Friday, June 23, 2006


SSH brute attack

Today I discovered that one of our lab machines has been compromised. It had faced a heavy dictionary attack via ssh from matheron.scv.math.unb.ca. One of the users had a simple password, and the attacker was able to get access to his account. After getting access, the attackers copied a brute-force cracking program for ssh to /tmp/. /brute and started using our machine to break into other machines.

I had noticed such brute-force attacks earlier, but ignored them. I never realized that such attacks actually work. In the last month alone there were over 20 thousand such attempts from over 100 different hosts. Scary!

An excerpt from /var/log/messages:

Jun 18 05:20:17 soho sshd(pam_unix)[29250]: check pass; user unknown
Jun 18 05:20:17 soho sshd(pam_unix)[29250]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173
Jun 18 05:20:21 soho sshd(pam_unix)[29252]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root
Jun 18 05:20:26 soho sshd(pam_unix)[29254]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root
Jun 18 05:20:33 soho sshd(pam_unix)[29256]: check pass; user unknown
Jun 18 05:20:33 soho sshd(pam_unix)[29256]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173
Jun 18 05:20:38 soho sshd(pam_unix)[29258]: check pass; user unknown
Jun 18 05:20:38 soho sshd(pam_unix)[29258]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173
Jun 18 05:20:45 soho sshd(pam_unix)[29260]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root
Jun 18 05:20:50 soho sshd(pam_unix)[29262]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root
Jun 18 05:20:55 soho sshd(pam_unix)[29264]: check pass; user unknown
Jun 18 05:20:55 soho sshd(pam_unix)[29264]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173

The reason I was able to detect that our machine was compromised is that the brute program crashed frequently and left entries in /var/log/messages:

Jun 20 21:51:33 soho kernel: brute[15536]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4
Jun 20 21:51:33 soho kernel: brute[15537]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4
Jun 20 21:51:33 soho kernel: brute[15538]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4
Jun 20 21:51:33 soho kernel: brute[15540]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4
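Both log excerpts above are things a small script could have flagged automatically: the pam_unix failure lines show one remote host hammering the sshd within a short window, and the kernel lines show the same user-space binary segfaulting over and over. The following Python script is an added example, not something from the original post; it parses syslog-style lines, counts authentication failures per rhost in a sliding time window, tallies which account names were tried, and reports programs that crash repeatedly. The sample log embedded in it is constructed from the excerpts above plus a few invented benign lines (a failure from 10.0.0.5, a cron entry, a firefox crash); the year 2006 is assumed because syslog timestamps carry none, and the thresholds are arbitrary starting points to tune for your own host.

```python
"""Detection over syslog-style lines: SSH dictionary attacks and crashing tools.

Added example; the sample log below is constructed from the post's excerpts
plus a few invented benign lines.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

ASSUMED_YEAR = 2006  # syslog timestamps carry no year; assumption for this sample

# Syslog prefix: "Jun 18 05:20:17 soho sshd(pam_unix)[29250]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)
# pam_unix failure body; "user=" is absent when the account name was unknown
AUTH_FAIL_RE = re.compile(
    r'authentication failure;.*?rhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?'
)
# kernel segfault body: "brute[15536]: segfault at ..."
SEGFAULT_RE = re.compile(r'^(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at ')

# Constructed sample input, modelled on /var/log/messages from the post
SAMPLE_LOG = [
    "Jun 18 05:20:17 soho sshd(pam_unix)[29250]: check pass; user unknown",
    "Jun 18 05:20:17 soho sshd(pam_unix)[29250]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173",
    "Jun 18 05:20:21 soho sshd(pam_unix)[29252]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root",
    "Jun 18 05:20:26 soho sshd(pam_unix)[29254]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root",
    "Jun 18 05:20:33 soho sshd(pam_unix)[29256]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173",
    "Jun 18 05:20:38 soho sshd(pam_unix)[29258]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173",
    "Jun 18 05:20:45 soho sshd(pam_unix)[29260]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root",
    "Jun 18 05:20:50 soho sshd(pam_unix)[29262]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173  user=root",
    "Jun 18 05:20:55 soho sshd(pam_unix)[29264]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.96.216.173",
    # invented benign lines: a single typo by a real user, and cron noise
    "Jun 18 09:14:02 soho sshd(pam_unix)[30101]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice",
    "Jun 18 09:15:01 soho crond(pam_unix)[30120]: session opened for user root by (uid=0)",
    "Jun 20 21:51:33 soho kernel: brute[15536]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4",
    "Jun 20 21:51:33 soho kernel: brute[15537]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4",
    "Jun 20 21:51:33 soho kernel: brute[15538]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4",
    "Jun 20 21:51:33 soho kernel: brute[15540]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffffd280 error 4",
    # invented: one crash of an ordinary desktop program should not be flagged
    "Jun 20 22:03:10 soho kernel: firefox[16001]: segfault at 0000000000000008 rip 00000000b7c1e2a0 rsp 00000000bfa3c110 error 4",
]


def parse(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['when'] = datetime.strptime(f"{ASSUMED_YEAR} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def auth_failures(lines):
    """Yield (when, rhost, user) for every pam_unix authentication failure from sshd."""
    for line in lines:
        rec = parse(line)
        if rec is None or not rec['prog'].startswith('sshd'):
            continue
        m = AUTH_FAIL_RE.search(rec['msg'])
        if m:
            yield rec['when'], m.group('rhost'), m.group('user') or '<unknown>'


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {rhost: peak failures in any window} for hosts at or over threshold."""
    by_host = defaultdict(list)
    for when, rhost, _ in auth_failures(lines):
        by_host[rhost].append(when)
    flagged = {}
    for rhost, times in by_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[rhost] = peak
    return flagged


def targeted_accounts(lines):
    """Count failures per account name; shows which users a dictionary run tried."""
    return Counter(user for _, _, user in auth_failures(lines))


def crashing_programs(lines, min_crashes=3):
    """Return {program: crash count} for binaries that segfault repeatedly.
    A tool dying over and over, like the 'brute' binary in the post, is worth an
    alert on its own, even before anyone reads the auth log."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec['prog'] != 'kernel':
            continue
        m = SEGFAULT_RE.match(rec['msg'])
        if m:
            counts[m.group('comm')] += 1
    return {comm: n for comm, n in counts.items() if n >= min_crashes}


if __name__ == '__main__':
    print("brute-force sources :", brute_force_sources(SAMPLE_LOG))
    print("accounts tried      :", dict(targeted_accounts(SAMPLE_LOG)))
    print("crashing programs   :", crashing_programs(SAMPLE_LOG))
```

Run against the sample, the script flags 202.96.216.173 with eight failures inside one minute, reports that root and unknown account names were the targets, and lists only brute as a repeat crasher while the single firefox crash and alice's lone typo stay below threshold. Feeding it a real /var/log/messages is a matter of passing `open(path)` in place of SAMPLE_LOG; the same counts also make a sensible basis for a firewall block list or for deciding that password authentication should be turned off in favour of keys.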

The bottom line is: it's a dangerous world out there!
