Hacker activity?

Kevin D. Kinsey, DaleCo, S.P. kdk at daleco.biz
Thu Oct 28 13:38:30 PDT 2004


Vulpes Velox wrote:

>On Thu, 28 Oct 2004 10:39:32 -0600
>Steve Suhre <steve at Antero.com> wrote:
>
>>I'm not sure if this is the correct group...but I'm getting some
>>weird activity on the network. The security reports will show 50-100
>>attempts to login to a server, most as root but some are attempts to
>>login to other seemingly random account names. The login attempts
>>are through ssh or telnet, all come from the same remote server, and
>>all fail. I'm also getting some odd cgi calls to a script on a
>>secure ssl server. There's nothing that this particular script could
>>do for a hacker, but the script is sent a random string, sometimes
>>many times a minute, other times it's every 2 -3 minutes. I grabbed
>>the ip address and blocked it, and about 10 minutes later it had
>>moved to another ip. I'm now blocking a range of ip's. These don't
>>seem like enough iterations to be very successful, the odds are
>>overwhelmingly in favor of the server at this rate... Does anyone
>>have a clue what might be happening or where I should go to find
>>out?
>
>If it's all from a common subnet, I would block it. I would then whois
>to see who it is and if there is an abuse addy I could complain to, or the like.
>
>Also man login.conf.
>
>Sounds like some jerk singled you out or is possibly trying it all
>on a subnet. Back before moving stuff off common ports, I would get
>massive amounts of that crap. It was basically people trying anything in
>the college's address space.
>

Since you didn't show a log, Steve, I'm wondering if it looks something
like this:

auth.log:Oct 11 00:23:29 foobox sshd[44542]: Failed password for root from 61.100.12.92 port 35161 ssh2
auth.log:Oct 11 00:23:31 foobox sshd[44544]: Failed password for root from 61.100.12.92 port 35193 ssh2
auth.log:Oct 11 00:23:34 foobox sshd[44546]: Failed password for root from 61.100.12.92 port 35228 ssh2
auth.log:Oct 11 00:23:36 foobox sshd[44548]: Failed password for root from 61.100.12.92 port 35270 ssh2
auth.log:Oct 11 00:23:39 foobox sshd[44550]: Failed password for root from 61.100.12.92 port 35309 ssh2
auth.log:Oct 12 01:50:12 foobox sshd[46231]: Illegal user test from 203.212.4.173
auth.log:Oct 12 01:50:15 foobox sshd[46233]: Illegal user guest from 203.212.4.173
auth.log:Oct 12 01:50:17 foobox sshd[46235]: Illegal user admin from 203.212.4.173
auth.log:Oct 12 01:50:19 foobox sshd[46237]: Illegal user admin from 203.212.4.173
auth.log:Oct 12 01:50:22 foobox sshd[46239]: Illegal user user from 203.212.4.173
auth.log:Oct 12 01:50:24 foobox sshd[46241]: Failed password for root from 203.212.4.173 port 55657 ssh2
auth.log:Oct 12 01:50:27 foobox sshd[46243]: Failed password for root from 203.212.4.173 port 55696 ssh2
auth.log:Oct 12 01:50:29 foobox sshd[46245]: Failed password for root from 203.212.4.173 port 55734 ssh2
auth.log:Oct 12 01:50:32 foobox sshd[46247]: Illegal user test from 203.212.4.173

I think this has been discussed at some length on security at .  Automated
scripts from compromised machines are banging away at whatever addresses they
can find a telnet or ssh port open on, looking for people who use "foo" or
"candy" as their passwords ....

For starters, use good passwords if you use passwords at all.  Probably you
should be using key-based authentication, or something beefy like that (I
know nothing of Kerberos, for example, but it might be a possibility ... <?>)

You can certainly set some things in your sshd_config (AllowUsers and
AllowGroups have been discussed) and there is that note in /etc/hosts.allow:
"wrapping sshd isn't a good idea ...", but I do it on all my boxes except one.
I'm usually on a known subnet, there are no other administrators or remote
users, and in the rare instance when I'm on a box with a "not allowed"
address, I connect to my other boxes through the one ...

I guess the next step, then, would be scripting something to parse and
delete this crap from the logs ...

Kevin Kinsey
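An added example, not from Kevin's boxes or the FreeBSD defaults, of the two
settings his reply points at: sshd_config restricting who may log in and how,
and a hosts.allow wrap that only lets a known subnet reach sshd. The user name
`kevin` and the 10.0.0.0/24 network are assumptions for illustration; the
hosts.allow syntax is the net/mask form that FreeBSD's tcp_wrappers accepts.

```text
# /etc/ssh/sshd_config  (added example; assumed user and network)
Protocol 2
PermitRootLogin no                  # the brute-forcers above aim at root first
PasswordAuthentication no           # keys only, as the reply suggests
ChallengeResponseAuthentication no  # otherwise PAM can still prompt for a password
AllowUsers kevin@10.0.0.*           # one account, and only from the known subnet

# /etc/hosts.allow  (added example; first match wins, so order matters)
sshd : 10.0.0.0/255.255.255.0 : allow
sshd : ALL : deny
```

With this in place, a guessed password never matters because none is accepted,
and connections from outside the listed subnet are refused by the wrapper
before sshd negotiates a session; the "not allowed" case Kevin mentions is
exactly what the last line produces, so keep one unwrapped box reachable as he
does.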
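As an added example, not the poster's script or anything posted on the list,
here is a small Python parser for lines in the format Kevin quoted. It counts
failures per source address, flags sources that either hammer one account or
spray many usernames, and returns the log with those sources filtered out for
reading, rather than deleting anything on disk. The sample log is constructed:
its first eight lines are the ones quoted above, the last two (an accepted key
login and one typo from a real user at the assumed address 10.0.0.5) are made
up to show they are not flagged. The thresholds are assumptions, not values
from the thread.

```python
"""Summarise sshd brute-force noise in a FreeBSD auth.log.

Added example, not code from the thread. It assumes the OpenSSH message
formats quoted above ("Failed password for ..." and "Illegal user ... from ...")
and that lines may carry grep's "auth.log:" prefix. Other lines pass through.
"""
import re
from datetime import datetime

# Timestamp, host and "sshd[pid]:" are common to both message shapes.
_PREFIX = r"^(?:auth\.log:)?(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
_PATTERNS = (
    re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(_PREFIX + r"Illegal user (?P<user>\S+) from (?P<ip>[\d.]+)"),
)


def parse_line(line):
    """Return (timestamp, source_ip, username) for a failed or illegal-user
    login line, or None for any other line (accepted logins, other daemons)."""
    for rx in _PATTERNS:
        m = rx.match(line.strip())
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which is
            # fine because only differences between timestamps are used.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            return ts, m.group("ip"), m.group("user")
    return None


def summarise(lines):
    """Aggregate failed attempts per source IP.

    Returns {ip: {"count", "users", "first", "last", "per_minute"}}; per_minute
    treats a burst shorter than a minute as a one-minute window."""
    stats = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        s = stats.setdefault(ip, {"count": 0, "users": set(), "first": ts, "last": ts})
        s["count"] += 1
        s["users"].add(user)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    for s in stats.values():
        span = (s["last"] - s["first"]).total_seconds()
        s["per_minute"] = s["count"] * 60.0 / max(span, 60.0)
    return stats


def suspicious_sources(lines, min_attempts=5, min_users=3):
    """Flag sources that either hammer one account or spray many usernames
    (thresholds are assumed defaults). Returns [(ip, count, sorted users)],
    busiest first."""
    flagged = []
    for ip, s in summarise(lines).items():
        if s["count"] >= min_attempts or len(s["users"]) >= min_users:
            flagged.append((ip, s["count"], sorted(s["users"])))
    return sorted(flagged, key=lambda t: -t[1])


def without_noise(lines, **thresholds):
    """Return the log minus lines from flagged sources, for reading what is
    left. The on-disk file is untouched so the evidence survives."""
    noisy = {ip for ip, _, _ in suspicious_sources(lines, **thresholds)}
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and parsed[1] in noisy:
            continue
        kept.append(line)
    return kept


# Constructed sample: the first eight lines are the ones quoted in the thread;
# the last two (an accepted key login and a single typo by a real user at an
# assumed address) are made up to show that legitimate activity is not flagged.
SAMPLE_LOG = [
    "auth.log:Oct 11 00:23:29 foobox sshd[44542]: Failed password for root from 61.100.12.92 port 35161 ssh2",
    "auth.log:Oct 11 00:23:31 foobox sshd[44544]: Failed password for root from 61.100.12.92 port 35193 ssh2",
    "auth.log:Oct 11 00:23:34 foobox sshd[44546]: Failed password for root from 61.100.12.92 port 35228 ssh2",
    "auth.log:Oct 12 01:50:12 foobox sshd[46231]: Illegal user test from 203.212.4.173",
    "auth.log:Oct 12 01:50:15 foobox sshd[46233]: Illegal user guest from 203.212.4.173",
    "auth.log:Oct 12 01:50:17 foobox sshd[46235]: Illegal user admin from 203.212.4.173",
    "auth.log:Oct 12 01:50:24 foobox sshd[46241]: Failed password for root from 203.212.4.173 port 55657 ssh2",
    "auth.log:Oct 12 01:50:27 foobox sshd[46243]: Failed password for root from 203.212.4.173 port 55696 ssh2",
    "auth.log:Oct 12 08:15:02 foobox sshd[46900]: Accepted publickey for kevin from 10.0.0.5 port 50122 ssh2",
    "auth.log:Oct 12 09:01:44 foobox sshd[46955]: Failed password for kevin from 10.0.0.5 port 50190 ssh2",
]

if __name__ == "__main__":
    for ip, n, users in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {n} attempts, users tried: {', '.join(users)}")
```

Run as a script it prints only 203.212.4.173 with the defaults, because that
source both exceeded five attempts and tried four different names; lowering
`min_attempts` to 3 also pulls in 61.100.12.92. Pipe a real file in with
`summarise(open("/var/log/auth.log"))` and the flagged list is what you hand
to your firewall rule or to the abuse address whois turns up.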

