LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   sshd attacks - failed passwords (http://www.linuxquestions.org/questions/linux-security-4/sshd-attacks-failed-passwords-493240/)

x42bn6 10-17-2006 01:14 PM

sshd attacks - failed passwords
My name is Jason Lim and I am an Administrator (or, rather, co-Administrator) of a forum that is rather large. Recently, we were disconnected from our webhost because of "unsolicited attacks". It appears that our server has been attacking our webhost (sounds funny, eh?). They allowed us the ability to secure it, but I have no idea how.

Neither I nor one of my peers have direct access to the server, so we cannot run remote commands. However, I would appreciate any help.

Here is a log of what our webhost sent me:
Oct 15 07:41:16 localhost sshd[15184]: Failed password for root from ***.***.***.*** port 41501 ssh2
Oct 15 07:41:19 localhost sshd[15186]: Failed password for root from ***.***.***.*** port 41834 ssh2
Oct 15 07:41:22 localhost sshd[15188]: Failed password for root from ***.***.***.*** port 43369 ssh2
Oct 15 07:41:24 localhost sshd[15191]: Failed password for invalid user admin from ***.***.***.*** port 45955 ssh2
Oct 15 07:41:26 localhost sshd[15193]: Failed password for invalid user test from ***.***.***.*** port 47823 ssh2
Oct 15 07:41:28 localhost sshd[15195]: Failed password for invalid user guest from ***.***.***.*** port 50122 ssh2
Oct 15 07:41:30 localhost sshd[15197]: Failed password for invalid user webmaster from ***.***.***.*** port 52199 ssh2
Oct 15 07:41:33 localhost sshd[15199]: Failed password for mysql from ***.***.***.*** port 53423 ssh2
Oct 15 07:41:35 localhost sshd[15201]: Failed password for invalid user oracle from ***.***.***.*** port 54223 ssh2
Oct 15 07:41:37 localhost sshd[15204]: Failed password for invalid user library from ***.***.***.*** port 54353 ssh2
Oct 15 07:41:39 localhost sshd[15206]: Failed password for invalid user info from ***.***.***.*** port 54519 ssh2
Oct 15 07:41:41 localhost sshd[15208]: Failed password for invalid user shell from ***.***.***.*** port 54691 ssh2
Oct 15 07:41:43 localhost sshd[15210]: Failed password for invalid user linux from ***.***.***.*** port 54824 ssh2
Oct 15 07:41:45 localhost sshd[15212]: Failed password for invalid user unix from ***.***.***.*** port 55001 ssh2
Oct 15 07:41:47 localhost sshd[15214]: Failed password for invalid user webadmin from ***.***.***.*** port 55138 ssh2
Oct 15 07:41:49 localhost sshd[15216]: Failed password for ftp from ***.***.***.*** port 55271 ssh2
Oct 15 07:41:51 localhost sshd[15218]: Failed password for invalid user test from ***.***.***.*** port 55437 ssh2
Oct 15 07:41:54 localhost sshd[15221]: Failed password for root from ***.***.***.*** port 55639 ssh2
Oct 15 07:41:57 localhost sshd[15223]: Failed password for invalid user admin from ***.***.***.*** port 55816 ssh2
Oct 15 07:41:58 localhost sshd[15225]: Failed password for invalid user guest from ***.***.***.*** port 56036 ssh2
Oct 15 07:42:00 localhost sshd[15227]: Failed password for invalid user master from ***.***.***.*** port 56159 ssh2
Oct 15 07:42:02 localhost sshd[15229]: Failed password for apache from ***.***.***.*** port 56330 ssh2
Oct 15 07:42:04 localhost sshd[15231]: Failed password for root from ***.***.***.*** port 56480 ssh2
Oct 15 07:42:06 localhost sshd[15233]: Failed password for root from ***.***.***.*** port 56630 ssh2
Oct 15 07:42:09 localhost sshd[15236]: Failed password for invalid user network from ***.***.***.*** port 56807 ssh2
Oct 15 07:42:11 localhost sshd[15238]: Failed password for invalid user word from ***.***.***.*** port 56991 ssh2
Oct 15 07:42:13 localhost sshd[15240]: Failed password for root from ***.***.***.*** port 57167 ssh2
Oct 15 07:42:15 localhost sshd[15242]: Failed password for root from ***.***.***.*** port 57323 ssh2
Oct 15 07:42:17 localhost sshd[15244]: Failed password for root from ***.***.***.*** port 57506 ssh2
Oct 15 07:42:19 localhost sshd[15246]: Failed password for root from ***.***.***.*** port 57648 ssh2
Oct 15 07:42:21 localhost sshd[15248]: Failed password for root from ***.***.***.*** port 57839 ssh2
Oct 15 07:42:24 localhost sshd[15251]: Failed password for root from ***.***.***.*** port 58001 ssh2
Oct 15 07:42:26 localhost sshd[15253]: Failed password for root from ***.***.***.*** port 58173 ssh2
Oct 15 07:42:27 localhost sshd[15255]: Failed password for root from ***.***.***.*** port 58350 ssh2
Oct 15 07:42:29 localhost sshd[15257]: Failed password for invalid user text from ***.***.***.*** port 58951 ssh2
Oct 15 07:42:31 localhost sshd[15259]: Failed password for invalid user book from ***.***.***.*** port 59087 ssh2
Oct 15 07:42:34 localhost sshd[15261]: Failed password for invalid user choil from ***.***.***.*** port 59666 ssh2
Oct 15 07:42:36 localhost sshd[15263]: Failed password for invalid user jarid from ***.***.***.*** port 59848 ssh2
Oct 15 07:42:38 localhost sshd[15266]: Failed password for root from ***.***.***.*** port 59999 ssh2
Oct 15 07:42:39 localhost sshd[15268]: Failed password for root from ***.***.***.*** port 60587 ssh2
Oct 15 07:42:41 localhost sshd[15270]: Failed password for root from ***.***.***.*** port 60713 ssh2
Oct 15 07:42:44 localhost sshd[15272]: Failed password for root from ***.***.***.*** port 60851 ssh2
Oct 15 07:42:46 localhost sshd[15274]: Failed password for root from ***.***.***.*** port 33204 ssh2
Oct 15 07:42:47 localhost sshd[15276]: Failed password for root from ***.***.***.*** port 33358 ssh2
Oct 15 07:42:49 localhost sshd[15278]: Failed password for invalid user admin from ***.***.***.*** port 33854 ssh2
Oct 15 07:42:51 localhost sshd[15280]: Failed password for invalid user admin from ***.***.***.*** port 34028 ssh2
Oct 15 07:42:53 localhost sshd[15283]: Failed password for invalid user admin from ***.***.***.*** port 34191 ssh2
Oct 15 07:42:55 localhost sshd[15285]: Failed password for invalid user admin from ***.***.***.*** port 34759 ssh2
Oct 15 07:42:57 localhost sshd[15287]: Failed password for root from ***.***.***.*** port 34915 ssh2
Oct 15 07:42:59 localhost sshd[15289]: Failed password for root from ***.***.***.*** port 35446 ssh2
Oct 15 07:43:01 localhost sshd[15291]: Failed password for invalid user test from ***.***.***.*** port 35605 ssh2
Oct 15 07:43:03 localhost sshd[15293]: Failed password for invalid user test from ***.***.***.*** port 35760 ssh2
Oct 15 07:43:05 localhost sshd[15376]: Failed password for invalid user webmaster from ***.***.***.*** port 36296 ssh2
Oct 15 07:43:08 localhost sshd[15451]: Failed password for invalid user user from ***.***.***.*** port 36445 ssh2
Oct 15 07:43:09 localhost sshd[15453]: Failed password for invalid user username from ***.***.***.*** port 36951 ssh2
Oct 15 07:43:11 localhost sshd[15455]: Failed password for invalid user username from ***.***.***.*** port 37125 ssh2
Oct 15 07:43:13 localhost sshd[15457]: Failed password for invalid user user from ***.***.***.*** port 37259 ssh2
Oct 15 07:43:15 localhost sshd[15459]: Failed password for root from ***.***.***.*** port 37815 ssh2
Oct 15 07:43:18 localhost sshd[15461]: Failed password for invalid user admin from ***.***.***.*** port 37988 ssh2
Oct 15 07:43:20 localhost sshd[15463]: Failed password for invalid user test from ***.***.***.*** port 38545 ssh2
Oct 15 07:43:21 localhost sshd[15466]: Failed password for root from ***.***.***.*** port 38706 ssh2
Oct 15 07:43:23 localhost sshd[15468]: Failed password for root from ***.***.***.*** port 38823 ssh2
Oct 15 07:43:26 localhost sshd[15470]: Failed password for root from ***.***.***.*** port 39389 ssh2
Oct 15 07:43:28 localhost sshd[15472]: Failed password for root from ***.***.***.*** port 39561 ssh2
Oct 15 07:43:30 localhost sshd[15474]: Failed password for invalid user danny from ***.***.***.*** port 40120 ssh2
Oct 15 07:43:32 localhost sshd[15476]: Failed password for invalid user sharon from ***.***.***.*** port 40276 ssh2
Oct 15 07:43:34 localhost sshd[15478]: Failed password for invalid user aron from ***.***.***.*** port 40857 ssh2
Oct 15 07:43:36 localhost sshd[15480]: Failed password for invalid user alex from ***.***.***.*** port 43764 ssh2
Oct 15 07:43:38 localhost sshd[15483]: Failed password for invalid user brett from ***.***.***.*** port 43933 ssh2
Oct 15 07:43:40 localhost sshd[15485]: Failed password for invalid user mike from ***.***.***.*** port 44507 ssh2
Oct 15 07:43:43 localhost sshd[15487]: Failed password for invalid user alan from ***.***.***.*** port 44647 ssh2
Oct 15 07:43:45 localhost sshd[15489]: Failed password for invalid user data from ***.***.***.*** port 45225 ssh2
Oct 15 07:43:47 localhost sshd[15491]: Failed password for invalid user www-data from ***.***.***.*** port 45386 ssh2
Where ***.***.***.*** is our forum's IP address.

The server is a dedicated server, whatever that means.

If anyone has any advice, I would be extremely grateful.

Also, I am a Linux newbie, so please keep the information as simple as possible.

gstimson 10-17-2006 02:32 PM

Looks like your server has been hacked and your ISP would be right to disconnect it.

Someone needs to be responsible for keeping the server's operating system and forum software up-to-date with security patches and apply good security practice.

You should be paying someone to do that. Your host may just be renting you the server and assume you're managing it yourself, in which case it's your responsibility. If you're paying your host to keep it secure and forum software up-to-date then it's their problem.

As you don't know the root SSH password you cannot do this maintenance yourself so I'm assuming your webhost has responsibility for this. You would therefore have a right to expect them to deal with this problem. Frankly the best solution is for them to install and secure a new server and then copy over your data.

Gary

x42bn6 10-17-2006 02:48 PM

Quote:

Originally Posted by gstimson
Looks like your server has been hacked and your ISP would be right to disconnect it.

Someone needs to be responsible for keeping the server's operating system and forum software up-to-date with security patches and apply good security practice.

You should be paying someone to do that. Your host may just be renting you the server and assume you're managing it yourself, in which case it's your responsibility. If you're paying your host to keep it secure and forum software up-to-date then it's their problem.

As you don't know the root SSH password you cannot do this maintenance yourself so I'm assuming your webhost has responsibility for this. You would therefore have a right to expect them to deal with this problem. Frankly the best solution is for them to install and secure a new server and then copy over your data.

Gary

OK, I'm not too familiar with webhost terminology, so...

I am one of 4 Administrators on this forum, but being disorganised idiots as we are, despite the fact we are supposedly able to execute remote commands, I can't, for some reason. But one of us is the owner of the site, the domain name and the server. The server is a dedicated server run by our webhost aplus.net - and I guess it means the responsibility falls on all 4 of us. :(

Alright, we did manage to connect to SSH (but that was my fellow Administrator and he is off now). Is there anything we can do? It's not root access, but I assume it is quite high up.

And, just to confirm, what do you think the odds are that we have definitely been hacked? I am in contact with our webhost at the moment, and would like to ascertain what our, er, poor chances are. :(

gstimson 10-17-2006 02:55 PM

Quote:

Originally Posted by x42bn6
Alright, we did manage to connect to SSH (but that was my fellow Administrator and he is off now). Is there anything we can do? It's not root access, but I assume it is quite high up.

To continue using that server you'd need to remove any dodgy stuff installed by a hacker, secure the server and update and secure the forum.

Quote:

Originally Posted by x42bn6
And, just to confirm, what do you think the odds that we are definitely hacked is?

The SSH log you posted looks pretty certain to me.

No offence, but you're probably best off running the forum and leaving someone else to manage the forum software and server security. Some companies provide hosted forums and would assist you in migrating. Your monthly cost would likely be higher because someone has to pay the people to do the maintenance.

Gary

x42bn6 10-17-2006 03:01 PM

Quote:

Originally Posted by gstimson
To continue using that server you'd need to remove any dodgy stuff installed by a hacker, secure the server and update and secure the forum.



The SSH log you posted looks pretty certain to me.

No offence, but you're probably best off running the forum and leaving someone else to manage the forum software and server security. Some companies provide hosted forums and would assist you in migrating. Your monthly cost would likely be higher because someone has to pay the people to do the maintenance.

Gary

Alright, thanks. I have a very good idea who the hacker was - one certain user "deadlock" appeared when we executed last -a and he is most likely the culprit...

I just wish I knew Linux better...

Thank you for your help once again. I'll get my superior to get the job done.

RoaCh Of DisCor 10-17-2006 06:50 PM

Hey guys, thanks for the help so far. I'm another admin over at the forums, and I do have SSH access..so I can execute remote commands.

I run Linux as a desktop, and have for a few years now..but still, my server knowledge is somewhat limited.

However, I actually have been updating our server via yum. Right now we run FC4 as our server OS, and we are up-to-date -- this means patches and everything.

I'm not sure if that changes anything, but I figured I should add that.

-roach

RoaCh Of DisCor 10-18-2006 01:01 AM

Quote:

Originally Posted by gstimson
Looks like your server has been hacked and your ISP would be right to disconnect it.

Someone needs to be responsible for keeping the server's operating system and forum software up-to-date with security patches and apply good security practice.

You should be paying someone to do that. Your host may just be renting you the server and assume you're managing it yourself, in which case it's your responsibility. If you're paying your host to keep it secure and forum software up-to-date then it's their problem.

As you don't know the root SSH password you cannot do this maintenance yourself so I'm assuming your webhost has responsibility for this. You would therefore have a right to expect them to deal with this problem. Frankly the best solution is for them to install and secure a new server and then copy over your data.

Gary

Server has been hacked? These look like failed attempts to me..

Am I confused on something?

I'm no server-whiz, but the above simply looks like someone trying to guess the password to the SSH server (possibly trying to crack it with a program). However, ANYONE can connect to an SSH server remotely with a username and password..just like FTP. Am I right so far? If someone decided to type our host address into their ftp client, and go on a password guessing spree, how exactly is that our problem or responsibility? Anyone can do this...and you can't prevent failed hacking attempts.

Robert S 10-18-2006 06:47 AM

I get those messages in my logs all the time. It's due to hackers trying to log into your ssh server. I've fixed it using the script at blinkeye.ch/mediawiki/index.php/SSH_Blocking (this forum won't allow me to post urls - I'm sure you know what to do!)

I created an init script that starts it when my machine boots up. It blocks attempts to get onto your server for 10 minutes if there have been more than 6 unsuccessful attempts at logging in. You might need to make a few modifications to it. You need iptables installed.

Hangdog42 10-18-2006 06:49 AM

If I'm reading the OP correctly, the log he posted is from a different server. Those are ssh login attempts originating from his server, not trying to get into his server.
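A small log summariser, added here as an illustration and not code from any poster in this thread, for sshd lines in the format of the posted log: it counts failures per source address inside a sliding window (the 6-in-10-minutes rule Robert S describes) and reports whether the source is your own address, which is the distinction Hangdog42 draws. The sample lines and the address 203.0.113.10 are constructed.

```python
# Added example, not code from any poster: parse sshd "Failed password" lines in the
# format of the posted log, count failures per source in a sliding window, and check
# whether the source address is our own (the log then shows attempts LEAVING our box).
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style sshd line; the "invalid user" prefix is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_line(line, year=2006):
    """Return (timestamp, user, is_invalid_user, source_ip), or None."""
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; supply one so they can be compared.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["invalid"] is not None, m["ip"]

def summarise(lines, threshold=6, window_minutes=10):
    """Per-source stats; "exceeded_at" is the first time more than `threshold`
    failures fell inside the trailing window (Robert S's 6-in-10-minutes rule)."""
    stats, recent = {}, defaultdict(deque)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # not a failed-password line
        ts, user, invalid, ip = parsed
        s = stats.setdefault(ip, {"attempts": 0, "root": 0,
                                  "invalid_users": set(), "exceeded_at": None})
        s["attempts"] += 1
        if user == "root":
            s["root"] += 1
        if invalid:
            s["invalid_users"].add(user)  # names that do not exist on the box
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_minutes * 60:
            q.popleft()                   # drop failures older than the window
        if len(q) > threshold and s["exceeded_at"] is None:
            s["exceeded_at"] = ts
    return stats

def own_host_is_source(stats, own_ip):
    """True when our own address is the *source* of the failures (Hangdog42's point)."""
    return own_ip in stats

# Constructed sample in the posted format; 203.0.113.10 (documentation range) stands in for the forum's IP.
SAMPLE = """\
Oct 15 07:41:16 localhost sshd[15184]: Failed password for root from 203.0.113.10 port 41501 ssh2
Oct 15 07:41:19 localhost sshd[15186]: Failed password for root from 203.0.113.10 port 41834 ssh2
Oct 15 07:41:22 localhost sshd[15188]: Failed password for root from 203.0.113.10 port 43369 ssh2
Oct 15 07:41:24 localhost sshd[15191]: Failed password for invalid user admin from 203.0.113.10 port 45955 ssh2
Oct 15 07:41:26 localhost sshd[15193]: Failed password for invalid user test from 203.0.113.10 port 47823 ssh2
Oct 15 07:41:28 localhost sshd[15195]: Failed password for invalid user guest from 203.0.113.10 port 50122 ssh2
Oct 15 07:41:33 localhost sshd[15199]: Failed password for mysql from 203.0.113.10 port 53423 ssh2
""".splitlines()

if __name__ == "__main__":
    print(summarise(SAMPLE), own_host_is_source(summarise(SAMPLE), "203.0.113.10"))
```

Feed it the real log with `summarise(open("/var/log/secure").read().splitlines())`, and pass the address your host reported as `own_ip` to confirm which side of the connection you are on.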

matthewg42 10-18-2006 07:04 AM

If you need ssh, and have the ability to change the ssh configuration (not always possible with some hosting solutions), consider changing ssh to run on a port other than 22, e.g. 3456, and/or restricting the IPs which can connect to the ssh port to a list of IPs you know only you have access to.

msound 10-18-2006 07:22 AM

hmm I'm not a linux security guru by any means, but afaik if a server has been compromised it's usually best practice to backup all of your data files and do a reinstall of the os. The reason being that you have no idea what the intruder did when they gained access. Yes, you know that they tried to launch an attack on your isp, but there's also a good chance he/she has set up a backdoor into your system. Changing passwords and ssh config may not be enough at this point. Best practice would be to back up your data, have aplus.net reinstall the os, install tripwire right away, thoroughly lock down any remote login access, then reload your data from your archives. It sounds like a lot but you could probably knock it all out in one night. Just post a message on your forum saying that "we will temporarily be offline for scheduled maintenance from 10pm - 6am".

matthewg42 10-18-2006 07:47 AM

I just re-read the thread a little more carefully... These ssh login attempts are coming FROM your server...

Looks like someone at least has a shell on your machine.

This page has some very good advice.

Be aware that the only way to be 100% sure the machine is clean is to re-install the OS, but you can't do this over the net, at least not without the host-co's help.

Search your forum software maker's page, security advisory sites and hacking sites like milw0rm to help identify the flaw which led to the compromise. I mention milw0rm specifically because it helped identify an attack on one of my sites in the past, and it's often got info there before it gets published on the software vendor's site or security sites.

~=gr3p=~ 10-18-2006 08:27 AM

Quote:

Originally Posted by x42bn6
Alright, thanks. I have a very good idea who the hacker was - one certain user "deadlock" appeared when we executed last -a and he is most likely the culprit...

I just wish I knew Linux better...

Thank you for your help once again. I'll get my superior to get the job done.

Some hacker would leave those traces... or maybe he wants to make sure you know you are hacked ;)

There is a topic made sticky, why not read it...

http://www.linuxquestions.org/questi...d.php?t=340366

Hangdog42 10-18-2006 11:32 AM

Quote:

Originally Posted by ~=gr3p=~
Some hacker would leave those traces... or maybe he wants to make sure you know you are hacked ;)

There is a topic made sticky, why not read it...

http://www.linuxquestions.org/questi...d.php?t=340366


Reading that link is going to do absolutely no good because the OP was the SOURCE of the ssh attack, not the victim. The OP needs to take steps to determine how the box was compromised and what was done to it. And since we haven't had any new information for a bit, it is pretty useless to sit and speculate.

x42bn6 10-18-2006 12:35 PM

Quote:

Originally Posted by matthewg42
I just re-read the thread a little more carefully... These ssh login attempts are coming FROM your server...

Looks like someone at least has a shell on your machine.

This page has some very good advice.

Be aware that the only way to be 100% sure the machine is clean is to re-install the OS, but you can't do this over the net, at least not without the host-co's help.

Search your forum software maker's page, security advisory sites and hacking sites like milw0rm to help identify the flaw which led to the compromise. I mention milw0rm specifically because it helped identify an attack on one of my sites in the past, and it's often got info there before it gets published on the software vendor's site or security sites.

Right, I can run remote commands but not sure if I am root. Are there any commands you suggest I run? I'll post what they give here.

[edit] Here is a snippet from last -a -d:
anon ftpd24200 Wed Oct 11 11:54 - 12:00 (00:05) anonland
anon ftpd23050 Tue Oct 10 11:47 - 11:52 (00:05) anonland
amantis pts/1 Tue Oct 10 06:51 - 06:57 (00:05) 86.126.25.217
amantis pts/0 Tue Oct 10 01:02 - 06:57 (05:54) 86.126.25.217
amantis pts/0 Mon Oct 9 03:28 - 08:35 (05:07) 86.126.25.217
amantis pts/0 Sun Oct 8 09:53 - 11:31 (01:38) 86.126.25.217
amantis pts/0 Sun Oct 8 05:29 - 05:31 (00:02) 86.126.25.217
amantis pts/1 Sun Oct 8 05:04 - 05:29 (00:24) 86.126.25.217
amantis pts/0 Sun Oct 8 03:27 - 05:05 (01:38) 86.126.25.217
amantis pts/0 Sat Oct 7 06:04 - 13:14 (07:09) 86.126.25.217
anon ftpd26087 Fri Oct 6 20:46 - 20:46 (00:00) anonland
anon ftpd26088 Fri Oct 6 20:46 - 20:46 (00:00) anonland
"Amantis" was a former Administrator on this forum (and she holds no grudges). The IP address is banned by SORBS, and does not match any of her IP addresses on our forum IP checking facility. We are deleting the account (if not done so already).

Are there any commands to block that IP address? Or perhaps any other suggested commands?
