Security Incidents mailing list archives

Re: SSH attacks?


From: Steve Schuster <sjs74 () cornell edu>
Date: Thu, 29 Jul 2004 12:53:30 -0400

We have also been seeing similar scanning with the same accounts being tested. I will share some preliminary analysis of a system for which the scanning was successful.

OS: Redhat 7.0

Initial scanning for the 'test' account occurred on July 25th. User 'test' logged in successfully and then logged out almost immediately.

No additional logins occurred until July 28 when three successful logins occurred within a five minute window from three different domains.

After these three logins the following system modifications were identified. Unfortunately, we do not have extremely good knowledge of the state of the system prior to this time so some of this information may be a little suspect.

/etc/shadow and /etc/passwd were modified with password changes for 'root' and 'test'.

/dev/log
** /dev/log suid-root, user: root, group: test

Some potentially new files include
'/usr/sbin/,fbi/     /'
'bios.txt
go.sh
ss
sshfc
uniq.txt
vuln.txt -- this appears to be a list of IP addresses and usernames of successful connections.

User 'test' logged out after 6 minutes and 'root' then logged in remaining for 3 hours and 40 minutes.

Scanning for port 22 began from this system right after 'root' logged in and continued until 'root' logged out as described above.

I hope this helps and as we gain additional relevant information I'll share appropriately.

sjs


At 04:19 AM 7/28/2004, Christine Kronberg wrote:
On Tue, 27 Jul 2004, Adam Young wrote:
> On Tue, 27 Jul 2004 10:59:07 +1200
> Robin <robin () kallisti net nz> wrote:
>
> > accounts. The big ones are going over a large list, the pairs seem to be just
> > hitting test and guest:
> > Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test
> > from ::ffff:64.246.56.44
> > Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test
> > from ::ffff:64.246.56.44 port 41920 ssh2
> > Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest
> > from ::ffff:64.246.56.44
> > Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest
> > from ::ffff:64.246.56.44 port 41967 ssh2
> >
> > Does anyone know why this would appear all of a sudden?
>
> I've noticed this myself. It has been happening for roughly one week, two at
> maximum.

  Heaven, I'm glad you are seeing that, too. It really gave me headaches.
  In the last four weeks I had (privately) two ssh "incidents": one
  originating from Korea, one from Germany. The first was clearly a
  person trying to get in, taking a deliberate taste in the (existing)
  test account (without success). The other one was "next door", someone
  trying to get in as root (no success either). I only reported the
  second one.
  Only after the first playround the test/guest attempts started so
  I was starting to think that whoever was probing my host from Korea
  was probably going with that. Now that my host is out of focus, I'm
  really relieved. :-)

> I think someone has either caught wind of some sort of information about loosely
> configured proprietary hardware which has an empty password on test/guest, or a
> worm sets up these accounts with some preset password that it checks other
> machines for to see if they're also infected.

  Has anyone tried to capture that with an honeypot? I'm considering
  that for my own but lack the proper environment.

  Cheers,


                                                     Chris Kronberg.

--
GeNUA mbH

---------------------------------------------------------------------------------------------------------------------
Steve Schuster
IT Security Office
Cornell University
Work -- (607)255-8825   Cell -- (607)351-1386
---------------------------------------------------------------------------------------------------------------------
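The log lines Robin quoted and the timeline Steve describes (a probed 'test' account, then a successful login on that same account a few days later) suggest two checks a defender would want to run over sshd syslog: flag sources that cycle through several usernames in a short window, and flag any successful login for an account or from an address that previously showed failures. The script below is an added example written for this thread, not code from any of the posters. It assumes the sshd message formats seen in the quoted lines (older sshd wrote "illegal user", newer versions write "invalid user"; both are accepted), assumes the year 2004 because syslog timestamps carry no year, and the sample log is constructed: one address is the one from Robin's post, the others are from documentation ranges.

```python
"""Detect SSH password guessing in sshd syslog lines and flag successful
logins that follow failures for the same user or from the same source.

Added example for this thread, not code from the list or any poster.
Sample lines are constructed; the thread's own log format is followed."""
import re
from collections import defaultdict
from datetime import datetime

# Three message shapes matter here. Older sshd logged "illegal user" for
# unknown names; OpenSSH later changed the wording to "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
FAIL_RE = re.compile(
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<src>\S+)"
)
OK_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")


def parse_ts(ts, year=2004):
    # syslog timestamps have no year; 2004 is assumed to match the thread
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def norm_src(src):
    # sshd on dual-stack hosts logs IPv4 peers as ::ffff:a.b.c.d; strip that
    return src[7:] if src.startswith("::ffff:") else src


def parse_events(lines):
    """Yield (timestamp, kind, user, source) for failed and accepted logins."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        f = FAIL_RE.search(msg)
        if f:
            events.append((parse_ts(m.group("ts")), "fail", f.group("user"), norm_src(f.group("src"))))
            continue
        o = OK_RE.search(msg)
        if o:
            events.append((parse_ts(m.group("ts")), "ok", o.group("user"), norm_src(o.group("src"))))
    return events


def analyse(lines, threshold=4, window_s=60):
    """Return (guessing_sources, suspicious_logins).

    guessing_sources maps a source address to the set of usernames it tried,
    for sources with at least `threshold` failures inside any `window_s`
    second window.  suspicious_logins lists (ts, user, src) for accepted
    logins where the same source, or the same username, had earlier failures:
    exactly the pattern in the 'test' account compromise described above."""
    events = sorted(parse_events(lines))
    fails_by_src = defaultdict(list)
    failed_users = set()
    guessing = {}
    suspicious = []
    for ts, kind, user, src in events:
        if kind == "fail":
            fails_by_src[src].append((ts, user))
            failed_users.add(user)
            recent = [u for t, u in fails_by_src[src] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                guessing.setdefault(src, set()).update(recent)
        elif src in fails_by_src or user in failed_users:
            suspicious.append((ts, user, src))
    return guessing, suspicious


# Constructed sample: the first four lines mirror Robin's quoted log (with
# two more guesses added); the "Accepted" lines mirror Steve's incident, where
# the probed 'test' account was later logged into from a different address.
SAMPLE_LOG = """\
Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44
Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44
Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2
Jul 26 23:06:03 kallisti sshd[12325]: Failed password for illegal user admin from ::ffff:64.246.56.44 port 41990 ssh2
Jul 26 23:06:05 kallisti sshd[12331]: Failed password for root from ::ffff:64.246.56.44 port 42011 ssh2
Jul 26 23:40:12 kallisti sshd[12402]: Accepted password for test from ::ffff:198.51.100.7 port 3345 ssh2
Jul 26 23:41:00 kallisti sshd[12410]: Accepted publickey for alice from 192.0.2.10 port 50222 ssh2
""".splitlines()


if __name__ == "__main__":
    guessing, suspicious = analyse(SAMPLE_LOG)
    for src, users in guessing.items():
        print(f"guessing from {src}: tried {sorted(users)}")
    for ts, user, src in suspicious:
        print(f"REVIEW: {ts} accepted login for '{user}' from {src} after earlier failures")
```

The second check is the one that would have caught the case Steve describes: the guessing itself is noisy everywhere, but an "Accepted password" for an account that was on the guessed-name list, from an address the guesser never used, is the signal that the credential was obtained and is now being used. Sources that trip the first check are candidates for a firewall rule; logins that trip the second warrant looking at the host the way Steve did (password file changes, new setuid files, new files under /usr/sbin).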


