[K12OSN] Help: System intrusion through ssh and a weak password
Jim Christiansen
jim.c.christiansen at gmail.com
Fri May 4 21:15:52 UTC 2007
Hello All- I've got a problem here with 3 complaints from our school's
internet provider. All of them have been brute force attacks to other
systems in the world...
Here is a clip from one log sent to me:
| Tag Name | Status | Severity | Event Count | Source Count | Target Count | Object Count | Earliest Event | Latest Event |
| SSH_Brute_Force | Attack failure (blocked by Proventia appliance) | High | 128198 | 1 | 18723 | 1 | 2007-05-03 06:00:00 PDT | 2007-05-04 09:00:00 PDT |
| HTTP_IIS_Unicode_Wide_Encoding | Detected attack (vuln not scanned recently) | High | 50 | 1 | 20 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-03 14:00:00 PDT |
| SSH_ChallengeResponse_Bo | Attack failure (blocked by Proventia appliance) | High | 5 | 1 | 5 | 1 | 2007-05-03 22:00:00 PDT | 2007-05-04 08:00:00 PDT |
| HTTP_cookieOverflow | Detected attack (vuln not scanned recently) | High | 2 | 1 | 1 | 1 | 2007-05-02 14:00:00 PDT | 2007-05-02 14:00:00 PDT |
| SSH_Vulnerable_OpenSSH | Detected event | Medium | 7067 | 1 | 235 | 1 | 2007-05-03 06:00:00 PDT | 2007-05-04 08:00:00 PDT |
| HTTP_IIS_Double_Eval_Evasion | Detected event | Medium | 112 | 1 | 20 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 09:00:00 PDT |
| HTTP_IIS_Percent_Evasion | Detected event | Medium | 46 | 1 | 18 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 09:00:00 PDT |
| HTTP_Proxy_Cache_Poisoning | Attack failure (blocked by Proventia appliance) | Medium | 39 | 1 | 15 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 08:00:00 PDT |
Here is a clip from the first log sent to me:
| SSH_Brute_Force | 15690 | 2007-05-03 05:17:37 | 2007-05-03 10:43:27 |
| TCP_Service_Sweep | 471 | 2007-05-03 05:18:10 | 2007-05-03 11:50:14 |
| HTTP_Proxy_Cache_Poisoning | 5 | 2007-05-02 12:42:36 | 2007-05-03 11:39:10 |
+-----------------------------------+--------------+----------------------+----------------------+
Top 20 Events for SSH_Brute_Force Total Count 15690
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
+ Source Address    + Dest Address       + SPort    + DPort    + Count        + Min Time(PST)        + Max Time(PST)        +
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
| 142.26.181.80 | 66.221.9.56 | 0 | 22 | 447 | 2007-05-03 05:28:08 | 2007-05-03 06:16:10 |
| 142.26.181.80 | 66.221.95.3 | 0 | 22 | 421 | 2007-05-03 05:37:05 | 2007-05-03 06:27:41 |
| 142.26.181.80 | 66.221.94.120 | 0 | 22 | 403 | 2007-05-03 05:41:28 | 2007-05-03 06:29:37 |
| 142.26.181.80 | 66.221.95.148 | 0 | 22 | 364 | 2007-05-03 05:29:36 | 2007-05-03 06:28:44 |
| 142.26.181.80 | 66.221.91.216 | 0 | 22 | 325 | 2007-05-03 05:36:06 | 2007-05-03 06:06:58 |
| 142.26.181.80 | 66.221.91.169 | 0 | 22 | 302 | 2007-05-03 05:41:13 | 2007-05-03 06:29:07 |
| 142.26.181.80 | 66.221.91.190 | 0 | 22 | 284 | 2007-05-03 05:28:54 | 2007-05-03 06:04:53 |
| 142.26.181.80 | 66.221.90.87 | 0 | 22 | 258 | 2007-05-03 05:44:23 | 2007-05-03 06:15:11 |
| 142.26.181.80 | 66.221.90.180 | 0 | 22 | 202 | 2007-05-03 05:33:38 | 2007-05-03 05:51:53 |
| 142.26.181.80 | 66.221.92.31 | 0 | 22 | 181 | 2007-05-03 05:30:57 | 2007-05-03 06:09:46 |
| 142.26.181.80 | 66.221.95.24 | 0 | 22 | 180 | 2007-05-03 05:42:34 | 2007-05-03 06:05:13 |
| 142.26.181.80 | 66.221.91.186 | 0 | 22 | 179 | 2007-05-03 06:04:53 | 2007-05-03 06:28:27 |
| 142.26.181.80 | 66.221.94.240 | 0 | 22 | 175 | 2007-05-03 05:42:45 | 2007-05-03 06:11:20 |
| 142.26.181.80 | 66.221.84.109 | 0 | 22 | 163 | 2007-05-03 05:28:01 | 2007-05-03 06:11:30 |
| 142.26.181.80 | 66.221.87.194 | 0 | 22 | 139 | 2007-05-03 05:46:59 | 2007-05-03 06:09:38 |
| 142.26.181.80 | 66.221.91.218 | 0 | 22 | 137 | 2007-05-03 05:33:31 | 2007-05-03 06:01:05 |
| 142.26.181.80 | 66.221.92.112 | 0 | 22 | 136 | 2007-05-03 05:27:47 | 2007-05-03 06:06:57 |
| 142.26.181.80 | 66.221.89.69 | 0 | 22 | 134 | 2007-05-03 05:30:01 | 2007-05-03 06:07:31 |
| 142.26.181.80 | 66.221.95.97 | 0 | 22 | 127 | 2007-05-03 05:45:18 | 2007-05-03 05:59:54 |
| 142.26.181.80 | 66.221.94.204 | 0 | 22 | 125 | 2007-05-03 05:40:19 | 2007-05-03 05:53:41 |
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
Top 20 Events for TCP_Service_Sweep Total Count 471
I found files in /dev/shm/zH and /dev/shm/.info. They don't belong, and they
didn't have root access?? Standard user access belonging to username
'josh'... I didn't think /dev was writable...???
I've cleaned it out and have had a ton of ports blocked...
Any help would be welcomed.
Thanks, Jim
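The "Top 20 Events" table above is the shape of evidence a provider typically sends: one source address, many distinct destination hosts, destination port 22 on every row. The following Python script is an added example, not part of Jim's post or the K12OSN archive; it parses rows in that pipe-delimited layout and flags any source that sweeps SSH across several hosts, which is how a compromised machine running an outbound brute-force tool stands out in a flow or IDS export. The three 142.26.181.80 rows are copied from the report above; the 10.0.0.5 row is constructed as a benign control, and the thresholds (3 targets, 100 attempts) are assumptions to tune for your own network.

```python
"""Flag sources that hammer port 22 on many distinct hosts in an IDS
'Top N Events' export laid out as: | src | dst | sport | dport | count | min time | max time |
"""
from collections import defaultdict
from datetime import datetime

# Rows in the layout of the report quoted in the post. The first three are the
# report's own rows; the 10.0.0.5 row is constructed as a benign control.
SAMPLE_ROWS = """\
+-------------------+--------------------+----------+----------+--------------+
| 142.26.181.80 | 66.221.9.56 | 0 | 22 | 447 | 2007-05-03 05:28:08 | 2007-05-03 06:16:10 |
| 142.26.181.80 | 66.221.95.3 | 0 | 22 | 421 | 2007-05-03 05:37:05 | 2007-05-03 06:27:41 |
| 142.26.181.80 | 66.221.94.120 | 0 | 22 | 403 | 2007-05-03 05:41:28 | 2007-05-03 06:29:37 |
| 10.0.0.5 | 66.221.9.56 | 0 | 22 | 3 | 2007-05-03 07:00:00 | 2007-05-03 07:01:00 |
+-------------------+--------------------+----------+----------+--------------+
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_rows(text):
    """Turn data rows into dicts; rule lines (+---) and malformed rows are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 7:
            continue
        src, dst, sport, dport, count, tmin, tmax = cells
        events.append({
            "src": src,
            "dst": dst,
            "sport": int(sport),
            "dport": int(dport),
            "count": int(count),
            "first": datetime.strptime(tmin, TIME_FMT),
            "last": datetime.strptime(tmax, TIME_FMT),
        })
    return events


def summarize_by_source(events):
    """Aggregate attempts, distinct targets and the overall time window per source."""
    summary = defaultdict(lambda: {"attempts": 0, "targets": set(),
                                   "first": None, "last": None})
    for e in events:
        s = summary[e["src"]]
        s["attempts"] += e["count"]
        s["targets"].add(e["dst"])
        s["first"] = e["first"] if s["first"] is None else min(s["first"], e["first"])
        s["last"] = e["last"] if s["last"] is None else max(s["last"], e["last"])
    return summary


def flag_ssh_sweeps(events, min_targets=3, min_attempts=100, port=22):
    """Return sources whose port-22 activity spans many hosts: the outbound
    brute-force pattern. Thresholds are assumptions; tune them per network."""
    ssh_events = [e for e in events if e["dport"] == port]
    flagged = {}
    for src, s in summarize_by_source(ssh_events).items():
        if len(s["targets"]) >= min_targets and s["attempts"] >= min_attempts:
            span_s = (s["last"] - s["first"]).total_seconds()
            flagged[src] = {
                "attempts": s["attempts"],
                "targets": len(s["targets"]),
                "span_minutes": round(span_s / 60),
                "per_minute": round(s["attempts"] / max(span_s, 1) * 60, 1),
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_ssh_sweeps(parse_rows(SAMPLE_ROWS)).items():
        print(f"{src}: {info['attempts']} attempts against {info['targets']} hosts "
              f"over {info['span_minutes']} min ({info['per_minute']}/min)")
```

Run it against a full export rather than the sample and the single internal address responsible for the provider's complaint is the only one that trips the rule; the same one-source-many-targets test works on your own outbound firewall or NetFlow logs, which is where you would catch a compromised host before the provider does.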