[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[K12OSN] Help: System intrusion through ssh and a weak password



Hello All-  I've got a problem here with 3 complaints from our school's internet provider.  All of them have been brute force attacks to other systems in the world...

Here is a clip from one log sent to me:
Tag Name        Status  Severity        Event Count     Source Count    Target Count    Object Count    Earliest Event  Latest Event   
SSH_Brute_Force Attack failure (blocked by Proventia appliance) High    128198  1       18723   1       2007-05-03 06:00:00 PDT 2007-05-04 09:00:00 PDT
HTTP_IIS_Unicode_Wide_Encoding  Detected attack (vuln not scanned recently)     High    50      1       20      1       2007-05-01 08:00:00 PDT 2007-05-03 14:00:00 PDT
SSH_ChallengeResponse_Bo        Attack failure (blocked by Proventia appliance) High    5       1       5       1       2007-05-03 22:00:00 PDT 2007-05-04 08:00:00 PDT
HTTP_cookieOverflow     Detected attack (vuln not scanned recently)     High    2       1       1       1       2007-05-02 14:00:00 PDT 2007-05-02 14:00:00 PDT
SSH_Vulnerable_OpenSSH  Detected event  Medium  7067    1       235     1       2007-05-03 06:00:00 PDT 2007-05-04 08:00:00 PDT
HTTP_IIS_Double_Eval_Evasion    Detected event  Medium  112     1       20      1       2007-05-01 08:00:00 PDT 2007-05-04 09:00:00 PDT
HTTP_IIS_Percent_Evasion        Detected event  Medium  46      1       18      1       2007-05-01 08:00:00 PDT 2007-05-04 09:00:00 PDT
HTTP_Proxy_Cache_Poisoning      Attack failure (blocked by Proventia appliance) Medium  39      1       15      1       2007-05-01 08:00:00 PDT 2007-05-04 08:00:00 PDT

Here is a clip from the first log sent to me:

| SSH_Brute_Force | 15690 | 2007-05-03 05:17:37 | 2007-05-03 10:43:27 |
| TCP_Service_Sweep | 471 | 2007-05-03 05:18:10 | 2007-05-03 11:50:14 |
| HTTP_Proxy_Cache_Poisoning | 5 | 2007-05-02 12:42:36 | 2007-05-03 11:39:10 |
+-----------------------------------+--------------+----------------------+----------------------+
Top 20 Events for SSH_Brute_Force Total Count 15690
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
| Source Address | Dest Address | SPort | DPort | Count | Min Time(PST) | Max Time(PST) |
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
| 142.26.181.80 | 66.221.9.56 | 0 | 22 | 447 | 2007-05-03 05:28:08 | 2007-05-03 06:16:10 |
| 142.26.181.80 | 66.221.95.3 | 0 | 22 | 421 | 2007-05-03 05:37:05 | 2007-05-03 06:27:41 |
| 142.26.181.80 | 66.221.94.120 | 0 | 22 | 403 | 2007-05-03 05:41:28 | 2007-05-03 06:29:37 |
| 142.26.181.80 | 66.221.95.148 | 0 | 22 | 364 | 2007-05-03 05:29:36 | 2007-05-03 06:28:44 |
| 142.26.181.80 | 66.221.91.216 | 0 | 22 | 325 | 2007-05-03 05:36:06 | 2007-05-03 06:06:58 |
| 142.26.181.80 | 66.221.91.169 | 0 | 22 | 302 | 2007-05-03 05:41:13 | 2007-05-03 06:29:07 |
| 142.26.181.80 | 66.221.91.190 | 0 | 22 | 284 | 2007-05-03 05:28:54 | 2007-05-03 06:04:53 |
| 142.26.181.80 | 66.221.90.87 | 0 | 22 | 258 | 2007-05-03 05:44:23 | 2007-05-03 06:15:11 |
| 142.26.181.80 | 66.221.90.180 | 0 | 22 | 202 | 2007-05-03 05:33:38 | 2007-05-03 05:51:53 |
| 142.26.181.80 | 66.221.92.31 | 0 | 22 | 181 | 2007-05-03 05:30:57 | 2007-05-03 06:09:46 |
| 142.26.181.80 | 66.221.95.24 | 0 | 22 | 180 | 2007-05-03 05:42:34 | 2007-05-03 06:05:13 |
| 142.26.181.80 | 66.221.91.186 | 0 | 22 | 179 | 2007-05-03 06:04:53 | 2007-05-03 06:28:27 |
| 142.26.181.80 | 66.221.94.240 | 0 | 22 | 175 | 2007-05-03 05:42:45 | 2007-05-03 06:11:20 |
| 142.26.181.80 | 66.221.84.109 | 0 | 22 | 163 | 2007-05-03 05:28:01 | 2007-05-03 06:11:30 |
| 142.26.181.80 | 66.221.87.194 | 0 | 22 | 139 | 2007-05-03 05:46:59 | 2007-05-03 06:09:38 |
| 142.26.181.80 | 66.221.91.218 | 0 | 22 | 137 | 2007-05-03 05:33:31 | 2007-05-03 06:01:05 |
| 142.26.181.80 | 66.221.92.112 | 0 | 22 | 136 | 2007-05-03 05:27:47 | 2007-05-03 06:06:57 |
| 142.26.181.80 | 66.221.89.69 | 0 | 22 | 134 | 2007-05-03 05:30:01 | 2007-05-03 06:07:31 |
| 142.26.181.80 | 66.221.95.97 | 0 | 22 | 127 | 2007-05-03 05:45:18 | 2007-05-03 05:59:54 |
| 142.26.181.80 | 66.221.94.204 | 0 | 22 | 125 | 2007-05-03 05:40:19 | 2007-05-03 05:53:41 |
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+

Top 20 Events for TCP_Service_Sweep Total Count 471


I found files in /dev/shm/zH and /dev/shm/.info.  They don't belong and didn't have root access??  Standard user access belonging to username 'josh'...  I didn't think /dev was writable...???

I've cleaned it out and have had a ton of ports blocked... 

Any help would be welcomed.

Thanks,  Jim
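The "Top 20 Events" table above is the kind of report an upstream IDS sends when one of your hosts is the source of a sweep. The script below is an added example (it is not from the original post, nor from the Proventia product): it parses pipe-delimited rows of that shape, aggregates attempts per source address, and flags sources whose volume, target spread and rate look like an outbound SSH brute-force sweep, which is exactly the pattern that triggered the abuse complaints here. The sample rows are copied from the report above except for the 10.0.0.5 row, which is constructed as a benign contrast; the thresholds in flag_bruteforce are assumptions chosen for illustration, not values the IDS uses.

```python
"""Summarise an IDS 'Top N events' table (SSH brute-force report) per source.

Added example, not part of the original mailing-list post. It reads rows of the
form '| src | dst | sport | dport | count | min time | max time |', sums attempts
per source, counts distinct targets, estimates attempts per minute and flags
sources that exceed illustrative thresholds.
"""
from datetime import datetime

# Constructed sample: first three rows copied from the report above; the
# 10.0.0.5 row is made up so a non-brute-force source appears for contrast.
SAMPLE = """\
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
| Source Address | Dest Address | SPort | DPort | Count | Min Time(PST) | Max Time(PST) |
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
| 142.26.181.80 | 66.221.9.56 | 0 | 22 | 447 | 2007-05-03 05:28:08 | 2007-05-03 06:16:10 |
| 142.26.181.80 | 66.221.95.3 | 0 | 22 | 421 | 2007-05-03 05:37:05 | 2007-05-03 06:27:41 |
| 142.26.181.80 | 66.221.94.120 | 0 | 22 | 403 | 2007-05-03 05:41:28 | 2007-05-03 06:29:37 |
| 10.0.0.5 | 66.221.9.56 | 0 | 22 | 3 | 2007-05-03 05:00:00 | 2007-05-03 05:30:00 |
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_rows(text):
    """Return a list of dicts, one per data row; separators and headers are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # '+----+' separator lines and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 7 or not cells[4].isdigit():
            continue  # header row or a malformed line
        src, dst, _sport, dport, count, tmin, tmax = cells
        rows.append({
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "count": int(count),
            "first": datetime.strptime(tmin, TS_FORMAT),
            "last": datetime.strptime(tmax, TS_FORMAT),
        })
    return rows


def summarise(rows):
    """Aggregate per source: total attempts, distinct targets, attempts per minute."""
    per_src = {}
    for r in rows:
        s = per_src.setdefault(r["src"], {"count": 0, "targets": set(),
                                          "first": r["first"], "last": r["last"]})
        s["count"] += r["count"]
        s["targets"].add(r["dst"])
        s["first"] = min(s["first"], r["first"])
        s["last"] = max(s["last"], r["last"])
    summary = {}
    for src, s in per_src.items():
        # Clamp the window to one minute so a single-timestamp row does not divide by zero.
        minutes = max((s["last"] - s["first"]).total_seconds() / 60.0, 1.0)
        summary[src] = {
            "attempts": s["count"],
            "targets": len(s["targets"]),
            "per_minute": s["count"] / minutes,
        }
    return summary


def flag_bruteforce(summary, min_attempts=100, min_targets=2, min_rate=1.0):
    """Sources that are high-volume, spread over several targets and sustained (thresholds are assumptions)."""
    return sorted(src for src, s in summary.items()
                  if s["attempts"] >= min_attempts
                  and s["targets"] >= min_targets
                  and s["per_minute"] >= min_rate)


if __name__ == "__main__":
    stats = summarise(parse_rows(SAMPLE))
    for src, s in sorted(stats.items()):
        print(f"{src:16} attempts={s['attempts']:5} targets={s['targets']:3} "
              f"rate={s['per_minute']:.1f}/min")
    print("flagged:", flag_bruteforce(stats))
```

On the rows above the school host 142.26.181.80 sums to 1271 attempts against three targets in about an hour (roughly 20 per minute), while the constructed 10.0.0.5 row stays well under every threshold. Run against the full report the same code turns the per-target list into the two numbers an abuse desk wants: how many systems were hit and over what window.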
