Penetration Testing mailing list archives

Re: Some new SSH exploit script?

From: "Adam.Chesnutt" <icetre () digitalfreezer net>
Date: Fri, 09 Jun 2006 10:23:15 -0400

You see, rather than do all this, I think it's much much smarter to turnover the logs more, and write a script that outputs the log - withoutthe script kiddies if it really bothers you. You could make the scriptalso write a report and call it 'lame ssh hacktards' or something andcontain only ip, username and number of attempts..

This is a piss poor solution to a real problem. If you have cruft,correlate. Ignoring what are genuine (albeit lame) attempts to penetrateyour security is dumb.

If 3 people connect to this port, by all means, but just moving the portto decrease your viability of hacktards isn't smart. Your not decreasingyour access, your moving the door. Firewall them for god's sake. Insteadof ignoring the problem, *DO SOMETHING*

This is why I said something about my killapnic script. My killapnicscript is a much better solution than moving the port. Why? Because itactually does something to disallow network access from the attacker,rather than continuing to allow them access, and ignoring the signs ofthem trying to break in.

Consider zombies.. your in a house, and zombies are outside. Do you,move the windows and doors to a new location, or board them up wherethey are? There's enough traffic, there's enough zombies, and thescripts are mostly smart enough *already* to find nonstandard ports. Canwe please join the future here in good ole 2002?

This script is for FreeBSD, but feel free to correct it, call me an ass,or adapt it for any means needed, so long as my name appears as theoriginal source of the idea. If you do make changes, please mail me, I'dlove to hear about it and see your script.


#!/usr/local/bin/bash
#-------------------
#killapnic
#by IcE tRe
#--------------------
#I am sick to death of apnic trying to login as root on my server,
#even though root logins aren't allowed
#
#Deletes policy 666-699 by default, hope that doesn't clobber your crap
#
#If so, edit the following variables

IPFWCMD="/sbin/ipfw"
LYNXCMD="/usr/local/bin/lynx"
LYNXFLAGS=" -source"
URL="http://www.iana.org/assignments/ipv4-address-space";
STARTIPFW=665
RANGE="666-699"
MIDDLE=".0.0.0/"
#end variables
SCORE=`$IPFWCMD show $RANGE`
CURRENTRULES=`echo "$SCORE" | awk '{ print $7 }'`
for DELETE in `$IPFWCMD show $RANGE | awk '{ print $1 }'`
       do
               $IPFWCMD delete $DELETE
                       done
echo "Deleted all rules numbered $RANGE and added the following rules:"

for EACH in `$LYNXCMD $LYNXFLAGS $URL | grep -i apnic | awk '{print $1 }'`

               do

       START=`echo $EACH | awk -F/ '{ print $1 }'| bc`
       END=`echo $EACH | awk -F/ '{ print $2 }'| awk '{ print $1 }'`
               IP=$START$MIDDLE$END
                       ENDIPFW=$(echo "$STARTIPFW + 1 " | bc)
                       STARTIPFW=$ENDIPFW

CMDTEMP=`echo "$IPFWCMD add $ENDIPFW deny ipfrom $IP to any"`

#                       CMDTEMP2=$CMD$CMDTEMP
       #               CMD=$CMDTEMP2
                       $CMDTEMP
                               done
#$CMD
echo $CMD
echo "Old counts were:"
echo "$SCORE"
echo "Old IP's:"
echo "$CURRENTRULES"
#end script

I usually run it in cron with stdout piped to /dev/null, but here's theoutput if your curious.


digitalfreezer# /etc/killapnic
Deleted all rules numbered 666-699 and added the following rules:
00666 deny ip from 58.0.0.0/8 to any
00667 deny ip from 59.0.0.0/8 to any
00668 deny ip from 60.0.0.0/8 to any
00669 deny ip from 61.0.0.0/8 to any
00670 deny ip from 121.0.0.0/8 to any
00671 deny ip from 122.0.0.0/8 to any
00672 deny ip from 123.0.0.0/8 to any
00673 deny ip from 124.0.0.0/8 to any
00674 deny ip from 125.0.0.0/8 to any
00675 deny ip from 126.0.0.0/8 to any
00676 deny ip from 202.0.0.0/8 to any
00677 deny ip from 203.0.0.0/8 to any
00678 deny ip from 210.0.0.0/8 to any
00679 deny ip from 211.0.0.0/8 to any
00680 deny ip from 218.0.0.0/8 to any
00681 deny ip from 219.0.0.0/8 to any
00682 deny ip from 220.0.0.0/8 to any
00683 deny ip from 221.0.0.0/8 to any
00684 deny ip from 222.0.0.0/8 to any

Old counts were:
00666       5        202 deny ip from 58.0.0.0/8 to any
00667      53       3022 deny ip from 59.0.0.0/8 to any
00668      23       1085 deny ip from 60.0.0.0/8 to any
00669      27       1282 deny ip from 61.0.0.0/8 to any
00670       0          0 deny ip from 121.0.0.0/8 to any
00671       1        408 deny ip from 122.0.0.0/8 to any
00672       0          0 deny ip from 123.0.0.0/8 to any
00673       8        394 deny ip from 124.0.0.0/8 to any
00674       6        312 deny ip from 125.0.0.0/8 to any
00675       0          0 deny ip from 126.0.0.0/8 to any
00676       9       1500 deny ip from 202.0.0.0/8 to any
00677      23       1152 deny ip from 203.0.0.0/8 to any
00678      14        653 deny ip from 210.0.0.0/8 to any
00679      12       1504 deny ip from 211.0.0.0/8 to any
00680      27       1970 deny ip from 218.0.0.0/8 to any
00681      20        973 deny ip from 219.0.0.0/8 to any
00682      30       1809 deny ip from 220.0.0.0/8 to any
00683      43       2413 deny ip from 221.0.0.0/8 to any
00684      50       3161 deny ip from 222.0.0.0/8 to any
Old IP's:
58.0.0.0/8
59.0.0.0/8
60.0.0.0/8
61.0.0.0/8
121.0.0.0/8
122.0.0.0/8
123.0.0.0/8
124.0.0.0/8
125.0.0.0/8
126.0.0.0/8
202.0.0.0/8
203.0.0.0/8
210.0.0.0/8
211.0.0.0/8
218.0.0.0/8
219.0.0.0/8
220.0.0.0/8
221.0.0.0/8
222.0.0.0/8
digitalfreezer#

I used to reset the connections, but in the interest in making thescripts run slower, I let em hang.


Anyways, enough from me. ;)

Adam


Paul Barrette wrote:

I totally agree the the last statement.
Full port scan + a banner grab... you then know it's an SSH server...whatever the port it is runningon
Paul



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?Why not go with the #1 solution - Cenzic, the only one to win the Analyst'sChoice Award from eWeek. As attacks through web applications continue to rise,you need to proactively protect your applications from hackers. Cenzic has themost comprehensive solutions to meet your application security penetrationtesting and vulnerability management needs. You have an option to go with amanaged service (Cenzic ClickToSecure) or an enterprise software(Cenzic Hailstorm). Download FREE whitepaper on how a managed service canhelp you: http://www.cenzic.com/news_events/wpappsec.phpAnd, now for a limited time we can do a FREE audit for you to confirm yourresults from other product. Contact us at request () cenzic com for details.

------------------------------------------------------------------------------

Current thread:

Re: Some new SSH exploit script?, (continued)
- - - Re: Some new SSH exploit script? R. DuFresne (Jun 09)
    - Re: Some new SSH exploit script? litch (Jun 07)
    - Unix auditing tools - Windows based. Serge Vondandamo (Jun 08)
    - Re: Unix auditing tools - Windows based. Sol Invictus (Jun 08)
    - RE: Unix auditing tools - Windows based. Meidinger Chris (Jun 08)
    - RE: Unix auditing tools - Windows based. Serge Vondandamo (Jun 08)
    - Re: Unix auditing tools - Windows based. Sol Invictus (Jun 09)
    - Re: Unix auditing tools - Windows based. Micha Borrmann (Jun 08)
- RE: Some new SSH exploit script? David M. Zendzian (Jun 06)
  - Re: Some new SSH exploit script? Paul Barrette (Jun 08)
    - Re: Some new SSH exploit script? Adam.Chesnutt (Jun 09)
    - Re: Some new SSH exploit script? Dotzero (Jun 09)
    - Re: Some new SSH exploit script? Christine Kronberg (Jun 10)
- Re: RE: Some new SSH exploit script? kudzu (Jun 07)
- FW: Some new SSH exploit script? Art Cooper (Jun 08)
- RE: Some new SSH exploit script? David Ball (Jun 09)
  - Re: Some new SSH exploit script? Art Cooper (Jun 09)