This was the last thread from the Fedora list covering this same issue...

On Fri, 30.07.2004 at 11:45, Brian Fahrlander wrote:
> From last night's LogWatch:
> --------------------------------------------------------------------------
>
> sshd:
>    Invalid Users:
>       Unknown Account: 7 Time(s)
>    Unknown Entries:
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com : 2 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=smms-mriley09d.chemistry.uq.edu.au : 2 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70 : 1 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.97.110.1 : 1 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ccia-062-204-197-193.uned.es : 1 Time(s)
>
> su:
>    Sessions Opened:
>       brian(uid=500) -> root: 1 Time(s)
>
> ------------------------------------------------------------------------
>
> Ok, guys- what do we do with this? Should we be writing down the
> addresses from which these attempts were made? They're probably all
> 'stooge' addresses, I know, but it might help authorities to know what
> other machines have been compromised...
>
> I'll go save the log somewhere...
>
> ------------------------------------------------------------------------

Just got these SSH login attempts from a machine which is obviously hacked!
I did a portscan immediately after the messages occurred in my log:

$ nmap -vvvv -sS -sV -P0 -O 64.86.78.209

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-08-03 16:53 CEST
Host 64.86.78.209 appears to be up ... good.
Initiating SYN Stealth Scan against 64.86.78.209 at 16:53
Adding open port 5101/tcp
Adding open port 23/tcp
adjust_timeout: packet supposedly had rtt of 11522743 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 11516952 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 12503503 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 25062938 microseconds. Ignoring time.
Adding open port 818/tcp
adjust_timeout: packet supposedly had rtt of 25019107 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 25985784 microseconds. Ignoring time.
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 1984/tcp
Adding open port 3001/tcp
Adding open port 21/tcp
Adding open port 443/tcp
Adding open port 3000/tcp
adjust_timeout: packet supposedly had rtt of 11461759 microseconds. Ignoring time.
Adding open port 5102/tcp
Adding open port 32770/tcp
Adding open port 5100/tcp
Adding open port 80/tcp
Adding open port 3306/tcp
adjust_timeout: packet supposedly had rtt of 11455679 microseconds. Ignoring time.
The SYN Stealth Scan took 54 seconds to scan 1657 ports.
Initiating service scan against 15 services on 1 host at 16:54
The service scan took 27 seconds to scan 15 services on 1 host.
Initiating RPCGrind Scan against 64.86.78.209 at 16:54
The RPCGrind Scan took 7 seconds to scan 3 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on 64.86.78.209:
(The 1642 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsFTPd 1.1.0
22/tcp    open  ssh      OpenSSH 3.4p1 (protocol 1.99)
23/tcp    open  telnet   Linux telnetd                  <-- Telnet is open!
80/tcp    open  http     Apache httpd 2.0.40 ((Red Hat Linux))
111/tcp   open  rpcbind  2 (rpc #100000)
443/tcp   open  ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
818/tcp   open  rquotad  1-2 (rpc #100011)
1984/tcp  open  ssh                                     <-- See below for port 1984!
3000/tcp  open  ppp?
3001/tcp  open  nessusd?
3306/tcp  open  mysql?
5100/tcp  open  http     Apache httpd 1.3.27 ((Unix) Sun-ONE-ASP/4.0.0)
5101/tcp  open  admdog?
5102/tcp  open  admeng?
32770/tcp open  mountd   1-3 (rpc #100005)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1984-TCP:V=3.48%D=8/3%Time=410FA725%r(NULL,20,"SSH-1\.5-FucKiT\x20R
SF:ootKit\x20by\x20Cyrax\n");

ON PORT 1984 THE ROOTKIT SSH IS LISTENING!

Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20

The kernel is a Redhat 2.4.18-4 one - so highly vulnerable. No question why a rootkit is on this box.

OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=22816B%IPID=Z)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2261355 (Good luck!)
TCP ISN Seq. Numbers: 33A1C699 33236160 334D5B86 32FCC75A
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 119.684 seconds

I mailed the responsible person according to whois data. We'll see...

Alexander

General Red Hat Linux discussion list <redhat-list@xxxxxxxxxx> wrote:
> If you do a dig -x, and then check some of the websites, you see that a
> lot of these are coming out of Korea and China. I've had the same
> attempts on my systems and got curious. Some were coming from the
> Chemistry department of one of the Universities in China.
>
> Also, one of the accounts being tried here is "guest" which is a common
> Microsoft account. Makes me wonder if they aren't looking to hack
> Windows systems.
>
> -Bob
>
> Jenkins, Jeremiah wrote:
>
> >There are some script kiddies out there running automated attacks. If you
> >look at your secure log /var/log/secure, you will see that they try for a
> >few times then move on. If you google on the error message you will find
> >numerous threads on the subject.
> >
> >-----Original Message-----
> >From: Nathaniel Hall [mailto:halln@xxxxxxx]
> >Sent: Tuesday, August 03, 2004 12:23 PM
> >To: redhat-list@xxxxxxxxxx
> >Subject: Attempted SSH Logins
> >
> >
> >Hi all.
> >
> >I have been monitoring our logs over the past several weeks using logwatch
> >and have noticed several of these entries (known entries omitted):
> >
> >sshd:
> >
> >   Invalid Users:
> >      Unknown Account: 5 Time(s)
> >
> >   Authentication Failures:
> >      test (server.bes1.com ): 2 Time(s)
> >      root (server.bes1.com ): 3 Time(s)
> >      unknown (server.bes1.com ): 4 Time(s)
> >
> >The source addresses vary. I always see the same accounts from different
> >addresses with a different number of tries. When I see these, there is only
> >one source, never a mix of sources. The next day, it might be a different
> >source, but it is the only one.
> >
> >Is anybody else seeing this in their logs where I shouldn't be as worried or
> >is this directed at us?
> >
> >
> >~~~~~~~~~~~~~~~~~~~~~~~~~~
> >Nathaniel Hall
> >Intrusion Detection and Firewall Technician
> >Ozarks Technical Community College -- Office of Computer Networking
> >halln@xxxxxxx
> >417-799-0552
>

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
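The thread's practical question (Brian's "should we be writing down the addresses", Jeremiah's "they try a few times then move on") comes down to tallying the pam_unix "authentication failure" and sshd "Illegal user" lines in /var/log/secure per source host, which is what LogWatch did for the posters. The script below is an added example, not code from the thread, LogWatch or any of the posters: it parses those two line formats, produces a LogWatch-style tally per rhost, and flags sources that exceed a retry threshold so they can be recorded or reported. The log lines, the host name `gw`, the threshold of 3 and the function names are all constructed for the example; the addresses and domains are reserved placeholders, not addresses from the thread.

```python
"""Tally failed sshd logins from a /var/log/secure-style log (added example)."""
import re
from collections import defaultdict

# Constructed sample log. The pam_unix lines follow the format LogWatch
# summarised in the thread; the "Illegal user" line is what sshd itself
# writes for an account that does not exist. Placeholder hosts/addresses.
SAMPLE_SECURE_LOG = """\
Aug  3 12:19:01 gw sshd(pam_unix)[4711]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=server.example.invalid  user=test
Aug  3 12:19:03 gw sshd(pam_unix)[4712]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=server.example.invalid  user=test
Aug  3 12:19:05 gw sshd(pam_unix)[4713]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=server.example.invalid  user=root
Aug  3 12:19:07 gw sshd[4714]: Illegal user guest from 192.0.2.10
Aug  3 12:19:07 gw sshd(pam_unix)[4714]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10
Aug  3 12:25:00 gw sshd[4720]: Accepted publickey for brian from 198.51.100.7 port 40000 ssh2
"""

# pam_unix failure line: rhost= may be empty, and user= is absent when the
# account does not exist (that is the "Unknown Account" case in LogWatch).
PAM_FAILURE_RE = re.compile(
    r"authentication failure;.*\brhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?"
)
# sshd's own line naming the non-existent account (wording varies by version).
UNKNOWN_USER_RE = re.compile(
    r"\b(?:Illegal|Invalid) user (?P<user>\S+) from (?P<rhost>\S+)"
)


def summarize_failures(log_text):
    """Return {rhost: {"failures": int, "users": set}} for every failed login."""
    per_host = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = PAM_FAILURE_RE.search(line)
        if m:
            rhost = m.group("rhost") or "(no rhost)"
            per_host[rhost]["failures"] += 1
            if m.group("user"):
                per_host[rhost]["users"].add(m.group("user"))
            continue
        m = UNKNOWN_USER_RE.search(line)
        if m:
            # Only record the attempted account name here; the accompanying
            # pam_unix line (without user=) is what counts the failure.
            per_host[m.group("rhost")]["users"].add(m.group("user"))
    return dict(per_host)


def flag_repeat_offenders(summary, threshold=3):
    """Sources with at least `threshold` failures, worst first (constructed cutoff)."""
    hits = [(h, d["failures"]) for h, d in summary.items() if d["failures"] >= threshold]
    return sorted(hits, key=lambda hf: (-hf[1], hf[0]))


def logwatch_style_report(summary):
    """Render the tally in the "account (rhost): N Time(s)" layout seen in the thread."""
    lines = ["sshd:", "   Authentication Failures:"]
    for rhost in sorted(summary):
        d = summary[rhost]
        users = ", ".join(sorted(d["users"])) or "unknown"
        lines.append(f"      {users} ({rhost}): {d['failures']} Time(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    tally = summarize_failures(SAMPLE_SECURE_LOG)
    print(logwatch_style_report(tally))
    for host, count in flag_repeat_offenders(tally):
        print(f"repeated failures from {host}: {count} - record for the abuse report")
```

Run it against a real secure log by reading the file into `summarize_failures` instead of the constructed sample; the successful "Accepted" line is deliberately ignored, and a source that appears once (a single stray attempt) stays below the threshold while one that keeps retrying is listed first.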