Last night I found that someone had managed to screw up my server's sshd service. Even when I stopped playing online games, the ADSL modem activity lights were flashing furiously. After 'service network stop' to immediately end any intrusion, I found the problem in my logs:
Code:
Feb 13 22:39:22 server sshd[5377]: Invalid user alina from 66.221.222.19
Feb 13 22:39:27 server sshd[5377]: reverse mapping checking getaddrinfo for basicbible101.propagation.net failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 22:39:27 server sshd[5377]: error: Could not get shadow information for NOUSER
Feb 13 22:39:27 server sshd[5377]: Failed password for invalid user alina from 66.221.222.19 port 48544 ssh2
Feb 13 22:41:21 server sshd[5377]: fatal: Timeout before authentication for 66.221.222.19
Feb 13 22:44:44 server sshd[30631]: Received signal 15; terminating.
However, sshd did not terminate - it was still open (kill still took it down), as was my remote login. w and who didn't show anyone new logged in, ps aux showed no anomalous processes, rkhunter found nothing, and netstat -pantu showed no strange outbound connection. It also appeared to be spawning new processes at a high rate.
Anyone know what this is about? Secunia has nothing up about openssh-4.3p1 or openssl-0.9.7i vulnerabilities.
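A defender-side check for the pattern in those log lines, added here as an example and not part of the original post: it parses the quoted sshd messages (plus a few constructed lines, including a login from the documentation address 192.0.2.10) and flags source addresses with repeated failures, reverse-DNS mismatches, or a success following failures, which is the kind of signal a log monitor or a fail2ban-style rule acts on.

```python
import re
from collections import defaultdict
# Regexes for the OpenSSH syslog lines quoted in the post, plus the Accepted line so a success after failures stands out.
INVALID_USER = re.compile(r"sshd\[(\d+)\]: Invalid user (\S+) from (\S+)")
FAILED_PW = re.compile(r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[(\d+)\]: Accepted \S+ for (\S+) from (\S+) port")
REVERSE_FAIL = re.compile(r"sshd\[(\d+)\]: reverse mapping checking getaddrinfo for \S+ failed")

def summarize(lines):
    """Per source IP: failed passwords, usernames tried, reverse-DNS failures, accepted logins."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "rdns_fail": 0, "accepted": []})
    pid_to_ip = {}  # the reverse-mapping line names a host, not an IP; tie it to its sshd PID
    for line in lines:
        if m := INVALID_USER.search(line):
            pid, user, ip = m.groups()
            stats[ip]["users"].add(user)
        elif m := FAILED_PW.search(line):
            pid, user, ip = m.groups()
            stats[ip]["failed"] += 1
            stats[ip]["users"].add(user)
        elif m := ACCEPTED.search(line):
            pid, user, ip = m.groups()
            stats[ip]["accepted"].append(user)
        else:  # reverse-mapping failure (attributed via PID) or an unrelated line
            if (m := REVERSE_FAIL.search(line)) and m.group(1) in pid_to_ip:
                stats[pid_to_ip[m.group(1)]]["rdns_fail"] += 1
            continue
        pid_to_ip[pid] = ip
    return stats

def suspicious_sources(lines, max_failures=3):
    """IPs with too many failures, or a success right after failures (a guess that worked)."""
    flagged = {}
    for ip, s in summarize(lines).items():
        if s["failed"] >= max_failures or (s["accepted"] and s["failed"]):
            flagged[ip] = {"failed": s["failed"], "users": sorted(s["users"]),
                           "rdns_fail": s["rdns_fail"], "accepted": list(s["accepted"])}
    return flagged

# Constructed sample: the post's own lines plus made-up ones (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "Feb 13 22:39:22 server sshd[5377]: Invalid user alina from 66.221.222.19",
    "Feb 13 22:39:27 server sshd[5377]: reverse mapping checking getaddrinfo for basicbible101.propagation.net failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Feb 13 22:39:27 server sshd[5377]: error: Could not get shadow information for NOUSER",
    "Feb 13 22:39:27 server sshd[5377]: Failed password for invalid user alina from 66.221.222.19 port 48544 ssh2",
    "Feb 13 22:39:33 server sshd[5380]: Failed password for invalid user test from 66.221.222.19 port 48551 ssh2",
    "Feb 13 22:39:40 server sshd[5383]: Failed password for root from 66.221.222.19 port 48560 ssh2",
    "Feb 13 22:40:02 server sshd[5390]: Failed password for bob from 192.0.2.10 port 51000 ssh2",
    "Feb 13 22:40:09 server sshd[5391]: Accepted password for bob from 192.0.2.10 port 51002 ssh2",
]
```

Run `suspicious_sources(SAMPLE_LOG)` to get the two flagged addresses; on a real host feed it the lines of /var/log/auth.log or /var/log/secure instead of the sample.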