Date: Thu, 28 Oct 2004 14:48:01 -0600
From: Steve Suhre <steve@Antero.com>
To: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>, Vulpes Velox <vvelox@vvelox.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Hacker activity?
Message-ID: <6.0.3.0.2.20041028144313.04baeec0@nano.net>
In-Reply-To: <418158BF.2060202@daleco.biz>
References: <6.0.3.0.2.20041028102537.04be6ec0@nano.net> <20041028133250.77c30503@vixen42.24-119-122-191.cpe.cableone.net> <418158BF.2060202@daleco.biz>
Thanks, the log looks similar, except that they don't use foo, they use
common names and mostly root. We have the servers secured, but it didn't
seem like the method they were using had any chance of success, so I was
confused... I think the key is that they're surfing for servers with bad
security habits. Thanks for your help!

At 02:38 PM 10/28/2004, Kevin D. Kinsey, DaleCo, S.P. wrote:
>Vulpes Velox wrote:
>
>>On Thu, 28 Oct 2004 10:39:32 -0600
>>Steve Suhre <steve@Antero.com> wrote:
>>
>>>I'm not sure if this is the correct group...but I'm getting some
>>>weird activity on the network. The security reports will show 50-100
>>>attempts to login to a server, most as root but some are attempts to
>>>login to other seemingly random account names. The login attempts
>>>are through ssh or telnet, all come from the same remote server, and
>>>all fail. I'm also getting some odd cgi calls to a script on a
>>>secure ssl server. There's nothing that this particular script could
>>>do for a hacker, but the script is sent a random string, sometimes
>>>many times a minute, other times it's every 2-3 minutes. I grabbed
>>>the ip address and blocked it, and about 10 minutes later it had
>>>moved to another ip. I'm now blocking a range of ip's. These don't
>>>seem like enough iterations to be very successful, the odds are
>>>overwhelmingly in favor of the server at this rate... Does anyone
>>>have a clue what might be happening or where I should go to find
>>>out?
>>
>>If it is all from a common subnet, I would block it. I would then whois
>>to see if there is an abuse addy I could complain to or the like.
>>
>>Also man login.conf.
>>
>>Sounds like some jerk singled you out or is possibly trying it all
>>on a subnet. Back before moving stuff off common ports, I would get
>>massive amounts of that crap. It was basically people trying anything in
>>the college's address space.
>
>Since you didn't show a log, Steve, I'm wondering if it looks something
>like this:
>
>auth.log:Oct 11 00:23:29 foobox sshd[44542]: Failed password for root from 61.100.12.92 port 35161 ssh2
>auth.log:Oct 11 00:23:31 foobox sshd[44544]: Failed password for root from 61.100.12.92 port 35193 ssh2
>auth.log:Oct 11 00:23:34 foobox sshd[44546]: Failed password for root from 61.100.12.92 port 35228 ssh2
>auth.log:Oct 11 00:23:36 foobox sshd[44548]: Failed password for root from 61.100.12.92 port 35270 ssh2
>auth.log:Oct 11 00:23:39 foobox sshd[44550]: Failed password for root from 61.100.12.92 port 35309 ssh2
>auth.log:Oct 12 01:50:12 foobox sshd[46231]: Illegal user test from 203.212.4.173
>auth.log:Oct 12 01:50:15 foobox sshd[46233]: Illegal user guest from 203.212.4.173
>auth.log:Oct 12 01:50:17 foobox sshd[46235]: Illegal user admin from 203.212.4.173
>auth.log:Oct 12 01:50:19 foobox sshd[46237]: Illegal user admin from 203.212.4.173
>auth.log:Oct 12 01:50:22 foobox sshd[46239]: Illegal user user from 203.212.4.173
>auth.log:Oct 12 01:50:24 foobox sshd[46241]: Failed password for root from 203.212.4.173 port 55657 ssh2
>auth.log:Oct 12 01:50:27 foobox sshd[46243]: Failed password for root from 203.212.4.173 port 55696 ssh2
>auth.log:Oct 12 01:50:29 foobox sshd[46245]: Failed password for root from 203.212.4.173 port 55734 ssh2
>auth.log:Oct 12 01:50:32 foobox sshd[46247]: Illegal user test from 203.212.4.173
>
>I think this has been discussed at some length on security@. Automated
>scripts from compromised machines are banging away at whatever addresses
>they can find a telnet or ssh port open on, looking for people who use
>"foo" or "candy" as their passwords ....
>
>For starters, use good passwords if you use passwords at all. Probably you
>should be using key-based authentication, or something beefy like that (I
>know nothing of Kerberos, for example, but it might be a possibility ... <?>)
>
>You can certainly set some things in your sshd_config (AllowUsers and
>AllowGroups have been discussed) and there is that note in /etc/hosts.allow:
>"wrapping sshd isn't a good idea ...", but I do it on all my boxes except one.
>I'm usually on a known subnet, there are no other administrators or remote
>users, and in the rare instance when I'm on a box with a "not allowed" address,
>I connect to my other boxes through the one ...
>
>I guess the next step, then, would be scripting something to parse and delete
>this crap from the logs ...
>
>Kevin Kinsey

---
Steve Suhre
Antero web technologies
719.634.8161
steve@Antero.com
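The "scripting something to parse" step Kevin ends on, as an added example that is not part of any message in this thread: a small Python script that reads the two sshd message shapes shown in his excerpt ("Failed password for <user> from <ip> port <n>" and "Illegal user <user> from <ip>"), tallies attempts per source address, and emits pfctl commands to drop the offenders into a pf table. The log lines embedded in it are constructed for the example (Kevin's addresses, plus a made-up admin host 10.0.0.5); the thresholds, the trusted subnet 10.0.0.0/24 and the table name "bruteforce" are assumptions, and the pf table is assumed to exist in pf.conf ("table <bruteforce> persist" with a "block in quick from <bruteforce>" rule). Newer OpenSSH releases log "Invalid user" rather than "Illegal user", so both spellings are accepted.

```python
"""Tally sshd login failures per source address and propose pf table entries.

Added example for this thread, not code posted by any participant.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed auth.log excerpt in the format quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Oct 11 00:23:29 foobox sshd[44542]: Failed password for root from 61.100.12.92 port 35161 ssh2
Oct 11 00:23:31 foobox sshd[44544]: Failed password for root from 61.100.12.92 port 35193 ssh2
Oct 11 00:23:34 foobox sshd[44546]: Failed password for root from 61.100.12.92 port 35228 ssh2
Oct 11 00:23:36 foobox sshd[44548]: Failed password for root from 61.100.12.92 port 35270 ssh2
Oct 11 00:23:39 foobox sshd[44550]: Failed password for root from 61.100.12.92 port 35309 ssh2
Oct 12 01:50:12 foobox sshd[46231]: Illegal user test from 203.212.4.173
Oct 12 01:50:15 foobox sshd[46233]: Illegal user guest from 203.212.4.173
Oct 12 01:50:17 foobox sshd[46235]: Illegal user admin from 203.212.4.173
Oct 12 01:50:24 foobox sshd[46241]: Failed password for root from 203.212.4.173 port 55657 ssh2
Oct 12 09:14:02 foobox sshd[47001]: Failed password for steve from 10.0.0.5 port 40123 ssh2
Oct 12 09:14:09 foobox sshd[47003]: Accepted publickey for steve from 10.0.0.5 port 40125 ssh2
"""

# syslog timestamp, host, "sshd[pid]: " prefix common to every line of interest
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
# Failed password for a real account (older sshd also wrote "illegal user" here).
FAILED_RE = re.compile(_PREFIX + r"Failed password for (?P<bad>invalid user |illegal user )?"
                       r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
# Probe for an account that does not exist ("Illegal user" in 2004, "Invalid user" later).
ILLEGAL_RE = re.compile(_PREFIX + r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)")

# Assumed admin subnet: never auto-blocked, so a mistyped password cannot lock you out.
TRUSTED_NETS = [ip_network("10.0.0.0/24")]


def summarize(log_text):
    """Return {ip: {attempts, root, illegal, users, first, last}} for failed logins."""
    stats = defaultdict(lambda: {"attempts": 0, "root": 0, "illegal": 0,
                                 "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line) or ILLEGAL_RE.match(line)
        if m is None:
            continue  # "Accepted ..." and unrelated lines are not failures
        rec = stats[m.group("ip")]
        rec["attempts"] += 1
        rec["users"].add(m.group("user"))
        if m.group("user") == "root":
            rec["root"] += 1
        # Either an "Illegal user" line or a Failed line flagged as a non-existent account.
        if m.re is ILLEGAL_RE or m.groupdict().get("bad"):
            rec["illegal"] += 1
        rec["first"] = rec["first"] or m.group("ts")
        rec["last"] = m.group("ts")
    return dict(stats)


def suspicious(stats, max_attempts=5, max_illegal=2):
    """Addresses worth blocking: many failures, or probing for accounts that do not exist.

    Guessing non-existent usernames is the strongest signal: a real user may mistype a
    password, but nobody legitimately tries 'test', 'guest' and 'admin' in a row.
    """
    out = []
    for ip, rec in stats.items():
        if any(ip_address(ip) in net for net in TRUSTED_NETS):
            continue
        if rec["attempts"] >= max_attempts or rec["illegal"] >= max_illegal:
            out.append(ip)
    return sorted(out, key=ip_address)


def pf_table_commands(ips, table="bruteforce"):
    """pfctl invocations that add each offender to the (assumed, persistent) pf table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, rec in sorted(stats.items(), key=lambda kv: ip_address(kv[0])):
        print(f"{ip:16} {rec['attempts']:3} failures ({rec['root']} as root, "
              f"{rec['illegal']} unknown users) {sorted(rec['users'])} "
              f"{rec['first']} .. {rec['last']}")
    for cmd in pf_table_commands(suspicious(stats)):
        print(cmd)
```

Run it against /var/log/auth.log instead of SAMPLE_LOG to see the same summary for real traffic; the pfctl lines are printed rather than executed so the block list can be reviewed before it is loaded. Blocking by address only trims the noise (the original post already saw the source move to a new address within ten minutes), so it complements, not replaces, disabling password authentication and restricting logins with AllowUsers.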
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.3.0.2.20041028144313.04baeec0>