[K12OSN] Help: System intrusion through ssh and a weak password

Jim Christiansen jim.c.christiansen at gmail.com
Fri May 4 21:15:52 UTC 2007


Hello All-  I've got a problem here with 3 complaints from our school's
internet provider.  All of them have been brute force attacks to other
systems in the world...

Here is a clip from one log sent to me:
| Tag Name | Status | Severity | Event Count | Source Count | Target Count | Object Count | Earliest Event | Latest Event |
| SSH_Brute_Force | Attack failure (blocked by Proventia appliance) | High | 128198 | 1 | 18723 | 1 | 2007-05-03 06:00:00 PDT | 2007-05-04 09:00:00 PDT |
| HTTP_IIS_Unicode_Wide_Encoding | Detected attack (vuln not scanned recently) | High | 50 | 1 | 20 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-03 14:00:00 PDT |
| SSH_ChallengeResponse_Bo | Attack failure (blocked by Proventia appliance) | High | 5 | 1 | 5 | 1 | 2007-05-03 22:00:00 PDT | 2007-05-04 08:00:00 PDT |
| HTTP_cookieOverflow | Detected attack (vuln not scanned recently) | High | 2 | 1 | 1 | 1 | 2007-05-02 14:00:00 PDT | 2007-05-02 14:00:00 PDT |
| SSH_Vulnerable_OpenSSH | Detected event | Medium | 7067 | 1 | 235 | 1 | 2007-05-03 06:00:00 PDT | 2007-05-04 08:00:00 PDT |
| HTTP_IIS_Double_Eval_Evasion | Detected event | Medium | 112 | 1 | 20 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 09:00:00 PDT |
| HTTP_IIS_Percent_Evasion | Detected event | Medium | 46 | 1 | 18 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 09:00:00 PDT |
| HTTP_Proxy_Cache_Poisoning | Attack failure (blocked by Proventia appliance) | Medium | 39 | 1 | 15 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 08:00:00 PDT |

Here is a clip from the first log sent to me:

| SSH_Brute_Force | 15690 | 2007-05-03 05:17:37 | 2007-05-03 10:43:27 |
| TCP_Service_Sweep | 471 | 2007-05-03 05:18:10 | 2007-05-03 11:50:14 |
| HTTP_Proxy_Cache_Poisoning | 5 | 2007-05-02 12:42:36 | 2007-05-03 11:39:10 |
+-----------------------------------+--------------+----------------------+----------------------+

Top 20 Events for SSH_Brute_Force Total Count 15690
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
+ Source Address + Dest Address + SPort + DPort + Count + Min Time(PST) + Max Time(PST) +
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
| 142.26.181.80 | 66.221.9.56 | 0 | 22 | 447 | 2007-05-03 05:28:08 | 2007-05-03 06:16:10 |
| 142.26.181.80 | 66.221.95.3 | 0 | 22 | 421 | 2007-05-03 05:37:05 | 2007-05-03 06:27:41 |
| 142.26.181.80 | 66.221.94.120 | 0 | 22 | 403 | 2007-05-03 05:41:28 | 2007-05-03 06:29:37 |
| 142.26.181.80 | 66.221.95.148 | 0 | 22 | 364 | 2007-05-03 05:29:36 | 2007-05-03 06:28:44 |
| 142.26.181.80 | 66.221.91.216 | 0 | 22 | 325 | 2007-05-03 05:36:06 | 2007-05-03 06:06:58 |
| 142.26.181.80 | 66.221.91.169 | 0 | 22 | 302 | 2007-05-03 05:41:13 | 2007-05-03 06:29:07 |
| 142.26.181.80 | 66.221.91.190 | 0 | 22 | 284 | 2007-05-03 05:28:54 | 2007-05-03 06:04:53 |
| 142.26.181.80 | 66.221.90.87 | 0 | 22 | 258 | 2007-05-03 05:44:23 | 2007-05-03 06:15:11 |
| 142.26.181.80 | 66.221.90.180 | 0 | 22 | 202 | 2007-05-03 05:33:38 | 2007-05-03 05:51:53 |
| 142.26.181.80 | 66.221.92.31 | 0 | 22 | 181 | 2007-05-03 05:30:57 | 2007-05-03 06:09:46 |
| 142.26.181.80 | 66.221.95.24 | 0 | 22 | 180 | 2007-05-03 05:42:34 | 2007-05-03 06:05:13 |
| 142.26.181.80 | 66.221.91.186 | 0 | 22 | 179 | 2007-05-03 06:04:53 | 2007-05-03 06:28:27 |
| 142.26.181.80 | 66.221.94.240 | 0 | 22 | 175 | 2007-05-03 05:42:45 | 2007-05-03 06:11:20 |
| 142.26.181.80 | 66.221.84.109 | 0 | 22 | 163 | 2007-05-03 05:28:01 | 2007-05-03 06:11:30 |
| 142.26.181.80 | 66.221.87.194 | 0 | 22 | 139 | 2007-05-03 05:46:59 | 2007-05-03 06:09:38 |
| 142.26.181.80 | 66.221.91.218 | 0 | 22 | 137 | 2007-05-03 05:33:31 | 2007-05-03 06:01:05 |
| 142.26.181.80 | 66.221.92.112 | 0 | 22 | 136 | 2007-05-03 05:27:47 | 2007-05-03 06:06:57 |
| 142.26.181.80 | 66.221.89.69 | 0 | 22 | 134 | 2007-05-03 05:30:01 | 2007-05-03 06:07:31 |
| 142.26.181.80 | 66.221.95.97 | 0 | 22 | 127 | 2007-05-03 05:45:18 | 2007-05-03 05:59:54 |
| 142.26.181.80 | 66.221.94.204 | 0 | 22 | 125 | 2007-05-03 05:40:19 | 2007-05-03 05:53:41 |
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+

Top 20 Events for TCP_Service_Sweep Total Count 471

I found files in /dev/shm/zH and /dev/shm/.info.  They don't belong and
didn't have root access??  Standard user access belonging to username
'josh'...  I didn't think /dev was writable...???

I've cleaned it out and have had a ton of ports blocked...
Any help would be welcomed.

Thanks,  Jim
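Editor's note, added example, not part of Jim's post: the two findings above (one source address hammering port 22 across many hosts in the provider's "Top 20 Events" report, and files owned by an ordinary user turning up in /dev/shm) are the kind of thing a small school admin can triage with a short script. The code below is constructed for this page; the sample report rows mirror the pipe-delimited layout quoted above but use RFC 5737 documentation addresses, and the function names (parse_report, summarize_by_source, flag_brute_force_sources, audit_shm) are hypothetical. It parses the report, aggregates attempts per source toward a given port, flags sources whose volume and spread look like an automated sweep, and lists entries in a /dev/shm-style directory that are owned by someone other than the expected user, executable, or hidden.

```python
"""Triage helpers for an IDS "Top 20 Events" report and a /dev/shm audit.
Added example for this page; sample rows are constructed (RFC 5737 addresses)."""
import os
import stat
from datetime import datetime

# Constructed rows in the layout of the provider's report quoted in the post.
SAMPLE_REPORT = """\
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
| Source Address | Dest Address | SPort | DPort | Count | Min Time(PST) | Max Time(PST) |
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
| 192.0.2.10 | 198.51.100.5 | 0 | 22 | 447 | 2007-05-03 05:28:08 | 2007-05-03 06:16:10 |
| 192.0.2.10 | 198.51.100.6 | 0 | 22 | 421 | 2007-05-03 05:37:05 | 2007-05-03 06:27:41 |
| 192.0.2.10 | 198.51.100.7 | 0 | 22 | 403 | 2007-05-03 05:41:28 | 2007-05-03 06:29:37 |
| 192.0.2.77 | 198.51.100.9 | 0 | 22 | 3 | 2007-05-03 05:50:00 | 2007-05-03 05:50:30 |
| 192.0.2.10 | 198.51.100.8 | 0 | 80 | 12 | 2007-05-03 05:00:00 | 2007-05-03 05:01:00 |
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_report(text):
    """Return one dict per data row; border lines and the header row are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # "+----" borders and free text
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 7 or cells[0] == "Source Address":
            continue  # malformed row or the column header
        src, dst, sport, dport, count, first, last = cells
        rows.append({
            "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport), "count": int(count),
            "first": datetime.strptime(first, TIME_FMT),
            "last": datetime.strptime(last, TIME_FMT),
        })
    return rows


def summarize_by_source(rows, dport=22):
    """Per source address: total attempts, distinct targets, time window, rate/minute."""
    agg = {}
    for r in rows:
        if r["dport"] != dport:
            continue
        s = agg.setdefault(r["src"], {"attempts": 0, "targets": set(),
                                      "first": r["first"], "last": r["last"]})
        s["attempts"] += r["count"]
        s["targets"].add(r["dst"])
        s["first"] = min(s["first"], r["first"])
        s["last"] = max(s["last"], r["last"])
    for s in agg.values():
        # Floor the window at one minute so a single burst does not divide by ~0.
        minutes = max((s["last"] - s["first"]).total_seconds() / 60.0, 1.0)
        s["targets"] = len(s["targets"])
        s["per_minute"] = round(s["attempts"] / minutes, 1)
    return agg


def flag_brute_force_sources(summary, min_attempts=100, min_targets=3):
    """Sources with both high volume and many targets, highest volume first.
    One user mistyping a password hits one host a few times; a sweep does not."""
    hits = [src for src, s in summary.items()
            if s["attempts"] >= min_attempts and s["targets"] >= min_targets]
    return sorted(hits, key=lambda src: summary[src]["attempts"], reverse=True)


def audit_shm(path="/dev/shm", expected_uid=0):
    """List entries that are owned by someone other than expected_uid, are executable
    regular files, or are hidden. /dev/shm is a tmpfs normally mounted mode 1777, so
    any local account can write there; that alone is not a compromise, but such
    files are unusual on a server and deserve a look."""
    findings = []
    for entry in os.scandir(path):
        st = entry.stat(follow_symlinks=False)
        reasons = []
        if st.st_uid != expected_uid:
            reasons.append("owner uid %d" % st.st_uid)
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
            reasons.append("executable")
        if entry.name.startswith("."):
            reasons.append("hidden")
        if reasons:
            findings.append((entry.path, ", ".join(reasons)))
    return sorted(findings)


if __name__ == "__main__":
    summary = summarize_by_source(parse_report(SAMPLE_REPORT))
    for src in flag_brute_force_sources(summary):
        s = summary[src]
        print("%s: %d attempts on %d hosts, %.1f/min between %s and %s"
              % (src, s["attempts"], s["targets"], s["per_minute"], s["first"], s["last"]))
    for path, why in audit_shm():
        print("%s: %s" % (path, why))
```

On the constructed rows the script reports 192.0.2.10 with 1271 attempts against three hosts and ignores the low-volume source and the port 80 row; run against the report in the post it would single out 142.26.181.80 the same way. The /dev/shm check takes the expected owner as a parameter because on a desktop the directory legitimately holds user-owned files, whereas on a server used only over SSH anything there that is not root-owned is worth explaining.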