Attempted SSH Logins (from Fedora thread)

Jeff jeff at virgin.net
Wed Aug 4 19:31:46 UTC 2004


On Tue, 03 Aug 2004 11:45:54 -0500, James Marcinek wrote:
> This was the last thread from the Fedora list covering this same
> issue...
>
>
> Am Fr, den 30.07.2004 schrieb Brian Fahrlander um 11:45:
>
>
>> From last night's LogWatch:
>> --------------------------------------------------------------------------
>>
>>
>> sshd:
>> Invalid Users:
>> Unknown Account: 7 Time(s)
>> Unknown Entries:
>> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
>> rhost=johnstongrain.com  : 2 Time(s)
>> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
>> rhost=smms-mriley09d.chemistry.uq.edu.au  : 2 Time(s)
>> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
>> rhost=211.117.191.70  : 1 Time(s)
>> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
>> rhost=216.97.110.1  : 1 Time(s)
>> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
>> rhost=ccia-062-204-197-193.uned.es  : 1 Time(s)
>>
>> su:
>> Sessions Opened:
>> brian(uid=500) -> root: 1 Time(s)
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>> Ok, guys- what do we do with this?  Should we be writing down the
>> addresses from which these attempts were made? They're probably
>> all 'stooge' addresses, I know, but it might help authorities to
>> know what other machines have been compromised...
>>
>> I'll go save the log somewhere...
>>
>>
>> ------------------------------------------------------------------------
>>
>
> Just got these SSH login attempts from a machine which is obviously
> hacked! I did a portscan immediately after the messages occurred in
> my log:
>
> $ nmap -vvvv -sS -sV -P0 -O 64.86.78.209
>
>
> Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-08-03 16:53 CEST
> Host 64.86.78.209 appears to be up ... good.
> Initiating SYN Stealth Scan against 64.86.78.209 at 16:53
> Adding open port 5101/tcp
> Adding open port 23/tcp
> adjust_timeout: packet supposedly had rtt of 11522743 microseconds.  Ignoring time.
> adjust_timeout: packet supposedly had rtt of 11516952 microseconds.  Ignoring time.
> adjust_timeout: packet supposedly had rtt of 12503503 microseconds.  Ignoring time.
> adjust_timeout: packet supposedly had rtt of 25062938 microseconds.  Ignoring time.
> Adding open port 818/tcp
> adjust_timeout: packet supposedly had rtt of 25019107 microseconds.  Ignoring time.
> adjust_timeout: packet supposedly had rtt of 25985784 microseconds.  Ignoring time.
> Adding open port 111/tcp
> Adding open port 22/tcp
> Adding open port 1984/tcp
> Adding open port 3001/tcp
> Adding open port 21/tcp
> Adding open port 443/tcp
> Adding open port 3000/tcp
> adjust_timeout: packet supposedly had rtt of 11461759 microseconds.  Ignoring time.
> Adding open port 5102/tcp
> Adding open port 32770/tcp
> Adding open port 5100/tcp
> Adding open port 80/tcp
> Adding open port 3306/tcp
> adjust_timeout: packet supposedly had rtt of 11455679 microseconds.  Ignoring time.
> The SYN Stealth Scan took 54 seconds to scan 1657 ports.
> Initiating service scan against 15 services on 1 host at 16:54
> The service scan took 27 seconds to scan 15 services on 1 host.
> Initiating RPCGrind Scan against 64.86.78.209 at 16:54
> The RPCGrind Scan took 7 seconds to scan 3 ports.
> For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
> Interesting ports on 64.86.78.209:
> (The 1642 ports scanned but not shown below are in state: closed)
> PORT      STATE SERVICE  VERSION
> 21/tcp    open  ftp      vsFTPd 1.1.0
> 22/tcp    open  ssh      OpenSSH 3.4p1 (protocol 1.99)
> 23/tcp    open  telnet   Linux telnetd
>
> Telnet is open!
>
>
> 80/tcp    open  http     Apache httpd 2.0.40 ((Red Hat Linux))
> 111/tcp   open  rpcbind  2 (rpc #100000)
> 443/tcp   open  ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
> 818/tcp   open  rquotad  1-2 (rpc #100011)
> 1984/tcp  open  ssh
>
> See below for port 1984!
>
>
> 3000/tcp  open  ppp?
> 3001/tcp  open  nessusd?
> 3306/tcp  open  mysql?
> 5100/tcp  open  http     Apache httpd 1.3.27 ((Unix) Sun-ONE-ASP/4.0.0)
> 5101/tcp  open  admdog?
> 5102/tcp  open  admeng?
> 32770/tcp open  mountd   1-3 (rpc #100005)
> 1 service unrecognized despite returning data. If you know the
> service/version, please submit the following fingerprint at
> http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
> SF-Port1984-TCP:V=3.48%D=8/3%Time=410FA725%r(NULL,20,"SSH-1\.5-FucKiT\x20R
> SF:ootKit\x20by\x20Cyrax\n");
>
> ON PORT 1984 THE ROOTKIT SSH IS LISTENING!
>
>
> Device type: general purpose
> Running: Linux 2.4.X|2.5.X
> OS details: Linux Kernel 2.4.0 - 2.5.20
>
>
> The kernel is a Redhat 2.4.18-4 one - so highly vulnerable. No
> question why a rootkit is on this box.
>
> OS Fingerprint:
> TSeq(Class=RI%gcd=1%SI=22816B%IPID=Z)
> T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
> T2(Resp=N)
> T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
> T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
> T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
> T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
> PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%
> DAT=E)
>
>
> TCP Sequence Prediction: Class=random positive increments
> Difficulty=2261355 (Good luck!)
> TCP ISN Seq. Numbers: 33A1C699 33236160 334D5B86 32FCC75A
> IPID Sequence Generation: All zeros
>
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 119.684
> seconds
>
> I mailed the responsible person according to the whois data. We'll see...
>
>
> Alexander
>
>
> General Red Hat Linux discussion list <redhat-list at redhat.com> wrote:
>
>> If you do a dig -x, and then check some of the websites, you see
>> that a lot of these are coming out of Korea and China.  I've had
>> the same attempts on my systems and got curious.  Some were
>> coming from the Chemistry department of one of the Universities
>> in China.
>>
>> Also, one of the accounts being tried here is "guest" which is a
>> common Microsoft account.  Makes me wonder if they aren't looking
>> to hack Windows systems.
>>
>> -Bob
>>
>>
>> Jenkins, Jeremiah wrote:
>>
>>
>>> There are some script kiddies out there running automated
>>> attacks.  If you look at your secure log /var/log/secure, you
>>> will see that they try for a few times then move on.  If you
>>> google on the error message you will find numerous threads on
>>> the subject.
>>>
>>> -----Original Message-----
>>> From: Nathaniel Hall [mailto:halln at otc.edu]
>>> Sent: Tuesday, August 03, 2004 12:23 PM
>>> To: redhat-list at redhat.com
>>> Subject: Attempted SSH Logins
>>>
>>>
>>> Hi all.
>>>
>>>
>>> I have been monitoring our logs over the past several weeks
>>> using logwatch and have noticed several of these entries (known
>>> entries omitted):
>>>
>>>
>>> sshd:
>>>
>>>
>>> Invalid Users:
>>>
>>>
>>> Unknown Account: 5 Time(s)
>>>
>>>
>>> Authentication Failures:
>>>
>>>
>>> test (server.bes1.com ): 2 Time(s)
>>>
>>>
>>> root (server.bes1.com ): 3 Time(s)
>>>
>>>
>>> unknown (server.bes1.com ): 4 Time(s)
>>>
>>>
>>> The source addresses vary.  I always see the same accounts from
>>> different addresses with a different number of tries.  When I
>>> see these, there is only one source, never a mix of sources.
>>> The next day, it might be a different source, but it is the
>>> only one.
>>>
>>>
>>> Is anybody else seeing this in their logs where I shouldn't be
>>> as worried or is this directed at us?
>>>
>>>
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>


I think this guy has been going a bit mad...all of my linux boxes show failed login attempts from this IP.

My solution: blacklist 'em on the firewalls ;P
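One way to turn the LogWatch summaries quoted above into the firewall blacklist Jeff describes. This is an added example, not code from the thread or from any of its posters: it parses the two kinds of sshd line that LogWatch rolls up ("authentication failure; ... rhost=" from pam_unix and the "Illegal user ... from" line that OpenSSH 3.x wrote for non-existent accounts), counts failures per source host, and emits iptables DROP rules for hosts over a threshold. The log lines are constructed for the example and use reserved documentation addresses and names, the threshold of 3 is an arbitrary choice, and the rule format assumes a plain iptables INPUT chain.

```python
"""Summarise sshd authentication failures from a /var/log/secure style log
and pick source hosts that exceed a threshold (the idea behind tools such
as fail2ban and the thread's "blacklist them on the firewall")."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines for this example (reserved test addresses
# and names, not the hosts reported in the thread).
SAMPLE_SECURE_LOG = """\
Aug  3 12:01:11 host sshd(pam_unix)[4011]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=server.example.test  user=root
Aug  3 12:01:14 host sshd(pam_unix)[4013]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=server.example.test  user=root
Aug  3 12:01:17 host sshd[4015]: Illegal user test from 192.0.2.10
Aug  3 12:01:19 host sshd(pam_unix)[4017]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=test
Aug  3 12:01:22 host sshd[4019]: Illegal user guest from 192.0.2.10
Aug  3 12:01:25 host sshd(pam_unix)[4021]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root
Aug  3 12:05:00 host sshd[4030]: Accepted publickey for brian from 198.51.100.7 port 51022 ssh2
Aug  3 12:06:40 host sshd(pam_unix)[4040]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.5  user=root
"""

# pam_unix failure line, the one LogWatch lists under "Unknown Entries"
PAM_FAIL = re.compile(
    r"sshd\(pam_unix\)\[\d+\]: authentication failure; .*?rhost=(?P<host>\S*)"
    r"(?:\s+user=(?P<user>\S+))?")
# OpenSSH's own line for an account that does not exist ("Illegal user" on
# the 3.x servers of this era, "Invalid user" on later releases)
UNKNOWN_USER = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<host>\S+)")

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_failures(log_text):
    """Return (host, user) for every failed-login log line.
    One attempt can emit more than one line (an unknown user gives both an
    'Illegal user' line and a PAM failure), so these are log events, not
    distinct attempts; pick thresholds with that in mind."""
    events = []
    for line in log_text.splitlines():
        m = PAM_FAIL.search(line) or UNKNOWN_USER.search(line)
        if m and m.group("host"):
            events.append((m.group("host"), m.group("user") or "<unknown>"))
    return events


def summarize(events):
    """host -> Counter of usernames tried from that host."""
    per_host = defaultdict(Counter)
    for host, user in events:
        per_host[host][user] += 1
    return per_host


def block_candidates(per_host, threshold=3):
    """Hosts whose total failure count reaches the threshold, busiest first."""
    hits = [(sum(c.values()), h) for h, c in per_host.items()]
    return [h for n, h in sorted(hits, reverse=True) if n >= threshold]


def firewall_rules(hosts):
    """iptables DROP rules for IP literals. Hostnames are returned separately:
    sshd logs a name only when reverse DNS resolved it, so resolve and check
    it by hand before it becomes a rule."""
    rules, review = [], []
    for h in hosts:
        if IPV4.match(h):
            rules.append(f"iptables -A INPUT -s {h} -p tcp --dport 22 -j DROP")
        else:
            review.append(h)
    return rules, review


if __name__ == "__main__":
    per_host = summarize(parse_failures(SAMPLE_SECURE_LOG))
    for host, users in per_host.items():
        print(f"{host}: {sum(users.values())} failures, users {dict(users)}")
    rules, review = firewall_rules(block_candidates(per_host))
    print("\n".join(rules))
    if review:
        print("resolve by hand before blocking:", ", ".join(review))
```

Run it against a real /var/log/secure by reading the file into `parse_failures`; the per-host username list is what shows the pattern Nathaniel describes (the same few accounts, one source at a time), and the hosts under review are the ones worth a whois lookup and an abuse report rather than a silent drop.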