Friday, June 23, 2006
SSH brute attack

Today I discovered that one of our lab machines has been compromised. It faced a heavy dictionary attack via ssh from matheron.scv.math.unb.ca. One of the users had a simple password and the attacker was able to get access to his account. After getting access, the attackers copied a brute-force cracking program for ssh to /tmp/. /brute and started using our machine to break into other machines.

I had noticed such brute-force attacks earlier, but ignored them. I never realized that such attacks actually work. In the last month, there were over 20 thousand such attempts from over 100 different hosts. Scary!

An excerpt from /var/log/messages:

Jun 18 05:20:17 soho sshd(pam_unix)[29250]: check pass; user unknown
Jun 18 05:20:17 soho sshd(pam_unix)[29250]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173
Jun 18 05:20:21 soho sshd(pam_unix)[29252]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root
Jun 18 05:20:26 soho sshd(pam_unix)[29254]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root
Jun 18 05:20:33 soho sshd(pam_unix)[29256]: check pass; user unknown
Jun 18 05:20:33 soho sshd(pam_unix)[29256]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173
Jun 18 05:20:38 soho sshd(pam_unix)[29258]: check pass; user unknown
Jun 18 05:20:38 soho sshd(pam_unix)[29258]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173
Jun 18 05:20:45 soho sshd(pam_unix)[29260]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root
Jun 18 05:20:50 soho sshd(pam_unix)[29262]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root
Jun 18 05:20:55 soho sshd(pam_unix)[29264]: check pass; user unknown
Jun 18 05:20:55 soho sshd(pam_unix)[29264]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173

The reason I was able to detect that our machine was compromised was that the brute program crashed frequently and left entries in /var/log/messages:

Jun 20 21:51:33 soho kernel: brute[15536]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4
Jun 20 21:51:33 soho kernel: brute[15537]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4
Jun 20 21:51:33 soho kernel: brute[15538]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4
Jun 20 21:51:33 soho kernel: brute[15540]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4
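The two excerpts above contain everything needed to catch this earlier. The following is an added example, not code from the post: it parses pam_unix authentication failures out of /var/log/messages, flags any rhost that produces a burst of failures inside a short window, and separately lists programs the kernel reports as segfaulting. The sample log is constructed from the lines in the post plus one benign failure from 192.0.2.10 (a documentation address) for contrast; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the post's attacker lines (joined onto single lines), one
# unrelated failure from a documentation address, and two of the brute crashes.
SAMPLE_LOG = """\
Jun 18 05:20:17 soho sshd(pam_unix)[29250]: check pass; user unknown
Jun 18 05:20:17 soho sshd(pam_unix)[29250]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173
Jun 18 05:20:21 soho sshd(pam_unix)[29252]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root
Jun 18 05:20:26 soho sshd(pam_unix)[29254]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root
Jun 18 05:20:33 soho sshd(pam_unix)[29256]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173
Jun 18 05:20:38 soho sshd(pam_unix)[29258]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173
Jun 18 05:20:45 soho sshd(pam_unix)[29260]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root
Jun 18 05:21:10 soho sshd(pam_unix)[29270]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice
Jun 20 21:51:33 soho kernel: brute[15536]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4
Jun 20 21:51:33 soho kernel: brute[15537]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4
"""

# "check pass; user unknown" lines carry no rhost, so only the failure lines are matched.
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
                     r"authentication failure;.*rhost=(\S+)(?:\s+user=(\S+))?")
SEGV_RE = re.compile(r"kernel: (\S+)\[\d+\]: segfault at")

def parse_ssh_failures(text):
    """Map rhost -> list of (timestamp, user or None) for every pam_unix auth failure."""
    failures = defaultdict(list)
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m.group(2)].append((m.group(1), m.group(3)))
    return dict(failures)

def brute_force_sources(text, threshold=5, window=60):
    """Hosts with >= threshold failures inside any window-second span (assumed limits)."""
    flagged = {}
    for host, events in parse_ssh_failures(text).items():
        times = sorted(datetime.strptime(ts, "%b %d %H:%M:%S") for ts, _ in events)
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                flagged[host] = len(times)  # total failures seen from this host
                break
    return flagged

def crashing_programs(text):
    """Program name -> number of kernel segfault reports; this is how 'brute' showed up."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = SEGV_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)
```

Run against the real file (`brute_force_sources(open("/var/log/messages").read())`), the single benign failure stays below the threshold while the attacker's burst is flagged.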

The bottom line is: it's a dangerous world out there!
