Re: SSH attacks?

From: Bulgaro (bulgaro76_at_yahoo.it)
Date: 07/29/04

    Date: Thu, 29 Jul 2004 11:11:12 +0200 (CEST)
    To: incidents@securityfocus.com

    > While looking through the logs after someone ran over my system with
    > Nessus, I noticed some odd ones from sshd (that don't seem to be
    > related to the Nessus scan):
    > Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow information for NOUSER
    >
    > They usually, although not always, occur in pairs, a few seconds
    > apart. They don't seem to be very random, which suggests maybe that
    > there is someone at the other end, rather than a worm.
    >
    > The first sighting was Jun 4 04:22:15 (all times NZST), with 153
    > instances going to 04:47:03 (this is fairly constant, and not in
    > pairs). It isn't seen again until Jun 17 08:39:54-08:58:20 (75
    > instances this time, again not in pairs). Since then, there have been
    > a few on the 21st and 25th, followed by a lot on the 26th and into the
    > 27th, where we now see the pairs coming up.
    >
    > Looking a bit closer (and in other log files), I see it's people
    > trying random accounts. The big ones are going over a large list, the
    > pairs seem to be just hitting test and guest:
    > Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44
    > Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
    > Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44
    > Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2
    >
    > Does anyone know why this would appear all of a sudden?
    > - --
    > Robin <robin@kallisti.net.nz> JabberID: <eythian@jabber.org>
    >
    > Hostes alienigeni me abduxerunt. Qui annus est?
    >
    > PGP Key 0x776DB663 = DD10 5C62 1E29 A385 9866 0853 CD38 E07A 776D B663

    I've got some very similar logs from auth.log:

    Jul 26 18:01:17 cabernet sshd[12014]: Illegal user test from 163.32.62.4
    Jul 26 18:01:17 cabernet sshd[12014]: error: Could not get shadow information for NOUSER
    Jul 26 18:01:17 cabernet sshd[12014]: Failed password for illegal user test from 163.32.62.4 port 46707 ssh2
    Jul 26 18:01:20 cabernet sshd[12016]: Illegal user guest from 163.32.62.4
    Jul 26 18:01:20 cabernet sshd[12016]: error: Could not get shadow information for NOUSER
    Jul 26 18:01:20 cabernet sshd[12016]: Failed password for illegal user guest from 163.32.62.4 port 46818 ssh2
    Jul 26 18:01:23 cabernet sshd[12018]: Illegal user admin from 163.32.62.4
    Jul 26 18:01:23 cabernet sshd[12018]: error: Could not get shadow information for NOUSER
    Jul 26 18:01:23 cabernet sshd[12018]: Failed password for illegal user admin from 163.32.62.4 port 46899 ssh2
    Jul 26 18:01:26 cabernet sshd[12020]: Illegal user admin from 163.32.62.4
    Jul 26 18:01:26 cabernet sshd[12020]: error: Could not get shadow information for NOUSER
    Jul 26 18:01:26 cabernet sshd[12020]: Failed password for illegal user admin from 163.32.62.4 port 46974 ssh2
    Jul 26 18:01:29 cabernet sshd[12022]: Illegal user user from 163.32.62.4
    Jul 26 18:01:29 cabernet sshd[12022]: error: Could not get shadow information for NOUSER
    Jul 26 18:01:29 cabernet sshd[12022]: Failed password for illegal user user from 163.32.62.4 port 47049 ssh2
    Jul 26 18:01:32 cabernet sshd[12024]: Failed password for root from 163.32.62.4 port 47132 ssh2
    Jul 26 18:01:35 cabernet sshd[12026]: Failed password for root from 163.32.62.4 port 47235 ssh2
    Jul 26 18:01:37 cabernet sshd[12028]: Failed password for root from 163.32.62.4 port 47295 ssh2
    Jul 26 18:01:40 cabernet sshd[12030]: Illegal user test from 163.32.62.4
    Jul 26 18:01:40 cabernet sshd[12030]: error: Could not get shadow information for NOUSER
    Jul 26 18:01:40 cabernet sshd[12030]: Failed password for illegal user test from 163.32.62.4 port 47388 ssh2
    Jul 26 18:17:01 cabernet CRON[12117]: (pam_unix) session opened for user root by (uid=0)
    Jul 26 18:17:01 cabernet CRON[12117]: (pam_unix) session closed for user root
    Jul 26 18:50:30 cabernet sshd[12599]: Illegal user test from 163.32.62.4
    Jul 26 18:50:31 cabernet sshd[12599]: error: Could not get shadow information for NOUSER
    Jul 26 18:50:31 cabernet sshd[12599]: Failed password for illegal user test from 163.32.62.4 port 52670 ssh2
    Jul 26 18:50:34 cabernet sshd[12601]: Illegal user guest from 163.32.62.4
    Jul 26 18:50:34 cabernet sshd[12601]: error: Could not get shadow information for NOUSER
    Jul 26 18:50:34 cabernet sshd[12601]: Failed password for illegal user guest from 163.32.62.4 port 52797 ssh2
    Jul 26 18:50:36 cabernet sshd[12603]: Illegal user admin from 163.32.62.4
    Jul 26 18:50:37 cabernet sshd[12603]: error: Could not get shadow information for NOUSER
    Jul 26 18:50:37 cabernet sshd[12603]: Failed password for illegal user admin from 163.32.62.4 port 52887 ssh2
    Jul 26 18:50:39 cabernet sshd[12605]: Illegal user admin from 163.32.62.4
    Jul 26 18:50:39 cabernet sshd[12605]: error: Could not get shadow information for NOUSER
    Jul 26 18:50:39 cabernet sshd[12605]: Failed password for illegal user admin from 163.32.62.4 port 52965 ssh2
    Jul 26 18:50:42 cabernet sshd[12607]: Illegal user user from 163.32.62.4
    Jul 26 18:50:42 cabernet sshd[12607]: error: Could not get shadow information for NOUSER
    Jul 26 18:50:42 cabernet sshd[12607]: Failed password for illegal user user from 163.32.62.4 port 53045 ssh2
    Jul 26 18:50:45 cabernet sshd[12609]: Failed password for root from 163.32.62.4 port 53129 ssh2
    Jul 26 18:50:48 cabernet sshd[12612]: Failed password for root from 163.32.62.4 port 53229 ssh2
    ...

    I've checked the origin of these connection attempts and I discovered
    that the "guilty" host (163.32.62.4) is a box called
    mail.cshs.kh.edu.tw. I think that this host is affected by a worm, but
    I don't know anything about the kind of virus. I noticed that the
    spread of the worm lasted only the 26th of July. Maybe there's a spread
    controlled by the date.
    Sorry for my English.
    Alessandro Bulgarelli

