Re: More SSH 'trolling'

Brian Fahrlander wrote:
    I just got a notice from LogWatch with the dire warning "POSSIBLE
BREAKIN ATTEMPT!".  Quite a lot of them, too.  I'm already disabling the
root login and have /etc/hosts.allow turning away 'unknown' addresses.
(This version uses that, right? It's unmodified...)

    The typical entry looks like this:
Oct 13 06:33:14 fahrlander sshd[13361]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
Oct 13 06:33:14 fahrlander sshd[13361]: Did not receive identification string from
Oct 13 06:53:08 fahrlander sshd[13468]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
Oct 13 06:53:09 fahrlander sshd[13468]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:09 fahrlander sshd[13468]: User nobody not allowed because not listed in AllowUsers
Oct 13 06:53:09 fahrlander sshd[13469]: input_userauth_request: illegal user nobody

    And this site hit me 40-50 times trying various usernames, including
'root' quite a lot. Other names such as patrick, nobody, wwwrun, www,
cyrus, horde, iceuser, rolo...it doesn't look like anything that, say,
Cisco would use on their factory defaults.  They also don't look like a
set of names _I_ would use, so they probably don't know _me_.  Times
range from 0633-0654...

Some questions:

- Anyone else getting this?

Oh, yes; lots of them.

    - Wouldn't these connections just get dumped because their forward
and reverse addresses don't match?

- Does anyone recognize these usernames?

They appear to be scripted attacks from compromised Linux machines:

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-10-14 14:12 CDT
Interesting ports on 170.67-19-122.reverse.theplanet.com (
(The 1632 ports scanned but not shown below are in state: closed)
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
53/tcp   filtered domain
80/tcp   open     http
106/tcp  open     pop3pw
110/tcp  open     pop3
111/tcp  open     rpcbind
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
465/tcp  open     smtps
993/tcp  open     imaps
995/tcp  open     pop3s
1027/tcp open     IIS
1040/tcp open     netsaint
1080/tcp filtered socks
1434/tcp filtered ms-sql-m
2005/tcp open     deslogin
2121/tcp open     ccproxy-ftp
3128/tcp filtered squid-http
3306/tcp open     mysql
6969/tcp filtered acmsoda
8009/tcp open     ajp13
8080/tcp open     http-proxy
8443/tcp open     https-alt
9999/tcp open     abyss
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.6 - 2.4.21
Uptime 15.359 days (since Wed Sep 29 05:34:57 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 13.940 seconds

Like I said, I've seen plenty of similar attempts from many different IP addresses and geographic locations. The similarities between the attacks (same sequence of user names) lead me to believe that these are scripted attacks rather than somebody sitting at the console directing the attack.

I've taken to forwarding the logs from such attacks to the service provider, in this case:

	OrgName:    ThePlanet.com Internet Services, Inc.
	OrgID:      TPCM
	Address:    1333 North Stemmons Freeway
	Address:    Suite 110
	City:       Dallas
	StateProv:  TX
	PostalCode: 75207
	Country:    US


	TechHandle: PP46-ARIN
	TechName:   Pathos, Peter
	TechPhone:  +1-214-782-7800
	TechEmail:  abuse theplanet com

	OrgAbuseHandle: ABUSE271-ARIN
	OrgAbuseName:   Abuse
	OrgAbusePhone:  +1-214-782-7802
	OrgAbuseEmail:  abuse theplanet com

Often I get a response that the owner of the machine in question has been contacted and taken it off-line.


-John (john os2 dhs org)
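As an added example (not part of the thread or either poster's own tooling), the script below reads sshd lines in the format quoted above and flags source hosts that cycle through several usernames in a short window, which is the scripted pattern John describes. The sample log is constructed from the lines in the post; the host other.example.net, the user brian and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the sshd lines quoted in the thread.
SAMPLE_LOG = """\
Oct 13 06:53:09 fahrlander sshd[13468]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:09 fahrlander sshd[13468]: User nobody not allowed because not listed in AllowUsers
Oct 13 06:53:09 fahrlander sshd[13469]: input_userauth_request: illegal user nobody
Oct 13 06:53:31 fahrlander sshd[13470]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:31 fahrlander sshd[13470]: User patrick not allowed because not listed in AllowUsers
Oct 13 06:54:10 fahrlander sshd[13474]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:54:10 fahrlander sshd[13474]: User root not allowed because not listed in AllowUsers
Oct 13 09:15:02 fahrlander sshd[13600]: reverse mapping checking getaddrinfo for other.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 09:15:02 fahrlander sshd[13600]: User brian not allowed because not listed in AllowUsers
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
HOST_RE = re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed")
USER_RE = re.compile(r"User (\S+) not allowed because not listed in AllowUsers")


def parse_attempts(log_text):
    # The reverse-mapping warning and the AllowUsers rejection come from the same
    # sshd child and share its PID, so join on PID; 'illegal user' lines are skipped.
    host_by_pid = {}
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        stamp, pid, msg = m.groups()
        if h := HOST_RE.search(msg):
            host_by_pid[pid] = h.group(1)
        elif (u := USER_RE.search(msg)) and pid in host_by_pid:
            when = datetime.strptime(stamp, "%b %d %H:%M:%S")  # no year: 1900 is fine for deltas
            yield when, host_by_pid.pop(pid), u.group(1)


def suspicious_hosts(log_text, min_users=3, window_seconds=1800):
    # Flag hosts trying at least min_users distinct names within one window:
    # the scripted dictionary pattern John describes, as opposed to a stray typo.
    attempts = defaultdict(list)
    for when, host, user in parse_attempts(log_text):
        attempts[host].append((when, user))
    flagged = {}
    for host, tries in attempts.items():
        tries.sort()
        for i, (start, _) in enumerate(tries):
            names = {u for t, u in tries[i:] if (t - start).total_seconds() <= window_seconds}
            if len(names) >= min_users:
                flagged[host] = sorted(names)
                break
    return flagged
```

The flagged dictionary is what you would attach to an abuse report to the provider, as John does; a single rejected name from a host stays unflagged so one mistyped login does not generate a complaint.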

