LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-20-2006, 09:20 AM   #1
hazmatt20
Member
 
Registered: Jan 2006
Distribution: FC5, Ubuntu
Posts: 126

Rep: Reputation: 15
Port Scanning and ssh2 brute force attempts Fedora Core 4


My internet connection keeps getting shut off by my school ISP because of port scanning. Here are some of the emails I've received.

This is the most common and generic one, edited for size.

Problem Details:

Your system is mass-scanning Georgia Tech computer resources. This
could be a result of your system being compromised or the result of a
CNUSP policy violation (at minimum, the "port scanning" phrase is being
violated by your traffic).

Harmful activities

Harmful activities are prohibited. Examples include IP spoofing;
creating and propagating viruses; port scanning; disrupting services;
damaging files; or intentional destruction of or damage to equipment,
software, or data.

Please note that file sharing software such as Share Scan will create
traffic like this. Please cease using Share Scan and similar
software on Georgia Tech networks immediately.

If you are not aware of software that would cause this, most likely your
system is compromised.

Please take these steps outlined below.

1)
If you use Windows XP, disable system restore.
(right-click on My Computer, click Properties, select System Restore and
Disable System Restore)

2)
Download and run/install the following:

Stinger - deletes common popular viruses
http://vil.nai.com/vil/stinger/

Virus Scan - more thorough cleaning and will help protect your
system
RealSecure - desktop firewall

Microsoft Windows Update - download critical security updates; this
helps prevent future infections and hack attempts
http://windowsupdate.microsoft.com


3)
Finally, please be sure to employ strong passwords. Many newer viruses
can crack weak passwords. It is best to use at least 8 characters, and
use upper and lower case, numbers, and special characters (such as
!@#$%^&*()+).

4) If you use Windows XP, reenable system restore.
(see above; do the opposite)

It is recommended you also download Ad-Aware or Spybot Search and Destroy
and run them periodically to remove the spyware that often can get on a
system, especially when using Internet Explorer.

First violation of this policy results in your account being placed in
Limbo; after following the steps outlined above, you should be able to Scan-Out
via https://start.gatech.edu. When scanning out of Limbo you are
confirming that you have followed all the steps above.

Second violation of this policy results in your Internet access being
temporarily disabled. You will be required to bring your CPU or laptop
to the ResNet Office or EastNet HTA and have them confirm the steps
above and run additional software if required.

Subsequent violations of this policy will result in your Internet
access being disabled. At this point a mandatory format and rebuild of
your operating system by the ResNet Office or HTA will be required. You will be responsible for bringing your CPU, OPERATING SYSTEM DISKS AND ACTIVATION NUMBER; Georgia Tech cannot provide Windows operating system software. However, a free
Linux distribution is available at...

Thank you for your understanding,


This one came today.

Jan 19 21:44:16 aaron sshd[2824]: Failed password for root from ::ffff:128.XX.XX.XX port 45175 ssh2
Jan 19 21:44:16 aaron sshd[2825]: Failed password for root from ::ffff:128.XX.XX.XX port 43348 ssh2
Jan 19 21:44:19 aaron sshd[2829]: Failed password for invalid user fluffy from ::ffff:128.XX.XX.XX port 43593 ssh2
Jan 19 21:44:19 aaron sshd[2828]: Failed password for invalid user fluffy from ::ffff:128.XX.XX.XX port 45421 ssh2
Jan 19 21:44:22 aaron sshd[2832]: Failed password for invalid user admin from ::ffff:128.XX.XX.XX port 43828 ssh2

etc.


I have the Linux firewall enabled with a few protocols allowed through (mail, ftp, etc.). I also run the very secure ftp daemon (vsftpd), and as I could not get it to run under SELinux, SELinux is disabled. I ran chkrootkit without finding anything. What can I do?
 
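The sshd lines in the post above are the classic shape of an ssh brute-force trace: one source, several usernames (root first, then guesses like fluffy and admin), multiple attempts per second. The script below is an added example for spotting that pattern in an auth log; it is not part of hazmatt20's post or of any tool mentioned in the thread. The log lines inside it are constructed to match the posted format, with the documentation addresses 192.0.2.10 and 198.51.100.7 standing in for the redacted 128.XX.XX.XX, and the hostname "aaron" and the threshold are arbitrary.

```shell
#!/bin/sh
# Added example: count sshd "Failed password" attempts per source address
# in syslog-style auth log lines and report sources over a threshold.

# Constructed sample log in the format the poster's sshd writes.
# 192.0.2.10 and 198.51.100.7 are placeholder (documentation) addresses.
sample_auth_log() {
    cat <<'EOF'
Jan 19 21:44:16 aaron sshd[2824]: Failed password for root from ::ffff:192.0.2.10 port 45175 ssh2
Jan 19 21:44:16 aaron sshd[2825]: Failed password for root from ::ffff:192.0.2.10 port 43348 ssh2
Jan 19 21:44:19 aaron sshd[2829]: Failed password for invalid user fluffy from ::ffff:192.0.2.10 port 43593 ssh2
Jan 19 21:44:19 aaron sshd[2828]: Failed password for invalid user fluffy from ::ffff:192.0.2.10 port 45421 ssh2
Jan 19 21:44:22 aaron sshd[2832]: Failed password for invalid user admin from ::ffff:192.0.2.10 port 43828 ssh2
Jan 19 21:50:01 aaron sshd[2901]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Jan 19 21:50:30 aaron sshd[2905]: Accepted password for alice from 198.51.100.7 port 51023 ssh2
EOF
}

# Read auth log lines on stdin; print "<source> <failures> <distinct users>"
# for every source with at least $1 failed password attempts (default 5).
# The IPv4-mapped prefix ::ffff: that this sshd logs is stripped so the
# same host is counted once whether it shows up mapped or plain.
ssh_brute_sources() {
    threshold="${1:-5}"
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address follows "from"; the user name precedes it
            for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i + 1); user = $(i - 1) }
            sub(/^::ffff:/, "", src)
            fails[src]++
            if (!((src, user) in seen)) { seen[src, user] = 1; users[src]++ }
        }
        END {
            for (s in fails) if (fails[s] >= min) print s, fails[s], users[s]
        }'
}

# Stand-alone demo: report sources with 3 or more failures in the sample.
# On a real box: ssh_brute_sources 10 < /var/log/secure
sample_auth_log | ssh_brute_sources 3
```

A single source trying many distinct usernames is the brute-force signature; a single user failing a few times from one address is usually a typo. Run it over the real log (on Fedora of that era, /var/log/secure) and compare the reported addresses with the one the ISP named; that answers Matir's later question of whether the flagged IP was really this machine.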
Old 01-20-2006, 09:47 AM   #2
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 3,018

Rep: Reputation: 400
I am by no means a security expert, but I recall many reports of brute force attempts to crack passwords on ssh:

http://www.whitedust.net/article/27/...rce%20Attacks/

If you google, you will find many more articles on this phenomenon, which seems to have started in the spring/summer of 2005.

Now the issue is why the scans are coming from your system. If you have ssh running, you may have been compromised and the scans may be running from your system by a remote attacker via ssh. Try shutting down ssh and see if the scans stop. You could also try changing your password to a strong password.
The alternative explanation is IP spoofing, but the school network, if properly configured, should stop that, and the scans would continue even after you are off the network when your account is disabled. You may have been rooted as well, in which case back up your personal data, format and reinstall.
 
Old 01-20-2006, 11:18 AM   #3
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
You can also try running ethereal to see what your computer is doing traffic-wise. Look for suspicious processes, new users, etc. Try using netstat to see what processes have (lots of) ports open. Use firewall rules to filter outbound traffic as well as inbound.

Do you update regularly? Also, what distro are you running?

(On another note, I go to GSU, so hello to another Atlantan)
 
Old 01-31-2006, 06:19 PM   #4
hazmatt20
Member
 
Registered: Jan 2006
Distribution: FC5, Ubuntu
Posts: 126

Original Poster
Rep: Reputation: 15
I run Fedora Core 4, and my system is completely up to date after being reformatted and reinstalled just last week. Also, I do configure outbound traffic.
 
Old 01-31-2006, 06:29 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Now that you've rebuilt the system, I'd also recommend shutting off any unnecessary services, making sure that none of your passwords have been re-used, installing a file-integrity scanner like tripwire/aide, and disallowing root logins over ssh.

Take a look at the Security references thread for more general hardening checklists as well.
 
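Capt_Caveman's last point, disallowing root logins over ssh, is a one-line change in sshd_config, but on a stock install the relevant directives are commented out and the compiled-in defaults apply, which is exactly the state the posted log shows being hammered. The following is an added example and not from the thread: a constructed weak config next to a hardened one, plus a small audit that reads a config the way sshd does (comment lines ignored, the first value of a directive wins, nothing below a Match line counted) and reports whether root-by-password is still reachable. It assumes the OpenSSH 3.x/4.x defaults for absent directives (PermitRootLogin yes, PasswordAuthentication yes) and uses "alice" as a placeholder account.

```shell
#!/bin/sh
# Added example: weak vs hardened sshd_config, and an audit of the two
# settings that let the posted brute force try "root" with passwords.

# Constructed "before": every directive commented out, so sshd's built-in
# defaults apply (root login and password authentication both allowed).
weak_sshd_config() {
    cat <<'EOF'
#PermitRootLogin yes
#PasswordAuthentication yes
#MaxAuthTries 6
Protocol 2
EOF
}

# Constructed "after": no root over ssh at all, keys only, and only named
# accounts may log in. "alice" is a placeholder user name.
hardened_sshd_config() {
    cat <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers alice
EOF
}

# effective_value <directive> [default]: print the value sshd would use for
# a directive in the config read from stdin, or the default when absent.
effective_value() {
    key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    awk -v key="$key" -v def="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines
        tolower($1) == "match" { exit }        # below a Match line is conditional; stop
        tolower($1) == key && !found {         # sshd keeps the FIRST value it reads
            found = 1
            sub(/^[^[:space:]]+[[:space:]]+/, "")
            print
        }
        END { if (!found) print def }'
}

# audit_sshd_config: read a config on stdin; print one WEAK line per problem
# and return 1, or print "ok" and return 0. Assumed defaults: yes/yes.
audit_sshd_config() {
    cfg="$(cat)"
    weak=0
    root="$(printf '%s\n' "$cfg" | effective_value PermitRootLogin yes)"
    pass="$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication yes)"
    case "$root" in
        no) ;;
        *) echo "WEAK: PermitRootLogin is '$root' (brute forcers try root first)"; weak=1 ;;
    esac
    case "$pass" in
        no) ;;
        *) echo "WEAK: PasswordAuthentication is '$pass' (guessing still possible)"; weak=1 ;;
    esac
    [ "$weak" -eq 0 ] && echo ok
    return "$weak"
}

# Stand-alone demo on the two constructed configs.
# On a real box: audit_sshd_config < /etc/ssh/sshd_config
echo "weak config:";     weak_sshd_config | audit_sshd_config
echo "hardened config:"; hardened_sshd_config | audit_sshd_config
```

The first-value-wins rule is the usual trap: appending "PermitRootLogin no" to the bottom of a file that already has an active "PermitRootLogin yes" higher up changes nothing. Put the hardened directives near the top, run `sshd -t` to syntax-check, and keep an existing session open while restarting sshd so a mistake in AllowUsers does not lock you out.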
Old 01-31-2006, 08:42 PM   #6
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
I'm glad you got it taken care of. If you keep firewall and updates up, you should be just fine.
 
Old 02-01-2006, 12:07 AM   #7
hazmatt20
Member
 
Registered: Jan 2006
Distribution: FC5, Ubuntu
Posts: 126

Original Poster
Rep: Reputation: 15
I'm sorry if I made it sound otherwise, but it isn't taken care of. I meant that this happened even after being up to date and with firewall enabled. Apparently, my computer is sending out brute force attacks to Ohio State University.
 
Old 02-01-2006, 06:47 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Did you re-use any of the same account names/passwords? What type of passwords are you using (words in dictionary, alphanumeric, etc)?

Also verify that these attacks actually are coming from your system. Fire up tcpdump or ethereal and see if you can see the outbound ssh traffic. If you can see it, run netstat -pant and find the PID# of the sshbrute process. From there, look it up in /proc/<PID>/cmdline which should show you the path to the binary.

If you've been compromised again, then you'll need to rebuild again. I'd recommend downloading the necessary patches/updates on a separate system and burning them to CD. Then when you re-install, do so without any network connection and update the system using the CD before putting it online.
 
Old 02-01-2006, 10:19 AM   #9
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Also, use netstat to see if there are any suspicious incoming connections to your computer. Being the college environment it is (especially Georgia Tech) I would not be too surprised if your attacker was on-campus, or at least being routed through another computer on campus.

But using ethereal or something similar to look at your own outbound traffic is a good start. Netstat with the -p option will show you what process is performing these attacks.

I assume you have double checked the IP in question to make sure that it really was the one your computer is/was using?

You may also want to consult with the LUG@GT. They might be able to come take a look at the machine itself, if you wanted. I'll be up there for their Installfest Sunday, if my schedule permits.
 
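Capt_Caveman (#8) and Matir (#9) describe the same procedure: confirm that outbound ssh traffic is really leaving this box, use netstat -p to find the owning process, then read /proc/<PID> to see what binary is behind it. The script below is an added example of that procedure and is not code from either poster. It parses `netstat -pant` output (the sample inside is constructed in netstat's column layout; 192.0.2.50 plays the local host, 203.0.113.x the scanned targets, and the program names "scan" and "psybnc" are invented) and resolves a PID through /proc. It assumes netstat was run as root, since otherwise the PID/Program column shows "-", and a Linux /proc.

```shell
#!/bin/sh
# Added example: find which local process holds connections TO port 22 on
# other hosts (the brute forcer), then look it up in /proc.

# Constructed sample of `netstat -pant` run as root. Addresses are
# documentation ranges; the program names are invented for the example.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2031/sshd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2055/vsftpd
tcp        0      1 192.0.2.50:43593        203.0.113.17:22         SYN_SENT    4471/ssh
tcp        0      0 192.0.2.50:45421        203.0.113.18:22         ESTABLISHED 4471/ssh
tcp        0      0 192.0.2.50:45422        203.0.113.19:22         ESTABLISHED 4470/.x/scan
tcp        0      0 192.0.2.50:22           198.51.100.7:51023      ESTABLISHED 2905/sshd: alice
tcp        0      0 192.0.2.50:51234        203.0.113.40:6667       ESTABLISHED 4480/psybnc
EOF
}

# Read netstat -pant output on stdin; print "pid program connections" for
# each process with a TCP connection whose REMOTE port is 22. Inbound
# sessions to our own sshd have local port 22 and are skipped; LISTEN
# sockets have no peer. Without root the column is "-" and pid becomes "?".
outbound_ssh_owners() {
    awk '
        $1 ~ /^tcp/ && $6 != "LISTEN" && $5 ~ /:22$/ && $4 !~ /:22$/ {
            slash = index($7, "/")
            if (slash == 0) { pid = "?"; prog = $7 }
            else { pid = substr($7, 1, slash - 1); prog = substr($7, slash + 1) }
            n[pid]++; name[pid] = prog
        }
        END { for (p in n) print p, name[p], n[p] }' | sort -n
}

# For a PID, show what netstat cannot: the full command line, the binary
# behind it, and its working directory. A binary deleted after exec shows
# as "(deleted)"; a path under /tmp, /dev/shm or a dot-directory is a red flag.
describe_pid() {
    pid="$1"
    if [ ! -d "/proc/$pid" ]; then
        echo "$pid: no /proc entry (process gone, or not Linux)"
        return 1
    fi
    printf '%s: cmdline=' "$pid"; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    printf '%s: exe='     "$pid"; readlink "/proc/$pid/exe" || echo '(unreadable)'
    printf '%s: cwd='     "$pid"; readlink "/proc/$pid/cwd" || echo '(unreadable)'
}

# Stand-alone demo: the constructed sample, then this shell's own PID.
# On a real box: netstat -pant | outbound_ssh_owners; describe_pid <pid>
sample_netstat | outbound_ssh_owners
describe_pid "$$"
```

To confirm the traffic on the wire first, as both posts suggest, a live capture of only outbound connection attempts to port 22 is `tcpdump -ni eth0 'dst port 22 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`; if that shows a SYN per second to a new address each time, the box is the source regardless of what the ISP's report says. Note in the sample that the legitimate inbound session (local port 22, "sshd: alice") and the IRC bouncer on 6667 are correctly left out; the bouncer is found with the same parser by changing the port.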
Old 02-01-2006, 11:41 PM   #10
hazmatt20
Member
 
Registered: Jan 2006
Distribution: FC5, Ubuntu
Posts: 126

Original Poster
Rep: Reputation: 15
Is there an installfest on Sunday? It's not listed on their website. If there is, what time is it? I will definitely try to be there (although, if it's in Skiles again, I am not carrying my box up that stinkin' hill. I'll call someone and get a ride).
 
Old 02-02-2006, 08:23 AM   #11
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
From their e-mail list (which I am subbed to):
Code:
InstallFest 30: Sunday, February 5th, 2006
                Skiles Building, Room 257 from 10:00am to 6:00pm
                http://lugatgt.org/
They do like skiles, don't they?
 
Old 02-02-2006, 03:41 PM   #12
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
Quote:
Originally Posted by hazmatt20
(at minimum, the "port scanning" phrase is being
violated by your traffic).
Maybe someone is using some kind of nmap tool to scan networks and using your IP/router as a decoy. I would check the router settings to see if there is a firewall on there and maybe drop all incoming traffic.
(Maybe there are some strange entries in your router's log as well.)
 
Old 02-05-2006, 09:09 PM   #13
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Without revealing too much (I'll leave that at hazmatt's discretion), I met him today at the LUG@GT Installfest and we were able to determine the source of the compromise (just ssh brute force). A similar ssh brute forcer, psybnc, and an eggdrop were all installed on his system. It does not appear that root was gained, but this was quite enough. We worked to rebuild his system in a much more secure manner today and I believe it is unlikely a problem will recur.

Hazmatt: When you see this (which I hope you will soon) IM me or send me an email. Check my profile for details.

Last edited by Matir; 02-05-2006 at 09:10 PM.
 