Browse posts
public viewings everywhere ... Posted on June 26, 2008 8 comments (latest 2 months ago)
the next level: distributed SSH-probes :-( 15 comments (latest 4 months ago)
Fotorucksack gesucht. Habt Ihr Tipps? Posted on February 27, 2008 26 comments (latest 4 months ago)
Kontrast - Das Kurzfilmfestival in Bayreuth Posted on February 2nd, 2008 4 comments (latest 7 months ago)
verschollene Negative von Robert Capa aufgetaucht Posted on February 1st, 2008 2 comments (latest 8 months ago)
Mahatma Gandhi Posted on January 30, 2008 1 comment (latest 7 months ago)
Erstes prominentes Opfer des Rauchverbots :) Posted on January 25, 2008 20 comments (latest 8 months ago)
Bad Day at the office? Posted on November 17, 2007 12 comments (latest 8 months ago)
A black Friday ... (Update) Posted on November 9, 2007 6 comments (latest 9 months ago)

the next level: distributed SSH-probes :-(

Wednesday May 14, 2008 at 12:20AM

refering to this article of Byggvir.
But still new methods of attackers rise around.

I'm watching (well, what else can you do with this?) one, who brute forces my whole cluster of webservers for days now! :(

Here a little piece of the cake of one server:

May 14 00:51:27 server sshd[4029]: Invalid user allistir from 64.83.58.161
May 14 00:51:27 server sshd[4021]: Invalid user allistir from 83.12.137.44
May 14 00:52:56 server sshd[4319]: Invalid user allistir from 70.145.116.241
May 14 00:53:03 server sshd[4346]: Invalid user allistir from 190.8.192.66
May 14 00:55:11 server sshd[4804]: Invalid user aloysius from 88.87.195.14
May 14 00:56:39 server sshd[5109]: Invalid user alphonse from 87.230.19.127
May 14 00:56:46 server sshd[5132]: Invalid user alphonse from 217.220.122.58
May 14 00:57:37 server sshd[5266]: Invalid user alphonse from 212.18.40.143
May 14 00:57:50 server sshd[5301]: Invalid user alphonse from 168.243.236.228
May 14 00:59:03 server sshd[5535]: Invalid user alphonso from 149.156.65.10
May 14 00:59:04 server sshd[5545]: Invalid user alphonso from 62.141.42.54
May 14 01:00:07 server sshd[5939]: Invalid user alphonso from 89.6.154.247
May 14 01:00:19 server sshd[6093]: Invalid user alphonso from 200.171.228.149
May 14 01:01:39 server sshd[6285]: Invalid user alturing from 88.48.111.85
May 14 01:02:39 server sshd[6454]: Invalid user alturing from 69.53.25.154
May 14 01:02:44 server sshd[6465]: Invalid user alturing from 87.126.111.187
May 14 01:04:13 server sshd[6613]: Invalid user amabelle from 62.38.242.231
May 14 01:05:07 server sshd[6766]: Invalid user amabelle from 203.20.62.10
May 14 01:06:34 server sshd[7084]: Invalid user ambassador from 68.112.226.71
May 14 01:06:39 server sshd[7103]: Invalid user ambassador from 67.151.95.69
May 14 01:07:57 server sshd[7329]: Invalid user ambassador from 88.191.29.130
May 14 01:08:06 server sshd[7357]: Invalid user ambassador from 76.160.167.251
May 14 01:09:00 server sshd[7537]: Invalid user ambrosio from 82.127.25.235
May 14 01:09:08 server sshd[7566]: Invalid user ambrosio from 74.238.169.202
May 14 01:10:29 server sshd[8020]: Invalid user ambrosio from 72.237.31.200
May 14 01:10:45 server sshd[8084]: Invalid user ambrosio from 80.39.105.189
May 14 01:11:31 server sshd[8255]: Invalid user ambrosius from 69.53.25.154
May 14 01:11:37 server sshd[8282]: Invalid user ambrosius from 209.254.234.18
May 14 01:13:00 server sshd[8606]: Invalid user ambrosius from 217.7.232.220
May 14 01:13:04 server sshd[8621]: Invalid user ambrosius from 168.243.236.228
May 14 01:14:00 server sshd[8838]: Invalid user ammamaria from 200.126.119.91
May 14 01:14:04 server sshd[8863]: Invalid user ammamaria from 217.7.233.155
May 14 01:15:27 server sshd[9273]: Invalid user ammamaria from 213.94.214.50
May 14 01:15:35 server sshd[9301]: Invalid user ammamaria from 76.160.167.251
May 14 01:17:03 server sshd[9636]: Invalid user anabella from 69.15.172.22
May 14 01:17:06 server sshd[9645]: Invalid user anabella from 168.243.236.228
May 14 01:18:03 server sshd[9872]: Invalid user anabella from 81.140.3.90
May 14 01:18:07 server sshd[9890]: Invalid user anabella from 164.77.145.60
May 14 01:19:22 server sshd[10201]: Invalid user anabelle from 85.92.138.60
May 14 01:19:22 server sshd[10196]: Invalid user anabelle from 217.16.114.87
May 14 01:20:29 server sshd[10603]: Invalid user anabelle from 69.60.118.191
May 14 01:22:07 server sshd[10994]: Invalid user analiese from 200.150.13.171
May 14 01:22:54 server sshd[11174]: Invalid user analiese from 88.247.180.216
May 14 01:23:00 server sshd[11196]: Invalid user analiese from 195.120.101.75
May 14 01:24:23 server sshd[11561]: Invalid user anallese from 217.160.20.154
May 14 01:24:36 server sshd[11619]: Invalid user anallese from 66.251.14.143
May 14 01:25:26 server sshd[11872]: Invalid user anallese from 211.115.112.45
May 14 01:25:58 server sshd[11974]: Invalid user anallese from 209.254.234.18
May 14 01:26:58 server sshd[12261]: Invalid user anallise from 87.28.13.76
May 14 01:28:16 server sshd[12525]: Invalid user anallise from 85.25.139.12
May 14 01:28:40 server sshd[12597]: Invalid user anallise from 122.249.20.112
May 14 01:31:35 server sshd[13421]: Invalid user spiel from 85.219.222.6
May 14 01:32:52 server sshd[13671]: Invalid user spiel from 71.129.151.193
May 14 01:33:45 server sshd[13853]: Invalid user admin5 from 201.224.224.37
May 14 01:33:47 server sshd[13864]: Invalid user admin5 from 64.238.127.90
May 14 01:35:05 server sshd[14180]: Invalid user admin5 from 81.5.160.149
May 14 01:35:06 server sshd[14198]: Invalid user admin5 from 82.127.50.9
May 14 01:36:06 server sshd[14423]: Invalid user orant from 88.103.123.217
May 14 01:36:10 server sshd[14433]: Invalid user orant from 200.43.219.134
May 14 01:37:27 server sshd[14719]: Invalid user orant from 82.106.69.157
May 14 01:38:55 server sshd[15037]: Invalid user albrecht from 193.251.186.239
May 14 01:38:56 server sshd[15044]: Invalid user albrecht from 217.126.31.206
May 14 01:39:42 server sshd[15215]: Invalid user albrecht from 212.80.237.58
May 14 01:40:15 server sshd[15481]: Invalid user albrecht from 196.212.26.82
May 14 01:41:06 server sshd[15683]: Invalid user appen from 83.15.64.221
May 14 01:41:27 server sshd[15744]: Invalid user appen from 200.126.119.91
May 14 01:42:05 server sshd[15846]: Invalid user appen from 84.202.156.20
May 14 01:42:13 server sshd[15865]: Invalid user appen from 69.15.172.22
May 14 01:43:24 server sshd[16085]: Invalid user bache from 217.173.42.51
May 14 01:43:32 server sshd[16114]: Invalid user bache from 217.159.148.94
May 14 01:44:33 server sshd[16310]: Invalid user bache from 212.18.40.143
May 14 01:45:55 server sshd[16619]: Invalid user bartloff from 207.47.162.126
May 14 01:46:09 server sshd[16676]: Invalid user bartloff from 200.21.231.45
May 14 01:46:51 server sshd[16739]: Invalid user bartloff from 217.126.31.206
May 14 01:46:57 server sshd[16754]: Invalid user bartloff from 67.151.95.69
May 14 01:48:12 server sshd[16959]: Invalid user bethke from 87.139.20.244
May 14 01:48:26 server sshd[16982]: Invalid user bethke from 62.118.210.94
May 14 01:49:37 server sshd[17169]: Invalid user bethke from 213.41.176.229
May 14 01:49:42 server sshd[17184]: Invalid user bethke from 81.115.35.60
May 14 01:50:49 server sshd[17492]: Invalid user boback from 201.47.43.70
May 14 01:52:20 server sshd[17679]: Invalid user boback from 221.8.255.134
May 14 01:52:26 server sshd[17702]: Invalid user boback from 217.86.172.186

The problem is: there is no IP to block within your firewall! (quite useless)
The hit-rate is quite low (you see a log excerpt of one hour, and each IP is overall used 1-4 times a day!
(quite a nice huge bot-net ;-) )

The point is, I was curious for days now, since "Logwatch" reportet pages over pages of failed SSH logins, but noone trapped into my iptables script (10+ probes at a high hit rate)!

so, a simple grep "Invalid user" /var/log/messages showed, same username in probe + different ip; waitstates between requests vary, and user names aren't used that often ...

Those guys are annoying :(

Edit:

they seem to walk through a database.
The same user names occur on different hosts at similar times, but the bigger server seems to be detected, it gets more requests:

grep "Invalid user" /var/log/messages|grep fuhrhop
May 14 02:23:12 s1 sshd[21841]: Invalid user fuhrhop from 200.209.6.130
May 14 02:23:15 s1 sshd[21851]: Invalid user fuhrhop from 165.228.98.64
May 14 02:23:46 s2 sshd[15418]: Invalid user fuhrhop from 67.71.212.50
May 14 02:23:57 s1 sshd[21990]: Invalid user fuhrhop from 62.2.211.46
May 14 02:24:06 s1 sshd[22014]: Invalid user fuhrhop from 200.67.193.252

grep "Invalid user" /var/log/messages|grep boback
May 14 01:50:49 s1 sshd[17492]: Invalid user boback from 201.47.43.70
May 14 01:52:09 s2 sshd[15291]: Invalid user boback from 190.8.192.66
May 14 01:52:20 s1 sshd[17679]: Invalid user boback from 221.8.255.134
May 14 01:52:26 s1 sshd[17702]: Invalid user boback from 217.86.172.186

grep "Invalid user" /var/log/messages|grep friebe
May 14 02:18:11 s1 sshd[21085]: Invalid user friebe from 66.122.59.6
May 14 02:18:44 s2 sshd[15387]: Invalid user friebe from 195.30.95.109
May 14 02:18:55 s1 sshd[21119]: Invalid user friebe from 193.41.235.225
May 14 02:19:02 s1 sshd[21134]: Invalid user friebe from 213.134.152.66

*morons*

15 Comments / add your comment?

beatmaster ^pro says:

referal to securityfocus: http://www.securityfocus.com/archive/75/491953/30/0/threaded
12.5.2008 was about the time it started on my servers ...

Posted 5 months ago. ( permalink )

Rosi`sFotostream ^pro says:

kannst du mir translaten :-) ??

Posted 4 months ago. ( permalink )

beatmaster ^pro replies:

uh, ich probiers mal ;-)
In der Netwerkwelt gibt es Server und Clients. Ein möglicher Client wäre z. B. Dein Browser, und wenn Du dort eine Internetadresse eintippst, kontaktiert Dein Browser einen Server, der wiederum nur darauf wartet dass Clients/Leute Informationen bei ihm anfordern.

Hier geht es um einen Dienst Namens SSH (Secure SHell), mit dem man sich über das Netzwerk auf Servern/Computern "einloggen" kann.
Bei einem erflogreichen Login erscheint so etwas ähnliches wie die "Eingabeaufforderung" bei Dir unter Windows, ein kleines Fensterle in das man Befehle eintippen kann und die Ausgaben dieser ausgeführten Befehle/Programme angezeigt bekommt.

Soweit so gut.
Sehr häufig kommt dieses Programm (Protokoll, da im Netzwerk) zum Einsatz, um entfernte Rechner zu steuern/administrieren.
Und die Verlockung ist für mance Gesellen im Internet groß, fremde Rechner zu missbrauchen auf ihnen Befehle auszuführen, raubkopierte Sachen darauf zum Herunterladen anzubieten, oder gar weitere fremde Rechner im Internet darüber anzugreifen (Verschleierung der eigenen Identität).

Hier siehst Du die "Brachialmethode" (das nennt sich dann "brute force"): einfach immer wieder versuchen einzuloggen, in der Hoffnung dass es irgend wann schon klappt!

Das eigentlich ungewöhnliche an den oben gezeigten Logdaten ist, dass dieser hier gezeigte "Angreifer" (scanning ist eigentlich eine Vorstufe eines Angriffs, ist aber als "unfreundlich" verpöhnt) ganz viele verschiedene Internetadressen benutzt (und nicht wie im typischen Fall nur eine, die man ganz leicht sperren könnte), das sind ein ganzer Haufen "gekaperter" Rechner, vom ungesicherten Webserver bis hin zu Windows-Rechnern die über DSL ins Internet gehen: ein sog. "Bot-Net"!
Und ausserdem Interessant ist, dass dieser "Lausbub" nicht nur einen Rechner nach dem anderen austestet, sondern ganz viele gleichzeitig!