I am always amazed how fast hacker attempts are on a newly installed machine. I install the machine, plug in the Ethernet cable and within 1 hour I see messages like:

sshd: Invalid user ftpd from 61.243.232.22

or a combination of:

sshd: Invalid user guest from 210.117.180.111
sshd: Address 210.117.180.111 maps to dalmuri.chonbuk.ac.kr, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!

What is the difference between these two attacks?

Most annoying is now that the ethernet port reports into /var/log/messages:

kernel: eth0: link down
kernel: eth0: link up
kernel: eth0: link down

(up to down in the same second, two seconds later up again, ......)

I have tried to use another IP address, but it keeps the same. What can I do now? Only unplugging the cable stops it.

(and yes, I agree that hacker attempts should be jailed, ... hehehehe - or like I read once, they should be hung up on their balls -- or whatever!)

bye
Ronald Wiplinger
On Fri, Oct 28, 2005 at 11:34:35AM +0800, Ronald Wiplinger wrote:
I am always amazed how fast hacker attempts are on a newly installed machine.
I'm not.
I install the machine, plug in the Ethernet cable and within 1 hour I see messages like:
sshd: Invalid user ftpd from 61.243.232.22
SSHd is blocked by default on SUSE.... Why are you running it? My guess.... You shut off the firewall or told it to allow SSH?..... The firewall is on by default now, and you can update before the machine is even fully booted... You really should give more info than this. It sounds like you turned off the firewall, or told it to allow SSH, and for some reason someone found your IP, which is weird, do you run a server?
or a combination of:
sshd: Invalid user guest from 210.117.180.111
sshd: Address 210.117.180.111 maps to dalmuri.chonbuk.ac.kr, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
What is the difference between these two attacks?
Someone on that 210 IP is trying to log in as "guest" and like a drooling half-wit doesn't realise Windows is one of like.... OK Windows actually has a guest account, and that Linux doesn't, and that Windows doesn't have an SSHd..... Wow this dude is dumb. Do a whois on the IP, mail abuse with your logs.
Most annoying is now that the ethernet port reports into /var/log/messages:
kernel: eth0: link down
kernel: eth0: link up
kernel: eth0: link down
(up to down in the same second, two seconds later up again, ......)
I have tried to use another IP address, but it keeps the same. What can I do now? Only unplugging the cable stops it.
(and yes, I agree that hacker attempts should be jailed, ... hehehehe - or like I read once, they should be hung up on their balls -- or whatever!)
Yea, you don't want hackers running around creating Linux, BSD, and TCP/IP so you can bitch about them over it ...
bye
Ronald Wiplinger
--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
The Friday 2005-10-28 at 19:53 -0400, Allen wrote:
SSHd is blocked by default on SUSE.... Why are you running it?
The daemon is enabled by default, I think. It might be closed in the firewall, though.
My guess.... You shut off the firewall or told it to allow SSH?..... The firewall is on by default now, and you can update before the machine is even fully booted...
You really should give more info than this. It sounds like you turned off the firewall, or told it to allow SSH, and for some reason someone found your IP, which is weird, do you run a server?
Not weird at all. I get attempts as soon as I connect through my V90 modem (dial up dynamic address). There are people out there running port scans continuously, using scripts. Most try ports 445, 135, 139... or weird ones like 1028, 1026, 1030, 12316. But they also try 21, of course:

Oct 22 04:05:46 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=64.34.92.187 DST=81.41.201.250 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=27217 DF PROTO=TCP SPT=47499 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A7E3F764C0000000001030302)

They try the guest account because some installs have it, and several other "typical" names. There was a problem in sshd by which the attacker could determine if the name was valid by measuring the response time of the server, which was different if the user existed or not. Once they find a user name, they launch a dictionary attack on it.

That hole was plugged.

--
Cheers, Carlos Robinson
On Sat, Oct 29, 2005 at 03:29:52AM +0200, Carlos E. R. wrote:
The Friday 2005-10-28 at 19:53 -0400, Allen wrote:
SSHd is blocked by default on SUSE.... Why are you running it?
The daemon is enabled by default, I think. It might be closed in the firewall, though.
My guess.... You shut off the firewall or told it to allow SSH?..... The firewall is on by default now, and you can update before the machine is even fully booted...
You really should give more info than this. It sounds like you turned off the firewall, or told it to allow SSH, and for some reason someone found your IP, which is weird, do you run a server?
Not weird at all. I get attempts as soon as I connect through my V90 modem (dial up dynamic address). There are people out there running port scans continuously, using scripts. Most try ports 445, 135, 139... or weird ones like 1028, 1026, 1030, 12316. But they also try 21, of course:
Oct 22 04:05:46 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=64.34.92.187 DST=81.41.201.250 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=27217 DF PROTO=TCP SPT=47499 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A7E3F764C0000000001030302)
My boxes are up 24/7 as is my connection (6.2 MBs a second) and I've had maybe ONE attack attempt on a server I was using. And that was someone trying to log into the FTP server here as root a long time ago.... Well like not that long ago. I have them up all the time though and I've never had that. I even pop them in my DMZ and no one attacks it, and believe me, I'm quite a target being someone who challenges people openly when I don't think they are doing the right thing, being a soon to be govt employee, and of course being a senior member of AntiOnline. Lol yea I'm a huge one.
They try the guest account because some installs have it, and several other "typical" names. There was a problem in sshd by which the attacker could determine if the name was valid by measuring the response time of the server, which was different if the user existed or not. Once they find a user name, they launch a dictionary attack on it.
That hole was plugged.
--
Cheers, Carlos Robinson
On Sunday 30 October 2005 00:15, Allen wrote:
On Sat, Oct 29, 2005 at 03:29:52AM +0200, Carlos E. R. wrote:
The Friday 2005-10-28 at 19:53 -0400, Allen wrote:
SSHd is blocked by default on SUSE.... Why are you running it?
The daemon is enabled by default, I think. It might be closed in the firewall, though.
<snip>
Not weird at all. I get attempts as soon as I connect through my V90 modem (dial up dynamic address). There are people out there running port scans continuously, using scripts. Most try ports 445, 135, 139... or weird ones like 1028, 1026, 1030, 12316. But they also try 21, of course:
<snip>
They try the guest account because some installs have it, and several other "typical" names. There was a problem in sshd by which the attacker could determine if the name was valid by measuring the response time of the server, which was different if the user existed or not. Once they find a user name, they launch a dictionary attack on it.
That hole was plugged.
1- During installation there is a check box to allow ssh in through the firewall. (SUSE 10)
2- By default SUSE starts sshd.
3- There is a known "Brute force" attack against ssh being done in "slow motion" over the last 2 years or more. This is why lots of people change the port sshd is running on.

For more info on the attacks see:
http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
http://seclists.org/lists/incidents/2004/Jul/0097.html

I once had a link to an article done by a security company that caught the intrusion via a "honeypot". But after searching for an hour, I give up...

Jerry
On Sunday 30 October 2005 00:33, Jerry Westrick wrote:
3- There is a known "Brute force" attack against ssh being done in "slow motion" over the last 2 years or more.
Point of order! This isn't an attack against ssh, it's an attack against bad passwords. Don't use them.
Howdy, Anders, On Saturday 29 October 2005 16:50, Anders Johansson wrote:
On Sunday 30 October 2005 00:33, Jerry Westrick wrote:
3- There is a known "Brute force" attack against ssh being done in "slow motion" over the last 2 years or more.
Point of order! This isn't an attack against ssh, it's an attack against bad passwords. Don't use them.
Correction: This is a "point of clarification." Points of order refer to the rules of order within a forum. RRS
On Saturday 29 October 2005 03:29, Carlos E. R. wrote:
weird ones like 1028, 1026, 1030, 12316. But they also try 21, of course:
21 is ftp. This isn't a crack attempt, it's just someone looking for ftp servers
They try the guest account because some installs have it, and several other "typical" names. There was a problem in sshd by which the attacker could determine if the name was valid by measuring the response time of the server, which was different if the user existed or not. Once they find a user name, they launch a dictionary attack on it.
That hole was plugged.
It was of course also only ever possible on a high quality local LAN, as across the internet the microsecond timings necessary for something like that are drowned out by the general low quality of the network.
The Sunday 2005-10-30 at 01:44 +0200, Anders Johansson wrote:
On Saturday 29 October 2005 03:29, Carlos E. R. wrote:
weird ones like 1028, 1026, 1030, 12316. But they also try 21, of course:
21 is ftp. This isn't a crack attempt, it's just someone looking for ftp servers
Ah, right, memory slips. Then port 22:

Sep 9 01:29:20 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=195.162.195.69 DST=81.41.200.66 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=27308 DF PROTO=TCP SPT=46386 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A066C2FD30000000001030302)

That was 20 seconds after I connected!

Oct 27 20:19:29 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=81.196.58.13 DST=81.41.201.68 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=24437 PROTO=TCP SPT=60707 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)

And that was 6 minutes after connection.
That hole was plugged.
It was of course also only ever possible on a high quality local LAN, as across the internet the microsecond timings necessary for something like that are drowned out by the general low quality of the network.
I didn't know that, I thought the time difference was bigger, due to the filesystem seek time when the server had to locate the password data after a user matches.

But... don't tcp packets have a timestamp? Perhaps they used that one.

--
Cheers, Carlos Robinson
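The username-timing hole Carlos and Anders are discussing comes from a server that does less work when the user does not exist, and the usual fix is to make the unknown-user path do the same expensive work as the real one. The model below is an added example, not OpenSSH code and not from the thread: a leaky login that skips the password hash for unknown users, beside a hardened one that always verifies against a dummy hash. Because wall-clock timing is noisy (the point Anders makes), it measures the leak by counting PBKDF2 verifications per attempt instead of by timing them. `USERS`, `DUMMY_HASH`, `ITERATIONS` and the sample credentials are all constructed.

```python
"""Unknown-user timing leak in a password check, and the constant-work fix (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor: the slow step whose absence an attacker could notice
SALT_LEN = 16


def make_hash(password, salt=None):
    """salt || PBKDF2-HMAC-SHA256(password, salt)."""
    salt = salt or os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Work:
    """Counts expensive verifications so the leak is visible without timing."""
    verifications = 0


def verify_hash(stored, password):
    Work.verifications += 1
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user database: only "carlos" exists.
USERS = {"carlos": make_hash("correct horse")}
# Hash of a random secret nobody knows; used to burn the same work for unknown users.
DUMMY_HASH = make_hash(os.urandom(16).hex())


def login_leaky(user, password):
    """Returns early for unknown users, so 'no such user' answers faster than 'wrong password'."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return verify_hash(stored, password)


def login_hardened(user, password):
    """Same amount of work whether or not the user exists; the result is decided afterwards."""
    stored = USERS.get(user)
    ok = verify_hash(stored if stored is not None else DUMMY_HASH, password)
    return ok and stored is not None


def work_done(login, user, password):
    """Number of PBKDF2 verifications `login` performs for one attempt."""
    before = Work.verifications
    login(user, password)
    return Work.verifications - before


if __name__ == "__main__":
    for name in ("carlos", "guest"):
        print(name, "leaky:", work_done(login_leaky, name, "guest"),
              "hardened:", work_done(login_hardened, name, "guest"))
```

With the leaky version an attempt against `guest` costs zero verifications and one against `carlos` costs one, which is exactly the signal Carlos describes; the hardened version costs one in both cases, so the name tells the attacker nothing and only the password strength matters, which is Anders's point.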
participants (6): Allen, Anders Johansson, Carlos E. R., Jerry Westrick, Randall R Schulz, Ronald Wiplinger