Re: Attempt of being hacked -- protection?

From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 11/08/05


Date: 8 Nov 2005 17:25:24 GMT

ultimatespamheap@yahoo.com writes:

>Hi all,

>Yesterday evening, I noticed network traffic going over my router and
>netstat showed five parallel ssh connections to the address
>host52.co.154.isl (different ports).

>I immediately pulled the network cable but was still worried that my
>system had been compromised. I then ran chkrootkit (from a parallel
>installation of another distro) but didn't find anything, but anyway, I
>now use the opportunity to change my passwords and upgrade to a newer
>distro version.

It possibly had, although you may have just seen those attempts in
progress.
I.e., if those ports changed on a few-second timescale, that was probably it.

>Today, I inspected /var/log/messages and found that some guy had
>started to systematically try to login under different user names (see
>below).

Yes. Common occurrence.

>My questions now are:

>(1) How can I protect myself from such an attack? Is there a
>possibility to configure the system so that it refuses any login
>attempt for, let's say a couple of hours, when such a systematic attack
>is detected? (at least the detection part should not be too hard).
>Also, a clear message informing the user about the ongoing attack would
>have been nice.

The danger you face is that that person will deny you the possibility of
logging in (repeated attempts from a spoofed machine you usually log in
from).
What kind of "clear message"? Do you really want all of those messages
showing up on your terminal?

Anyway, it is an attack using simple passwords. Make sure that all
passwords on your system are strong.

>(2) Can/should I report this abuse to the ISP in question? How?

You can try. Use whois to find out who the ISP is.

>(3) Are there any other security measures I should take now?

>Thanks for your help

>Nov 7 20:09:25 Dtop sshd[9359]: Invalid user linux from
>::ffff:61.63.154.52
>Nov 7 20:09:28 Dtop sshd[9361]: Invalid user unix from
>::ffff:61.63.154.52
>Nov 7 20:09:31 Dtop sshd[9363]: Invalid user webadmin from
>::ffff:61.63.154.52
>Nov 7 20:09:38 Dtop sshd[9367]: Invalid user test from
>::ffff:61.63.154.52
>Nov 7 20:09:44 Dtop sshd[9371]: Invalid user admin from
>::ffff:61.63.154.52
>Nov 7 20:09:47 Dtop sshd[9373]: Invalid user guest from
>::ffff:61.63.154.52
>Nov 7 20:09:50 Dtop sshd[9392]: Invalid user master from
>::ffff:61.63.154.52
>Nov 7 20:09:53 Dtop sshd[9396]: Invalid user apache from
>::ffff:61.63.154.52
>Nov 7 20:10:03 Dtop sshd[9402]: Invalid user network from
>::ffff:61.63.154.52
>Nov 7 20:10:06 Dtop sshd[9404]: Invalid user word from
>::ffff:61.63.154.52
>Nov 7 20:10:09 Dtop sshd[9406]: Invalid user fr from
>::ffff:61.63.154.52
>Nov 7 20:10:12 Dtop sshd[9408]: Invalid user west from
>::ffff:61.63.154.52
> <snip>
>Nov 7 20:21:38 Dtop sshd[10108]: Invalid user annelise from
>::ffff:61.63.154.52
>Nov 7 20:21:41 Dtop sshd[10110]: Invalid user annette from
>::ffff:61.63.154.52
>Nov 7 20:21:44 Dtop sshd[10112]: Invalid user anthony from
>::ffff:61.63.154.52
>Nov 7 20:21:47 Dtop sshd[10114]: Invalid user antoinette from
>::ffff:61.63.154.52
>Nov 7 20:21:50 Dtop sshd[10116]: Invalid user anton from
>::ffff:61.63.154.52
>Nov 7 20:21:53 Dtop sshd[10118]: Invalid user antonia from
>::ffff:61.63.154.52
>Nov 7 20:21:56 Dtop sshd[10120]: Invalid user antonie from
>::ffff:61.63.154.52
>Nov 7 20:21:59 Dtop sshd[10122]: Invalid user apollo from
>::ffff:61.63.154.52
>Nov 7 20:22:02 Dtop sshd[10124]: Invalid user april from
>::ffff:61.63.154.52
>Nov 7 20:24:03 Dtop sshd[10126]: fatal: Timeout before authentication
>for ::ffff:61.63.154.52
>Nov 7 20:28:01 Dtop sshd[7380]: Received signal 15; terminating.
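The detection-and-lockout idea raised in question (1), and the caveat in the reply about locking yourself out, as an added Python example (not code from either poster; this is what tools such as fail2ban automate). It scans sshd "Invalid user" lines, counts failures per source address in a sliding window, and decides which addresses would be blocked for a fixed period. The log excerpt, thresholds, the year used for parsing (syslog lines carry none), and the addresses (RFC 5737 documentation ranges) are all constructed for the example; the iptables rule is only printed, never executed, and hosts on the allowlist are never blocked, so a burst of failures that appears to come from your own workstation cannot lock you out.

```python
"""Sliding-window detector for sshd 'Invalid user' bursts.

Counts failed-login lines per source address, reports which addresses
exceed a threshold inside a short window, and ignores allowlisted sources
so that spoofed failures cannot deny you your own login.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt, modeled on the sshd lines quoted in the thread.
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Nov  7 20:09:25 Dtop sshd[9359]: Invalid user linux from ::ffff:192.0.2.10
Nov  7 20:09:28 Dtop sshd[9361]: Invalid user unix from ::ffff:192.0.2.10
Nov  7 20:09:31 Dtop sshd[9363]: Invalid user webadmin from ::ffff:192.0.2.10
Nov  7 20:09:35 Dtop sshd[9365]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Nov  7 20:09:38 Dtop sshd[9367]: Invalid user test from ::ffff:192.0.2.10
Nov  7 20:09:44 Dtop sshd[9371]: Invalid user admin from ::ffff:192.0.2.10
Nov  7 20:09:47 Dtop sshd[9373]: Invalid user guest from ::ffff:192.0.2.10
Nov  7 20:10:01 Dtop sshd[9390]: Invalid user bob from 198.51.100.7
Nov  7 20:10:03 Dtop sshd[9402]: Invalid user network from ::ffff:192.0.2.10
Nov  7 22:30:00 Dtop sshd[9900]: Invalid user root from ::ffff:192.0.2.10
"""

# Matches the 'Invalid user' form; the optional ::ffff: prefix is the
# IPv4-mapped IPv6 notation seen in the quoted log.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?:::ffff:)?(?P<ip>[0-9a-fA-F.:]+)"
)

WINDOW = timedelta(seconds=60)   # assumed: failures counted within this window
THRESHOLD = 5                    # assumed: failures in the window that trigger a block
BAN_TIME = timedelta(hours=2)    # "a couple of hours", as the question suggested
ALLOWLIST = {"198.51.100.7"}     # constructed: a host you normally log in from
YEAR = 2005                      # assumed: syslog timestamps carry no year


def parse_failures(text):
    """Yield (timestamp, ip, user) for each 'Invalid user' line; skip all others."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())          # collapse the padded day field
        ts = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bursts(text, window=WINDOW, threshold=THRESHOLD,
                  ban_time=BAN_TIME, allowlist=ALLOWLIST):
    """Return a list of (ip, ban_start, ban_end) decisions in log order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned_until = {}             # ip -> end of the current ban
    bans = []
    for ts, ip, _user in parse_failures(text):
        if ip in allowlist:
            continue              # never lock out a trusted source
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already blocked; nothing new to decide
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            q.clear()             # start counting afresh once the ban expires
    return bans


def block_rule(ip):
    """Standard iptables command that would drop new SSH connections from ip.
    Returned as a string for review; this example never executes it."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


if __name__ == "__main__":
    for ip, start, end in detect_bursts(SAMPLE_LOG):
        print(f"{start:%b %d %H:%M:%S}: {ip} reached {THRESHOLD} failures, "
              f"block until {end:%H:%M:%S}")
        print("   ", block_rule(ip))
```

On the sample the attacking address is flagged at its fifth failure (20:09:44) and its later lines are ignored until the two-hour ban lapses, while the single failure from the allowlisted host is never counted. A real deployment would also need an expiry job that removes the rule, which is the other half of what fail2ban does.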


