Security Incidents mailing list archives

Re: SSH attacks?


From: Bulgaro <bulgaro76 () yahoo it>
Date: Thu, 29 Jul 2004 11:11:12 +0200 (CEST)


While looking through the logs after someone ran over my system with Nessus, I noticed some odd ones from sshd (that don't seem to be related to the Nessus scan):
Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow information for NOUSER

They usually, although not always, occur in pairs, a few seconds apart. They don't seem to be very random, which suggests maybe that there is someone at the other end, rather than a worm.

The first sighting was Jun 4 04:22:15 (all times NZST), with 153 instances going to 04:47:03 (this is fairly constant, and not in pairs). It isn't seen again until Jun 17 08:39:54-08:58:20 (75 instances this time, again not in pairs). Since then, there have been a few on the 21st and 25th, followed by a lot on the 26th and into the 27th, where we now see the pairs coming up.

Looking a bit closer (and in other log files), I see it's people trying random accounts. The big ones are going over a large list; the pairs seem to be just hitting test and guest:
Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44
Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44
Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2

Does anyone know why this would appear all of a sudden?
- -- 
Robin <robin () kallisti net nz>             JabberID:
<eythian () jabber org>

Hostes alienigeni me abduxerunt. Qui annus est?

PGP Key 0x776DB663 = DD10 5C62 1E29 A385 9866 0853
CD38 E07A 776D B663


I've got some logs very similar from auth.log:

Jul 26 18:01:17 cabernet sshd[12014]: Illegal user test from 163.32.62.4
Jul 26 18:01:17 cabernet sshd[12014]: error: Could not get shadow information for NOUSER
Jul 26 18:01:17 cabernet sshd[12014]: Failed password for illegal user test from 163.32.62.4 port 46707 ssh2
Jul 26 18:01:20 cabernet sshd[12016]: Illegal user guest from 163.32.62.4
Jul 26 18:01:20 cabernet sshd[12016]: error: Could not get shadow information for NOUSER
Jul 26 18:01:20 cabernet sshd[12016]: Failed password for illegal user guest from 163.32.62.4 port 46818 ssh2
Jul 26 18:01:23 cabernet sshd[12018]: Illegal user admin from 163.32.62.4
Jul 26 18:01:23 cabernet sshd[12018]: error: Could not get shadow information for NOUSER
Jul 26 18:01:23 cabernet sshd[12018]: Failed password for illegal user admin from 163.32.62.4 port 46899 ssh2
Jul 26 18:01:26 cabernet sshd[12020]: Illegal user admin from 163.32.62.4
Jul 26 18:01:26 cabernet sshd[12020]: error: Could not get shadow information for NOUSER
Jul 26 18:01:26 cabernet sshd[12020]: Failed password for illegal user admin from 163.32.62.4 port 46974 ssh2
Jul 26 18:01:29 cabernet sshd[12022]: Illegal user user from 163.32.62.4
Jul 26 18:01:29 cabernet sshd[12022]: error: Could not get shadow information for NOUSER
Jul 26 18:01:29 cabernet sshd[12022]: Failed password for illegal user user from 163.32.62.4 port 47049 ssh2
Jul 26 18:01:32 cabernet sshd[12024]: Failed password for root from 163.32.62.4 port 47132 ssh2
Jul 26 18:01:35 cabernet sshd[12026]: Failed password for root from 163.32.62.4 port 47235 ssh2
Jul 26 18:01:37 cabernet sshd[12028]: Failed password for root from 163.32.62.4 port 47295 ssh2
Jul 26 18:01:40 cabernet sshd[12030]: Illegal user test from 163.32.62.4
Jul 26 18:01:40 cabernet sshd[12030]: error: Could not get shadow information for NOUSER
Jul 26 18:01:40 cabernet sshd[12030]: Failed password for illegal user test from 163.32.62.4 port 47388 ssh2
Jul 26 18:17:01 cabernet CRON[12117]: (pam_unix) session opened for user root by (uid=0)
Jul 26 18:17:01 cabernet CRON[12117]: (pam_unix) session closed for user root
Jul 26 18:50:30 cabernet sshd[12599]: Illegal user test from 163.32.62.4
Jul 26 18:50:31 cabernet sshd[12599]: error: Could not get shadow information for NOUSER
Jul 26 18:50:31 cabernet sshd[12599]: Failed password for illegal user test from 163.32.62.4 port 52670 ssh2
Jul 26 18:50:34 cabernet sshd[12601]: Illegal user guest from 163.32.62.4
Jul 26 18:50:34 cabernet sshd[12601]: error: Could not get shadow information for NOUSER
Jul 26 18:50:34 cabernet sshd[12601]: Failed password for illegal user guest from 163.32.62.4 port 52797 ssh2
Jul 26 18:50:36 cabernet sshd[12603]: Illegal user admin from 163.32.62.4
Jul 26 18:50:37 cabernet sshd[12603]: error: Could not get shadow information for NOUSER
Jul 26 18:50:37 cabernet sshd[12603]: Failed password for illegal user admin from 163.32.62.4 port 52887 ssh2
Jul 26 18:50:39 cabernet sshd[12605]: Illegal user admin from 163.32.62.4
Jul 26 18:50:39 cabernet sshd[12605]: error: Could not get shadow information for NOUSER
Jul 26 18:50:39 cabernet sshd[12605]: Failed password for illegal user admin from 163.32.62.4 port 52965 ssh2
Jul 26 18:50:42 cabernet sshd[12607]: Illegal user user from 163.32.62.4
Jul 26 18:50:42 cabernet sshd[12607]: error: Could not get shadow information for NOUSER
Jul 26 18:50:42 cabernet sshd[12607]: Failed password for illegal user user from 163.32.62.4 port 53045 ssh2
Jul 26 18:50:45 cabernet sshd[12609]: Failed password for root from 163.32.62.4 port 53129 ssh2
Jul 26 18:50:48 cabernet sshd[12612]: Failed password for root from 163.32.62.4 port 53229 ssh2
...

I've checked the origin of these connection attempts and I discovered that the "guilty" host (163.32.62.4) is a box called mail.cshs.kh.edu.tw. I think that this host is affected by a worm, but I don't know anything about the kind of virus. I noticed that the spread of the worm lasted only the 26th of July. Maybe there's a spread controlled by the date.
Sorry for my English.
Alessandro Bulgarelli
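As an added example (not code from either poster), the Python script below runs the kind of check both logs invite: it parses the OpenSSH 3.x syslog lines quoted in the thread, aggregates "Failed password" events per source address, and flags a source that either fails many times inside a short window or probes several accounts that do not exist. The "Could not get shadow information for NOUSER" line is skipped on purpose: sshd of that era substitutes a fake account named NOUSER when the requested login does not exist, so the line only duplicates the "Illegal user" message that precedes it. The sample log is built from lines quoted above plus one constructed "Accepted publickey" line; the year (2004), the 5-failures-in-60-seconds rule and the three-illegal-users rule are assumptions of this example, not anything the posters used.

```python
"""Flag SSH password-guessing sweeps in OpenSSH 3.x auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# syslog prefix + sshd message, as in the logs quoted in the thread
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "Failed password for [illegal user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"^Failed password for (?P<illegal>illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)


def normalize_ip(ip):
    """sshd logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d) when listening
    on ::; strip the prefix so both spellings aggregate to one source."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def parse_failed_password(line, year=2004):
    """Return (timestamp, ip, user, is_illegal) for a failed-password line, else None.
    Syslog lines carry no year, so the caller supplies it (assumed 2004 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None                      # CRON, NOUSER errors, other daemons
    f = FAILED_RE.match(m.group("msg"))
    if not f:
        return None                      # "Illegal user ..." and friends are skipped
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, normalize_ip(f.group("ip")), f.group("user"), bool(f.group("illegal"))


def max_in_window(times, window):
    """Largest number of events inside any `window`-second span (two pointers)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > timedelta(seconds=window):
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(lines, year=2004, threshold=5, window=60):
    """Per-source summary of failed logins; thresholds are assumptions of this example."""
    per_ip = defaultdict(lambda: {"times": [], "users": [], "illegal": set(), "root": 0})
    for line in lines:
        ev = parse_failed_password(line, year)
        if ev is None:
            continue
        ts, ip, user, illegal = ev
        rec = per_ip[ip]
        rec["times"].append(ts)
        rec["users"].append(user)
        if illegal:
            rec["illegal"].add(user)
        if user == "root":
            rec["root"] += 1
    report = {}
    for ip, rec in per_ip.items():
        burst = max_in_window(rec["times"], window)
        report[ip] = {
            "failures": len(rec["times"]),
            "burst": burst,                              # most failures in one window
            "distinct_users": sorted(set(rec["users"])),
            "illegal_users": sorted(rec["illegal"]),     # accounts that do not exist
            "root_failures": rec["root"],
            "first": min(rec["times"]),
            "last": max(rec["times"]),
            "flagged": burst >= threshold or len(rec["illegal"]) >= 3,
        }
    return report


# Sample input: lines quoted in the thread, plus one constructed benign line at the end.
SAMPLE_LOG = """\
Jul 26 18:01:17 cabernet sshd[12014]: Illegal user test from 163.32.62.4
Jul 26 18:01:17 cabernet sshd[12014]: error: Could not get shadow information for NOUSER
Jul 26 18:01:17 cabernet sshd[12014]: Failed password for illegal user test from 163.32.62.4 port 46707 ssh2
Jul 26 18:01:20 cabernet sshd[12016]: Failed password for illegal user guest from 163.32.62.4 port 46818 ssh2
Jul 26 18:01:23 cabernet sshd[12018]: Failed password for illegal user admin from 163.32.62.4 port 46899 ssh2
Jul 26 18:01:26 cabernet sshd[12020]: Failed password for illegal user admin from 163.32.62.4 port 46974 ssh2
Jul 26 18:01:29 cabernet sshd[12022]: Failed password for illegal user user from 163.32.62.4 port 47049 ssh2
Jul 26 18:01:32 cabernet sshd[12024]: Failed password for root from 163.32.62.4 port 47132 ssh2
Jul 26 18:01:35 cabernet sshd[12026]: Failed password for root from 163.32.62.4 port 47235 ssh2
Jul 26 18:01:37 cabernet sshd[12028]: Failed password for root from 163.32.62.4 port 47295 ssh2
Jul 26 18:01:40 cabernet sshd[12030]: Failed password for illegal user test from 163.32.62.4 port 47388 ssh2
Jul 26 18:17:01 cabernet CRON[12117]: (pam_unix) session opened for user root by (uid=0)
Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2
Jul 27 08:00:00 cabernet sshd[13001]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Running it flags 163.32.62.4 (nine failures in 23 seconds, four non-existent accounts plus root) but not 64.246.56.44, whose two attempts stay under both rules. That is the catch Robin's log illustrates: slow pairs of test/guest a few seconds apart slip under any per-burst threshold, so count over hours or days as well, and correlate the same source across hosts before deciding whether an address is a worm or a person.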

