More SSH 'trolling'

John Thompson JohnThompson at new.rr.com
Thu Oct 14 19:18:43 UTC 2004


Brian Fahrlander wrote:
>     I just got a notice from LogWatch with the dire warning "POSSIBLE
> BREAKIN ATTEMPT!".  Quite a lot of them, too.  I'm already disabling the
> root login and have /etc/hosts.allow turning away 'unknown' addresses.
> (This version uses that, right? It's unmodified...)
> 
>     The typical entry looks like this:
> Oct 13 06:33:14 fahrlander sshd[13361]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
> Oct 13 06:33:14 fahrlander sshd[13361]: Did not receive identification string from 67.19.122.170
> Oct 13 06:53:08 fahrlander sshd[13468]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
> Oct 13 06:53:09 fahrlander sshd[13468]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> Oct 13 06:53:09 fahrlander sshd[13468]: User nobody not allowed because not listed in AllowUsers
> Oct 13 06:53:09 fahrlander sshd[13469]: input_userauth_request: illegal user nobody
> 
>     And this site hit me 40-50 times trying various usernames, including
> 'root' quite a lot. Other names such as patrick, nobody, wwwrun, www,
> cyrus, horde, iceuser, rolo...it doesn't look like anything that, say,
> Cisco would use on their factory defaults.  They also don't look like a
> set of names _I_ would use, so they probably don't know _me_.  Times
> range from 0633-0654...
> 
>     Some questions:
> 
>     - Anyone else getting this?

Oh, yes; lots of them.

>     - Wouldn't these connections just get dumped because their forward
> and reverse addresses don't match?
> 
>     - Does anyone recognize these usernames?

They appear to be scripted attacks from compromised Linux machines:

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-10-14 14:12 CDT
Interesting ports on 170.67-19-122.reverse.theplanet.com (67.19.122.170):
(The 1632 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
53/tcp   filtered domain
80/tcp   open     http
106/tcp  open     pop3pw
110/tcp  open     pop3
111/tcp  open     rpcbind
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
465/tcp  open     smtps
993/tcp  open     imaps
995/tcp  open     pop3s
1027/tcp open     IIS
1040/tcp open     netsaint
1080/tcp filtered socks
1434/tcp filtered ms-sql-m
2005/tcp open     deslogin
2121/tcp open     ccproxy-ftp
3128/tcp filtered squid-http
3306/tcp open     mysql
6969/tcp filtered acmsoda
8009/tcp open     ajp13
8080/tcp open     http-proxy
8443/tcp open     https-alt
9999/tcp open     abyss
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.6 - 2.4.21
Uptime 15.359 days (since Wed Sep 29 05:34:57 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 13.940 seconds

Like I said, I've seen plenty of similar attempts from many different IP 
addresses and geographic locations. The similarities between the attacks 
(same sequence of user names) lead me to believe that they are scripted 
attacks rather than somebody sitting at the console directing the attack.

I've taken to forwarding the logs from such attacks to the service 
provider, in this case:

	OrgName:    ThePlanet.com Internet Services, Inc.
	OrgID:      TPCM
	Address:    1333 North Stemmons Freeway
	Address:    Suite 110
	City:       Dallas
	StateProv:  TX
	PostalCode: 75207
	Country:    US

	[...]

	TechHandle: PP46-ARIN
	TechName:   Pathos, Peter
	TechPhone:  +1-214-782-7800
	TechEmail:  abuse at theplanet.com

	OrgAbuseHandle: ABUSE271-ARIN
	OrgAbuseName:   Abuse
	OrgAbusePhone:  +1-214-782-7802
	OrgAbuseEmail:  abuse at theplanet.com

Often I get a response that the owner of the machine in question has 
been contacted and taken it off-line.


-- 

-John (john at os2.dhs.org)
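An added illustration, not part of the thread or either poster's own tooling: a small Python script that does what LogWatch and John's abuse reports do by hand. It groups sshd lines by connection (the sshd PID), ties the rejected usernames to the peer that sent them, folds the unverifiable reverse name back onto the IP seen on the same connection, and flags a peer that cycles through several different usernames, which is the scripted-dictionary pattern Brian describes. The sample log lines are constructed from the entries quoted above (the final "Accepted publickey" line is a made-up legitimate login, included to show it is not flagged); the `summarize`/`abuse_report` names and the three-username threshold are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample sshd log excerpt, modelled on the entries quoted in the thread
# (the last line is a made-up legitimate login, to show it is not flagged).
SAMPLE_LOG = """\
Oct 13 06:33:14 fahrlander sshd[13361]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
Oct 13 06:33:14 fahrlander sshd[13361]: Did not receive identification string from 67.19.122.170
Oct 13 06:53:08 fahrlander sshd[13468]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
Oct 13 06:53:09 fahrlander sshd[13468]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:09 fahrlander sshd[13468]: User nobody not allowed because not listed in AllowUsers
Oct 13 06:53:09 fahrlander sshd[13469]: input_userauth_request: illegal user nobody
Oct 13 06:53:40 fahrlander sshd[13470]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:40 fahrlander sshd[13470]: User patrick not allowed because not listed in AllowUsers
Oct 13 06:54:02 fahrlander sshd[13472]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:54:02 fahrlander sshd[13472]: User wwwrun not allowed because not listed in AllowUsers
Oct 13 06:54:21 fahrlander sshd[13474]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:54:21 fahrlander sshd[13474]: User cyrus not allowed because not listed in AllowUsers
Oct 13 09:10:05 fahrlander sshd[14001]: Accepted publickey for john from 192.0.2.10 port 51022 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IP_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")
# Ways a line names the peer: a literal "from <ip>", or the hostname sshd
# tried (and failed) to verify.  Either identifies the same remote host.
SOURCE_RES = [
    re.compile(r"from (?P<src>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"reverse mapping checking getaddrinfo for (?P<src>\S+) failed"),
    re.compile(r"getaddrinfo\((?P<src>[^,]+), AF_INET\)"),
]
# Lines that record a username being tried and rejected.
USER_RES = [
    re.compile(r"^User (?P<user>\S+) not allowed because not listed in AllowUsers"),
    re.compile(r"illegal user (?P<user>\S+)"),
]


def summarize(log_text, min_distinct_users=3):
    """Group sshd lines by connection (the sshd PID), tie rejected usernames
    to the peer that sent them, and flag peers that cycle through many names."""
    sessions = defaultdict(lambda: {"sources": set(), "users": [], "lines": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sess = sessions[m["pid"]]
        sess["lines"].append(line)
        for rx in SOURCE_RES:
            hit = rx.search(m["msg"])
            if hit:
                sess["sources"].add(hit["src"])
        for rx in USER_RES:
            hit = rx.search(m["msg"])
            if hit:
                sess["users"].append(hit["user"])

    # When one connection logged both a hostname and an IP, treat the hostname
    # as an alias of that IP so later hostname-only lines group with it.
    alias = {}
    for sess in sessions.values():
        ips = sorted(s for s in sess["sources"] if IP_RE.match(s))
        if ips:
            for s in sess["sources"]:
                alias.setdefault(s, ips[0])

    peers = {}
    for sess in sessions.values():
        if not sess["users"]:
            continue  # nothing was tried on this connection
        names = sorted({alias.get(s, s) for s in sess["sources"]})
        # The child sshd process logs "illegal user" without an address and under
        # a different PID, so that line alone cannot be tied to a peer.
        key = names[0] if names else "unattributed"
        p = peers.setdefault(key, {"attempts": 0, "users": set(), "lines": []})
        p["attempts"] += len(sess["users"])
        p["users"].update(sess["users"])
        p["lines"].extend(sess["lines"])
    for p in peers.values():
        p["suspicious"] = len(p["users"]) >= min_distinct_users
    return peers


def abuse_report(peers, peer):
    """Render the evidence for one peer in the form you would forward to its provider."""
    p = peers[peer]
    header = (f"Source {peer}: {p['attempts']} rejected login attempts, "
              f"{len(p['users'])} distinct usernames ({', '.join(sorted(p['users']))})")
    return "\n".join([header, ""] + p["lines"])


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for peer, info in result.items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{flag:10} {peer}: {info['attempts']} attempts, users={sorted(info['users'])}")
    for peer, info in result.items():
        if info["suspicious"]:
            print()
            print(abuse_report(result, peer))
```

Run it against a real /var/log/secure (or whatever syslog writes sshd to) by passing the file contents to `summarize`. The per-PID grouping matters because the address and the rejected username are usually on different lines; the alias step is what makes the "reverse mapping ... failed" entries, which name the peer only by its unverifiable hostname, land under the same IP that appears in the "Did not receive identification string" line. The "illegal user" line from the child process carries neither, so it is reported separately as unattributed rather than guessed at.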
