Re: More SSH 'trolling'

[John Thompson <JohnThompson new rr com>]

Brian Fahrlander wrote:
>     I just got a notice from LogWatch with the dire warning "POSSIBLE
> BREAKIN ATTEMPT!".  Quite a lot of them, too.  I'm already disabling the
> root login and have /etc/hosts.allow turning away 'unknown' addresses.
> (This version uses that, right? It's unmodified...)
>
>     The typical entry looks like this:
> Oct 13 06:33:14 fahrlander sshd[13361]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
> Oct 13 06:33:14 fahrlander sshd[13361]: Did not receive identification string from 67.19.122.170
> Oct 13 06:53:08 fahrlander sshd[13468]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
> Oct 13 06:53:09 fahrlander sshd[13468]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> Oct 13 06:53:09 fahrlander sshd[13468]: User nobody not allowed because not listed in AllowUsers
> Oct 13 06:53:09 fahrlander sshd[13469]: input_userauth_request: illegal user nobody
>
>     And this site hit me 40-50 times trying various usernames, including
> 'root' quite a lot. Other names such as patrick, nobody, wwwrun, www,
> cyrus, horde, iceuser, rolo...it doesn't look like anything that, say,
> Cisco would use on their factory defaults.  They also don't look like a
> set of names _I_ would use, so they probably don't know _me_.  Times
> range from 0633-0654...
>
>     Some questions:
>
>     - Anyone else getting this?

Oh, yes; lots of them.

>     - Wouldn't these connections just get dumped because their forward
> and reverse addresses don't match?
>
>     - Does anyone recognize these usernames?

They appear to be scripted attacks from compromised linux machines:

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-10-14 14:12 CDT
Interesting ports on 170.67-19-122.reverse.theplanet.com (67.19.122.170):
(The 1632 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
53/tcp   filtered domain
80/tcp   open     http
106/tcp  open     pop3pw
110/tcp  open     pop3
111/tcp  open     rpcbind
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
465/tcp  open     smtps
993/tcp  open     imaps
995/tcp  open     pop3s
1027/tcp open     IIS
1040/tcp open     netsaint
1080/tcp filtered socks
1434/tcp filtered ms-sql-m
2005/tcp open     deslogin
2121/tcp open     ccproxy-ftp
3128/tcp filtered squid-http
3306/tcp open     mysql
6969/tcp filtered acmsoda
8009/tcp open     ajp13
8080/tcp open     http-proxy
8443/tcp open     https-alt
9999/tcp open     abyss
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.6 - 2.4.21
Uptime 15.359 days (since Wed Sep 29 05:34:57 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 13.940 seconds

Like I said, I've seen plenty of similar attempts from many different IP 
addresses and geographic locations. The similarities between the attacks 
(same sequence of user names) leads me to believe that are scripted 
attacks rather than somebody sitting at the console directing the attack.

I've taken to forwarding the logs from such attacks to the service 
provider, in this case:

	OrgName:    ThePlanet.com Internet Services, Inc.
	OrgID:      TPCM
	Address:    1333 North Stemmons Freeway
	Address:    Suite 110
	City:       Dallas
	StateProv:  TX
	PostalCode: 75207
	Country:    US

	[...]

	TechHandle: PP46-ARIN
	TechName:   Pathos, Peter
	TechPhone:  +1-214-782-7800
	TechEmail:  abuse theplanet com

	OrgAbuseHandle: ABUSE271-ARIN
	OrgAbuseName:   Abuse
	OrgAbusePhone:  +1-214-782-7802
	OrgAbuseEmail:  abuse theplanet com

Often I get a response that the owner of the machine in question has 
been contacted and taken it off-line.


--

-John (john os2 dhs org)