And the beat goes on...

This morning before I left for work I happened to look at the traffic graphs for the two web servers I maintain. Both of them showed a continuous buzz of traffic starting last night at 7:00 PM. The graph below shows traffic going to (blue) and from (green) one of the two boxes:



It struck me as more than a bit odd, and likely a sign of an active attack. I did some quick poking around and assured myself that both boxes had not been compromised. Then I looked in the system logs. Both were getting hundreds of entries like these:

Jun 20 00:06:51 alpha sshd[6759]: input_userauth_request: illegal user imke
Jun 20 00:06:51 alpha sshd[6759]: Failed password for illegal user imke from 62.233.33.57 port 33815 ssh2
Jun 20 00:06:51 alpha sshd[6759]: Received disconnect from 62.233.33.57: 11: Bye Bye
Jun 20 00:06:51 alpha sshd[6760]: input_userauth_request: illegal user imke
Jun 20 00:06:51 alpha sshd[6760]: Failed password for illegal user imke from 62.233.33.57 port 33867 ssh2
Jun 20 00:06:52 alpha sshd[6760]: Received disconnect from 62.233.33.57: 11: Bye Bye
Jun 20 00:06:52 alpha sshd[6761]: input_userauth_request: illegal user immanuel
Jun 20 00:06:52 alpha sshd[6761]: Failed password for illegal user immanuel from 62.233.33.57 port 33912 ssh2
Jun 20 00:06:52 alpha sshd[6761]: Received disconnect from 62.233.33.57: 11: Bye Bye
Jun 20 00:06:53 alpha sshd[6762]: input_userauth_request: illegal user immanuel
Jun 20 00:06:53 alpha sshd[6762]: Failed password for illegal user immanuel from 62.233.33.57 port 33947 ssh2
Jun 20 00:06:53 alpha sshd[6762]: Received disconnect from 62.233.33.57: 11: Bye Bye


...Some script kiddie was running a 'bot against both servers looking for accounts with either no password or with the password matching the account name. I tracked down the French ISP that owned the IP block that the attacker's address (62.233.33.57) was in and sent an email off to their listed abuse@ address.* About an hour later the traffic stopped cold. Whether the ISP took any action or the attacker got to the end of the alphabet, I don't know.

Having now had servers out on the 'net for several years, I can tell you that this kind of blatant probing goes on all the time. It's no wonder that security types will tell you that the lifespan of an un-patched Windows box on the Internet is something like 3-4 hours before it gets owned. In all fairness, an unprotected Linux box wouldn't fare a whole lot better, but also in fairness, it is a shitload easier to secure a Linux box if you actually take the time to do the job.

ETA: It looks like I won't be giving the ISP any credit for stepping on this twerp. The last entry in the syslog from that attack is: Jun 20 07:20:07 alpha sshd[3289]: Failed password for illegal user zygmund. Oh, and some other twit tried a list of usual system account names shortly after three this afternoon. F*ckers, all of 'em.


* Start by going to www.arin.net and pasting the IP into their search box. In this case, the result pointed me to RIPE, the European IP addressing authority. A search on their site turned up the contact info for the ISP in France responsible for the block of IPs which included the attacker's address.

Comments

also_huey
Jun. 21st, 2006 02:48 am (UTC)
Load http://62.233.33.57/.
- proxyserv.cust.azuria.net. I'm guessing a web proxy for their users.
rDNS says 62.233.33.57 PTR record: noisettine.noisettine.com. [TTL 3600s] [A=213.251.169.215], which is interestingly broken.
azuria's WHOIS record says "Please report any spam, hack, etc. to abuse@azuria.net".
I've never heard of them, which either means that they're pretty good about dealing with abuse issues, or they're too small to be much of a problem.
netcurmudgeon
Jun. 21st, 2006 10:18 am (UTC)
...I had noticed the busted PTR / A-record relationship. I haven't heard anything back from azuria.net.
half_elf_lost
Jun. 21st, 2006 04:36 am (UTC)
Or they couldn't understand your email, unless you wrote it in French.
netcurmudgeon
Jun. 21st, 2006 10:11 am (UTC)
...Certainly possible, which is one of the reasons I always paste in a nice big chunk of log file to illustrate the problem. Though, with pun intended, English is the lingua franca of computer science.

I had contemplated running my text through Systran to generate a French copy, but I was too afraid of what an automatic translator would do to technical English!
(Anonymous)
Jun. 22nd, 2006 03:47 pm (UTC)
one word: sshdfilter
I used to get these attempts pretty regularly. Then I installed sshdfilter. They get ZERO attempts if the ssh client doesn't identify itself. They then get ONE chance if the user name is no good. If that's all OK, they get three chances to enter a password properly. (Root doesn't count because they can't log in as root even with the right password.)

Then the iptables are adjusted so all traffic from them is discarded for three days.

Highly recommended.

http://www.csc.liv.ac.uk/~greg/sshdfilter/
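As an added example (not the post's, the commenter's or sshdfilter's own code), this parses the sshd log format quoted in the post and applies the strike budget the comment above describes: one chance for a non-existent user name, three for a real one, then a three-day block. The sample lines, the 192.0.2.10 source and the year 2006 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the sshd lines quoted in the post; the
# 192.0.2.10 entries are invented to show a real user mistyping a password.
SAMPLE_LOG = """\
Jun 20 00:06:51 alpha sshd[6759]: input_userauth_request: illegal user imke
Jun 20 00:06:51 alpha sshd[6759]: Failed password for illegal user imke from 62.233.33.57 port 33815 ssh2
Jun 20 00:06:52 alpha sshd[6761]: Failed password for illegal user immanuel from 62.233.33.57 port 33912 ssh2
Jun 20 00:07:10 alpha sshd[6790]: Failed password for bob from 192.0.2.10 port 40001 ssh2
Jun 20 00:07:15 alpha sshd[6791]: Failed password for bob from 192.0.2.10 port 40002 ssh2
Jun 20 00:07:20 alpha sshd[6792]: Accepted password for bob from 192.0.2.10 port 40003 ssh2
"""

AUTH = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<illegal>illegal user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Strike budgets modelled on the policy the sshdfilter comment describes
# (hypothetical values chosen here, not taken from sshdfilter's code).
ILLEGAL_USER_LIMIT = 1
VALID_USER_LIMIT = 3
BAN_DURATION = timedelta(days=3)


def evaluate(log_text, year=2006):
    """One pass over the log; per source: strikes, user names tried, and the
    time a firewall block should expire (None when no block was earned)."""
    state = defaultdict(lambda: {"strikes": 0, "users": set(), "ban_until": None})
    for line in log_text.splitlines():
        m = AUTH.match(line)
        if not m:
            continue  # disconnects and userauth_request noise are not outcomes
        # syslog lines carry no year; the caller supplies it (the post is from 2006)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = state[m["ip"]]
        if src["ban_until"]:
            continue  # already blocked: treat later lines from it as dropped
        if m["result"] == "Accepted":
            src["strikes"] = 0  # a successful login clears the budget
            continue
        src["strikes"] += 1
        src["users"].add(m["user"])
        limit = ILLEGAL_USER_LIMIT if m["illegal"] else VALID_USER_LIMIT
        if src["strikes"] >= limit:
            src["ban_until"] = ts + BAN_DURATION
    return dict(state)
```

Running `evaluate(SAMPLE_LOG)` bans 62.233.33.57 on its first unknown-user failure, while 192.0.2.10 spends two of its three strikes and is cleared by the successful login.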