Attempted SSH Logins (from Fedora thread)
James Marcinek
jmarc1 at jemconsult.biz
Tue Aug 3 16:45:54 UTC 2004
This was the last thread from the Fedora list covering this same issue...
On Fri, 30.07.2004 at 11:45, Brian Fahrlander wrote:
> From last night's LogWatch:
> --------------------------------------------------------------------------
>
> sshd:
> Invalid Users:
> Unknown Account: 7 Time(s)
> Unknown Entries:
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=johnstongrain.com : 2 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=smms-mriley09d.chemistry.uq.edu.au : 2 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=211.117.191.70 : 1 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=216.97.110.1 : 1 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=ccia-062-204-197-193.uned.es : 1 Time(s)
>
> su:
> Sessions Opened:
> brian(uid=500) -> root: 1 Time(s)
>
> ------------------------------------------------------------------------
>
> Ok, guys- what do we do with this? Should we be writing down the
> addresses from which these attempts were made? They're probably all
> 'stooge' addresses, I know, but it might help authorities to know what
> other machines have been compromised...
>
> I'll go save the log somewhere...
>
> ------------------------------------------------------------------------
Just got these SSH login attempts from a machine which is obviously
hacked! I did a portscan immediately after the messages occurred in my
log:
$ nmap -vvvv -sS -sV -P0 -O 64.86.78.209
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-08-03 16:53
CEST
Host 64.86.78.209 appears to be up ... good.
Initiating SYN Stealth Scan against 64.86.78.209 at 16:53
Adding open port 5101/tcp
Adding open port 23/tcp
adjust_timeout: packet supposedly had rtt of 11522743 microseconds.
Ignoring time.
adjust_timeout: packet supposedly had rtt of 11516952 microseconds.
Ignoring time.
adjust_timeout: packet supposedly had rtt of 12503503 microseconds.
Ignoring time.
adjust_timeout: packet supposedly had rtt of 25062938 microseconds.
Ignoring time.
Adding open port 818/tcp
adjust_timeout: packet supposedly had rtt of 25019107 microseconds.
Ignoring time.
adjust_timeout: packet supposedly had rtt of 25985784 microseconds.
Ignoring time.
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 1984/tcp
Adding open port 3001/tcp
Adding open port 21/tcp
Adding open port 443/tcp
Adding open port 3000/tcp
adjust_timeout: packet supposedly had rtt of 11461759 microseconds.
Ignoring time.
Adding open port 5102/tcp
Adding open port 32770/tcp
Adding open port 5100/tcp
Adding open port 80/tcp
Adding open port 3306/tcp
adjust_timeout: packet supposedly had rtt of 11455679 microseconds.
Ignoring time.
The SYN Stealth Scan took 54 seconds to scan 1657 ports.
Initiating service scan against 15 services on 1 host at 16:54
The service scan took 27 seconds to scan 15 services on 1 host.
Initiating RPCGrind Scan against 64.86.78.209 at 16:54
The RPCGrind Scan took 7 seconds to scan 3 ports.
For OSScan assuming that port 21 is open and port 1 is closed and
neither are firewalled
Interesting ports on 64.86.78.209:
(The 1642 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
21/tcp open ftp vsFTPd 1.1.0
22/tcp open ssh OpenSSH 3.4p1 (protocol 1.99)
23/tcp open telnet Linux telnetd
Telnet is open!
80/tcp open http Apache httpd 2.0.40 ((Red Hat Linux))
111/tcp open rpcbind 2 (rpc #100000)
443/tcp open ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
818/tcp open rquotad 1-2 (rpc #100011)
1984/tcp open ssh
See below for port 1984!
3000/tcp open ppp?
3001/tcp open nessusd?
3306/tcp open mysql?
5100/tcp open http Apache httpd 1.3.27 ((Unix) Sun-ONE-ASP/4.0.0)
5101/tcp open admdog?
5102/tcp open admeng?
32770/tcp open mountd 1-3 (rpc #100005)
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1984-TCP:V=3.48%D=8/3%Time=410FA725%r(NULL,20,"SSH-1\.5-FucKiT\x20R
SF:ootKit\x20by\x20Cyrax\n");
ON PORT 1984 THE ROOTKIT SSH IS LISTENING!
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
The kernel is a Redhat 2.4.18-4 one - so highly vulnerable. No question
why a rootkit is on this box.
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=22816B%IPID=Z)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
TCP Sequence Prediction: Class=random positive increments
Difficulty=2261355 (Good luck!)
TCP ISN Seq. Numbers: 33A1C699 33236160 334D5B86 32FCC75A
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 119.684
seconds
I mailed the responsible person according to whois data. We'll see...
Alexander
General Red Hat Linux discussion list <redhat-list at redhat.com> wrote:
> If you do a dig -x, and then check some of the websites, you see that a
> lot of these are coming out of Korea and China. I've had the same
> attempts on my systems and got curious. Some were coming from the
> Chemistry department of one of the Universities in China.
>
> Also, one of the accounts being tried here is "guest" which is a common
> Microsoft account. Makes me wonder if they aren't looking to hack
> Windows systems.
>
> -Bob
>
> Jenkins, Jeremiah wrote:
>
> >There are some script kiddies out there running automated attacks. If you
> >look at your secure log /var/log/secure, you will see that they try for a
> >few times then move on. If you google on the error message you will find
> >numerous threads on the subject.
> >
> >-----Original Message-----
> >From: Nathaniel Hall [mailto:halln at otc.edu]
> >Sent: Tuesday, August 03, 2004 12:23 PM
> >To: redhat-list at redhat.com
> >Subject: Attempted SSH Logins
> >
> >Hi all.
> >
> >I have been monitoring our logs over the past several weeks using logwatch
> >and have noticed several of these entries (known entries omitted):
> >
> >sshd:
> > Invalid Users:
> > Unknown Account: 5 Time(s)
> > Authentication Failures:
> > test (server.bes1.com ): 2 Time(s)
> > root (server.bes1.com ): 3 Time(s)
> > unknown (server.bes1.com ): 4 Time(s)
> >
> >The source addresses vary. I always see the same accounts from different
> >addresses with a different number of tries. When I see these, there is only
> >one source, never a mix of sources. The next day, it might be a different
> >source, but it is the only one.
> >
> >Is anybody else seeing this in their logs where I shouldn't be as worried or
> >is this directed at us?
> >
> >~~~~~~~~~~~~~~~~~~~~~~~~~~
> >Nathaniel Hall
> >Intrusion Detection and Firewall Technician
> >Ozarks Technical Community College -- Office of Computer Networking
> >halln at otc.edu
> >417-799-0552
> >
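The posters above are reading LogWatch's sshd summary and /var/log/secure by hand to answer two questions: which source tried several accounts in a row (the "try a few times then move on" sweep), and which account names keep turning up from different sources. The script below is an added example, not code from any message in this thread. It parses the three sshd message forms of that era (the "Illegal user" line that LogWatch reports as "Unknown Account", the "Failed password" line, and the pam_unix "authentication failure; ... rhost=" line quoted in the thread) and produces those two views. The log lines, host names and IP addresses in SAMPLE_LOG are constructed for the example (documentation address ranges), not taken from any poster's logs, and the thresholds in sweeping_sources are arbitrary starting points.

```python
"""Summarise sshd authentication failures from a /var/log/secure style log.

Added example, not code from the thread. It reproduces what LogWatch's
"Invalid Users" / "Authentication Failures" sections show, then adds the two
checks the posters were doing by eye: sources that tried several accounts,
and accounts that were tried from several sources.
"""
import re
from collections import defaultdict

# sshd's own line for a nonexistent account ("Illegal user" in OpenSSH 3.x,
# "Invalid user" in later releases). This is LogWatch's "Unknown Account".
UNKNOWN_USER = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<host>\S+)")
# One failed password attempt, against a real or an unknown account.
FAILED_PW = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<host>\S+)")
# The pam_unix form quoted in the thread; "user=" is absent for unknown accounts.
PAM_FAIL = re.compile(
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*?rhost=(?P<host>\S+)"
    r"(?:\s+user=(?P<user>\S+))?")
# A box that logs both the sshd line and the pam_unix line for one attempt
# would be double-counted here: drop whichever form your sshd does not emit.
ATTEMPT_PATTERNS = (FAILED_PW, PAM_FAIL)

# Constructed sample log (documentation IP ranges), one line per attempt.
SAMPLE_LOG = """\
Aug  3 12:21:05 gw sshd[4101]: Illegal user test from 192.0.2.10
Aug  3 12:21:07 gw sshd[4101]: Failed password for illegal user test from 192.0.2.10 port 3301 ssh2
Aug  3 12:21:09 gw sshd[4101]: Failed password for illegal user test from 192.0.2.10 port 3301 ssh2
Aug  3 12:21:15 gw sshd[4102]: Illegal user guest from 192.0.2.10
Aug  3 12:21:16 gw sshd[4102]: Failed password for illegal user guest from 192.0.2.10 port 3302 ssh2
Aug  3 12:21:30 gw sshd[4103]: Failed password for root from 192.0.2.10 port 3303 ssh2
Aug  3 12:21:31 gw sshd[4103]: Failed password for root from 192.0.2.10 port 3303 ssh2
Aug  3 12:21:32 gw sshd[4103]: Failed password for root from 192.0.2.10 port 3303 ssh2
Aug  3 13:02:44 gw sshd(pam_unix)[4210]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=root
Aug  3 13:02:50 gw sshd(pam_unix)[4211]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7
Aug  3 13:40:01 gw sshd[4300]: Accepted password for brian from 203.0.113.5 port 2200 ssh2
Aug  3 13:41:12 gw sshd[4301]: Failed password for brian from 203.0.113.5 port 2201 ssh2
"""


def parse_line(line):
    """Return ("unknown_user" | "attempt", host, user), or None for other lines."""
    m = UNKNOWN_USER.search(line)
    if m:
        return "unknown_user", m.group("host"), m.group("user")
    for pat in ATTEMPT_PATTERNS:
        m = pat.search(line)
        if m:
            return "attempt", m.group("host"), m.group("user") or "(unknown)"
    return None


def summarize(lines):
    """Build three views: attempts per host and account, hosts per account,
    and the set of account names that do not exist on this box."""
    by_host = defaultdict(lambda: defaultdict(int))
    by_user = defaultdict(set)
    unknown_accounts = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, host, user = parsed
        if kind == "unknown_user":
            unknown_accounts.add(user)
            continue
        by_host[host][user] += 1
        by_user[user].add(host)
    return by_host, by_user, unknown_accounts


def sweeping_sources(by_host, min_users=3, min_attempts=5):
    """Hosts that tried several distinct accounts or hammered one account:
    the automated sweep the thread describes. Thresholds are arbitrary."""
    return {host: (len(users), sum(users.values()))
            for host, users in by_host.items()
            if len(users) >= min_users or sum(users.values()) >= min_attempts}


def accounts_from_many_sources(by_user, min_hosts=2):
    """Accounts tried from more than one source: the same username list being
    run from different machines, as Nathaniel Hall observed day to day."""
    return sorted(u for u, hosts in by_user.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    hosts, users, unknown = summarize(SAMPLE_LOG.splitlines())
    print("Unknown accounts tried:", sorted(unknown))
    for host, per_user in hosts.items():
        print(host, dict(per_user))
    print("Sweeping sources:", sweeping_sources(hosts))
    print("Accounts seen from several sources:", accounts_from_many_sources(users))
```

To run it against a real log, replace SAMPLE_LOG.splitlines() with the lines of /var/log/secure; a `dig -x` on each flagged source, as suggested in the thread, can be done on the keys of the sweeping_sources result.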