I just got a notice from LogWatch with the dire warning "POSSIBLE BREAKIN ATTEMPT!". Quite a lot of them, too. I'm already disabling the root login and have /etc/hosts.allow turning away 'unknown' addresses. (This version uses that, right? It's unmodified...)
The typical entry looks like this:

Oct 13 06:33:14 fahrlander sshd[13361]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
Oct 13 06:33:14 fahrlander sshd[13361]: Did not receive identification string from 67.19.122.170
Oct 13 06:53:08 fahrlander sshd[13468]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
Oct 13 06:53:09 fahrlander sshd[13468]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:09 fahrlander sshd[13468]: User nobody not allowed because not listed in AllowUsers
Oct 13 06:53:09 fahrlander sshd[13469]: input_userauth_request: illegal user nobody
And this site hit me 40-50 times trying various usernames, including 'root' quite a lot. Other names such as patrick, nobody, wwwrun, www, cyrus, horde, iceuser, rolo...it doesn't look like anything that, say, Cisco would use on their factory defaults. They also don't look like a set of names _I_ would use, so they probably don't know _me_. Times range from 0633-0654...
Some questions:
- Anyone else getting this?
Oh, yes; lots of them.
- Wouldn't these connections just get dumped because their forward and reverse addresses don't match?
- Does anyone recognize these usernames?
They appear to be scripted attacks from compromised linux machines:
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-10-14 14:12 CDT
Interesting ports on 170.67-19-122.reverse.theplanet.com (67.19.122.170):
(The 1632 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
53/tcp   filtered domain
80/tcp   open     http
106/tcp  open     pop3pw
110/tcp  open     pop3
111/tcp  open     rpcbind
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
465/tcp  open     smtps
993/tcp  open     imaps
995/tcp  open     pop3s
1027/tcp open     IIS
1040/tcp open     netsaint
1080/tcp filtered socks
1434/tcp filtered ms-sql-m
2005/tcp open     deslogin
2121/tcp open     ccproxy-ftp
3128/tcp filtered squid-http
3306/tcp open     mysql
6969/tcp filtered acmsoda
8009/tcp open     ajp13
8080/tcp open     http-proxy
8443/tcp open     https-alt
9999/tcp open     abyss
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.6 - 2.4.21
Uptime 15.359 days (since Wed Sep 29 05:34:57 2004)
Nmap run completed -- 1 IP address (1 host up) scanned in 13.940 seconds
Like I said, I've seen plenty of similar attempts from many different IP addresses and geographic locations. The similarities between the attacks (same sequence of user names) lead me to believe that they are scripted attacks rather than somebody sitting at the console directing the attack.
I've taken to forwarding the logs from such attacks to the service provider, in this case:
OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    1333 North Stemmons Freeway
Address:    Suite 110
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

[...]

TechHandle: PP46-ARIN
TechName:   Pathos, Peter
TechPhone:  +1-214-782-7800
TechEmail:  abuse@xxxxxxxxxxxxx

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-214-782-7802
OrgAbuseEmail:  abuse@xxxxxxxxxxxxx
Often I get a response that the owner of the machine in question has been contacted and taken it off-line.
--
-John (john@xxxxxxxxxxx)
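As an added example for the thread above (not code posted by John or anyone else in it), the script below does the triage the thread describes by hand: it groups the sshd lines by child PID, attributes the AllowUsers and 'illegal user' messages (which carry no address) to the client address logged by another line of the same connection, lists the account names each address cycled through, flags sources that opened several connections with different names inside a short window (the scripted pattern), and pulls out the raw lines for a flagged address so they can be forwarded to the provider's abuse contact. The sample log is constructed from the entries quoted in the thread: the "Failed password ... from <ip>" lines, their port numbers and the second address 192.0.2.44 are made up, the year 2004 is assumed because syslog timestamps carry none, and the thresholds (3 connections, 2 names, 30 minutes) are arbitrary illustration values.

```python
# Added example, not from the thread: summarise scripted SSH username-guessing
# from syslog-format sshd lines, correlating messages by sshd child PID.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the entries quoted in the thread. 67.19.122.170 is
# the thread's address; the "Failed password" lines and 192.0.2.44 (TEST-NET-1, a
# single probe that must not be flagged) are made up for this example.
SAMPLE_LOG = """\
Oct 13 06:33:14 fahrlander sshd[13361]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
Oct 13 06:33:14 fahrlander sshd[13361]: Did not receive identification string from 67.19.122.170
Oct 13 06:53:09 fahrlander sshd[13468]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:09 fahrlander sshd[13468]: User nobody not allowed because not listed in AllowUsers
Oct 13 06:53:09 fahrlander sshd[13468]: Failed password for illegal user nobody from 67.19.122.170 port 41022 ssh2
Oct 13 06:53:09 fahrlander sshd[13469]: input_userauth_request: illegal user nobody
Oct 13 06:53:12 fahrlander sshd[13471]: User patrick not allowed because not listed in AllowUsers
Oct 13 06:53:12 fahrlander sshd[13471]: Failed password for illegal user patrick from 67.19.122.170 port 41088 ssh2
Oct 13 06:53:15 fahrlander sshd[13474]: Failed password for root from 67.19.122.170 port 41131 ssh2
Oct 13 06:53:18 fahrlander sshd[13477]: Failed password for illegal user wwwrun from 67.19.122.170 port 41190 ssh2
Oct 13 07:10:01 fahrlander sshd[13502]: Failed password for illegal user admin from 192.0.2.44 port 2200 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IP_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")
USER_RES = [  # message shapes that name the account being tried
    re.compile(r"Failed password for (?:illegal user )?(?P<user>\S+) from"),
    re.compile(r"User (?P<user>\S+) not allowed because"),
    re.compile(r"illegal user (?P<user>\S+)$"),
]

def parse_connections(log_text, year=2004):
    """Group lines by sshd child PID. Syslog carries no year; 2004 is assumed here
    from the nmap run date in the thread."""
    conns = defaultdict(lambda: {"ip": None, "users": [], "times": [], "reverse_fail": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = conns[m["pid"]]
        c["times"].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
        msg = m["msg"]
        ipm = IP_RE.search(msg)
        if ipm:
            c["ip"] = ipm["ip"]
        if "POSSIBLE BREAKIN ATTEMPT" in msg:  # OpenSSH reverse-DNS mismatch warning
            c["reverse_fail"] = True
        for ur in USER_RES:
            um = ur.search(msg)
            if um:
                if um["user"] not in c["users"]:  # one attempt is logged several times
                    c["users"].append(um["user"])
                break
    return dict(conns)

def summarize_sources(conns):
    """Per-address totals; also counts connections whose lines never carried an address
    (under privilege separation the unprivileged child logs under its own PID)."""
    sources, unattributed = {}, 0
    for c in conns.values():
        if c["ip"] is None:
            unattributed += 1
            continue
        s = sources.setdefault(c["ip"], {"attempts": 0, "users": [], "first": None,
                                         "last": None, "reverse_fail": False})
        s["attempts"] += 1
        for u in c["users"]:
            if u not in s["users"]:
                s["users"].append(u)
        t0, t1 = min(c["times"]), max(c["times"])
        s["first"] = t0 if s["first"] is None else min(s["first"], t0)
        s["last"] = t1 if s["last"] is None else max(s["last"], t1)
        s["reverse_fail"] = s["reverse_fail"] or c["reverse_fail"]
    return sources, unattributed

def flag_scripted(sources, min_attempts=3, window_minutes=30):
    """Addresses with >= min_attempts connections inside window_minutes that cycled
    through two or more account names: the pattern the thread describes."""
    flagged = []
    for ip, s in sources.items():
        span = (s["last"] - s["first"]).total_seconds() / 60
        if s["attempts"] >= min_attempts and len(s["users"]) >= 2 and span <= window_minutes:
            flagged.append(ip)
    return sorted(flagged)

def evidence_lines(log_text, conns, ip):
    """Raw lines of every connection attributed to ip, to paste into an abuse report."""
    pids = {pid for pid, c in conns.items() if c["ip"] == ip}
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["pid"] in pids:
            out.append(line)
    return out

if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    sources, unattributed = summarize_sources(conns)
    for ip in flag_scripted(sources):
        print(f"{ip}: {sources[ip]['attempts']} connections, names tried: {', '.join(sources[ip]['users'])}")
        print("\n".join(evidence_lines(SAMPLE_LOG, conns, ip)))
    print(f"{unattributed} connection(s) with no client address logged")
```

On the sample the script flags 67.19.122.170 only (five connections in about twenty minutes trying nobody, patrick, root and wwwrun) and reports one unattributed connection, the 'illegal user nobody' line that sshd's unprivileged child logged under PID 13469. The reverse_fail flag is carried along rather than used as the trigger because the "POSSIBLE BREAKIN ATTEMPT!" text is OpenSSH's warning that it could not verify the client's hostname; it does not by itself refuse the connection, which is why the AllowUsers rejections follow it in the quoted log.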