Re: SSH attacks?
From: Bulgaro (bulgaro76_at_yahoo.it)
Date: 07/29/04
- Previous message: Hossein Rafighi: "Re: Anyone else seeing SSH scans?"
- Maybe in reply to: Robin: "SSH attacks?"
- Next in thread: John Bossert: "Re: SSH attacks?"
- Reply: John Bossert: "Re: SSH attacks?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 29 Jul 2004 11:11:12 +0200 (CEST)
To: incidents@securityfocus.com
> While looking through the logs after someone ran over my system with Nessus, I
> noticed some odd ones from sshd (that don't seem to be related to the nessus
> scan):
> Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow information for NOUSER
>
> They usually, although not always, occur in pairs, a few seconds apart. They
> don't seem to be very random, which suggests maybe that there is someone at
> the other end, rather than a worm.
>
> The first sighting was Jun 4 04:22:15 (all times NZST), with 153 instances
> going to 04:47:03 (this is fairly constant, and not in pairs). It isn't seen
> again until Jun 17 08:39:54-08:58:20 (75 instances this time, again not in
> pairs). Since then, there have been a few on the 21st and 25th, followed by a
> lot on the 26th and into the 27th, where we now see the pairs coming up.
>
> Looking a bit closer (and in other log files), I see it's people trying random
> accounts. The big ones are going over a large list, the pairs seem to be just
> hitting test and guest:
> Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44
> Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
> Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44
> Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2
>
> Does anyone know why this would appear all of a sudden?
> - --
> Robin <robin@kallisti.net.nz> JabberID: <eythian@jabber.org>
>
> Hostes alienigeni me abduxerunt. Qui annus est?
>
> PGP Key 0x776DB663 = DD10 5C62 1E29 A385 9866 0853 CD38 E07A 776D B663
I've got some very similar logs from auth.log:
Jul 26 18:01:17 cabernet sshd[12014]: Illegal user test from 163.32.62.4
Jul 26 18:01:17 cabernet sshd[12014]: error: Could not get shadow information for NOUSER
Jul 26 18:01:17 cabernet sshd[12014]: Failed password for illegal user test from 163.32.62.4 port 46707 ssh2
Jul 26 18:01:20 cabernet sshd[12016]: Illegal user guest from 163.32.62.4
Jul 26 18:01:20 cabernet sshd[12016]: error: Could not get shadow information for NOUSER
Jul 26 18:01:20 cabernet sshd[12016]: Failed password for illegal user guest from 163.32.62.4 port 46818 ssh2
Jul 26 18:01:23 cabernet sshd[12018]: Illegal user admin from 163.32.62.4
Jul 26 18:01:23 cabernet sshd[12018]: error: Could not get shadow information for NOUSER
Jul 26 18:01:23 cabernet sshd[12018]: Failed password for illegal user admin from 163.32.62.4 port 46899 ssh2
Jul 26 18:01:26 cabernet sshd[12020]: Illegal user admin from 163.32.62.4
Jul 26 18:01:26 cabernet sshd[12020]: error: Could not get shadow information for NOUSER
Jul 26 18:01:26 cabernet sshd[12020]: Failed password for illegal user admin from 163.32.62.4 port 46974 ssh2
Jul 26 18:01:29 cabernet sshd[12022]: Illegal user user from 163.32.62.4
Jul 26 18:01:29 cabernet sshd[12022]: error: Could not get shadow information for NOUSER
Jul 26 18:01:29 cabernet sshd[12022]: Failed password for illegal user user from 163.32.62.4 port 47049 ssh2
Jul 26 18:01:32 cabernet sshd[12024]: Failed password for root from 163.32.62.4 port 47132 ssh2
Jul 26 18:01:35 cabernet sshd[12026]: Failed password for root from 163.32.62.4 port 47235 ssh2
Jul 26 18:01:37 cabernet sshd[12028]: Failed password for root from 163.32.62.4 port 47295 ssh2
Jul 26 18:01:40 cabernet sshd[12030]: Illegal user test from 163.32.62.4
Jul 26 18:01:40 cabernet sshd[12030]: error: Could not get shadow information for NOUSER
Jul 26 18:01:40 cabernet sshd[12030]: Failed password for illegal user test from 163.32.62.4 port 47388 ssh2
Jul 26 18:17:01 cabernet CRON[12117]: (pam_unix) session opened for user root by (uid=0)
Jul 26 18:17:01 cabernet CRON[12117]: (pam_unix) session closed for user root
Jul 26 18:50:30 cabernet sshd[12599]: Illegal user test from 163.32.62.4
Jul 26 18:50:31 cabernet sshd[12599]: error: Could not get shadow information for NOUSER
Jul 26 18:50:31 cabernet sshd[12599]: Failed password for illegal user test from 163.32.62.4 port 52670 ssh2
Jul 26 18:50:34 cabernet sshd[12601]: Illegal user guest from 163.32.62.4
Jul 26 18:50:34 cabernet sshd[12601]: error: Could not get shadow information for NOUSER
Jul 26 18:50:34 cabernet sshd[12601]: Failed password for illegal user guest from 163.32.62.4 port 52797 ssh2
Jul 26 18:50:36 cabernet sshd[12603]: Illegal user admin from 163.32.62.4
Jul 26 18:50:37 cabernet sshd[12603]: error: Could not get shadow information for NOUSER
Jul 26 18:50:37 cabernet sshd[12603]: Failed password for illegal user admin from 163.32.62.4 port 52887 ssh2
Jul 26 18:50:39 cabernet sshd[12605]: Illegal user admin from 163.32.62.4
Jul 26 18:50:39 cabernet sshd[12605]: error: Could not get shadow information for NOUSER
Jul 26 18:50:39 cabernet sshd[12605]: Failed password for illegal user admin from 163.32.62.4 port 52965 ssh2
Jul 26 18:50:42 cabernet sshd[12607]: Illegal user user from 163.32.62.4
Jul 26 18:50:42 cabernet sshd[12607]: error: Could not get shadow information for NOUSER
Jul 26 18:50:42 cabernet sshd[12607]: Failed password for illegal user user from 163.32.62.4 port 53045 ssh2
Jul 26 18:50:45 cabernet sshd[12609]: Failed password for root from 163.32.62.4 port 53129 ssh2
Jul 26 18:50:48 cabernet sshd[12612]: Failed password for root from 163.32.62.4 port 53229 ssh2
...
I've checked the origin of these connection attempts and I discovered that the "guilty" host (163.32.62.4) is a box called mail.cshs.kh.edu.tw. I think that this host is affected by a worm but I don't know anything about the kind of virus. I noticed that the spread of the worm lasted only the 26th of July. Maybe there's a spread controlled by the date.
Sorry for my English
Alessandro Bulgarelli
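Both posters are reading the same pattern by eye: a single source walking a short account list (test, guest, admin, user, root) a few seconds apart. The script below is an added example, not code from either poster, that pulls the "Failed password" lines out of auth.log text in this 2004-era OpenSSH format and flags any source that produces a burst of failures; the sample lines are constructed, the year 2004 is assumed (syslog timestamps carry none), and the 3-in-60-seconds threshold is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the auth.log format shown above (not the post's own data).
SAMPLE_LOG = """\
Jul 26 18:01:17 cabernet sshd[12014]: Illegal user test from 163.32.62.4
Jul 26 18:01:17 cabernet sshd[12014]: error: Could not get shadow information for NOUSER
Jul 26 18:01:17 cabernet sshd[12014]: Failed password for illegal user test from 163.32.62.4 port 46707 ssh2
Jul 26 18:01:20 cabernet sshd[12016]: Failed password for illegal user guest from 163.32.62.4 port 46818 ssh2
Jul 26 18:01:23 cabernet sshd[12018]: Failed password for illegal user admin from 163.32.62.4 port 46899 ssh2
Jul 26 18:01:32 cabernet sshd[12024]: Failed password for root from 163.32.62.4 port 47132 ssh2
Jul 26 18:17:01 cabernet CRON[12117]: (pam_unix) session opened for user root by (uid=0)
Jul 26 18:50:30 cabernet sshd[12599]: Failed password for illegal user test from 163.32.62.4 port 52670 ssh2
Jul 26 19:10:05 cabernet sshd[12700]: Failed password for alice from 10.0.0.5 port 50001 ssh2
"""

# "Failed password for [illegal user] <user> from [::ffff:]<ip> port <n>"; syslog has no year.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?P<illegal>illegal user) )?(?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+) port \d+"
)

def parse_failures(text, year=2004):
    """Return (timestamp, user, source_ip, unknown_account) per failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # "Illegal user", "shadow information" and CRON lines carry no new fact
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], m["illegal"] is not None))
    return events

def flag_sources(events, window=60, threshold=3):
    """Per source IP: total failures, accounts tried, and whether any `window`-second
    span contains at least `threshold` failures (the guessing-burst signature)."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ in events:
        by_ip[ip].append((ts, user))
    report = {}
    for ip, evs in by_ip.items():
        evs.sort()
        burst = any(
            sum(1 for t, _ in evs[i:] if (t - start).total_seconds() <= window) >= threshold
            for i, (start, _) in enumerate(evs)
        )
        report[ip] = {"failures": len(evs), "users": sorted({u for _, u in evs}), "burst": burst}
    return report
```

On the sample, 163.32.62.4 is reported with five failures across admin, guest, root and test and a burst, while the lone failure from 10.0.0.5 is not flagged.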