On Sat, 24.07.2004 at 15:46, Scot L. Harris wrote:

> > Edwin> The last two days I got bugged by someone from Korea and
> > Edwin> someone from Japan. This is what I find in my LogWatch:
> > Edwin> --------------------- SSHD Begin ------------------------
> >
> > Edwin> Failed logins from these: guest/password from
> > Edwin> ::ffff:211.119.136.170: 1 Time(s) test/password from
> > Edwin> ::ffff:211.119.136.170: 1 Time(s)
> >
> > Edwin> Illegal users from these: guest/none from
> > Edwin> ::ffff:211.119.136.170: 1 Time(s) guest/password from
> > Edwin> ::ffff:211.119.136.170: 1 Time(s) test/none from
> > Edwin> ::ffff:211.119.136.170: 1 Time(s) test/password from
> > Edwin> ::ffff:211.119.136.170: 1 Time(s)
> >
> > Edwin> Is this a known hack attempt by some sort of program?
> > Edwin> Because for both tries the same usernames have been tried:
> > Edwin> guest and test
>
> Are you using DSL or a cable modem? If so you really should invest in a
> cheap hardware router. It is amazing how much that will protect you.
>
> You may want to block that IP address in iptables just to be on the safe
> side.
>
> Most likely a script kiddie running some software they found.
>
> Scot L. Harris

Certainly some script kids are active. I have now investigated a couple of machines from where these attempts reached me or friends' hosts. This is what I can conclude:

1) The machines from where these attempts come are already hacked: they have a rootkit running which runs an SSHD version 1.2.25 on a high port. Most often there is a telnet daemon running too.

2) Most of the hacking machines have an old and vulnerable SSHD running.

3) They also have an old and vulnerable kernel running.

4) Many of the machines are older Redhat releases; I saw a lot of RH8.

5) The script connecting on SSH with users test and guest is checking the SSH version and how the SSH reacts besides the plain version reply. This way it can find out whether the host is a good target for the second step.

6) I was on one hacking host because the rootkit on it - Fuck'it Rootkit - had the default password (rootme), and I tried to find out more details about what the kids do. I found scripts doing the SSH connection tests and also a list of target IPs the script automatically sends to a Romanian email address. The admins of the host were absolutely clueless - astonishingly it was a central host of a Pakistani internet provider, holding radius data, data about customers and their usage of the services they offer. The host was a default Redhat 8 host without any update package installed! Unfortunately all my mail to administrative addresses I found out by whois data came back, so I had to inform them by modifying the /etc/motd and kicking the real root some time, so they had a chance to read the motd information. In all it took more than 24 hours until they finally closed the bad hole. Though I am not sure they really changed anything on the host, so that in future any further hack over the vulnerable SSHD can take place.

Finally: firewalling is certainly a very good thing - but most important is to keep the system as much up to date as is possible!

Alexander

--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.7-1.494.2.2smp
Serendipity 14:23:38 up 2 days, 7:51, load average: 0.51, 0.35, 0.20
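The thread above describes two defensive steps: spotting the guest/test probing pattern in the sshd log and blocking the source in iptables. Below is an added example of that detection logic, not code from the thread or from LogWatch: it parses sshd "Failed password" lines in the 2004-era OpenSSH format (the "illegal user" wording, with IPv4-mapped ::ffff: addresses as in Edwin's report), groups failures by source, flags sources that tried the full guest/test probe set, and emits the corresponding iptables DROP rules as strings for an administrator to review. The log lines, addresses (TEST-NET ranges) and the probe user set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the original thread).
# Source addresses use TEST-NET documentation ranges; the ::ffff: prefix
# mirrors how a dual-stack sshd of that era logged IPv4 peers.
SAMPLE_LOG = """\
Jul 24 03:12:01 host sshd[4711]: Illegal user guest from ::ffff:192.0.2.10
Jul 24 03:12:01 host sshd[4711]: Failed password for illegal user guest from ::ffff:192.0.2.10 port 51234 ssh2
Jul 24 03:12:03 host sshd[4712]: Illegal user test from ::ffff:192.0.2.10
Jul 24 03:12:03 host sshd[4712]: Failed password for illegal user test from ::ffff:192.0.2.10 port 51240 ssh2
Jul 24 09:40:17 host sshd[4820]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jul 24 09:40:25 host sshd[4820]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
"""

# Usernames the thread identifies as the probe script's fingerprint (assumption:
# a source counts as a probe only when it tried all of them).
PROBE_USERS = frozenset({"guest", "test"})

# Matches both the old "illegal user" and the later "invalid user" wording, as
# well as failures for accounts that do exist (no "... user" prefix at all).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def normalize_ip(addr: str) -> str:
    """Strip the IPv4-mapped IPv6 prefix so ::ffff:a.b.c.d and a.b.c.d match."""
    prefix = "::ffff:"
    return addr[len(prefix):] if addr.startswith(prefix) else addr


def parse_failures(log_text: str) -> dict:
    """Return {source_ip: [usernames tried, in log order]} for failed logins."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[normalize_ip(m.group("ip"))].append(m.group("user"))
    return dict(failures)


def flag_probe_sources(failures: dict, probe_users=PROBE_USERS) -> dict:
    """Keep only sources whose tried usernames cover the whole probe set."""
    flagged = {}
    for ip, users in failures.items():
        if probe_users <= set(users):
            flagged[ip] = sorted(set(users))
    return flagged


def iptables_rules(flagged: dict, port: int = 22) -> list:
    """Render one DROP rule per flagged source, to be reviewed before applying."""
    return [
        f"iptables -A INPUT -s {ip} -p tcp --dport {port} -j DROP"
        for ip in sorted(flagged)
    ]


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    probes = flag_probe_sources(found)
    for ip, users in probes.items():
        print(f"{ip}: probe usernames tried {users}")
    for rule in iptables_rules(probes):
        print(rule)
```

The script only prints the rules; the single real failure from 198.51.100.7 (a valid account, no probe usernames) is left alone, which is the distinction a crude "block every failed login" approach would miss.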