOTHER attack attempt 2 days later:

Jul 26 19:30:15 codewarz sshd[2567]: Illegal user test from ::ffff:211.117.66.166
Jul 26 19:30:17 codewarz sshd[2567]: Failed password for illegal user test from ::ffff:211.117.66.166 port 59659 ssh2
Jul 26 19:30:19 codewarz sshd[2569]: Illegal user guest from ::ffff:211.117.66.166
Jul 26 19:30:22 codewarz sshd[2569]: Failed password for illegal user guest from ::ffff:211.117.66.166 port 59677 ssh2

Here's how it came in my email:
--------------------- SSHD Begin ------------------------

Failed logins from these:
guest/password from ::ffff:211.117.66.166: 1 Time(s)
test/password from ::ffff:211.117.66.166: 1 Time(s)

Illegal users from these:
guest/none from ::ffff:211.117.66.166: 1 Time(s)
guest/password from ::ffff:211.117.66.166: 1 Time(s)
test/none from ::ffff:211.117.66.166: 1 Time(s)
test/password from ::ffff:211.117.66.166: 1 Time(s)

Here's the ip: 211.117.66.166

Here's the nmap -sV of 211.117.66.166

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-07-27 11:35 EDT
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Interesting ports on 211.117.66.166:
(The 1641 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
20/tcp open ssh OpenSSH 2.9.2 (protocol 1.5)
22/tcp open ssh OpenSSH 3.4p1 (protocol 1.99)
23/tcp open telnet Linux telnetd
25/tcp open smtp Sendmail 8.12.5/8.12.5
111/tcp open rpcbind 2 (rpc #100000)
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1521/tcp open oracle-tns Oracle DB Listener 9.2.0.1.0 (for Linux)
1720/tcp filtered H.323/Q.931
3128/tcp filtered squid-http
4444/tcp filtered krb524
6000/tcp open X11 (access denied)
8080/tcp open http Oracle XML DB webserver 9.2.0.1.0 (Oracle9i Enterprise Edition Release)
17300/tcp filtered kuang2
32771/tcp open sometimes-rpc5?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port32771-TCP:V=3.55%D=7/27%Time=4106767A%P=powerpc-apple-darwin7.4.0%r
SF:(oracle-tns,20,"\0\x20\0\0\x02\0\0\0\x016\0\0\x08\0\x7f\xff\x01\0\0\0\0
SF:\x20A\0\0\0\0\0\0\0\0\0");

(I even copied the unfound one :)) heh

pflog
Bueller? Bueller?
MVM
join:2001-09-01
El Dorado Hills, CA

pflog to loconet6
Ok, that's what we guessed initially, that the sshd was a compromised one, hence the regularity of the accounts being tried.

So the sshd's are used as a "botnet" of sorts between infected hosts? The real question is, how was the box exploited to begin with which led to the trojan'd sshd?
pflog
MVM

pflog to CodeMaker16
Vigilante counter-security is anything but productive.

silarsis
@netspace.net.au
Anon

silarsis to BeesTea
We had the same attack - the person in question got in, got root on the box. They then proceeded to download a kernel vulnerability (the mremap one for 2.4.24 and below) from www.hertza.ro and use it to get root, and attempt to create a user "sirzion". The hertza.ro site has been suspended; the creation of the user "sirzion" is interesting because there's a user registered on www.linux.ro with the name "sirzion" who claims to be the director of hertza (a computer store). It's not conclusive, but it's interesting.

They also installed an irc bounce program. We spotted them while they were installing things, kicked them off, they logged back in and cleaned up after themselves before we could drop the box. We've since replaced the system with a new box.

w6bi
Premium Member
join:2001-03-11
Simi Valley, CA

w6bi to BeesTea
I found these in my firewall logs tonight:
Jul 27 19:06:00 fw sshd[31336]: Illegal user test from 66.63.168.131
Jul 27 19:06:03 fw sshd[31336]: Failed password for illegal user test from 66.63.168.131 port 37193 ssh2
Jul 27 19:06:04 fw sshd[31338]: Illegal user guest from 66.63.168.131
Jul 27 19:06:06 fw sshd[31338]: Failed password for illegal user guest from 66.63.168.131 port 37400 ssh2

That resolves to msmtrack.com. It has an Apache test page there, and msmtrack.com/usage shows the vanilla Webalizer graphs. Looks like an older Linux box, rooted somehow.

bee-aye
gbroiles
Member
join:2001-03-02
San Jose, CA

gbroiles to BeesTea
I also found a lot of entries from this afternoon and evening:

Jul 27 12:59:39 miles newsyslog[21445]: logfile turned over
Jul 27 14:59:01 miles sshd[14433]: Illegal user test from 204.167.145.92
Jul 27 14:59:01 miles sshd[14433]: Failed password for illegal user test from 204.167.145.92 port 51689 ssh2
Jul 27 14:59:01 miles sshd[7787]: input_userauth_request: illegal user test
Jul 27 14:59:01 miles sshd[7787]: Failed password for illegal user test from 204.167.145.92 port 51689 ssh2
Jul 27 14:59:01 miles sshd[7787]: Received disconnect from 204.167.145.92: 11: Bye Bye
Jul 27 14:59:03 miles sshd[1148]: Illegal user guest from 204.167.145.92
Jul 27 14:59:03 miles sshd[26698]: input_userauth_request: illegal user guest
Jul 27 14:59:03 miles sshd[1148]: Failed password for illegal user guest from 204.167.145.92 port 51751 ssh2
Jul 27 14:59:03 miles sshd[26698]: Failed password for illegal user guest from 204.167.145.92 port 51751 ssh2
Jul 27 14:59:03 miles sshd[26698]: Received disconnect from 204.167.145.92: 11: Bye Bye
Jul 27 20:31:42 miles sshd[9444]: Failed password for nobody from 66.135.33.104 port 48293 ssh2
Jul 27 20:31:42 miles sshd[9061]: Failed password for nobody from 66.135.33.104 port 48293 ssh2
Jul 27 20:31:42 miles sshd[9444]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:43 miles sshd[2079]: Illegal user patrick from 66.135.33.104
Jul 27 20:31:43 miles sshd[18326]: input_userauth_request: illegal user patrick
Jul 27 20:31:43 miles sshd[2079]: Failed password for illegal user patrick from 66.135.33.104 port 48295 ssh2
Jul 27 20:31:43 miles sshd[18326]: Failed password for illegal user patrick from 66.135.33.104 port 48295 ssh2
Jul 27 20:31:43 miles sshd[18326]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:44 miles sshd[13442]: Illegal user patrick from 66.135.33.104
Jul 27 20:31:44 miles sshd[23970]: input_userauth_request: illegal user patrick
Jul 27 20:31:44 miles sshd[13442]: Failed password for illegal user patrick from 66.135.33.104 port 48296 ssh2
Jul 27 20:31:44 miles sshd[23970]: Failed password for illegal user patrick from 66.135.33.104 port 48296 ssh2
Jul 27 20:31:44 miles sshd[23970]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:45 miles sshd[30976]: Failed password for root from 66.135.33.104 port 48297 ssh2
Jul 27 20:31:45 miles sshd[24751]: Failed password for root from 66.135.33.104 port 48297 ssh2
Jul 27 20:31:45 miles sshd[30976]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:47 miles sshd[7045]: Failed password for root from 66.135.33.104 port 48299 ssh2
Jul 27 20:31:47 miles sshd[32712]: Failed password for root from 66.135.33.104 port 48299 ssh2
Jul 27 20:31:47 miles sshd[32712]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:48 miles sshd[21440]: Failed password for www from 66.135.33.104 port 48300 ssh2
Jul 27 20:31:48 miles sshd[22890]: Failed password for www from 66.135.33.104 port 48300 ssh2
Jul 27 20:31:48 miles sshd[21440]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:50 miles sshd[17814]: Illegal user wwwrun from 66.135.33.104
Jul 27 20:31:50 miles sshd[29238]: input_userauth_request: illegal user wwwrun
Jul 27 20:31:50 miles sshd[17814]: Failed password for illegal user wwwrun from 66.135.33.104 port 48301 ssh2
Jul 27 20:31:50 miles sshd[29238]: Failed password for illegal user wwwrun from 66.135.33.104 port 48301 ssh2
Jul 27 20:31:50 miles sshd[29238]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:51 miles sshd[4941]: Illegal user matt from 66.135.33.104
Jul 27 20:31:51 miles sshd[26159]: input_userauth_request: illegal user matt
Jul 27 20:31:51 miles sshd[4941]: Failed password for illegal user matt from 66.135.33.104 port 48303 ssh2
Jul 27 20:31:51 miles sshd[26159]: Failed password for illegal user matt from 66.135.33.104 port 48303 ssh2
Jul 27 20:31:51 miles sshd[26159]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:52 miles sshd[6398]: Illegal user test from 66.135.33.104
Jul 27 20:31:52 miles sshd[21975]: input_userauth_request: illegal user test
Jul 27 20:31:52 miles sshd[6398]: Failed password for illegal user test from 66.135.33.104 port 48304 ssh2
Jul 27 20:31:52 miles sshd[21975]: Failed password for illegal user test from 66.135.33.104 port 48304 ssh2
Jul 27 20:31:52 miles sshd[21975]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:53 miles sshd[16834]: Illegal user test from 66.135.33.104
Jul 27 20:31:53 miles sshd[16466]: input_userauth_request: illegal user test
Jul 27 20:31:53 miles sshd[16834]: Failed password for illegal user test from 66.135.33.104 port 48305 ssh2
Jul 27 20:31:53 miles sshd[16466]: Failed password for illegal user test from 66.135.33.104 port 48305 ssh2
Jul 27 20:31:53 miles sshd[16466]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:54 miles sshd[11793]: Illegal user test from 66.135.33.104
Jul 27 20:31:54 miles sshd[25816]: input_userauth_request: illegal user test
Jul 27 20:31:54 miles sshd[11793]: Failed password for illegal user test from 66.135.33.104 port 48307 ssh2
Jul 27 20:31:54 miles sshd[25816]: Failed password for illegal user test from 66.135.33.104 port 48307 ssh2
Jul 27 20:31:54 miles sshd[25816]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:55 miles sshd[29596]: Illegal user test from 66.135.33.104
Jul 27 20:31:55 miles sshd[23294]: input_userauth_request: illegal user test
Jul 27 20:31:55 miles sshd[29596]: Failed password for illegal user test from 66.135.33.104 port 48308 ssh2
Jul 27 20:31:55 miles sshd[23294]: Failed password for illegal user test from 66.135.33.104 port 48308 ssh2
Jul 27 20:31:55 miles sshd[23294]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:56 miles sshd[21765]: Illegal user www-data from 66.135.33.104
Jul 27 20:31:56 miles sshd[11975]: input_userauth_request: illegal user www-data
Jul 27 20:31:56 miles sshd[21765]: Failed password for illegal user www-data from 66.135.33.104 port 48309 ssh2
Jul 27 20:31:56 miles sshd[11975]: Failed password for illegal user www-data from 66.135.33.104 port 48309 ssh2
Jul 27 20:31:56 miles sshd[11975]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:57 miles sshd[17267]: Illegal user apache from 66.135.33.104
Jul 27 20:31:57 miles sshd[28817]: input_userauth_request: illegal user apache
Jul 27 20:31:57 miles sshd[17267]: Failed password for illegal user apache from 66.135.33.104 port 48311 ssh2
Jul 27 20:31:57 miles sshd[28817]: Failed password for illegal user apache from 66.135.33.104 port 48311 ssh2
Jul 27 20:31:57 miles sshd[28817]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:31:59 miles sshd[31025]: Failed password for root from 66.135.33.104 port 48312 ssh2
Jul 27 20:31:59 miles sshd[7773]: Failed password for root from 66.135.33.104 port 48312 ssh2
Jul 27 20:31:59 miles sshd[31025]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:00 miles sshd[6038]: Failed password for root from 66.135.33.104 port 48313 ssh2
Jul 27 20:32:00 miles sshd[30345]: Failed password for root from 66.135.33.104 port 48313 ssh2
Jul 27 20:32:00 miles sshd[6038]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:01 miles sshd[27679]: Failed password for root from 66.135.33.104 port 48315 ssh2
Jul 27 20:32:01 miles sshd[20614]: Failed password for root from 66.135.33.104 port 48315 ssh2
Jul 27 20:32:01 miles sshd[27679]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:02 miles sshd[19236]: Failed password for root from 66.135.33.104 port 48316 ssh2
Jul 27 20:32:02 miles sshd[9414]: Failed password for root from 66.135.33.104 port 48316 ssh2
Jul 27 20:32:02 miles sshd[19236]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:03 miles sshd[3425]: Failed password for root from 66.135.33.104 port 48317 ssh2
Jul 27 20:32:03 miles sshd[15323]: Failed password for root from 66.135.33.104 port 48317 ssh2
Jul 27 20:32:03 miles sshd[3425]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:05 miles sshd[25338]: Failed password for root from 66.135.33.104 port 48318 ssh2
Jul 27 20:32:05 miles sshd[4389]: Failed password for root from 66.135.33.104 port 48318 ssh2
Jul 27 20:32:05 miles sshd[4389]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:06 miles sshd[17104]: Failed password for root from 66.135.33.104 port 48319 ssh2
Jul 27 20:32:06 miles sshd[16239]: Failed password for root from 66.135.33.104 port 48319 ssh2
Jul 27 20:32:06 miles sshd[17104]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:07 miles sshd[20281]: Failed password for root from 66.135.33.104 port 48320 ssh2
Jul 27 20:32:07 miles sshd[5180]: Failed password for root from 66.135.33.104 port 48320 ssh2
Jul 27 20:32:07 miles sshd[20281]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:08 miles sshd[19318]: Failed password for root from 66.135.33.104 port 48322 ssh2
Jul 27 20:32:08 miles sshd[13083]: Failed password for root from 66.135.33.104 port 48322 ssh2
Jul 27 20:32:08 miles sshd[19318]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:09 miles sshd[30920]: Failed password for root from 66.135.33.104 port 48323 ssh2
Jul 27 20:32:09 miles sshd[13246]: Failed password for root from 66.135.33.104 port 48323 ssh2
Jul 27 20:32:09 miles sshd[30920]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:10 miles sshd[12630]: Failed password for root from 66.135.33.104 port 48324 ssh2
Jul 27 20:32:10 miles sshd[24892]: Failed password for root from 66.135.33.104 port 48324 ssh2
Jul 27 20:32:10 miles sshd[12630]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:11 miles sshd[3301]: Failed password for root from 66.135.33.104 port 48325 ssh2
Jul 27 20:32:11 miles sshd[32760]: Failed password for root from 66.135.33.104 port 48325 ssh2
Jul 27 20:32:12 miles sshd[3301]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:13 miles sshd[22980]: Failed password for root from 66.135.33.104 port 48327 ssh2
Jul 27 20:32:13 miles sshd[11718]: Failed password for root from 66.135.33.104 port 48327 ssh2
Jul 27 20:32:13 miles sshd[22980]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:14 miles sshd[8535]: Failed password for root from 66.135.33.104 port 48328 ssh2
Jul 27 20:32:14 miles sshd[21962]: Failed password for root from 66.135.33.104 port 48328 ssh2
Jul 27 20:32:14 miles sshd[8535]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:15 miles sshd[31543]: Failed password for root from 66.135.33.104 port 48329 ssh2
Jul 27 20:32:15 miles sshd[743]: Failed password for root from 66.135.33.104 port 48329 ssh2
Jul 27 20:32:15 miles sshd[31543]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:16 miles sshd[17898]: Failed password for root from 66.135.33.104 port 48330 ssh2
Jul 27 20:32:16 miles sshd[24704]: Failed password for root from 66.135.33.104 port 48330 ssh2
Jul 27 20:32:16 miles sshd[17898]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:17 miles sshd[29542]: Failed password for root from 66.135.33.104 port 48332 ssh2
Jul 27 20:32:17 miles sshd[26705]: Failed password for root from 66.135.33.104 port 48332 ssh2
Jul 27 20:32:17 miles sshd[29542]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:18 miles sshd[25446]: Failed password for root from 66.135.33.104 port 48333 ssh2
Jul 27 20:32:18 miles sshd[26185]: Failed password for root from 66.135.33.104 port 48333 ssh2
Jul 27 20:32:19 miles sshd[25446]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:20 miles sshd[30490]: Illegal user noc from 66.135.33.104
Jul 27 20:32:20 miles sshd[10176]: input_userauth_request: illegal user noc
Jul 27 20:32:20 miles sshd[30490]: Failed password for illegal user noc from 66.135.33.104 port 48334 ssh2
Jul 27 20:32:20 miles sshd[10176]: Failed password for illegal user noc from 66.135.33.104 port 48334 ssh2
Jul 27 20:32:20 miles sshd[10176]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:21 miles sshd[28136]: Illegal user web from 66.135.33.104
Jul 27 20:32:21 miles sshd[8053]: input_userauth_request: illegal user web
Jul 27 20:32:21 miles sshd[28136]: Failed password for illegal user web from 66.135.33.104 port 48336 ssh2
Jul 27 20:32:21 miles sshd[8053]: Failed password for illegal user web from 66.135.33.104 port 48336 ssh2
Jul 27 20:32:21 miles sshd[8053]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:22 miles sshd[7904]: Illegal user sybase from 66.135.33.104
Jul 27 20:32:22 miles sshd[21707]: input_userauth_request: illegal user sybase
Jul 27 20:32:22 miles sshd[7904]: Failed password for illegal user sybase from 66.135.33.104 port 48337 ssh2
Jul 27 20:32:22 miles sshd[21707]: Failed password for illegal user sybase from 66.135.33.104 port 48337 ssh2
Jul 27 20:32:22 miles sshd[21707]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:23 miles sshd[31994]: Illegal user master from 66.135.33.104
Jul 27 20:32:23 miles sshd[2830]: input_userauth_request: illegal user master
Jul 27 20:32:23 miles sshd[31994]: Failed password for illegal user master from 66.135.33.104 port 48338 ssh2
Jul 27 20:32:23 miles sshd[2830]: Failed password for illegal user master from 66.135.33.104 port 48338 ssh2
Jul 27 20:32:23 miles sshd[2830]: Received disconnect from 66.135.33.104: 11: Bye Bye
Jul 27 20:32:24 miles sshd[11756]: Illegal user account from 66.135.33.104
Jul 27 20:32:24 miles sshd[421]: input_userauth_request: illegal user account
Jul 27 20:32:24 miles sshd[11756]: Failed password for illegal user account from 66.135.33.104 port 48340 ssh2
Jul 27 20:32:24 miles sshd[421]: Failed password for illegal user account from 66.135.33.104 port 48340 ssh2
Jul 27 20:32:24 miles sshd[421]: Received disconnect from 66.135.33.104: 11: Bye Bye

ngps
@singnet.com.sg
Anon

ngps to devrandom
Your entries say "failed password for illegal user test".
Other people's entries simply say "illegal user test".
This is one post below where it says "failed password..." for root, but merely "illegal user" for test and guest.

Do you have accounts 'test' and 'guest' on your system?
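The log excerpts posted in this thread are all variations on three sshd messages, and ngps's question above is exactly the distinction a detector needs: "Illegal user X" and "Failed password for illegal user X" mean sshd could not find the account at all, while "Failed password for root" is a guess at a real account. The script below is an added example (not code from any poster) that parses those forms, undoes the ::ffff: prefix seen in CodeMaker16's logs, collapses the doubled entries that the two sshd PIDs in gbroiles's log produce for one attempt, and flags sources that walked the thread's account list (test/guest/admin/user/root) or that succeeded against one of those names, which is what happened to loconet6's box. The sample lines are taken from the posts above with the forum's line splits undone; the thresholds are arbitrary choices, not anything the thread specifies.

```python
"""Flag the SSH account-guessing pattern from sshd syslog lines."""
import re
from collections import defaultdict

# Account names the scanners in this thread tried.
PROBE_ACCOUNTS = {"test", "guest", "admin", "user", "root"}

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
# "Illegal user X from IP": sshd could not look the account up at all.
ILLEGAL_RE = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\S+)")
# The optional "illegal user" phrase is what separates a guess at a nonexistent
# account from a guess at a real one (root, nobody, www in the logs above).
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (illegal user )?(\S+) from (\S+) port (\d+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port (\d+)")

# Sample input: lines quoted from the posts in this thread, splits rejoined.
SAMPLE_LOG = """\
Jul 27 14:59:01 miles sshd[14433]: Illegal user test from 204.167.145.92
Jul 27 14:59:01 miles sshd[14433]: Failed password for illegal user test from 204.167.145.92 port 51689 ssh2
Jul 27 14:59:01 miles sshd[7787]: Failed password for illegal user test from 204.167.145.92 port 51689 ssh2
Jul 27 14:59:03 miles sshd[1148]: Illegal user guest from 204.167.145.92
Jul 27 14:59:03 miles sshd[1148]: Failed password for illegal user guest from 204.167.145.92 port 51751 ssh2
Jul 27 14:59:03 miles sshd[26698]: Received disconnect from 204.167.145.92: 11: Bye Bye
Jul 27 20:31:45 miles sshd[30976]: Failed password for root from 66.135.33.104 port 48297 ssh2
Jul 27 20:31:47 miles sshd[7045]: Failed password for root from 66.135.33.104 port 48299 ssh2
Jul 27 20:31:52 miles sshd[6398]: Illegal user test from 66.135.33.104
Jul 27 20:31:52 miles sshd[6398]: Failed password for illegal user test from 66.135.33.104 port 48304 ssh2
Jul 27 20:31:53 miles sshd[16834]: Illegal user guest from 66.135.33.104
Jul 27 20:31:53 miles sshd[16834]: Failed password for illegal user guest from 66.135.33.104 port 48305 ssh2
Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 26 19:30:15 codewarz sshd[2567]: Illegal user test from ::ffff:211.117.66.166
Jul 26 19:30:17 codewarz sshd[2567]: Failed password for illegal user test from ::ffff:211.117.66.166 port 59659 ssh2
"""


def normalize_ip(addr):
    """sshd bound to an IPv6 socket logs IPv4 peers as ::ffff:a.b.c.d; strip that."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def parse_line(line):
    """Return an event dict for the three message forms above, else None."""
    ts_m = TS_RE.match(line)
    ts = ts_m.group(1) if ts_m else ""
    m = ILLEGAL_RE.search(line)
    if m:
        return {"ts": ts, "event": "illegal", "user": m.group(1),
                "ip": normalize_ip(m.group(2)), "port": None, "exists": False}
    m = FAILED_RE.search(line)
    if m:
        return {"ts": ts, "event": "failed", "user": m.group(2),
                "ip": normalize_ip(m.group(3)), "port": m.group(4),
                "exists": m.group(1) is None}
    m = ACCEPTED_RE.search(line)
    if m:
        return {"ts": ts, "event": "accepted", "user": m.group(1),
                "ip": normalize_ip(m.group(2)), "port": m.group(3), "exists": True}
    return None


def summarize(lines, dedupe=True):
    """Aggregate events per source address.

    With dedupe=True a failure logged twice under two sshd PIDs for the same
    second, user and client port (the privsep doubling visible in the thread)
    is counted once, so per-source totals are not inflated by a factor of two.
    """
    per_ip = defaultdict(lambda: {"users": set(), "nonexistent": set(),
                                  "failed": 0, "accepted": []})
    seen = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["ts"], ev["event"], ev["user"], ev["ip"], ev["port"])
        if dedupe and key in seen:
            continue
        seen.add(key)
        rec = per_ip[ev["ip"]]
        rec["users"].add(ev["user"])
        if not ev["exists"]:
            rec["nonexistent"].add(ev["user"])
        if ev["event"] == "failed":
            rec["failed"] += 1
        elif ev["event"] == "accepted":
            rec["accepted"].append(ev["user"])
    return dict(per_ip)


def find_scanners(per_ip, min_probe_names=2, min_failures=3):
    """Sources that walked the probe list, or simply failed often (thresholds are arbitrary)."""
    return sorted(ip for ip, rec in per_ip.items()
                  if len(rec["users"] & PROBE_ACCOUNTS) >= min_probe_names
                  or rec["failed"] >= min_failures)


def find_successful_probe_logins(per_ip):
    """The compromise indicator from loconet6's post: a probe-list account was accepted."""
    return sorted((ip, user) for ip, rec in per_ip.items()
                  for user in rec["accepted"] if user in PROBE_ACCOUNTS)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for ip in find_scanners(summary):
        rec = summary[ip]
        print(f"scanner {ip}: {rec['failed']} failures, tried {sorted(rec['users'])}, "
              f"nonexistent {sorted(rec['nonexistent'])}")
    for ip, user in find_successful_probe_logins(summary):
        print(f"ACCEPTED login for probe account {user!r} from {ip}: treat this host as compromised")
```

Run it against a real auth log with `summarize(open("/var/log/auth.log").readlines())` (path varies by system). Note that `input_userauth_request` and `Received disconnect` lines are deliberately ignored, and that the "nonexistent" set is only meaningful on a host whose sshd emits the "illegal user" phrase, which is the source of the confusion ngps describes.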

devrandom
I got a pot, full of random stuff here
Premium Member
join:2003-06-28
Accounting is different for some people.

Read other posts:
said by w6bi:

Jul 27 19:06:00 fw sshd[31336]: Illegal user test from 66.63.168.131
Jul 27 19:06:03 fw sshd[31336]: Failed password for illegal user test from 66.63.168.131 port 37193 ssh2

Alexander Kuznetsov

Anon

First attempt: Jul 16 02:06:30
Users: root, admin, guest, test, user
IP's :
192.83.184.18
211.182.241.194
61.221.196.181
62.100.21.188
62.67.45.4
63.166.192.149
66.165.234.7
81.8.206.35

Now, I started logging TCP packets for these situations.

Logs:
Jul 16 02:06:30 iserver sshd[13407]: Illegal user test from 62.67.45.4
Jul 16 02:06:30 iserver sshd[13407]: error: Could not get shadow information for NOUSER
Jul 16 02:06:30 iserver sshd[13407]: Failed password for illegal user test from 62.67.45.4 port 51881 ssh2
Jul 16 02:06:31 iserver sshd[13409]: Illegal user guest from 62.67.45.4
Jul 16 02:06:31 iserver sshd[13409]: error: Could not get shadow information for NOUSER
Jul 16 02:06:31 iserver sshd[13409]: Failed password for illegal user guest from 62.67.45.4 port 51913 ssh2
Jul 16 02:06:32 iserver sshd[13411]: Illegal user admin from 62.67.45.4
Jul 16 02:06:32 iserver sshd[13411]: error: Could not get shadow information for NOUSER
Jul 16 02:06:32 iserver sshd[13411]: Failed password for illegal user admin from 62.67.45.4 port 51951 ssh2
Jul 16 02:06:32 iserver sshd[13413]: Illegal user admin from 62.67.45.4
Jul 16 02:06:32 iserver sshd[13413]: error: Could not get shadow information for NOUSER
Jul 16 02:06:32 iserver sshd[13413]: Failed password for illegal user admin from 62.67.45.4 port 51990 ssh2
Jul 16 02:06:33 iserver sshd[13415]: Illegal user user from 62.67.45.4
Jul 16 02:06:33 iserver sshd[13415]: error: Could not get shadow information for NOUSER
Jul 16 02:06:33 iserver sshd[13415]: Failed password for illegal user user from 62.67.45.4 port 52028 ssh2
Jul 16 02:06:34 iserver sshd[13417]: Failed password for root from 62.67.45.4 port 52067 ssh2
Jul 16 02:06:35 iserver sshd[13419]: Failed password for root from 62.67.45.4 port 52112 ssh2
Jul 16 02:06:35 iserver sshd[13421]: Failed password for root from 62.67.45.4 port 52136 ssh2
Jul 16 02:06:36 iserver sshd[13423]: Illegal user test from 62.67.45.4
Jul 16 02:06:36 iserver sshd[13423]: error: Could not get shadow information for NOUSER
Jul 16 02:06:36 iserver sshd[13423]: Failed password for illegal user test from 62.67.45.4 port 52161 ssh2
Jul 16 21:17:00 iserver sshd[31327]: Illegal user test from 62.100.21.188
Jul 16 21:17:00 iserver sshd[31327]: error: Could not get shadow information for NOUSER
Jul 16 21:17:00 iserver sshd[31327]: Failed password for illegal user test from 62.100.21.188 port 52313 ssh2
Jul 16 21:17:01 iserver sshd[31329]: Illegal user guest from 62.100.21.188
Jul 16 21:17:01 iserver sshd[31329]: error: Could not get shadow information for NOUSER
Jul 16 21:17:01 iserver sshd[31329]: Failed password for illegal user guest from 62.100.21.188 port 52321 ssh2
Jul 19 09:18:40 iserver sshd[26466]: Illegal user test from 66.165.234.7
Jul 19 09:18:40 iserver sshd[26466]: error: Could not get shadow information for NOUSER
Jul 19 09:18:40 iserver sshd[26466]: Failed password for illegal user test from 66.165.234.7 port 54838 ssh2
Jul 19 09:18:42 iserver sshd[26468]: Illegal user guest from 66.165.234.7
Jul 19 09:18:42 iserver sshd[26468]: error: Could not get shadow information for NOUSER
Jul 19 09:18:42 iserver sshd[26468]: Failed password for illegal user guest from 66.165.234.7 port 54852 ssh2
Jul 23 20:27:13 iserver sshd[29038]: Illegal user test from 63.166.192.149
Jul 23 20:27:13 iserver sshd[29038]: error: Could not get shadow information for NOUSER
Jul 23 20:27:13 iserver sshd[29038]: Failed password for illegal user test from 63.166.192.149 port 2998 ssh2
Jul 23 20:27:14 iserver sshd[29040]: Illegal user guest from 63.166.192.149
Jul 23 20:27:14 iserver sshd[29040]: error: Could not get shadow information for NOUSER
Jul 23 20:27:14 iserver sshd[29040]: Failed password for illegal user guest from 63.166.192.149 port 3010 ssh2
Jul 24 15:34:50 iserver sshd[6361]: Illegal user test from 81.8.206.35
Jul 24 15:34:50 iserver sshd[6361]: error: Could not get shadow information for NOUSER
Jul 24 15:34:50 iserver sshd[6361]: Failed password for illegal user test from 81.8.206.35 port 55389 ssh2
Jul 24 15:34:51 iserver sshd[6363]: Illegal user guest from 81.8.206.35
Jul 24 15:34:51 iserver sshd[6363]: error: Could not get shadow information for NOUSER
Jul 24 15:34:51 iserver sshd[6363]: Failed password for illegal user guest from 81.8.206.35 port 55448 ssh2
Jul 26 04:22:11 iserver sshd[21279]: Illegal user test from 211.182.241.194
Jul 26 04:22:11 iserver sshd[21279]: error: Could not get shadow information for NOUSER
Jul 26 04:22:12 iserver sshd[21279]: Failed password for illegal user test from 211.182.241.194 port 59215 ssh2
Jul 26 04:22:15 iserver sshd[21281]: Illegal user guest from 211.182.241.194
Jul 26 04:22:15 iserver sshd[21281]: error: Could not get shadow information for NOUSER
Jul 26 04:22:15 iserver sshd[21281]: Failed password for illegal user guest from 211.182.241.194 port 59238 ssh2
Jul 27 04:41:01 iserver sshd[9741]: Illegal user test from 61.221.196.181
Jul 27 04:41:01 iserver sshd[9741]: error: Could not get shadow information for NOUSER
Jul 27 04:41:01 iserver sshd[9741]: Failed password for illegal user test from 61.221.196.181 port 3495 ssh2
Jul 27 04:41:04 iserver sshd[9743]: Illegal user guest from 61.221.196.181
Jul 27 04:41:04 iserver sshd[9743]: error: Could not get shadow information for NOUSER
Jul 27 04:41:04 iserver sshd[9743]: Failed password for illegal user guest from 61.221.196.181 port 3503 ssh2
Jul 27 14:58:05 iserver sshd[22505]: Illegal user test from 192.83.184.18
Jul 27 14:58:05 iserver sshd[22505]: error: Could not get shadow information for NOUSER
Jul 27 14:58:05 iserver sshd[22505]: Failed password for illegal user test from 192.83.184.18 port 32779 ssh2
Jul 27 14:58:08 iserver sshd[22507]: Illegal user guest from 192.83.184.18
Jul 27 14:58:08 iserver sshd[22507]: error: Could not get shadow information for NOUSER
Jul 27 14:58:08 iserver sshd[22507]: Failed password for illegal user guest from 192.83.184.18 port 32845 ssh2

sledge_he
Member
join:2004-03-24
/ga/conyers

sledge_he to sporkme
In response to sporkme's log above:

Out of curiosity I did a whois on the 210.98.189.73 address you gave and this is what turned up:

inetnum: 210.98.189.0 - 210.98.189.255
netname: KOREAOTZCA22525D-KR
descr: Korea Otzca Medicine
descr: Samkwang bldge.,317-7 Shinchun4-dong Dong-gu
descr: TAEGU
descr: 701-024
country: KR
admin-c: DE28-AP
tech-c: DE28-AP
mnt-by: MAINT-KR-DACOM
status: ASSIGNED NON-PORTABLE
remarks: imported from KRNIC
changed: hm-changed@apnic.net 20021023
source: APNIC

person: Daeshik Eom
address: Korea Otzca Medicine
address: Samkwang bldge.,317-7 Shinchun4-dong Dong-gu
address: TAEGU
address: 701-024
country: KR
phone: +82-53-743-3248
e-mail: b0022525@users.bora.net
nic-hdl: DE28-AP
mnt-by: MAINT-KR-DACOM
remarks: imported from KRNIC
changed: hm-changed@apnic.net 20021022
source: APNIC

Just thought you would like to know.

*******BTW********* I tried a few of the IPs given in the post, and they all respond with a key when you try to ssh them - meaning that they are all active as well.

JohnInSJ
Premium Member
join:2003-09-22
Aptos, CA

JohnInSJ to BeesTea
Here are today's attempts in my log (after a couple of days w/o any):

Failed logins from these:
guest/password from 216.23.163.25: 4 Time(s)
guest/password from 66.63.168.131: 2 Time(s)
test/password from 216.23.163.25: 4 Time(s)
test/password from 66.63.168.131: 2 Time(s)

Illegal users from these:
guest/none from 216.23.163.25: 4 Time(s)
guest/none from 66.63.168.131: 2 Time(s)
guest/password from 216.23.163.25: 4 Time(s)
guest/password from 66.63.168.131: 2 Time(s)
test/none from 216.23.163.25: 4 Time(s)
test/none from 66.63.168.131: 2 Time(s)
test/password from 216.23.163.25: 4 Time(s)
test/password from 66.63.168.131: 2 Time(s)

Still not a massive flood, but annoying.

BeesTea
Internet Janitor
Premium Member
join:2003-03-08
00000

Greetings folks,

Here's a summary of the scanning.

Hosts are scanned randomly for weak accounts (test, user, etc). When one is discovered the attacker grabs a few local exploits and, as mentioned above, also an emech bot kit with a bnc. The bots are pointed at the Undernet and set to join 2 separate channels.

The tools and botkits are coming from the following IPs:

195.110.124.188
81.196.20.134
64.251.5.10

IRC operators and abuse@ for the providers have been contacted. We'll see how it goes.

Things you can do to mitigate this threat are fairly obvious.

Filter packets to your sshd or run the sshd on a non-standard port. Set your sshd_config to "PasswordAuthentication no", forcing users to use key authentication.

Additionally, you can filter or null route the above listed IPs. That will only be effective for however long the tools stay at that location.

I think we've solved the mystery, now it's time to notify providers of the hosts scanning everyone.

Cheers,
-BeesT

EDIT: Added an additional IP.

mindfunk
@ti.com
Anon

mindfunk to loconet6
So, I don't get it. What is the exploit? How did it get into the root account? Did it guess the password, or was it some exploit in openssh?

My first assumption is that this was some default account on a dsl router/hub running linux (ala linksys, buffalo, etc...) and a worm was just trolling through ips to find them. But... this appears to be different.

BeesTea
Internet Janitor
Premium Member
join:2003-03-08
00000

said by mindfunk:
So, I don't get it. What is the exploit? How did it get into the root account? Did it guess the password, or was it some exploit in openssh?

The initial attack vector is weak login/password combinations: test/test, guest/guest, etc. From there, one of the 3 most recent kernel vulnerabilities for Linux is exploited.

There is not a new exploit for OpenSSH in the wild.

Cheers,
-BeesT
jhovila
Member
join:2004-07-28

jhovila to pflog
Hi!
said by pflog:
This is disconcerting. The machine that scanned you is running an open OpenSSH daemon:
Or, it's an OpenBSD firewall doing NAT, and the host from which the scans come from is behind that firewall.

- Jyri

stak_o
@lanl.gov
Anon

stak_o to pflog
It is probably just looking for the headers that you are looking for, and doesn't care about the account names. I am thinking that someone has been working on a mass SSH scanning tool and is putting it through its running legs now.
jhovila
Member
join:2004-07-28

Hi!

I collect logs from a bunch of OpenBSD hosts. Below is what I found (sorry about the messy format).

Most of the hosts doing the scans seem to be running sshd. I'm afraid this could mean there is a new SSH exploit out in the wild. I don't believe the scans have anything to do with brute force attacks - it's more probable that the scans are used to locate hosts with a vulnerable SSH daemon.

I think admins would be wise to restrict SSH logins to known IP addresses (or subnets) when possible.

- Jyri

------------------------------------------------------------------------

Total of 166 records

First record: Jul 17th 17.27 EET (GMT +2)

Addresses, geological area, banners and usernames tested:

* = host appears more than once

Jul 17

212.65.244.xxx    RIPE    SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3    admin, guest, user, test

Jul 20

61.60.51.xxx      APNIC   (no response)                 guest, test
66.250.111.xxx    ARIN    SSH-1.99-OpenSSH_3.1p1        admin, guest, user, test

Jul 21

195.113.17.xxx    RIPE    (no response)                 guest, test

Jul 23

63.166.192.xxx    ARIN    (no response)                 guest, test
211.119.136.xxx   APNIC   (no response)                 guest, test
216.20.112.xxx    ARIN    SSH-1.99-OpenSSH_2.3.0p1      guest, test

Jul 24

* 61.109.156.xxx  APNIC   SSH-1.99-OpenSSH_3.5p1        guest, test
64.8.171.xxx      ARIN    (no response)                 admin, guest, user, test

Jul 25

* 61.109.156.xxx  APNIC   SSH-1.99-OpenSSH_3.5p1        guest, test
80.53.236.xxx     RIPE    (connection refused)          guest, test
* 81.8.206.xxx    RIPE    SSH-1.99-OpenSSH_3.6.1p2      guest, test
210.101.234.xxx   APNIC   (no response)                 guest, test

Jul 26

* 61.109.156.xxx  APNIC   SSH-1.99-OpenSSH_3.5p1        guest, test
67.68.231.xxx     ARIN    SSH-1.99-OpenSSH_3.5p1        guest, test
* 81.8.206.xxx    RIPE    SSH-1.99-OpenSSH_3.6.1p2      guest, test
202.134.73.xxx    APNIC   SSH-1.99-OpenSSH_3.1p1        guest, test

Jul 27

* 81.8.206.xxx    RIPE    SSH-1.99-OpenSSH_3.6.1p2      guest, test
194.204.17.xxx    RIPE    SSH-1.99-OpenSSH_3.5p1        guest, test
208.30.184.xxx    ARIN    (connection refused)          guest, test
210.0.186.xxx     APNIC   SSH-2.0-OpenSSH_3.5p1         guest, test
210.83.203.xxx    APNIC   SSH-1.99-OpenSSH_2.5.2p2      guest, test

Jul 28

64.69.77.xxx      ARIN    (connection refused)          guest, test
69.0.134.xxx      ARIN    SSH-1.99-OpenSSH_2.9p2        admin, user, guest, test
209.176.248.xxx   ARIN    SSH-1.99-OpenSSH_2.3.0p1      guest, test
211.184.226.xxx   APNIC   (connection refused)          guest, test

------------------------------------------------------------------------

BeesTea
said by jhovila:
Hi!

I collect logs from a bunch of OpenBSD hosts. Below is what I found (sorry about the messy format).

Most of the hosts doing the scans seem to be running sshd. I'm afraid this could mean there is a new SSH exploit out in the wild. I don't believe the scans have anything to do with brute force attacks - it's more probable that the scans are used to locate hosts with a vulnerable SSH daemon.

I think admins would be wise to restrict SSH logins to known IP addresses (or subnets) when possible.

- Jyri

I would disagree. Not only because the purpose of the scanning has been figured out, but because it's not necessary to make a login to get version information from an sshd.

A simple netcat script could do this and not get the attention the scanning has attracted.

It is however good to filter what hosts can access your sshd. Authorization is just as important as authentication.

Cheers,
-BeesT
jhovila to mindfunk
Hi!
said by mindfunk:
So, I don't get it. What is the exploit? How did it get into the root account? Did it guess the password, or was it some exploit in openssh?
I'm pretty sure there is a new SSH exploit around. This clearly isn't a brute force attack. As we are seeing lots of scans but only a few r00ted hosts, it really doesn't look like a worm either. Someone seems to be scanning for vulnerable SSH daemons, obviously using already r00ted hosts, and then roots vulnerable hosts of his/her choice manually.

- Jyri

BeesTea
Below is a summarized list of SSH scanners should you want to filter them and be done with seeing the log entries.


Cheers,
-BeesT
MBC0
Here are a few more I have been getting hit for approx. 2 weeks now:
Illegal user test from 65.38.161.50
Illegal user test from 204.66.79.13
Illegal user test from 204.167.145.92
Illegal user test from 217.160.129.166
Illegal user guest from 217.58.140.2

pflog to BeesTea
Only one I have in common with you is:

81.8.206.35

Then again I only have four total:

62.129.173.135
81.8.206.35
195.90.13.134
219.120.54.179

No_Strings to BeesTea
Jul 27 07:28:08 webber sshd[29992]: Illegal user test from 195.200.122.82
Jul 27 07:28:08 webber sshd[29992]: Failed password for illegal user test from 195.200.122.82 port 48935 ssh2
Jul 27 07:28:09 webber sshd[29994]: Illegal user guest from 195.200.122.82
Jul 27 07:28:09 webber sshd[29994]: Failed password for illegal user guest from 195.200.122.82 port 48936 ssh2
Jul 28 10:16:04 webber sshd[30852]: Illegal user test from 65.61.98.16
Jul 28 10:16:04 webber sshd[30852]: Failed password for illegal user test from 65.61.98.16 port 49621 ssh2
Jul 28 10:16:05 webber sshd[30854]: Illegal user guest from 65.61.98.16
Jul 28 10:16:05 webber sshd[30854]: Failed password for illegal user guest from 65.61.98.16 port 49657 ssh2
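The raw sshd lines posted in this thread all fit one of a few shapes (Illegal user, Failed password for illegal user, Failed password for, Accepted password for, with or without the ::ffff: IPv4-mapped prefix). As an added example, not code from any poster, here is a Python parser that groups such lines by source address, flags the guest-plus-test pair the thread keeps seeing, and ranks a successful login as one of the probed account names above everything else; the parse_line/summarize/classify names and the 192.0.2.10 and 10.0.0.5 sources are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the sshd lines posted in this thread;
# 192.0.2.10 and 10.0.0.5 are made-up sources, the ::ffff: prefix is real.
SAMPLE_LOG = """\
Jul 27 07:28:08 webber sshd[29992]: Illegal user test from 195.200.122.82
Jul 27 07:28:08 webber sshd[29992]: Failed password for illegal user test from 195.200.122.82 port 48935 ssh2
Jul 27 07:28:09 webber sshd[29994]: Failed password for illegal user guest from 195.200.122.82 port 48936 ssh2
Jul 26 19:30:15 codewarz sshd[2567]: Illegal user test from ::ffff:211.117.66.166
Jul 26 19:30:19 codewarz sshd[2569]: Illegal user guest from ::ffff:211.117.66.166
Jul 29 01:02:03 host sshd[400]: Accepted password for test from 192.0.2.10 port 4000 ssh2
Jul 29 01:05:00 host sshd[402]: Failed password for root from 10.0.0.5 port 5000 ssh2
"""
# The longer "Failed password for illegal user" alternative must precede the short one.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Illegal user|Failed password for illegal user|Failed password for|Accepted password for) "
    r"(?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+)"
)
PROBE_USERS = {"test", "guest", "admin", "user"}  # the names jhovila's survey lists

def parse_line(line):
    """Return {'ts', 'kind', 'user', 'ip'} for a recognised sshd line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.group("event")
    kind = "accepted" if ev.startswith("Accepted") else "failed" if ev.startswith("Failed") else "illegal"
    return {"ts": m.group("ts"), "kind": kind, "user": m.group("user"), "ip": m.group("ip")}

def summarize(log_text):
    """Per source IP: names tried, failed attempts, and names that actually logged in."""
    by_ip = defaultdict(lambda: {"users": set(), "failed": 0, "accepted": set()})
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        rec = by_ip[ev["ip"]]
        rec["users"].add(ev["user"])
        if ev["kind"] == "failed":
            rec["failed"] += 1
        elif ev["kind"] == "accepted":
            rec["accepted"].add(ev["user"])
    return by_ip

def classify(rec):
    """A successful login as a probe account outranks everything: that host is no longer yours."""
    if rec["accepted"] & PROBE_USERS:
        return "compromised-login"
    if {"guest", "test"} <= rec["users"]:  # the two-name signature described in the thread
        return "guest-test-scanner"
    return "other"
```

Run classify over summarize(open("/var/log/auth.log").read()) to get one label per source; the logwatch-style summaries some posters show are a different format and are not parsed here.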

Jimvin to pflog
The version banner can be misleading. Trojaned sshd binaries are common and often the attacker will change the banner to read the same as the current version on the box in question.

Anyone tried using the suspicious userids on a scanning machine?

Jimvin

jmnbrokenarm to pflog
Actually, it's just some lame tool trying to brute-force 2 accounts, namely guest and test, as far as I was given the opportunity to investigate the case with a honeypot.

The toolkit uploaded to the honeypot system I used to investigate was made up of the SSH brute-forcer (some warez by a team known as haitateam), a SYN scanner (posted lately on packetstorm by the same team), and a ./hack.sh so the kid does not have to type a more_then_10_chars_long_cmdline.

I'd rather not post IP addresses of probing hosts in public forums and mailing list archives, since most of the probing hosts are compromised ones, and the kids don't seem to bother changing the passwords and covering their tracks.
ghost16825 to BeesTea
Some are picking up the scraps:
»isc.sans.org/diary.php?d ··· 04-07-28

CodeMaker16 to BeesTea
Woke up this morning, 3rd set of tries for this week:

Failed logins from these:
guest/password from ::ffff:203.85.183.10: 1 Time(s)
guest/password from ::ffff:208.145.229.70: 1 Time(s)
test/password from ::ffff:203.85.183.10: 1 Time(s)
test/password from ::ffff:208.145.229.70: 1 Time(s)

Illegal users from these:
guest/none from ::ffff:203.85.183.10: 1 Time(s)
guest/none from ::ffff:208.145.229.70: 1 Time(s)
guest/password from ::ffff:203.85.183.10: 1 Time(s)
guest/password from ::ffff:208.145.229.70: 1 Time(s)
test/none from ::ffff:203.85.183.10: 1 Time(s)
test/none from ::ffff:208.145.229.70: 1 Time(s)
test/password from ::ffff:203.85.183.10: 1 Time(s)
test/password from ::ffff:208.145.229.70: 1 Time(s)
MBC0 to jmnbrokenarm
said by jmnbrokenarm:
Actually, it's just some lame tool trying to brute-force 2 accounts, namely guest and test, as far as I was given the opportunity to investigate the case with a honeypot.

I am now getting attempts on accounts other than those two:

Failed logins from these:
account/password from 66.135.33.104: 5 Time(s)
apache/password from 66.135.33.104: 5 Time(s)
master/password from 66.135.33.104: 5 Time(s)
matt/password from 66.135.33.104: 5 Time(s)
nobody/password from 66.135.33.104: 5 Time(s)
noc/password from 66.135.33.104: 5 Time(s)
patrick/password from 66.135.33.104: 10 Time(s)
root/password from 66.135.33.104: 100 Time(s)
sybase/password from 66.135.33.104: 5 Time(s)
test/password from 66.135.33.104: 20 Time(s)
web/password from 66.135.33.104: 5 Time(s)
www-data/password from 66.135.33.104: 5 Time(s)
www/password from 66.135.33.104: 5 Time(s)
wwwrun/password from 66.135.33.104: 5 Time(s)

PetePuma
My first ones:
Jul 28 20:07:41 turbinium sshd[25586]: Illegal user test from 141.35.26.170
Jul 28 20:07:44 turbinium sshd[25586]: Failed password for illegal user test from 141.35.26.170 port 41156 ssh2
Jul 28 20:07:45 turbinium sshd[25588]: Illegal user guest from 141.35.26.170
Jul 28 20:07:47 turbinium sshd[25588]: Failed password for illegal user guest from 141.35.26.170 port 41157 ssh2