netcurmudgeon (netcurmudgeon) wrote,
And the beat goes on...

This morning before I left for work I happened to look at the traffic graphs for the two web servers I maintain. Both of them showed a continuous buzz of traffic starting last night at 7:00 PM. The graph below shows traffic going to (blue) and from (green) one of the two boxes:



It struck me as more than a bit odd, and likely a sign of an active attack. I did some quick poking around and assured myself that both boxes had not been compromised. Then I looked in the system logs. Both were getting hundreds of entries like these:

Jun 20 00:06:51 alpha sshd[6759]: input_userauth_request: illegal user imke
Jun 20 00:06:51 alpha sshd[6759]: Failed password for illegal user imke from 62.233.33.57 port 33815 ssh2
Jun 20 00:06:51 alpha sshd[6759]: Received disconnect from 62.233.33.57: 11: Bye Bye
Jun 20 00:06:51 alpha sshd[6760]: input_userauth_request: illegal user imke
Jun 20 00:06:51 alpha sshd[6760]: Failed password for illegal user imke from 62.233.33.57 port 33867 ssh2
Jun 20 00:06:52 alpha sshd[6760]: Received disconnect from 62.233.33.57: 11: Bye Bye
Jun 20 00:06:52 alpha sshd[6761]: input_userauth_request: illegal user immanuel
Jun 20 00:06:52 alpha sshd[6761]: Failed password for illegal user immanuel from 62.233.33.57 port 33912 ssh2
Jun 20 00:06:52 alpha sshd[6761]: Received disconnect from 62.233.33.57: 11: Bye Bye
Jun 20 00:06:53 alpha sshd[6762]: input_userauth_request: illegal user immanuel
Jun 20 00:06:53 alpha sshd[6762]: Failed password for illegal user immanuel from 62.233.33.57 port 33947 ssh2
Jun 20 00:06:53 alpha sshd[6762]: Received disconnect from 62.233.33.57: 11: Bye Bye


...Some script kiddie was running a 'bot against both servers looking for accounts with either no password or with the password matching the account name. I tracked down the French ISP that owned the IP block that the attacker's address (62.233.33.57) was in and sent an email off to their listed abuse@ address.* About an hour later the traffic stopped cold. Whether the ISP took any action or the attacker got to the end of the alphabet, I don't know.
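As an added example (not part of the original post), here is a small Python script that parses sshd lines in the format shown above, groups failed logins by source address, and flags addresses that fail repeatedly at a high rate against many different account names, which is the signature of a dictionary-of-usernames run like the one logged here. The sample lines are constructed to match the post's excerpt (the attacker address is the one the post reports; the other two addresses are documentation-range placeholders), and the year, the regex and the thresholds are assumptions.

```python
"""Spot SSH password-guessing runs in sshd syslog output.

Added example, not code from the original post. The sample log, the
assumed year (syslog timestamps carry none) and the thresholds are all
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# "Failed password for [illegal|invalid user] NAME from IP port N ssh2".
# Older OpenSSH logged "illegal user", newer releases log "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Constructed sample in the same shape as the post's syslog excerpt.
SAMPLE_LOG = """\
Jun 20 00:06:51 alpha sshd[6759]: input_userauth_request: illegal user imke
Jun 20 00:06:51 alpha sshd[6759]: Failed password for illegal user imke from 62.233.33.57 port 33815 ssh2
Jun 20 00:06:51 alpha sshd[6759]: Received disconnect from 62.233.33.57: 11: Bye Bye
Jun 20 00:06:51 alpha sshd[6760]: Failed password for illegal user imke from 62.233.33.57 port 33867 ssh2
Jun 20 00:06:52 alpha sshd[6761]: Failed password for illegal user immanuel from 62.233.33.57 port 33912 ssh2
Jun 20 00:06:53 alpha sshd[6762]: Failed password for illegal user immanuel from 62.233.33.57 port 33947 ssh2
Jun 20 00:06:54 alpha sshd[6763]: Failed password for illegal user ingrid from 62.233.33.57 port 33990 ssh2
Jun 20 00:07:10 alpha sshd[6770]: Failed password for bob from 192.0.2.10 port 40001 ssh2
Jun 20 00:07:15 alpha sshd[6771]: Accepted publickey for alice from 192.0.2.20 port 40002 ssh2
"""


def summarize(lines, year=2004):
    """Group failed password attempts by source IP.

    Returns {ip: {"count", "users", "first", "last"}}. Lines that are not
    failed-password events (disconnects, accepted logins) are ignored.
    The year is an assumption because syslog timestamps omit it.
    """
    per_ip = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse "Jun  5" style padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        rec = per_ip[m["ip"]]
        rec["count"] += 1
        rec["users"].add(m["user"])
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(per_ip)


def flag_bruteforce(summary, min_failures=5, min_rate_per_min=3.0):
    """Flag sources with many failures arriving quickly.

    A single user fumbling a password produces a few failures spread over
    minutes; a scripted run produces dozens per minute against a changing
    list of account names. Thresholds are assumptions; tune to your hosts.
    """
    flagged = {}
    for ip, rec in summary.items():
        if rec["count"] < min_failures:
            continue
        span_s = (rec["last"] - rec["first"]).total_seconds()
        rate = rec["count"] / (max(span_s, 1.0) / 60.0)
        if rate >= min_rate_per_min:
            flagged[ip] = {
                "failures": rec["count"],
                "distinct_users": len(rec["users"]),
                "per_minute": round(rate, 1),
                "first": rec["first"].strftime("%b %d %H:%M:%S"),
                "last": rec["last"].strftime("%b %d %H:%M:%S"),
            }
    return flagged


if __name__ == "__main__":
    hits = flag_bruteforce(summarize(SAMPLE_LOG.splitlines()))
    for ip, info in hits.items():
        print(f"{ip}: {info}")
```

Run it against a real file with `summarize(open("/var/log/auth.log"))` (or `/var/log/secure` on Red Hat style systems; the path depends on the distribution's syslog configuration). The output is what you would paste into an abuse report: source address, time window, number of attempts and how many different account names were tried.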

Having now had servers out on the 'net for several years, I can tell you that this kind of blatant probing goes on all the time. It's no wonder that security types will tell you that the lifespan of an un-patched Windows box on the Internet is something like 3-4 hours before it gets owned. In all fairness, an unprotected Linux box wouldn't fare a whole lot better, but also in fairness, it is a shitload easier to secure a Linux box if you actually take the time to do the job.

ETA: It looks like I won't be giving the ISP any credit for stepping on this twerp. The last entry in the syslog from that attack is: Jun 20 07:20:07 alpha sshd[3289]: Failed password for illegal user zygmund. Oh, and some other twit tried a list of usual system account names shortly after three this afternoon. F*ckers, all of 'em.


* Start by going to www.arin.net and pasting the IP into their search box. In this case, the result pointed me to RIPE, the European IP addressing authority. A search on their site turned up the contact info for the ISP in France responsible for the block of IPs which included the attacker's address.