We have been noticing flurries of sshd reject messages in which some system out there in the hinterlands hits us with a flood of ssh login attempts. An example:

Apr 6 05:41:51 dc sshd[88763]: Did not receive identification string from 67.19.58.170
Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous
Apr 6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 67.19.58.170 port 32942 ssh2
Apr 6 05:49:42 dc sshd[12389]: Received disconnect from 67.19.58.170: 11: Bye Bye
Apr 6 05:49:42 dc sshd[12406]: input_userauth_request: illegal user bruce
Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
Apr 6 05:49:42 dc sshd[12406]: Received disconnect from 67.19.58.170: 11: Bye Bye
Apr 6 05:49:42 dc sshd[12422]: input_userauth_request: illegal user chuck

You get the idea. This goes on for 3 or 4 minutes and then just stops for now. I can almost promise that later, another attack will start from some other IP address and blaze away for a few minutes.

Other than spewing lots of entries into syslog, what is the purpose of the attack? Are they just hoping to luck into an open account? The odds of guessing the right account name and then guessing the correct password are astronomical to say the least. Direct root logins are not possible so there is another roadblock.

This seems on the surface to be aimed at simply filling up the /var file system, but it is so stupid as to make me wonder if there is something else more sophisticated that we truly need to be trembling in our shoes over.

I notice from the syslog servers here that the same system is hammering other sshd applications on those devices at the same time it is hitting this system, so whatever script it is is probably just trolling our network, looking for anything that answers.

Thanks for any useful information as to the nature of what appears to be more of a nuisance than a diabolical threat to security.
Martin McCormick WB5AGZ Stillwater, OK OSU Information Technology Division Network Operations Group
Luiz Eduardo Roncato Cordeiro
2005-Apr-06 08:56 UTC
What is this Very Stupid DOS Attack Script?
Hi,

Probably, what you have seen is a brute force attack against your sshd. Unfortunately, this kind of attack still works.

Regards,
Cordeiro

On Wednesday April 6 2005 12:49, Martin McCormick <martin@dc.cis.okstate.edu> wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
>
> Apr 6 05:41:51 dc sshd[88763]: Did not receive identification string from 67.19.58.170
> Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous
> Apr 6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 67.19.58.170 port 32942 ssh2
> Apr 6 05:49:42 dc sshd[12389]: Received disconnect from 67.19.58.170: 11: Bye Bye
> Apr 6 05:49:42 dc sshd[12406]: input_userauth_request: illegal user bruce
> Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
> Apr 6 05:49:42 dc sshd[12406]: Received disconnect from 67.19.58.170: 11: Bye Bye
> Apr 6 05:49:42 dc sshd[12422]: input_userauth_request: illegal user chuck
>
> You get the idea. This goes on for 3 or 4 minutes and then
> just stops for now. I can almost promise that later, another attack
> will start from some other IP address and blaze away for a few
> minutes.
>
> Other than spewing lots of entries into syslog, what is the
> purpose of the attack? Are they just hoping to luck into an open
> account? The odds of guessing the right account name and then guessing
> the correct password are astronomical to say the least.
> Direct root logins are not possible so there is another roadblock.
>
> This seems on the surface to be aimed at simply filling up the /var
> file system, but it is so stupid as to make me wonder if there is
> something else more sophisticated that we truly need to be trembling
> in our shoes over.
>
> I notice from the syslog servers here that the same system
> is hammering other sshd applications on those devices at the same time
> it is hitting this system, so whatever script it is is probably just
> trolling our network, looking for anything that answers.
>
> Thanks for any useful information as to the nature of what
> appears to be more of a nuisance than a diabolical threat to security.
>
> Martin McCormick WB5AGZ Stillwater, OK
> OSU Information Technology Division Network Operations Group
Martin McCormick wrote:
> Apr 6 05:49:42 dc sshd[12422]: input_userauth_request: illegal user chuck
>
> You get the idea. This goes on for 3 or 4 minutes and then
> just stops for now. I can almost promise that later, another attack
> will start from some other IP address and blaze away for a few
> minutes.

I asked the same question a while ago. Seems that there are some Linux-type worms out there that use this to target not-well-protected Linux systems???

I've built some swatch rules that, after two of these hits, dump the host into ipfw deny space.

--WjW
At 11:49 AM 06/04/2005, Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
>
> Apr 6 05:41:51 dc sshd[88763]: Did not receive identification string from 67.19.58.170
> Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous
>
> Other than spewing lots of entries into syslog, what is the
> purpose of the attack? Are they just hoping to luck into an open
> account? The odds of guessing the right account name and then guessing
> the correct password are astronomical to say the least.

Actually, sadly the odds are far too good given the cost to run such a script. Unless you force users to use GOOD passwords, they will use dumb ones.... Think Paris Hilton recently.

The cost to let a script like that go in the background and pound away at hosts that have open ssh access is zilch. If you have ftpd running anywhere, you will see similar attempts.

---Mike
Luiz Eduardo Roncato Cordeiro writes:
> Probably, what you have seen is a brute force attack against your
> sshd. Unfortunately, this kind of attack still works.

My thanks to all who have responded. I am glad to know this isn't more sinister than it appears to be. It did make me get religion and fix all the Linux systems I have control over so that one cannot successfully log in as root with any password, even though I choose strong passwords. Better to log in as you and su -.
On Wed, Apr 06, 2005 at 10:49:08AM -0500, Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
>
> Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2

In my experience, these are just script kiddies goofing around. The only useful thing to do is to report them to abuse@ their ISP - this can actually be effective in some cases.

$ whois 67.19.58.170
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
...
OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse@theplanet.com

I'm sure his ISP would like to know about his behavior - send them a report of his attempts. Often in my opinion it's some 13 year old who doesn't realize he's not anonymous on the internet. It quickly becomes a tedious and thankless job, but it's the best weapon you have imo.

Also, I find on some systems it's nice to do whitelisting with hosts.allow to only allow connections from certain addresses. Obviously that is not a solution for every system, but it can work well for some.

Dan
On Wed, Apr 06, 2005 at 10:49:08AM -0500, Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
[snip]

If you search google, you'll see many recent similar threads on both this and other mailing lists. Perhaps the most interesting is one recently on the DragonFly BSD users list, in which there were several scripts / applications written to analyze the logs and add IPFW / PF rules blocking these connections.

It's simply a brute force kiddy script. No harm. Or, shouldn't be if you don't use silly passwords ;) The script simply tries user:user combinations.

--Devon
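The log-analysis approach WjW and Devon describe above (count failures per source address, then block the address with the packet filter), written out as an added example that is not from the thread or from any of the DragonFly scripts mentioned. The log lines are constructed in the sshd format quoted at the top of the thread; the two-hit threshold follows WjW's swatch rule, and the ipfw commands are only rendered as strings, never executed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the sshd syslog format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Apr 6 05:41:51 dc sshd[88763]: Did not receive identification string from 67.19.58.170
Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous
Apr 6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 67.19.58.170 port 32942 ssh2
Apr 6 05:49:42 dc sshd[12389]: Received disconnect from 67.19.58.170: 11: Bye Bye
Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
Apr 6 05:49:43 dc sshd[12422]: Failed password for illegal user chuck from 67.19.58.170 port 33001 ssh2
Apr 6 06:02:10 dc sshd[13001]: Failed password for mmc from 192.0.2.44 port 40211 ssh2
"""

# Matches both "Failed password for illegal user X from IP" and
# "Failed password for X from IP" (existing account, wrong password).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def failed_logins(log_text):
    """Return {source_ip: Counter(username -> failure count)} from sshd log lines."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip][user] += 1
    return per_ip


def offenders(log_text, threshold=2):
    """Source IPs with at least `threshold` failed logins, most active first."""
    per_ip = failed_logins(log_text)
    totals = {ip: sum(c.values()) for ip, c in per_ip.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])


def ipfw_deny_rules(ips, start_rule=1000):
    """Render ipfw deny rules for port 22 as command strings (shown, not run)."""
    return [f"ipfw add {start_rule + i} deny tcp from {ip} to me 22"
            for i, ip in enumerate(ips)]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    for ip in bad:
        print(ip, dict(failed_logins(SAMPLE_LOG)[ip]))
    print("\n".join(ipfw_deny_rules(bad)))
```

A real deployment would read /var/log/auth.log (or wherever syslog sends sshd's messages), keep the counters per time window so the rules expire, and whitelist the addresses you administer from, as Dan notes.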
Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
>
> Other than spewing lots of entries into syslog, what is the
> purpose of the attack? Are they just hoping to luck into an open
> account? The odds of guessing the right account name and then guessing
> the correct password are astronomical to say the least.
> Direct root logins are not possible so there is another roadblock.
<snipped for speed>

This is probably a variant of a worm that infects the server and then spends all its time trying to log into other servers by guessing the ssh password. Once it succeeds, it attempts a compromise, and if successful, tries to break into other machines. I have read some interesting analyses on this. Apparently there are multiple variations of the worm, but they all do essentially the same thing. About the only real defense you have is to enforce a good password policy.

I have taken to dropping everything that comes from the pacific rim at the firewall. This has been helpful in reducing some attacks, though in my case, it seems like about a quarter of them come from inside the USA.

Here's a list of pacific rim IP ranges:
http://www.okean.com/iptables/rc.firewall.sinokorea

Here's an interesting read on one of the worm variants:
http://www.security.org.sg/gtec/honeynet/viewdiary.php?diary=20041102

Personally, I think people who write malicious software should be treated like terrorists because it seems to me, they are. I know it's a common defense to claim that publishing exploits is useful to IT (perhaps it is in some twisted way), but that's like saying defendants in foiled murder plots should be forgiven because they helped to expose flaws in one's personal security. It's nonsense.

--
-linux_lad
On Wed, 6 Apr 2005 11:28:11 -0500, Dan Rue <drue@therub.org> wrote:
> In my experience, these are just script kiddies goofing around. The
> only useful thing to do is to report them to abuse@ their ISP - this can
> actually be effective in some cases.
>
> $ whois 67.19.58.170
> OrgName: ThePlanet.com Internet Services, Inc.

But definitely *not* in the case of theplanet.com.

http://tinyurl.com/6sebk
(expands to a search on theplanet.com in the news.admin.net-abuse.sightings newsgroup)

Drawing conclusions from the evidence provided is left as an exercise for the reader.

--
G. Stewart - gstewart@spamcop.net

Your fault: core dumped