On Tue, 03 Aug 2004 11:45:54 -0500, James Marcinek wrote:

> This was the last thread from the Fedora list covering this same
> issue...
>
> On Fri, 30.07.2004 at 11:45, Brian Fahrlander wrote:
>
>> From last night's LogWatch:
>> --------------------------------------------------------------------------
>>
>> sshd:
>> Invalid Users:
>>    Unknown Account: 7 Time(s)
>> Unknown Entries:
>>    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com : 2 Time(s)
>>    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=smms-mriley09d.chemistry.uq.edu.au : 2 Time(s)
>>    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70 : 1 Time(s)
>>    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.97.110.1 : 1 Time(s)
>>    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ccia-062-204-197-193.uned.es : 1 Time(s)
>>
>> su:
>> Sessions Opened:
>>    brian(uid=500) -> root: 1 Time(s)
>>
>> ------------------------------------------------------------------------
>>
>> Ok, guys- what do we do with this? Should we be writing down the
>> addresses from which these attempts were made? They're probably
>> all 'stooge' addresses, I know, but it might help authorities to
>> know what other machines have been compromised...
>>
>> I'll go save the log somewhere...
>>
>> ------------------------------------------------------------------------
>
> Just got these SSH login attempts from a machine which is obviously
> hacked! I did a portscan immediately after the messages occurred in
> my log:
>
> $ nmap -vvvv -sS -sV -P0 -O 64.86.78.209
>
> Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-08-03 16:53 CEST
> Host 64.86.78.209 appears to be up ... good.
> Initiating SYN Stealth Scan against 64.86.78.209 at 16:53
> Adding open port 5101/tcp
> Adding open port 23/tcp
> adjust_timeout: packet supposedly had rtt of 11522743 microseconds.  Ignoring time.
> adjust_timeout: packet supposedly had rtt of 11516952 microseconds.  Ignoring time.
> adjust_timeout: packet supposedly had rtt of 12503503 microseconds.  Ignoring time.
> adjust_timeout: packet supposedly had rtt of 25062938 microseconds.  Ignoring time.
> Adding open port 818/tcp
> adjust_timeout: packet supposedly had rtt of 25019107 microseconds.  Ignoring time.
> adjust_timeout: packet supposedly had rtt of 25985784 microseconds.  Ignoring time.
> Adding open port 111/tcp
> Adding open port 22/tcp
> Adding open port 1984/tcp
> Adding open port 3001/tcp
> Adding open port 21/tcp
> Adding open port 443/tcp
> Adding open port 3000/tcp
> adjust_timeout: packet supposedly had rtt of 11461759 microseconds.  Ignoring time.
> Adding open port 5102/tcp
> Adding open port 32770/tcp
> Adding open port 5100/tcp
> Adding open port 80/tcp
> Adding open port 3306/tcp
> adjust_timeout: packet supposedly had rtt of 11455679 microseconds.  Ignoring time.
> The SYN Stealth Scan took 54 seconds to scan 1657 ports.
> Initiating service scan against 15 services on 1 host at 16:54
> The service scan took 27 seconds to scan 15 services on 1 host.
> Initiating RPCGrind Scan against 64.86.78.209 at 16:54
> The RPCGrind Scan took 7 seconds to scan 3 ports.
> For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
> Interesting ports on 64.86.78.209:
> (The 1642 ports scanned but not shown below are in state: closed)
> PORT      STATE SERVICE    VERSION
> 21/tcp    open  ftp        vsFTPd 1.1.0
> 22/tcp    open  ssh        OpenSSH 3.4p1 (protocol 1.99)
> 23/tcp    open  telnet     Linux telnetd
>
> Telnet is open!
>
> 80/tcp    open  http       Apache httpd 2.0.40 ((Red Hat Linux))
> 111/tcp   open  rpcbind    2 (rpc #100000)
> 443/tcp   open  ssl/http   Apache httpd 2.0.40 ((Red Hat Linux))
> 818/tcp   open  rquotad    1-2 (rpc #100011)
> 1984/tcp  open  ssh
>
> See below for port 1984!
>
> 3000/tcp  open  ppp?
> 3001/tcp  open  nessusd?
> 3306/tcp  open  mysql?
> 5100/tcp  open  http       Apache httpd 1.3.27 ((Unix) Sun-ONE-ASP/4.0.0)
> 5101/tcp  open  admdog?
> 5102/tcp  open  admeng?
> 32770/tcp open  mountd     1-3 (rpc #100005)
> 1 service unrecognized despite returning data. If you know the
> service/version, please submit the following fingerprint at
> http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
> SF-Port1984-TCP:V=3.48%D=8/3%Time=410FA725%r(NULL,20,"SSH-1\.5-FucKiT\x20R
> SF:ootKit\x20by\x20Cyrax\n");
>
> ON PORT 1984 THE ROOTKIT SSH IS LISTENING!
>
> Device type: general purpose
> Running: Linux 2.4.X|2.5.X
> OS details: Linux Kernel 2.4.0 - 2.5.20
>
> The kernel is a Redhat 2.4.18-4 one - so highly vulnerable. No
> question why a rootkit is on this box.
>
> OS Fingerprint:
> TSeq(Class=RI%gcd=1%SI=22816B%IPID=Z)
> T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
> T2(Resp=N)
> T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
> T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
> T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
> T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
> PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
>
> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=2261355 (Good luck!)
> TCP ISN Seq. Numbers: 33A1C699 33236160 334D5B86 32FCC75A
> IPID Sequence Generation: All zeros
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 119.684 seconds
>
> I mailed the responsible person according to whois data. We'll see...
>
> Alexander
>
> General Red Hat Linux discussion list <redhat-list@xxxxxxxxxx> wrote:
>
>> If you do a dig -x, and then check some of the websites, you see
>> that a lot of these are coming out of Korea and China. I've had
>> the same attempts on my systems and got curious. Some were
>> coming from the Chemistry department of one of the Universities
>> in China.
>>
>> Also, one of the accounts being tried here is "guest" which is a
>> common Microsoft account. Makes me wonder if they aren't looking
>> to hack Windows systems.
>>
>> -Bob
>>
>> Jenkins, Jeremiah wrote:
>>
>>> There are some script kiddies out there running automated
>>> attacks. If you look at your secure log /var/log/secure, you
>>> will see that they try for a few times then move on. If you
>>> google on the error message you will find numerous threads on
>>> the subject.
>>>
>>> -----Original Message-----
>>> From: Nathaniel Hall [mailto:halln@xxxxxxx]
>>> Sent: Tuesday, August 03, 2004 12:23 PM
>>> To: redhat-list@xxxxxxxxxx
>>> Subject: Attempted SSH Logins
>>>
>>> Hi all.
>>>
>>> I have been monitoring our logs over the past several weeks
>>> using logwatch and have noticed several of these entries (known
>>> entries omitted):
>>>
>>> sshd:
>>>
>>> Invalid Users:
>>>    Unknown Account: 5 Time(s)
>>>
>>> Authentication Failures:
>>>    test (server.bes1.com ): 2 Time(s)
>>>    root (server.bes1.com ): 3 Time(s)
>>>    unknown (server.bes1.com ): 4 Time(s)
>>>
>>> The source addresses vary. I always see the same accounts from
>>> different addresses with a different number of tries. When I
>>> see these, there is only one source, never a mix of sources.
>>> The next day, it might be a different source, but it is the
>>> only one.
>>>
>>> Is anybody else seeing this in their logs where I shouldn't be
>>> as worried or is this directed at us?
>>>
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~

I think this guy has been going a bit mad... all of my linux boxes show
failed login attempts from this IP. My solution: blacklist 'em on the
firewalls ;P

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
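The thread's LogWatch summaries ("Unknown Account: N Time(s)", per-rhost "authentication failure" counts) and the closing "blacklist 'em on the firewalls" decision can be reproduced from /var/log/secure directly. The script below is an added example for this thread, not code posted by any list participant. It assumes the OpenSSH 3.x era line formats quoted above ("Illegal user X from H", "Failed password for [illegal user] X from H port P", the pam_unix "authentication failure; ... rhost=H" line) and a handful of constructed log lines using documentation address ranges; the blocking threshold and the "never block a source that later authenticated" rule are policy assumptions of this example, not anything the thread prescribes.

```python
"""Summarise sshd authentication failures from syslog-style lines and
list sources that exceed a failure threshold (firewall blacklist
candidates). Added example; sample log lines are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed /var/log/secure excerpt (OpenSSH 3.x era formats). Note that one
# failed attempt produces BOTH a pam_unix "authentication failure" line and a
# sshd "Failed password" line; only the latter is counted below to avoid
# double counting each attempt.
SAMPLE_LOG = """\
Aug  3 12:23:01 gw sshd[2101]: Illegal user test from 192.0.2.10
Aug  3 12:23:01 gw sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 40012 ssh2
Aug  3 12:23:03 gw sshd[2103]: Illegal user guest from 192.0.2.10
Aug  3 12:23:03 gw sshd[2103]: Failed password for illegal user guest from 192.0.2.10 port 40013 ssh2
Aug  3 12:23:05 gw sshd(pam_unix)[2105]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root
Aug  3 12:23:05 gw sshd[2105]: Failed password for root from 192.0.2.10 port 40014 ssh2
Aug  3 12:23:07 gw sshd(pam_unix)[2107]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root
Aug  3 12:23:07 gw sshd[2107]: Failed password for root from 192.0.2.10 port 40015 ssh2
Aug  3 12:23:09 gw sshd[2109]: Illegal user admin from 192.0.2.10
Aug  3 12:23:09 gw sshd[2109]: Failed password for illegal user admin from 192.0.2.10 port 40016 ssh2
Aug  3 13:40:44 gw sshd(pam_unix)[2330]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.5  user=brian
Aug  3 13:40:44 gw sshd[2330]: Failed password for brian from 203.0.113.5 port 51000 ssh2
Aug  3 13:40:52 gw sshd[2332]: Accepted publickey for brian from 203.0.113.5 port 51001 ssh2
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"
# "illegal user" is the OpenSSH 3.x wording; later releases say "invalid user".
FAILED_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for "
    r"(?P<unknown>(?:illegal|invalid) user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port \d+"
)


@dataclass
class SourceStats:
    attempts: int = 0                      # failed password attempts
    accepted: int = 0                      # successful logins from this source
    users: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    unknown_users: Set[str] = field(default_factory=set)  # accounts that do not exist
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None

    def touch(self, when: datetime) -> None:
        if self.first_seen is None or when < self.first_seen:
            self.first_seen = when
        if self.last_seen is None or when > self.last_seen:
            self.last_seen = when


def parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps carry no year; the caller supplies it.
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def summarize(lines, year: int = 2004) -> Dict[str, SourceStats]:
    """Aggregate failed and accepted sshd logins per source host."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            s = stats[m["host"]]
            s.attempts += 1
            s.users[m["user"]] += 1
            if m["unknown"]:
                s.unknown_users.add(m["user"])
            s.touch(parse_ts(m["ts"], year))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            s = stats[m["host"]]
            s.accepted += 1
            s.touch(parse_ts(m["ts"], year))
    return dict(stats)


def blacklist_candidates(stats: Dict[str, SourceStats], min_attempts: int = 5) -> List[str]:
    """Sources with >= min_attempts failures and no successful login (policy
    assumption: a source that later authenticated is a user with a typo, not
    a scanner, so it is never auto-blocked)."""
    return sorted(h for h, s in stats.items() if s.attempts >= min_attempts and s.accepted == 0)


def format_report(stats: Dict[str, SourceStats]) -> str:
    """LogWatch-style text: one block per source, busiest first."""
    out = []
    for host in sorted(stats, key=lambda h: -stats[h].attempts):
        s = stats[host]
        out.append(f"{host}: {s.attempts} failed, {s.accepted} accepted, "
                   f"{s.first_seen:%b %d %H:%M:%S} - {s.last_seen:%H:%M:%S}")
        for user, n in sorted(s.users.items()):
            tag = " (unknown account)" if user in s.unknown_users else ""
            out.append(f"    {user}{tag}: {n} Time(s)")
    return "\n".join(out)


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG.splitlines())
    print(format_report(st))
    print("blacklist candidates:", blacklist_candidates(st, min_attempts=3))
```

Run against a real /var/log/secure with `summarize(open("/var/log/secure"))`; the candidate list is what you would feed to the firewall rule, after eyeballing it, since a shared NAT gateway or a colleague's forgotten password can look exactly like a scanner at low thresholds.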