LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-03-2004, 11:14 PM   #1
heri0n
Member
 
Registered: Oct 2004
Location: Hamilton, Ontario
Distribution: Slackware 10.0
Posts: 48

Rep: Reputation: 15
SSH brute force.... compromised?


Here is my /var/log/secure.1

Code:
Oct 18 15:55:15 pastpower sshd[983]: Did not receive identification string from 211.40.89.159
Oct 18 16:19:28 pastpower sshd[986]: Illegal user patrick from 211.40.89.159
Oct 18 16:19:31 pastpower sshd[988]: Illegal user patrick from 211.40.89.159
Oct 18 16:19:46 pastpower sshd[1000]: Illegal user rolo from 211.40.89.159
Oct 18 16:19:49 pastpower sshd[1002]: Illegal user iceuser from 211.40.89.159
Oct 18 16:19:51 pastpower sshd[1004]: Illegal user horde from 211.40.89.159
Oct 18 16:19:54 pastpower sshd[1006]: Illegal user cyrus from 211.40.89.159
Oct 18 16:19:57 pastpower sshd[1008]: Illegal user www from 211.40.89.159
Oct 18 16:19:59 pastpower sshd[1010]: Illegal user wwwrun from 211.40.89.159
Oct 18 16:20:02 pastpower sshd[1012]: Illegal user matt from 211.40.89.159
Oct 18 16:20:04 pastpower sshd[1014]: Illegal user test from 211.40.89.159
Oct 18 16:20:07 pastpower sshd[1016]: Illegal user test from 211.40.89.159
Oct 18 16:20:10 pastpower sshd[1018]: Illegal user test from 211.40.89.159
Oct 18 16:20:12 pastpower sshd[1020]: Illegal user test from 211.40.89.159
Oct 18 16:20:15 pastpower sshd[1022]: Illegal user www-data from 211.40.89.159
Oct 18 16:20:20 pastpower sshd[1026]: Illegal user operator from 211.40.89.159
Oct 18 16:20:23 pastpower sshd[1028]: Illegal user adm from 211.40.89.159
Oct 18 16:20:25 pastpower sshd[1030]: Illegal user apache from 211.40.89.159
Oct 18 16:20:28 pastpower sshd[1032]: Illegal user irc from 211.40.89.159
Oct 18 16:20:30 pastpower sshd[1034]: Illegal user irc from 211.40.89.159
Oct 18 16:20:33 pastpower sshd[1036]: Illegal user adm from 211.40.89.159
Oct 18 16:20:43 pastpower sshd[1044]: Illegal user jane from 211.40.89.159
Oct 18 16:20:46 pastpower sshd[1046]: Illegal user pamela from 211.40.89.159
Oct 18 16:21:01 pastpower sshd[1058]: Illegal user cosmin from 211.40.89.159
Oct 18 16:22:49 pastpower sshd[1132]: Illegal user cip52 from 211.40.89.159
Oct 18 16:22:53 pastpower sshd[1134]: Illegal user cip51 from 211.40.89.159
Oct 18 16:23:01 pastpower sshd[1138]: Illegal user noc from 211.40.89.159
Oct 18 16:23:20 pastpower sshd[1148]: Illegal user webmaster from 211.40.89.159
Oct 18 16:23:23 pastpower sshd[1150]: Illegal user data from 211.40.89.159
Oct 18 16:23:25 pastpower sshd[1152]: Illegal user user from 211.40.89.159
Oct 18 16:23:31 pastpower sshd[1154]: Illegal user user from 211.40.89.159
Oct 18 16:23:34 pastpower sshd[1156]: Illegal user user from 211.40.89.159
Oct 18 16:23:37 pastpower sshd[1158]: Illegal user web from 211.40.89.159
Oct 18 16:23:40 pastpower sshd[1160]: Illegal user web from 211.40.89.159
Oct 18 16:23:43 pastpower sshd[1162]: Illegal user oracle from 211.40.89.159
Oct 18 16:23:45 pastpower sshd[1164]: Illegal user sybase from 211.40.89.159
Oct 18 16:23:51 pastpower sshd[1166]: Illegal user master from 211.40.89.159
Oct 18 16:23:58 pastpower sshd[1168]: Illegal user account from 211.40.89.159
Oct 18 16:24:00 pastpower sshd[1170]: Illegal user backup from 211.40.89.159
Oct 18 16:24:04 pastpower sshd[1172]: Illegal user server from 211.40.89.159
Oct 18 16:24:07 pastpower sshd[1174]: Illegal user adam from 211.40.89.159
Oct 18 16:24:10 pastpower sshd[1176]: Illegal user alan from 211.40.89.159
Oct 18 16:24:13 pastpower sshd[1178]: Illegal user frank from 211.40.89.159
Oct 18 16:24:15 pastpower sshd[1180]: Illegal user george from 211.40.89.159
Oct 18 16:24:19 pastpower sshd[1182]: Illegal user henry from 211.40.89.159
Oct 18 16:24:22 pastpower sshd[1184]: Illegal user john from 211.40.89.159
Oct 18 16:24:42 pastpower sshd[1196]: Illegal user test from 211.40.89.159
Oct 18 17:46:49 pastpower sshd[1220]: Illegal user test from 62.81.199.204
Oct 18 17:46:50 pastpower sshd[1222]: Illegal user guest from 62.81.199.204
Oct 18 17:46:52 pastpower sshd[1224]: Illegal user admin from 62.81.199.204
Oct 18 17:46:54 pastpower sshd[1226]: Illegal user admin from 62.81.199.204
Oct 18 17:46:55 pastpower sshd[1228]: Illegal user user from 62.81.199.204
Oct 18 17:47:02 pastpower sshd[1236]: Illegal user test from 62.81.199.204
Oct 19 09:04:30 pastpower sshd[1632]: Accepted publickey for heri0n from 216.58.40.32 port 1250 ssh2
Oct 19 09:05:48 pastpower su[1649]: + pts/0 heri0n-root
Oct 19 09:11:34 pastpower su[1670]: + pts/0 heri0n-root
Oct 19 09:29:20 pastpower sshd[1681]: Illegal user test from 218.38.136.47
Oct 19 09:29:22 pastpower sshd[1683]: Illegal user guest from 218.38.136.47
Oct 19 09:29:25 pastpower sshd[1685]: Illegal user admin from 218.38.136.47
Oct 19 09:29:27 pastpower sshd[1687]: Illegal user admin from 218.38.136.47
Oct 19 09:29:29 pastpower sshd[1689]: Illegal user user from 218.38.136.47
Oct 19 09:29:38 pastpower sshd[1697]: Illegal user test from 218.38.136.47
Oct 19 21:04:56 pastpower sshd[2156]: Accepted publickey for heri0n from 192.168.1.1 port 3288 ssh2
Oct 19 21:04:56 pastpower sshd[2158]: subsystem request for sftp
Oct 20 10:42:35 pastpower sshd[2491]: Did not receive identification string from 62.77.246.220
Oct 20 11:20:59 pastpower sshd[2514]: Illegal user test from 212.78.150.64
Oct 20 11:21:01 pastpower sshd[2516]: Illegal user guest from 212.78.150.64
Oct 20 11:21:02 pastpower sshd[2518]: Illegal user admin from 212.78.150.64
Oct 20 11:21:04 pastpower sshd[2520]: Illegal user admin from 212.78.150.64
Oct 20 11:21:05 pastpower sshd[2522]: Illegal user user from 212.78.150.64
Oct 20 11:21:11 pastpower sshd[2530]: Illegal user test from 212.78.150.64
Oct 21 09:05:54 pastpower sshd[3058]: Accepted publickey for heri0n from 216.58.40.32 port 1153 ssh2
Oct 21 14:32:35 pastpower su[3385]: + pts/0 heri0n-root
Oct 21 17:01:01 pastpower sshd[11543]: Accepted publickey for heri0n from 216.58.40.32 port 1047 ssh2
Oct 21 17:46:16 pastpower sshd[11575]: Accepted publickey for heri0n from 192.168.1.1 port 1090 ssh2
Oct 21 17:46:16 pastpower sshd[11577]: subsystem request for sftp
Oct 21 17:46:45 pastpower sshd[11579]: Accepted publickey for heri0n from 192.168.1.1 port 1094 ssh2
Oct 21 17:46:45 pastpower sshd[11581]: subsystem request for sftp
Oct 22 10:55:01 pastpower sshd[12021]: Accepted publickey for heri0n from 216.58.40.32 port 1278 ssh2
Oct 22 15:28:14 pastpower sshd[12225]: Illegal user oracle9 from 211.251.71.2
Oct 22 15:28:21 pastpower sshd[12227]: Illegal user informix from 211.251.71.2
Oct 22 15:28:38 pastpower sshd[12229]: Illegal user oracle from 211.251.71.2
Oct 22 15:28:39 pastpower sshd[12231]: Illegal user oracle from 211.251.71.2
Oct 22 15:28:40 pastpower sshd[12233]: Illegal user oracle from 211.251.71.2
Oct 22 15:28:41 pastpower sshd[12235]: Illegal user guest from 211.251.71.2
Oct 22 15:28:41 pastpower sshd[12236]: Illegal user oracle from 211.251.71.2
Oct 22 15:28:42 pastpower sshd[12239]: Illegal user gateway from 211.251.71.2
Oct 22 15:37:04 pastpower sshd[12255]: Illegal user webadmin from 211.251.71.2
Oct 22 15:45:20 pastpower sshd[12261]: Illegal user webadmin from 211.251.71.2
Oct 22 15:51:37 pastpower sshd[12291]: Illegal user postgres from 211.251.71.2
Oct 22 15:51:43 pastpower sshd[12295]: Illegal user webadmin from 211.251.71.2
Oct 22 15:58:36 pastpower sshd[12300]: Illegal user oracle from 211.251.71.2
Oct 22 15:58:39 pastpower sshd[12302]: Illegal user postgres from 211.251.71.2
Oct 22 15:58:44 pastpower sshd[12306]: Illegal user webadmin from 211.251.71.2
Oct 23 23:04:17 pastpower sshd[13724]: Did not receive identification string from 161.53.202.3
Oct 23 23:33:05 pastpower sshd[13737]: Illegal user patrick from 161.53.202.3
Oct 24 01:54:53 pastpower sshd[13874]: Accepted publickey for heri0n from 192.168.1.1 port 2332 ssh2
Oct 24 01:54:53 pastpower sshd[13876]: subsystem request for sftp
What I am wondering is why sshd is accepting connections on weird ports?
The IPs are valid, one is from work, and the other is router. Is it normal to have your router's IP when you connect from home? Have I been compromised? SSH's connection port was not changed from the default of 22.... And I don't see how could my private key could have been stolen.
 
Old 11-03-2004, 11:33 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
That's the source port the connection came from.
 
Old 11-08-2004, 02:30 PM   #3
heri0n
Member
 
Registered: Oct 2004
Location: Hamilton, Ontario
Distribution: Slackware 10.0
Posts: 48

Original Poster
Rep: Reputation: 15
So I am fine?
 
Old 11-08-2004, 07:06 PM   #4
globeTrotter
Member
 
Registered: Feb 2004
Location: Townsville, Queensland, Oz
Distribution: Red Hat 9
Posts: 107

Rep: Reputation: 15
hi

i'm pretty new to linux, and the security thing in general, but after reading your post i checked out my /var/log/secure.* files, and guess what? i have exactly the same prob. everything mirrors your /var/log/secure.1 file except for the source ip address. it appears that they havent gotten in, i think???????????

i ran the following command as root

whois -h whois.apnic.net ip_address

where ip_address was the ip address of the hacker. turns out it's a Network centre in Japan. looks like some script kiddie is trying his/her luck. i sent an email to the hostmaster of the Network centre. i await a reply. if anyone can shed light on what else, if anything can be done, i'd be greatly appreciative.
regards
GT
 
Old 11-08-2004, 07:34 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by globeTrotter
hi

i'm pretty new to linux, and the security thing in general, but after reading your post i checked out my /var/log/secure.* files, and guess what? i have exactly the same prob. everything mirrors your /var/log/secure.1 file except for the source ip address. it appears that they havent gotten in, i think???????????

i ran the following command as root

whois -h whois.apnic.net ip_address

where ip_address was the ip address of the hacker. turns out it's a Network centre in Japan. looks like some script kiddie is trying his/her luck. i sent an email to the hostmaster of the Network centre. i await a reply. if anyone can shed light on what else, if anything can be done, i'd be greatly appreciative.
regards
GT
There already is a massive thread on this issue. Take a look for more info on the SSH bruteforce/scans:
http://www.linuxquestions.org/questi...hreadid=215431
 
Old 11-08-2004, 08:31 PM   #6
globeTrotter
Member
 
Registered: Feb 2004
Location: Townsville, Queensland, Oz
Distribution: Red Hat 9
Posts: 107

Rep: Reputation: 15
Hi

thanks for the link. i just downloaded an ran the rootkit hunter. it tells me i have 4 vulnerable programs, and a warning about ssh v1.
This is the relevant output.

Application version scan
- GnuPG 1.2.1 [ Vulnerable ]
- Apache 2.0.40 [ Vulnerable ]
- Bind DNS [unknown] [ OK ]
- OpenSSL 0.9.7a [ Vulnerable ]
- PHP [unknown] [ OK ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.5p1 [ Vulnerable ]Check: SSH

Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
Hint: see logfile for more information
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]

* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]

As it appears to be ssh they're targetting, how do i turn off SSH v1? all and any info greatly appreciated.

regards
GT
 
Old 11-08-2004, 08:44 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
First make sure to get your system updated immediately (it found several applications with security vulns).

To secure SSH, edit the /etc/ssh/sshd_config file and change the following to disable root logins:
Code:
#PermitRootLogin yes
--uncomment and change to:
PermitRootLogin no
To make SSHd use only protcol 2:
Code:
#Protocol 1,2
--uncomment and change to:
Protocol 2
 
Old 11-08-2004, 09:11 PM   #8
globeTrotter
Member
 
Registered: Feb 2004
Location: Townsville, Queensland, Oz
Distribution: Red Hat 9
Posts: 107

Rep: Reputation: 15
Hi Capt

thanks for the info. since my last post i've been doing a bit of and changed the very attributes you mentioned. only thing was i read i should change the ssh_config file, not the sshd_config file. so i changed the ssh_config file and ran the rootkit hunter again. as it still told me i had probs, i changed the sshd_config file too. ran the rootkit hunter again and everything is hunky dory (?!?!?!?!?!?!?!?)

just before we close this thread, first let me thank you, but what is the diffrence in operation of the ssh_config & sshd_config file. just for future refrence. if you don't know, no worries. i'll work it out sooner or later with my relationship with the smiley penguin.

regards
lee
 
Old 11-08-2004, 10:18 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
ssh_config is for the ssh client application (software you use to connect to other systems). sshd_config is for the ssh server (ssh daemon), which allows other systems to connect to you. It is rather confusing having them both in the same directory and similar names.
 
Old 11-08-2004, 10:37 PM   #10
globeTrotter
Member
 
Registered: Feb 2004
Location: Townsville, Queensland, Oz
Distribution: Red Hat 9
Posts: 107

Rep: Reputation: 15
Hi Capt

that explains why i had to uncoment the
PermitRootLogin no

line from my ssh_config file when i tried to ssh out. Also as i only really use the httpd, mysqld & sshd on my own ethernet, i configured them not to be started up at boot. Basically i'm only using these products to learn , apache, mysql, php etc as they're not taught at Uni, not until post grad anyway, same with Linux, post grad only!!! anyway turning these off while on line should secure the system a little more. Thanks for your knowledge.
Sorted
Lee
 
Old 11-09-2004, 02:53 AM   #11
Kahless
Member
 
Registered: Jul 2003
Location: Pennsylvainia
Distribution: Slackware / Debian / *Ubuntu / Opensuse / Solaris uname: Brian Cooney
Posts: 503

Rep: Reputation: 30
if your getting alot of hacking attempts from a network in japan, it probally woudnt hurt to throw in an iptables rule to drop packets from that network.
 
Old 11-10-2004, 02:47 PM   #12
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
By the way, the reason you have to change the protocol to 2 in both sshd_config and ssh_config is to prevent MitM attacks (Man-in-the-Middle). There are a couple of exploit tools that can spoof SSHv1 handshakes between the client and the server to force both of them to fall back to SSHv1 if they have it enabled. That can lead the attacker to recover the user's password or hijack their connection to the SSH server. If both client and server only support version 2, this attack is impossible (it will basically turn into a denial of service instead of a full hijacking).
 
Old 11-10-2004, 05:58 PM   #13
globeTrotter
Member
 
Registered: Feb 2004
Location: Townsville, Queensland, Oz
Distribution: Red Hat 9
Posts: 107

Rep: Reputation: 15
hi

thanks for the info, i'm fairly new to this stuff, but very interesting. Man in the Middle eh,, sneaky bas@#rds. do these attacks happen alot? mind you i have nothing worth all that trouble for on my computer. thanks again.
regards
GT
 
Old 11-10-2004, 08:06 PM   #14
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,782
Blog Entries: 1

Rep: Reputation: 413Reputation: 413Reputation: 413Reputation: 413Reputation: 413
Quote:
Originally posted by globeTrotter

mind you i have nothing worth all that trouble for on my computer. thanks again.
Ah, but the use of the computer itself might be worth the trouble. I general, I agree with you. If someone breaks into my system they are likely to be sorely dissapointed at the contents. However I keep a close eye on it because someone could use it to cover their tracks as they try to do unsavory things to other computers. It isn't always the data they are after!
 
Old 11-20-2004, 12:06 PM   #15
sfhc
LQ Newbie
 
Registered: Jun 2004
Posts: 5

Rep: Reputation: 0
Hello,

My Linux box seems to get lots of attention from this brute force script.

In yesterday's logwatch, I got a wierd message.

Code:
Illegal user admin from 81.7.135.70
Illegal user user from 81.7.135.70
Illegal user test from 81.7.135.70
 succeeded
The word "succeeded' concerns me. Does this mean that one of the illegal users got in? No other LogWatch for SSHD contains the word "succeeded".

FYI:
Red Hat 9
SSHD - root disabled, PAM set to deny access after 3 failures for 24 hours

Any information on this matter will be greatly appreciated.

-Jose
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Brute Force Detection for iptables SlAiD Linux - Security 3 05-05-2005 04:03 PM
brute force 'mungas bungas ' ovparrilla Linux - Software 2 07-06-2004 02:38 PM
Nessus Brute Force Gerardoj Linux - General 0 12-27-2003 04:07 PM
Brute force DHCP SSBN Linux - Networking 10 10-21-2003 10:34 AM
Brute Force kwigibo Linux - General 2 08-01-2002 12:42 AM


All times are GMT -5. The time now is 05:15 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration