Security Basics mailing list archives

Re: SSH server under attack...


From: Kenton Smith <listsks () yahoo ca>
Date: Tue, 24 Jan 2006 16:53:25 -0500 (EST)

We've seen this a fair bit on our SSH enabled boxes for the last year or so. It seems to just be a variation on a brute-force hack attempt. It is most likely automated, although the fact that it switched to 2222 is interesting (there would have to have been at least one attempt to connect to 22 after you changed, otherwise it/he would have no way of knowing that the port was closed). I'd be curious to see what would happen if you changed the port to something less predictable for SSH like 3089 or 55321. It may be that there is a person there, but I would be more inclined to think it's some zombie system that's just scanning ports and doing an automated attack.
If it's causing you problems, my recommendation would be to get IPTables to drop any packets coming from that IP.

Kenton

------- Original Message ------ 

Date: Mon, 23 Jan 2006 16:40:41 -0500
From: "Dave" <dlaud.flux () gmail com>
To: security-basics () securityfocus com
Subject: SSH server under attack...

My SSH server has been under DoS and I can't stop it!!!

I changed the port of the SSH server from 22 to 2222. This isn't going to really do much, but it would stop some automated script that attacks port 22. OK... within a few hours the server was being attacked again on port 2222. This is an *active* attacker, active in that he is actively monitoring what he is doing. The router/firewall logs don't show any dropped packets sent to port 22, so he changed the port of the attack script. Now, the new machine to attack me is 200.55.192.29. This belongs to a company in South America called 'Springs South America Textiles Ltda.'. I scanned the machine and found that it is hosting a webserver (Apache/2.0.52 (Fedora) Server at www.springs.cl) among other services. The last machine the attacker used to brute-force me was also an Apache server (RH Linux). So this attacker is cracking various webservers (most likely) or some other service on these boxes in order to use these machines as an attack platform.

Now, yes, I notified the admin of this company etc., but think of this. If this admin is going to put an *unused* and unprotected server on the net, then what kind of admin is he? Will he even care about my email? Who knows! Calling the authorities is not going to work 'cause frankly I am a nobody... who cares if my servers are under attack! No one is going to waste resource (money) in trying to find this guy, so really it's up to me.

So what do we know about this guy? At first the info seems conflicting: he has the ability to crack a number of random servers and use them at his disposal, but he is running the same stupid attack over and over... why? First off, the attack is a brute force attack. He is trying to guess a username/password combo in order to be able to log into my server and get shell access... but maybe not. Like I said, he is no dummy. So what is he doing? I think DoS (denial of service); the brute force tool is just the means to an end. He isn't trying to break in by doing this. Maybe he couldn't break in to my server, so he is resorting to the next trick up his sleeve. By having all these machines attempting to log into my server over and over he might be trying to use up my bandwidth, in effect causing a DoS to anyone! OR... in closely looking at the logs you will notice something *unusual*:

Failed password for invalid user admin from ::ffff:200.55.192.29 port 34182 ssh2
Invalid user admin from ::ffff:200.55.192.29
Failed password for invalid user admin from ::ffff:200.55.192.29 port 34679 ssh2
Invalid user admin from ::ffff:200.55.192.29
Failed password for invalid user admin from ::ffff:200.55.192.29 port 34752 ssh2
Invalid user administrator from ::ffff:200.55.192.29
Failed password for invalid user administrator from ::ffff:200.55.192.29 port 35253 ssh2
Invalid user administrator from ::ffff:200.55.192.29
Failed password for invalid user administrator from ::ffff:200.55.192.29 port 35735 ssh2
Invalid user administrator from ::ffff:200.55.192.29
Failed password for invalid user administrator from ::ffff:200.55.192.29 port 36237 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from ::ffff:200.55.192.29 port 36703 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from ::ffff:200.55.192.29 port 36813 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from ::ffff:200.55.192.29 port 37332 ssh2
Invalid user tip from ::ffff:200.55.192.29
Failed password for invalid user tip from ::ffff:200.55.192.29 port 37820 ssh2
Invalid user tip from ::ffff:200.55.192.29
Failed password for invalid user tip from ::ffff:200.55.192.29 port 38267 ssh2
Invalid user tip from ::ffff:200.55.192.29
Failed password for invalid user tip from ::ffff:200.55.192.29 port 38757 ssh2
Invalid user myra from ::ffff:200.55.192.29
Failed password for invalid user myra from ::ffff:200.55.192.29 port 38844 ssh2
Invalid user myra from ::ffff:200.55.192.29
Failed password for invalid user myra from ::ffff:200.55.192.29 port 39333 ssh2
Invalid user myra from ::ffff:200.55.192.29
Failed password for invalid user myra from ::ffff:200.55.192.29 port 39812 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from ::ffff:200.55.192.29 port 40312 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from ::ffff:200.55.192.29 port 40787 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from ::ffff:200.55.192.29 port 40893 ssh2
Invalid user sya from ::ffff:200.55.192.29


Each user name was tried three times. What does this mean... I don't know, but right off hand I would guess that he is trying to lock out legit user accounts. You see, some servers will disallow a user to log in if they entered three wrong passwords. This, strangely enough, is used to help stop brute forcing!!! Anyway, the attacker has put together a list of *potential* user names that *might* be found on my server and is attempting to lock them out... in effect creating a DoS to any users whose names appear on this list.

He also knew right away when I changed the sshd port number and wasted no time in getting another machine to attack me via this port!

Authorities aren't going to help... The server's admin probably doesn't care, plus the attacker most likely has access to any number of servers, so writing the abuse lines could be a daily chore just to keep up... any recommendations?

Any help / comments / flames appreciated

take it easy...
dave

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
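The two ideas in this thread, Dave's reading of the log (three failed guesses per username from one source, possibly aimed at tripping account lockouts) and Kenton's suggestion of dropping the source IP with IPTables, can be combined into a small triage script. The Python below is an added example and is not code from either poster. It parses sshd log lines in the same format as the excerpt above, tallies failures per source and per username, reports which of the guessed names actually exist locally and reached the lockout count, and renders an iptables DROP rule for any source over a threshold. The sample log text is constructed for the example (a subset of the lines quoted above plus one invented line from the documentation address 192.0.2.10), the set of local account names is an assumption, and the rule strings are only printed, never executed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the thread's excerpt (OpenSSH logging an
# IPv4 peer on an IPv6 socket, hence the ::ffff: prefix). The 192.0.2.10 line
# is invented for the example: a failure against an account that does exist.
SAMPLE_LOG = """\
Invalid user admin from ::ffff:200.55.192.29
Failed password for invalid user admin from ::ffff:200.55.192.29 port 34182 ssh2
Failed password for invalid user admin from ::ffff:200.55.192.29 port 34679 ssh2
Failed password for invalid user admin from ::ffff:200.55.192.29 port 34752 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from ::ffff:200.55.192.29 port 36703 ssh2
Failed password for invalid user tads from ::ffff:200.55.192.29 port 36813 ssh2
Failed password for invalid user tads from ::ffff:200.55.192.29 port 37332 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from ::ffff:200.55.192.29 port 40312 ssh2
Failed password for invalid user jack from ::ffff:200.55.192.29 port 40787 ssh2
Failed password for invalid user jack from ::ffff:200.55.192.29 port 40893 ssh2
Failed password for dave from 192.0.2.10 port 40000 ssh2
"""

# Assumed set of accounts that really exist on the attacked server.
LOCAL_USERS = {"dave", "jack"}

# One "Failed password" line per attempt. "invalid user" appears only when the
# name does not exist locally, so it is optional in the pattern.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2"
)


def parse_failures(log_text):
    """Yield (user, ip) for each failed-password line.

    The bare "Invalid user X from Y" lines echo the same attempt and are
    skipped so that each guess is counted exactly once.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def tally(log_text):
    """Return (failures per source IP, failures per source IP and username)."""
    per_ip = Counter()
    per_ip_user = defaultdict(Counter)
    for user, ip in parse_failures(log_text):
        per_ip[ip] += 1
        per_ip_user[ip][user] += 1
    return per_ip, per_ip_user


def guessed_names(log_text, ip):
    """Usernames tried from one source, in the order first seen."""
    seen = []
    for user, src in parse_failures(log_text):
        if src == ip and user not in seen:
            seen.append(user)
    return seen


def lockout_risk(log_text, local_users, max_failures=3):
    """Local accounts that reached the lockout count from a single source.

    This is the case Dave worries about: a name on the attacker's list is a
    real account, and three failures against it is enough to trigger a
    lockout policy if one is in force.
    """
    _, per_ip_user = tally(log_text)
    at_risk = set()
    for users in per_ip_user.values():
        for user, n in users.items():
            if user in local_users and n >= max_failures:
                at_risk.add(user)
    return sorted(at_risk)


def offending_ips(log_text, threshold=10):
    """Source IPs with at least `threshold` failed logins."""
    per_ip, _ = tally(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def iptables_drop_rules(ips):
    """Render Kenton's suggestion as rules; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    per_ip, per_ip_user = tally(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} failures, names tried: {guessed_names(SAMPLE_LOG, ip)}")
    print("local accounts at lockout risk:", lockout_risk(SAMPLE_LOG, LOCAL_USERS))
    for rule in iptables_drop_rules(offending_ips(SAMPLE_LOG, threshold=5)):
        print("suggested:", rule)
```

Printing the rules instead of running them is deliberate: an automatic ban driven by a per-IP counter is something an attacker can turn against you (or against legitimate users behind a shared NAT address), so the list is worth a look before it goes into the firewall.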


        

        
                