Security Incidents mailing list archives
Re: SSH attacks?
From: Steve Schuster <sjs74 () cornell edu>
Date: Thu, 29 Jul 2004 12:53:30 -0400
We have also been seeing similar scanning with the same accounts being tested. I will share some preliminary analysis of a system for which the scanning was successful.
OS: Redhat 7.0Initial scanning for the 'test' account occurred on July 25th. User 'test' logged in successfully and then logged out almost immediately.
No additional logins occurred until July 28 when three successful logins occurred within a five minute window from three different domains.
After these three logins the following system modifications where identified. Unfortunately, we do not have extremely good knowledge of the state of the system prior to this time so some of this information may be a little suspect.
/etc/shadow and /etc/passwd were modified with password changes for 'root' and 'test'.
/dev/log ** /dev/log suid-root, user: root, group: test Some potentially new files include '/usr/sbin/,fbi/ /' 'bios.txt go.sh ss sshfc uniq.txtvuln.txt -- this appears to be a list of IP addresses and usernames of successful connections.
User 'test' logged out after 6 minutes and 'root' then logged in remaining for 3 hours and 40 minutes.
Scanning for port 22 began from this system right after 'root' logged in and continued until 'root' logged out as described above.
I hope this helps and as we gain additional relevant information I'll share appropriately.
sjs At 04:19 AM 7/28/2004, Christine Kronberg wrote:
On Tue, 27 Jul 2004, Adam Young wrote: > On Tue, 27 Jul 2004 10:59:07 +1200 > Robin <robin () kallisti net nz> wrote: >> > accounts. The big ones are going over a large list, the pairs seem to be just> > hitting test and guest: > > Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test > > from ::ffff:64.246.56.44> > Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test> > from ::ffff:64.246.56.44 port 41920 ssh2 > > Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest > > from ::ffff:64.246.56.44> > Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest> > from ::ffff:64.246.56.44 port 41967 ssh2 > > > > Does anyone know why this would appear all of a sudden? >> I've noticed this myself. It has been happening for roughly one week, two at> maximum. Heaven, I'm glad you are seeing that, too. It really gave me headaches. In the last four weeks I had (privately) two ssh "incidents": one originating from Korea, one from Germany. The first was clearly a person trying to get in, taking a deliberate taste in the (existing) test account (without success). The other one was "next door", someone trying to get in as root (no success either). I only reported the second one. Only after the first playround the test/guest attempts started so I was starting to think that whoever was probing my host from Korea was probably going with that. Now that my host is out of focus, I'm really relieved. :-)> I think someone has either caught wind of some sort of information about loosely > configured proprietary hardware which has an empty password on test/guest, or a> worm sets up these accounts with some preset password that it checks other > machines for to see if they're also infected. Has anyone tried to capture that with an honeypot? I'm considering that for my own but lack the proper enviroment. Cheers, Chris Kronberg. -- GeNUA mbH
--------------------------------------------------------------------------------------------------------------------- Steve Schuster IT Security Office Cornell University Work -- (607)255-8825 Cell -- (607)351-1386 ---------------------------------------------------------------------------------------------------------------------
Current thread:
- Re: SSH attacks?, (continued)
- Re: SSH attacks? Chris Brown (Jul 27)
- Re: SSH attacks? Adam Young (Jul 27)
- Re: SSH attacks? Christine Kronberg (Jul 29)
- Re: SSH attacks? Pieter-Bas IJdens (Jul 29)
- Re: SSH attacks? Christine Kronberg (Jul 29)
- Re: SSH attacks? Pieter-Bas IJdens (Jul 30)
- Re: SSH attacks? Frank Knobbe (Jul 30)
- Re: SSH attacks? Jay D. Dyson (Jul 30)
- Re: SSH attacks? Frank Knobbe (Jul 31)
- Re: SSH attacks? mgotts (Jul 31)
- Re: SSH attacks? Christine Kronberg (Jul 29)
- Re: SSH attacks? Steve Schuster (Jul 29)
- Re: SSH attacks? Merlijn Tishauser (Jul 30)
- Re: SSH attacks? Jyri Hovila (Jul 29)
- Re: SSH attacks? Chris Brenton (Jul 29)
- Re: SSH attacks? Valdis . Kletnieks (Jul 30)
- Re: SSH attacks? Thomas Hochstein (Jul 30)
- Re: SSH attacks? Matt Beland (Jul 30)
- Re: SSH attacks? Jyri Hovila (Jul 29)