Attempted SSH Logins (from Fedora thread)

James Marcinek jmarc1 at jemconsult.biz
Tue Aug 3 16:45:54 UTC 2004


This was the last thread from the Fedora list covering this same issue...

On Fri, 30.07.2004 at 11:45, Brian Fahrlander wrote:

>     From last night's LogWatch:
> --------------------------------------------------------------------------
> 
> sshd:
>    Invalid Users:
>       Unknown Account: 7 Time(s)
>    Unknown Entries:
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=johnstongrain.com  : 2 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=smms-mriley09d.chemistry.uq.edu.au  : 2 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=211.117.191.70  : 1 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=216.97.110.1  : 1 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=ccia-062-204-197-193.uned.es  : 1 Time(s)
> 
> su:
>    Sessions Opened:
>       brian(uid=500) -> root: 1 Time(s)
> 
> ------------------------------------------------------------------------
> 
>     Ok, guys- what do we do with this?  Should we be writing down the
> addresses from which these attempts were made? They're probably all
> 'stooge' addresses, I know, but it might help authorities to know what
> other machines have been compromised...
> 
>     I'll go save the log somewhere...
> 
> ------------------------------------------------------------------------

Just got these SSH login attempts from a machine which is obviously
hacked! I did a portscan immediately after the messages occurred in my
log:

$ nmap -vvvv -sS -sV -P0 -O 64.86.78.209
 
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-08-03 16:53
CEST
Host 64.86.78.209 appears to be up ... good.
Initiating SYN Stealth Scan against 64.86.78.209 at 16:53
Adding open port 5101/tcp
Adding open port 23/tcp
adjust_timeout: packet supposedly had rtt of 11522743 microseconds. 
Ignoring time.
adjust_timeout: packet supposedly had rtt of 11516952 microseconds. 
Ignoring time.
adjust_timeout: packet supposedly had rtt of 12503503 microseconds. 
Ignoring time.
adjust_timeout: packet supposedly had rtt of 25062938 microseconds. 
Ignoring time.
Adding open port 818/tcp
adjust_timeout: packet supposedly had rtt of 25019107 microseconds. 
Ignoring time.
adjust_timeout: packet supposedly had rtt of 25985784 microseconds. 
Ignoring time.
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 1984/tcp
Adding open port 3001/tcp
Adding open port 21/tcp
Adding open port 443/tcp
Adding open port 3000/tcp
adjust_timeout: packet supposedly had rtt of 11461759 microseconds. 
Ignoring time.
Adding open port 5102/tcp
Adding open port 32770/tcp
Adding open port 5100/tcp
Adding open port 80/tcp
Adding open port 3306/tcp
adjust_timeout: packet supposedly had rtt of 11455679 microseconds. 
Ignoring time.
The SYN Stealth Scan took 54 seconds to scan 1657 ports.
Initiating service scan against 15 services on 1 host at 16:54
The service scan took 27 seconds to scan 15 services on 1 host.
Initiating RPCGrind Scan against 64.86.78.209 at 16:54
The RPCGrind Scan took 7 seconds to scan 3 ports.
For OSScan assuming that port 21 is open and port 1 is closed and
neither are firewalled
Interesting ports on 64.86.78.209:
(The 1642 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsFTPd 1.1.0
22/tcp    open  ssh      OpenSSH 3.4p1 (protocol 1.99)
23/tcp    open  telnet   Linux telnetd

Telnet is open!

80/tcp    open  http     Apache httpd 2.0.40 ((Red Hat Linux))
111/tcp   open  rpcbind  2 (rpc #100000)
443/tcp   open  ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
818/tcp   open  rquotad  1-2 (rpc #100011)
1984/tcp  open  ssh

See below for port 1984!

3000/tcp  open  ppp?
3001/tcp  open  nessusd?
3306/tcp  open  mysql?
5100/tcp  open  http     Apache httpd 1.3.27 ((Unix) Sun-ONE-ASP/4.0.0)
5101/tcp  open  admdog?
5102/tcp  open  admeng?
32770/tcp open  mountd   1-3 (rpc #100005)
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1984-TCP:V=3.48%D=8/3%Time=410FA725%r(NULL,20,"SSH-1\.5-FucKiT\x20R
SF:ootKit\x20by\x20Cyrax\n");

ON PORT 1984 THE ROOTKIT SSH IS LISTENING!

Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20

The kernel is a Red Hat 2.4.18-4 one - so highly vulnerable. No question
why a rootkit is on this box.

OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=22816B%IPID=Z)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
 
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2261355 (Good luck!)
TCP ISN Seq. Numbers: 33A1C699 33236160 334D5B86 32FCC75A
IPID Sequence Generation: All zeros
 
Nmap run completed -- 1 IP address (1 host up) scanned in 119.684
seconds

I mailed the responsible person according to whois data. We'll see...

Alexander
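
Added example, not code from the thread or from anyone in it: a small
Python script that parses SSH identification strings the way the nmap
service probe above read them, and flags any whose software name is not
one you expect. The two banners for ports 22 and 1984 are constructed
from what the scan reported; port 2222 is a made-up SSH-2-only server
for contrast. EXPECTED_SOFTWARE is an assumption for illustration, not
an authoritative list, and grab_banner() needs network access and is not
exercised by the samples.

```python
"""Parse SSH identification strings and flag unexpected server software.

Added example, not code from the thread. Banner layout follows RFC 4253:
"SSH-protoversion-softwareversion SP comments CR LF". EXPECTED_SOFTWARE is
an assumption for illustration, not an authoritative allow-list.
"""
import socket
from typing import Optional

# Assumption: the implementations you expect on your own hosts.
EXPECTED_SOFTWARE = ("OpenSSH", "dropbear", "libssh")

# Constructed samples: 22 and 1984 mirror the nmap output in the thread,
# 2222 is an ordinary SSH-2-only server added for contrast.
SAMPLES = {
    22: "SSH-1.99-OpenSSH_3.4p1\r\n",
    1984: "SSH-1.5-FucKiT RootKit by Cyrax\n",
    2222: "SSH-2.0-OpenSSH_9.6\r\n",
}


def parse_ssh_banner(banner: str) -> Optional[dict]:
    """Split an identification line into its parts; None if it is not SSH."""
    line = banner.rstrip("\r\n")
    if not line.startswith("SSH-"):
        return None
    proto, sep, rest = line[4:].partition("-")
    if not sep:
        return None
    software, _, comment = rest.partition(" ")
    return {
        "protoversion": proto,
        "software": software,
        "comment": comment,
        # "1.99" means the server speaks both SSH-1 and SSH-2;
        # any other 1.x banner is an SSH-1-only server.
        "ssh1_only": proto.startswith("1.") and proto != "1.99",
    }


def classify_banner(banner: str) -> str:
    """Return "expected", "unexpected" or "not-ssh"."""
    parsed = parse_ssh_banner(banner)
    if parsed is None:
        return "not-ssh"
    if parsed["software"].startswith(EXPECTED_SOFTWARE):
        return "expected"
    return "unexpected"


def audit(samples: dict) -> dict:
    """Map port -> verdict for a set of captured banners."""
    return {port: classify_banner(b) for port, b in samples.items()}


def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Read one identification line from a live server (needs network access).

    The server sends its banner first, so no client data has to be written.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = sock.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace")


if __name__ == "__main__":
    for port, verdict in audit(SAMPLES).items():
        print(f"{port}/tcp {verdict:10} {parse_ssh_banner(SAMPLES[port])}")
```

The banner only gives the attacker away when they are sloppy enough to
leave an advertising string on an extra port; a replaced /usr/sbin/sshd
listening on 22 would still answer with the distribution's normal
OpenSSH banner. Treat an odd banner as one indicator and verify the
binaries from trusted media, not from the suspect box's own tools.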



General Red Hat Linux discussion list <redhat-list at redhat.com> wrote: 
> If you do a dig -x, and then check some of the websites, you see that a 
> lot of these are coming out of Korea and China.  I've had the same 
> attempts on my systems and got curious.  Some were coming from the 
> Chemistry department of one of the Universities in China.
> 
> Also, one of the accounts being tried here is "guest" which is a common 
> Microsoft account.  Makes me wonder if they aren't looking to hack 
> Windows systems.
> 
> -Bob
> 
> Jenkins, Jeremiah wrote:
> 
> >There are some script kiddies out there running automated attacks.  If you
> >look at your secure log /var/log/secure, you will see that they try for a
> >few times then move on.  if you google on the error message you will find
> >numerous threads on the subject.
> >
> >-----Original Message-----
> >From: Nathaniel Hall [mailto:halln at otc.edu]
> >Sent: Tuesday, August 03, 2004 12:23 PM
> >To: redhat-list at redhat.com
> >Subject: Attempted SSH Logins
> >
> >
> >Hi all.
> >
> >I have been monitoring our logs over the past several weeks using logwatch
> >and have noticed several of these entries (known entries omitted):
> >
> >sshd:
> >   Invalid Users:
> >      Unknown Account: 5 Time(s)
> >   Authentication Failures:
> >      test (server.bes1.com ): 2 Time(s)
> >      root (server.bes1.com ): 3 Time(s)
> >      unknown (server.bes1.com ): 4 Time(s)
> >
> >The source addresses vary.  I always see the same accounts from different
> >addresses with a different number of tries.  When I see these, there is only
> >one source, never a mix of sources.  The next day, it might be a different
> >source, but it is the only one.
> >
> >Is anybody else seeing this in their logs where I shouldn't be as worried or
> >is this directed at us?
> >
> >~~~~~~~~~~~~~~~~~~~~~~~~~~
> >Nathaniel Hall
> >Intrusion Detection and Firewall Technician
> >Ozarks Technical Community College -- Office of Computer Networking
> >halln at otc.edu
> >417-799-0552
> >
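
Added example, not from the thread or any of its participants, for the
"what do we do with this?" question: a Python summariser over raw
/var/log/secure lines of the kind logwatch condensed in the reports
above. It groups sshd failures per remote host, separates the sshd
"Failed password" line from the PAM "authentication failure" line for
the same attempt so they are not double-counted, and flags the case that
actually matters, a login that succeeded from a host that had just been
failing. The log lines are constructed (the host name "gw", the PIDs and
the 192.0.2.x and 198.51.100.x addresses are invented; the other two
addresses appear in the thread). The regexes accept both the OpenSSH 3.x
"Illegal user" wording and the later "Invalid user", and the threshold
of three failures is an arbitrary assumption.

```python
"""Summarise sshd brute-force attempts from syslog-style auth logs.

Added example, not from the thread. The log lines below are constructed.
"""
import re
from collections import defaultdict

# OpenSSH 3.x says "illegal user", later versions "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:(?P<invalid>illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<rhost>\S+)", re.IGNORECASE)
# pam_unix logs the same attempt again; rhost is sometimes followed by user=.
PAM_RE = re.compile(
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*?rhost=(?P<rhost>\S*)"
    r"(?:\s+user=(?P<user>\S+))?")
ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<rhost>\S+)")

# Constructed sample log; 192.0.2.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
Aug  3 02:11:07 gw sshd[12345]: Illegal user test from 64.86.78.209
Aug  3 02:11:09 gw sshd(pam_unix)[12345]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=64.86.78.209
Aug  3 02:11:09 gw sshd[12345]: Failed password for illegal user test from 64.86.78.209 port 51324 ssh2
Aug  3 02:11:12 gw sshd(pam_unix)[12347]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=64.86.78.209  user=root
Aug  3 02:11:12 gw sshd[12347]: Failed password for root from 64.86.78.209 port 51326 ssh2
Aug  3 02:11:15 gw sshd[12349]: Failed password for root from 64.86.78.209 port 51328 ssh2
Aug  3 09:40:01 gw sshd[13001]: Accepted publickey for brian from 192.0.2.10 port 40022 ssh2
Aug  3 11:02:44 gw sshd[13100]: Failed password for illegal user guest from 211.117.191.70 port 3021 ssh2
Aug  3 13:20:01 gw sshd[13200]: Failed password for brian from 198.51.100.7 port 2201 ssh2
Aug  3 13:20:04 gw sshd[13201]: Failed password for brian from 198.51.100.7 port 2202 ssh2
Aug  3 13:20:09 gw sshd[13202]: Accepted password for brian from 198.51.100.7 port 2203 ssh2
""".splitlines()


def new_record():
    return {"failures": 0, "pam_failures": 0, "accepted": 0,
            "users": set(), "invalid_users": set(),
            "accepted_after_failure": False}


def summarize(lines):
    """Aggregate sshd events per remote host, in log order."""
    hosts = defaultdict(new_record)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            rec = hosts[m["rhost"]]
            rec["failures"] += 1
            rec["users"].add(m["user"])
            if m["invalid"]:
                rec["invalid_users"].add(m["user"])
            continue
        m = PAM_RE.search(line)
        if m and m["rhost"]:
            hosts[m["rhost"]]["pam_failures"] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            rec = hosts[m["rhost"]]
            rec["accepted"] += 1
            if rec["failures"]:
                rec["accepted_after_failure"] = True
    return dict(hosts)


def suspicious(hosts, threshold=3):
    """Hosts worth blocking or reporting, with the reasons, per remote host."""
    out = {}
    for rhost, rec in hosts.items():
        reasons = []
        if rec["invalid_users"]:
            reasons.append("invalid users: " + ", ".join(sorted(rec["invalid_users"])))
        if rec["failures"] >= threshold:
            reasons.append(f"{rec['failures']} failures")
        if "root" in rec["users"]:
            reasons.append("root attempted")
        if rec["accepted_after_failure"]:
            reasons.append("LOGIN SUCCEEDED AFTER FAILURES")
        if reasons:
            out[rhost] = reasons
    return out


if __name__ == "__main__":
    for rhost, reasons in suspicious(summarize(SAMPLE_LOG)).items():
        print(f"{rhost:16} {'; '.join(reasons)}")
```

Run it against a real file with
summarize(open("/var/log/secure")); the hosts that only guessed
non-existent accounts are the noise the replies above describe, while a
host in the "LOGIN SUCCEEDED AFTER FAILURES" bucket is the one to act on
before writing down addresses for anybody else.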
