Hacker activity?

Steve Suhre steve at Antero.com
Thu Oct 28 13:50:03 PDT 2004



Thanks, the log looks similar, except that they don't use foo, they use 
common names and mostly root. We have the servers secured, but it didn't 
seem like the method they were using had any chance of success, so I was 
confused... I think the key is that they're surfing for servers with bad 
security habits. Thanks for your help!




At 02:38 PM 10/28/2004, Kevin D. Kinsey, DaleCo, S.P. wrote:
>Vulpes Velox wrote:
>
>>On Thu, 28 Oct 2004 10:39:32 -0600
>>Steve Suhre <steve at Antero.com> wrote:
>>
>>
>>
>>>I'm not sure if this is the correct group...but I'm getting some
>>>weird activity on the network. The security reports will show 50-100
>>>attempts to login to a server, most as root but some are attempts to
>>>login to other seemingly random account names. The login attempts
>>>are through ssh or telnet, all come from the same remote server, and
>>>all fail. I'm also getting some odd cgi calls to a script on a
>>>secure ssl server. There's nothing that this particular script could
>>>do for a hacker, but the script is sent a random string, sometimes
>>>many times a minute, other times it's every 2-3 minutes. I grabbed
>>>the IP address and blocked it, and about 10 minutes later it had
>>>moved to another IP. I'm now blocking a range of IPs. These don't
>>>seem like enough iterations to be very successful, the odds are
>>>overwhelmingly in favor of the server at this rate... Does anyone
>>>have a clue what might be happening or where I should go to find
>>>out?
>>>
>>
>>If it's all from a common subnet, I would block it. I would then whois
>>to see if there is an abuse addy I could complain to or the like.
>>
>>Also man login.conf.
>>
>>Sounds like some jerk singled you out or is possibly trying it all
>>on a subnet. Back before moving stuff off common ports, I would get
>>massive amounts of that crap. It was basically people trying anything in
>>the college's address space.
>>
>
>Since you didn't show a log, Steve, I'm wondering if it looks something
>like this:
>
>auth.log:Oct 11 00:23:29 foobox sshd[44542]: Failed password for root from 61.100.12.92 port 35161 ssh2
>auth.log:Oct 11 00:23:31 foobox sshd[44544]: Failed password for root from 61.100.12.92 port 35193 ssh2
>auth.log:Oct 11 00:23:34 foobox sshd[44546]: Failed password for root from 61.100.12.92 port 35228 ssh2
>auth.log:Oct 11 00:23:36 foobox sshd[44548]: Failed password for root from 61.100.12.92 port 35270 ssh2
>auth.log:Oct 11 00:23:39 foobox sshd[44550]: Failed password for root from 61.100.12.92 port 35309 ssh2
>auth.log:Oct 12 01:50:12 foobox sshd[46231]: Illegal user test from 203.212.4.173
>auth.log:Oct 12 01:50:15 foobox sshd[46233]: Illegal user guest from 203.212.4.173
>auth.log:Oct 12 01:50:17 foobox sshd[46235]: Illegal user admin from 203.212.4.173
>auth.log:Oct 12 01:50:19 foobox sshd[46237]: Illegal user admin from 203.212.4.173
>auth.log:Oct 12 01:50:22 foobox sshd[46239]: Illegal user user from 203.212.4.173
>auth.log:Oct 12 01:50:24 foobox sshd[46241]: Failed password for root from 203.212.4.173 port 55657 ssh2
>auth.log:Oct 12 01:50:27 foobox sshd[46243]: Failed password for root from 203.212.4.173 port 55696 ssh2
>auth.log:Oct 12 01:50:29 foobox sshd[46245]: Failed password for root from 203.212.4.173 port 55734 ssh2
>auth.log:Oct 12 01:50:32 foobox sshd[46247]: Illegal user test from 203.212.4.173
>
>I think this has been discussed at some length on security at .  Automated scripts
>from compromised machines are banging away at whatever addresses they can find
>a telnet or ssh port open on, looking for people who use "foo" or "candy" as their
>passwords ....
>
>For starters, use good passwords if you use passwords at all.  Probably you
>should be using key-based authentication, or something beefy like that (I
>know nothing of Kerberos, for example, but it might be a possibility ... <?>)
>
>You can certainly set some things in your sshd_config (AllowUsers and
>AllowGroups have been discussed) and there is that note in /etc/hosts.allow:
>"wrapping sshd isn't a good idea ...", but I do it on all my boxes except one.
>I'm usually on a known subnet, there are no other administrators or remote
>users, and in the rare instance when I'm on a box with a "not allowed" address,
>I connect to my other boxes through the one ...
>
>I guess the next step, then, would be scripting something to parse and delete
>this crap from the logs ...
>
>Kevin Kinsey



---
Steve Suhre
Antero web technologies
719.634.8161
steve at Antero.com
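Kevin's quoted auth.log excerpt and his closing suggestion to script something that parses the logs invite a small detector. The following is an added example, not code from the thread or from FreeBSD: it parses the two sshd message forms quoted above ("Failed password for ..." and "Illegal user ..."), groups failures by source address, and flags any address that piles up five or more failures within a minute, which is the pattern the thread describes. The sample log lines and the threshold values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches both message forms quoted in the thread, with or without the
# "auth.log:" grep prefix. BSD syslog timestamps carry no year.
LOG_RE = re.compile(
    r"^(?:[\w./-]+:)?(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?(?P<user1>\S+)"
    r"|Illegal user (?P<user2>\S+)) from (?P<ip>[\d.]+)"
)

def parse_line(line, year=2004):
    """Return (timestamp, username, source_ip) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user1") or m.group("user2"), m.group("ip")

def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Map source IP -> sorted usernames tried, for IPs with at least
    `threshold` failures inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for parsed in filter(None, map(parse_line, lines)):
        ts, user, ip = parsed
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            span = events[i + threshold - 1][0] - events[i][0]
            if span.total_seconds() <= window_seconds:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

# Constructed sample in the format quoted above (RFC 5737 test addresses).
SAMPLE_LOG = """\
auth.log:Oct 12 01:50:12 foobox sshd[46231]: Illegal user test from 198.51.100.7
auth.log:Oct 12 01:50:15 foobox sshd[46233]: Illegal user guest from 198.51.100.7
auth.log:Oct 12 01:50:17 foobox sshd[46235]: Illegal user admin from 198.51.100.7
auth.log:Oct 12 01:50:19 foobox sshd[46237]: Failed password for root from 198.51.100.7 port 55657 ssh2
auth.log:Oct 12 01:50:22 foobox sshd[46239]: Failed password for root from 198.51.100.7 port 55696 ssh2
auth.log:Oct 12 09:14:03 foobox sshd[47001]: Failed password for steve from 203.0.113.9 port 40211 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, users in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} usernames tried: {', '.join(users)}")
```

The single failure from the second address is left alone, so an admin who mistypes a password once is not treated like the scanner; the flagged dictionary is what you would feed into a hosts.allow deny rule or a firewall table.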
