Jan 27, 2012
ssh attack from 1.214.194.114
Port 22 on the local network here was forwarded earlier this week, and just yesterday the IP was linked to foran.mooo.com via http://freedns.afraid.org/ (which I came to through the dd-wrt DDNS dropdown options).
Tonight, a virtual terminal got spammed with some message I wish I’d thought to copy. It involved the words ssh and root.
I stopped the ssh daemon, killed all sshd processes, grepped auth.log for 'Accepted password', and checked /root/.bash_history (though any commands would likely have been sent without opening an interactive shell).
I’ve been rooted!
The earliest entry was at 8am this morning. The last after 7pm.
grep -i 'accepted password' /var/log/auth.log* | perl -lne 'print "$2\t$1" if m/for (\w+) from ([0-9.]+)/' | sort | uniq -c | sort -nr
2 1.214.194.114 root *
1 94.127.67.61 root *
1 221.239.81.4 root +
1 221.207.229.6 root +
1 218.240.44.249 root *
1 217.148.218.74 root +
* have many attempts
+ only one connection, know correct root password
Russia, South Korea, and China represented.
I checked /etc/passwd, /etc/rc.* and ls -tlc {,/usr/}{/bin/,/sbin/}. All seem okay.
ps axo cmd,user appears normal. ~/.ssh/authorized_keys are all trusted.
nmap localhost is as expected. There are no new jobs in crontab.
It looks like the harm is only that a few people know I forgot to change my weak root password when I opened up the box.
I fixed that.
I disabled root login and only allow access via public key, in /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
In the most recent attack there were over 3000 attempts using more than twelve hundred user names. Some were probed more than others: after root, test and oracle were the accounts thought most likely to exist, and they received the most attention.
# print every user name tried from the IP given as $1
function searchIP() {
perl -lne "print \$2 if m/(user|for) (\w+) from $1 /" /var/log/auth.log*
}
searchIP 1.214.194.114 | wc -l
3429
searchIP 1.214.194.114 | sort -u | wc -l
1269
searchIP 1.214.194.114 | sort | uniq -c | sort -nr | tee >(head -n5 1>&2) | tail -n3
1087 root
45 test
28 oracle
23 tester
22 info
22 guest
1 gaby
1 gabriell
1
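Added example (not the post's own code): a small Python triage script that does what the grep/perl one-liners above do, run over constructed auth.log lines. It counts failures and successes per source IP and the distinct user names tried, then labels each IP that got in with the post's legend: `*` for an IP that brute-forced its way in, `+` for one that logged in with no failures at all, which is the signal that the password was already known rather than guessed.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not from the original post): the source
# IPs are the ones named in the post; timestamps, pids and ports are made up.
SAMPLE_AUTH_LOG = """\
Jan 27 08:02:11 box sshd[1201]: Failed password for root from 1.214.194.114 port 41022 ssh2
Jan 27 08:02:13 box sshd[1203]: Failed password for invalid user test from 1.214.194.114 port 41031 ssh2
Jan 27 08:02:15 box sshd[1205]: Failed password for invalid user oracle from 1.214.194.114 port 41040 ssh2
Jan 27 08:02:19 box sshd[1209]: Accepted password for root from 1.214.194.114 port 41055 ssh2
Jan 27 13:45:02 box sshd[2310]: Accepted password for root from 221.239.81.4 port 55010 ssh2
Jan 27 19:10:44 box sshd[3002]: Failed password for invalid user admin from 94.127.67.61 port 60001 ssh2
Jan 27 19:10:47 box sshd[3004]: Accepted password for root from 94.127.67.61 port 60009 ssh2
"""

# Matches both the "for root from" and the "for invalid user test from" forms.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def summarize(log_text):
    """Per source IP: failed and accepted counts plus the set of user names tried."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        entry["users"].add(m["user"])
        entry["failed" if m["result"] == "Failed" else "accepted"] += 1
    return dict(stats)


def classify(stats):
    """Label each IP that got in: '*' had failures first (brute force),
    '+' had none, i.e. it arrived already knowing the password."""
    return {ip: ("*" if s["failed"] else "+")
            for ip, s in stats.items() if s["accepted"]}


if __name__ == "__main__":
    stats = summarize(SAMPLE_AUTH_LOG)
    for ip, label in classify(stats).items():
        s = stats[ip]
        print(f"{s['accepted']} {ip} {label}  ({s['failed']} failures, "
              f"{len(s['users'])} user names tried)")
```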
Earlier attacks applied less force, but were equally successful.
searchIP 218.240.44.249 |sort |uniq -c|sort -nr
316 root
1 router
searchIP 94.127.67.61 |wc -l
713
searchIP 94.127.67.61 |sort |uniq -c |sort -nr | tee >(head -n5 1>&2) | tail -n3
394 oracle
206 root
140 admin
56 asterisk
1 string
1 ftp
1 dbus
Picking on 1.214.194.114
nmap -A -T4 1.214.194.114
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.5
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 5f:03:2f:d1:a0:74:be:e9:94:9a:fc:f1:88:66:a9:7a (DSA)
|_2048 22:75:08:79:7b:e2:4f:19:15:0a:39:12:7c:78:af:b4 (RSA)
80/tcp open http Apache httpd 2.2.3 ((CentOS))
|_http-title: UBI\xEB\x84\xA4\xED\x8A\xB8\xEC\x9B\x8C\xED\x81\xAC
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-favicon:
111/tcp open rpcbind 2 (rpc #100000)
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1700/tcp filtered mps-raft
1720/tcp filtered H.323/Q.931
Service Info: OS: Unix
The host's HTTP site is in Korean.
I thought the IP was a clone of ubipc set up for phishing, but:
ping www.ubipc.co.kr
PING www.ubipc.co.kr (1.214.194.114) 56(84) bytes of data.
It appears the attack came from the registered domain.
Domain Name : ubipc.co.kr
Registrant : UBInetwork
Administrative Contact(AC) : UBInetwork
AC E-Mail : kaf551@naver.com
Registered Date : 2011. 12. 27.
Last updated Date : 2011. 12. 27.
Expiration Date : 2013. 12. 27.
Publishes : N
Authorized Agency : Whois Corp.(http://whois.co.kr)
I sent an email to the AC.
Dec 25, 2010
Paul Baribeau - Christmas Lights
Christmas Lights by Paul Baribeau
christmas lights.mp3 (2444 KB)
fresh snow on the suburbs
staying at my parents
it hasn’t been a good year
but things are all right here
sleeping in the spare room
that used to be my bedroom
even though I’m home now
I feel completely homeless
I’m looking at the moon
shining on the snow
and everything was blue
except the Christmas lights
walking round the basement
where my band used to practice
sometimes I don’t want to make new friends
sometimes I just miss my old friends
but I’m seeing someone new now
she calms my heart down
but I’m too scared to tell her
how crazy I can get sometimes
I’m looking at the moon
shining on the snow
and everything was blue
except the Christmas lights
I never feel better after I cry
I spent 6 months of my life just wanting to die
I’m learning how to be alone without being lonely
learning how to be lonely without losing my mind
I’m looking at the moon
shining on the snow
and everything was blue
except the Christmas lights
Dec 3, 2010
The amazing hereditary inheritance
My uncle(s) are awesome!
On the refrigerator white board:
To whom it may concern, I would like to know why there's a decomposed rodent on top of the porch.
Love,
Addison
The management of this house is under no obligation to explain its actions to its tenants.
Sincerely,
The Management