Two things would be interesting to try out with a test server exposed to
the internet:
- Would the attacks still be carried out if ping packets from the net were
ignored?
- What commands would be executed once they get access with a "stupid"
root password (perhaps root)?
Regards, Michel
At 10:46 14.10.2004, Thierry Coutelier wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Those ssh attacks are permanent on our server. At least 3 attempts/day
>from different IP addresses. It seems to be some standard script (nessus ?)
>as mostly the pattern of tests is the same.
>
>
>Vincent Bremaud wrote:
>| Oh yes, I jumped on my logs :-D
>| Not surprisingly I found the same kind of attack, but on 3 October,
>| including, of course, several attempts on the root account ;-) Since it is
>| deactivated for ssh, good luck to the attacker :-P
>| I also found attacks on 25 September. Same kind of pattern and
>| usernames. Could it be a Unix-type worm? Interesting specimen, I hadn't
>| seen such a thing as a Unix-type worm until now ;-P
>|
>| -----Original Message-----
>| From: Eric Dondelinger <aim(a)vis.ethz.ch>
>| To: lilux-help(a)linux.lu
>| Date: 12/10/04
>| Subject: [Lilux-help] cracking attempts - warning
>|
>| Hi,
>|
>| I noticed yesterday evening and this morning (very shortly after
>| turning on my router at home - on P&T ADSL) that there were attacks
>| against my SSH server - quite probably brute-force dictionary
>| attacks.
>|
>| I've got quite a few entries in my auth.log (extract):
>|
>| this morning:
>| ----------------------------------------
>| Oct 12 09:13:08 hermes sshd[543]: Failed password for illegal user wwwrun from 216.173.46.164 port 55039 ssh2
>| Oct 12 09:13:09 hermes sshd[545]: Illegal user matt from 216.173.46.164
>| Oct 12 09:13:09 hermes sshd[545]: error: Could not get shadow information for NOUSER
>| Oct 12 09:13:09 hermes sshd[545]: Failed password for illegal user matt from 216.173.46.164 port 55067 ssh2
>| Oct 12 09:13:11 hermes sshd[547]: Illegal user test from 216.173.46.164
>| Oct 12 09:13:11 hermes sshd[547]: error: Could not get shadow information for NOUSER
>| Oct 12 09:13:11 hermes sshd[547]: Failed password for illegal user test from 216.173.46.164 port 55100 ssh2
>| Oct 12 09:13:13 hermes sshd[549]: Illegal user test from 216.173.46.164
>| Oct 12 09:13:13 hermes sshd[549]: error: Could not get shadow information for NOUSER
>| Oct 12 09:13:13 hermes sshd[549]: Failed password for illegal user test from 216.173.46.164 port 55134 ssh2
>| Oct 12 09:13:15 hermes sshd[551]: Illegal user test from 216.173.46.164
>|
>| yesterday evening:
>| ----------------------------------------
>| Oct 11 19:38:44 hermes sshd[2051]: Illegal user frank from 213.240.168.200
>| Oct 11 19:38:44 hermes sshd[2051]: error: Could not get shadow information for NOUSER
>| Oct 11 19:38:44 hermes sshd[2051]: Failed password for illegal user frank from 213.240.168.200 port 40686 ssh2
>| Oct 11 19:38:45 hermes sshd[2053]: Illegal user george from 213.240.168.200
>| Oct 11 19:38:45 hermes sshd[2053]: error: Could not get shadow information for NOUSER
>| Oct 11 19:38:45 hermes sshd[2053]: Failed password for illegal user george from 213.240.168.200 port 40710 ssh2
>| Oct 11 19:38:46 hermes sshd[2055]: Illegal user henry from 213.240.168.200
>| Oct 11 19:38:46 hermes sshd[2055]: error: Could not get shadow information for NOUSER
>| Oct 11 19:38:46 hermes sshd[2055]: Failed password for illegal user henry from 213.240.168.200 port 40737 ssh2
>| Oct 11 19:38:47 hermes sshd[2057]: Illegal user john from 213.240.168.200
>| Oct 11 19:38:47 hermes sshd[2057]: error: Could not get shadow information for NOUSER
>| Oct 11 19:38:47 hermes sshd[2057]: Failed password for illegal user john from 213.240.168.200 port 40757 ssh2
>|
>| ----------------------------------------
>|
>| I suspect these attempts are run from compromised machines; anyway, I
>| did try contacting the admin from yesterday evening's incident.
>|
>| I suppose all of you will want to check your logs, certainly if you're
>| running an SSH server.
>|
>| I've reconfigured my own SSH server to listen on a non-standard
>| port for now (check /etc/ssh/sshd_config), in addition to my
>| relatively hard-to-crack passwords (designed not to fall prey to
>| "normal" dictionary attacks).
>|
>| I guess "they" are out there...
>|
>| Greets Eric
>|
>| _______________________________________________
>| Lilux-help mailing list
>| Lilux-help(a)lilux.lu
>| http://lilux.lu/mailman/listinfo/lilux-help
>
>
>- --
>Thierry Coutelier Président LiLux asbl
>7, Rue Jacques Sturm L-2556 Luxembourg
>Office:+352 710725 608 Home:+352 406776
>http://www.lilux.lu/
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.4 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQFBbjz/POfrcNNQX7oRAr87AJ41NC1qyMQL1QO8R8vnKVX1pXODWwCgtqTP
>HXmAMCQxaoqM12wOy1UaWEU=
>=n1jH
>-----END PGP SIGNATURE-----
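The auth.log extracts quoted in this thread are exactly the input a small detection script has to cope with. What follows is an added example, not code from the original thread or from any list member: it parses OpenSSH "Failed password" lines of the format shown (it also accepts the later "invalid user" wording, which goes beyond what the 2004-era logs on this page use), counts failures per source address, and flags any source that produces at least a threshold number of failures within a sliding time window, reporting the distinct usernames tried (many different names from one address is the dictionary signature Eric describes). The sample log is constructed from the lines quoted above plus an added legitimate login from 192.0.2.7; the log year 2004 is an assumption, since syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: syslog timestamps have no year, so one must be supplied.
LOG_YEAR = 2004

# Constructed sample: lines in the format of the auth.log extracts quoted in
# the thread, plus one failed and one accepted login for a real user (alice)
# from 192.0.2.7 so that ordinary activity is present too.
SAMPLE_AUTH_LOG = """\
Oct 12 09:13:08 hermes sshd[543]: Failed password for illegal user wwwrun from 216.173.46.164 port 55039 ssh2
Oct 12 09:13:09 hermes sshd[545]: Illegal user matt from 216.173.46.164
Oct 12 09:13:09 hermes sshd[545]: error: Could not get shadow information for NOUSER
Oct 12 09:13:09 hermes sshd[545]: Failed password for illegal user matt from 216.173.46.164 port 55067 ssh2
Oct 12 09:13:11 hermes sshd[547]: Failed password for illegal user test from 216.173.46.164 port 55100 ssh2
Oct 12 09:13:13 hermes sshd[549]: Failed password for illegal user test from 216.173.46.164 port 55134 ssh2
Oct 11 19:38:44 hermes sshd[2051]: Failed password for illegal user frank from 213.240.168.200 port 40686 ssh2
Oct 11 19:38:45 hermes sshd[2053]: Failed password for illegal user george from 213.240.168.200 port 40710 ssh2
Oct 11 19:38:46 hermes sshd[2055]: Failed password for illegal user henry from 213.240.168.200 port 40737 ssh2
Oct 11 19:38:47 hermes sshd[2057]: Failed password for illegal user john from 213.240.168.200 port 40757 ssh2
Oct 12 10:02:30 hermes sshd[611]: Failed password for alice from 192.0.2.7 port 51000 ssh2
Oct 12 10:02:35 hermes sshd[613]: Accepted password for alice from 192.0.2.7 port 51002 ssh2
"""

# Matches "Failed password for [illegal|invalid user] <name> from <ip> port <n>".
# The user-class prefix is optional, so failures for existing accounts match too.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<illegal>illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(text):
    """Return one event dict per 'Failed password' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append({
            "ts": ts,
            "user": m.group("user"),
            "ip": m.group("ip"),
            "illegal": m.group("illegal") is not None,  # nonexistent account
        })
    return events


def failures_by_ip(events):
    """Total failed password attempts per source address."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return dict(counts)


def detect_bursts(events, threshold=3, window_seconds=60):
    """Flag each source with >= threshold failures inside a sliding window.

    Returns {ip: {"start": datetime, "failures": n, "users": [names]}} for the
    first window per address that reaches the threshold.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    bursts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(evs)):
            # Advance j past the last event still within the window of evs[i].
            while j < len(evs) and (evs[j]["ts"] - evs[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                window = evs[i:j]
                bursts[ip] = {
                    "start": window[0]["ts"],
                    "failures": j - i,
                    "users": sorted({e["user"] for e in window}),
                }
                break
    return bursts


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_AUTH_LOG)
    for ip, info in detect_bursts(evs).items():
        print(f"{ip}: {info['failures']} failures from {info['start']}, "
              f"usernames tried: {', '.join(info['users'])}")
```

Run against the constructed sample, both addresses from the thread are flagged (four failures each within a few seconds, against several nonexistent accounts), while the single failure from 192.0.2.7 is not. The threshold and window are the knobs to tune against your own baseline; a script like this is the minimal core of what tools such as fail2ban automate by feeding the flagged addresses into a firewall rule.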