View previous topic :: View next topic |
Author |
Message |
Hu Administrator
Joined: 06 Mar 2007 Posts: 22856
|
Posted: Tue Mar 03, 2020 1:59 am Post subject: |
|
|
Although improbable, one innocuous explanation for the routine pings is that the address you are currently using was previously assigned to some service that the peer was legitimately trying to monitor for liveness, such as to warn someone if an important server went down. That server surrendered the address. You got it. Now they're monitoring you instead. Their failure to abandon the task could be because they have been abandoned, and their attempts to alert someone that you are down (which you would appear to be, since you are refusing to send ICMP echo responses) are being ignored. I think an odd botnet is more likely, but I can't find a good explanation for why a botnet would monitor like that.
Those hostnames aren't particularly useful on their own. All it really tells us is that an AWS customer is running an AWS EC2 instance (usually a Linux VM) and sending you traffic. We know they're in different parts of the country. We can't tell from that whether the customer ran these machines for this purpose or if these are poorly secured VMs that have been compromised and abused for scanning. If you don't mind sending them a bit of return traffic, check each of those systems for whether you can connect on port 22. If yes, then they are probably not firewalled at all on port 22, and anyone anywhere could have attacked them and compromised them. If no, then either they were compromised through other means (say, a Wordpress blog hosted on the VM) or they were rented specifically to scan other hosts. You could also check to see if they offer service on 80 and 443, but if they do, it's hard to guess much about their intended use without probing more deeply than seems polite. |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9846 Location: almost Mile High in the USA
|
Posted: Tue Mar 03, 2020 4:25 am Post subject: |
|
|
I've owned this particular IP address for many years now (static) which does paint a big target on my machine as I suspect static IP machines are desirable for C&C centers. But not sure if this is the only reason for monitoring.
I agree the hostnames are not useful on their own, but was wondering if perhaps Google (nope, they would use their own machines) or Amazon itself is monitoring my machine for whatever reason. But more likely, yes, it's a customer or 0wn3d customer. All three of these machines are sending equivalent ICMP strings which means they may well be running the same code.
I'll need to go to an anonymous site and take a look at those machines. Will stop by a public library and see what's at those IP addresses to make sure I don't get unwanted attention.
If only I had vast bandwidth to take ICMP storms from any revenge attacks, I'd rather just check from my own IP addresses. But my network connection is so poor that if they actually got in and checked, my network connection would be very undesirable to their use they may just leave it and forget it... (They should already know my ping latency is not great obviously, since they've been pinging, but this didn't seem to faze them unfortunately.)
---
EDIT
---
I reverse looked-up some more of the hosts. Some were invalid in-arpa reverses, but I just noticed a bunch of them are
***.***.***.***.bc.googleusercontent.com
Mystery continues... _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
ChrisJumper Advocate
Joined: 12 Mar 2005 Posts: 2400 Location: Germany
|
Posted: Tue Mar 03, 2020 11:16 pm Post subject: |
|
|
Just use a unusual Port for connecting to sshd and you have nearly zero success for attackers... |
|
Back to top |
|
|
axl Veteran
Joined: 11 Oct 2002 Posts: 1146 Location: Romania
|
Posted: Tue Mar 03, 2020 11:26 pm Post subject: |
|
|
ChrisJumper wrote: | Just use a unusual Port for connecting to sshd and you have nearly zero success for attackers... |
I mentioned this too. This is such an old idea. Camouflage. Such a simple and good idea |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9846 Location: almost Mile High in the USA
|
Posted: Wed Mar 04, 2020 12:42 am Post subject: |
|
|
Yeah, 9022 was not a good choice (actually I had both setup, but they found 9022 too; I completely disabled it now)...
But no matter, the number of attacks has dropped down a lot due to active blocking, just curious about the ICMP echo requests now. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
axl Veteran
Joined: 11 Oct 2002 Posts: 1146 Location: Romania
|
Posted: Wed Mar 04, 2020 12:51 am Post subject: |
|
|
eccerr0r wrote: | Yeah, 9022 was not a good choice (actually I had both setup, but they found 9022 too; I completely disabled it now)...
But no matter, the number of attacks has dropped down a lot due to active blocking, just curious about the ICMP echo requests now. |
Like I said, go in the high 60000 ports. and dont use 22 ffs. Sick compulsion to give yourself up |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9846 Location: almost Mile High in the USA
|
Posted: Wed Mar 04, 2020 12:59 am Post subject: |
|
|
Well as I said as well, the number of attempts have dropped down enough that it doesn't matter, even at 22 which is what it is now. I much prefer it at 22 anyway. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
axl Veteran
Joined: 11 Oct 2002 Posts: 1146 Location: Romania
|
Posted: Wed Mar 04, 2020 1:00 am Post subject: |
|
|
eccerr0r wrote: | Well as I said as well, the number of attempts have dropped down enough that it doesn't matter, even at 22 which is what it is now. I much prefer it at 22 anyway. |
Well, you also mentioned that you have now "active blocking" which I'm assuming is a firewall. Good job
PS changing port is like the lamest most lazy excuse of a security measure. Still better then doing nothing. A firewall is much better. Congrats |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9846 Location: almost Mile High in the USA
|
Posted: Wed Mar 04, 2020 5:52 am Post subject: |
|
|
Nope, though I do have a VPN system that I solely use to access my internal network. I mean active blocking as in -- I actively choose to block those machines that send attacks. Yes I still have port 22 open so I can connect from anywhere if need be as I cannot predict whether or not the network I'm connected to will pass port UDP or even tcp/1194 and especially >32000, but typically it will pass 22.
The alternate ssh port was in case I or my automatic blocking lock myself out. This is the worst case scenario.
Eventually this is a convenience vs bandwidth waste issue (note I did not say security). Again I don't see dictionary attacks succeeding but it is wasting network bandwidth. But having two ports open means two times the number of attempts going in.
Still has no correlation to the ICMPs. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9846 Location: almost Mile High in the USA
|
Posted: Mon Mar 16, 2020 5:27 pm Post subject: |
|
|
Oh nice. Very nice.
Someone started spam authentication through SMTP AUTH...
Only one IP address so far. iptables gone. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
e3k Guru
Joined: 01 Oct 2007 Posts: 515 Location: Quantum Flux
|
Posted: Sat Apr 18, 2020 10:57 am Post subject: |
|
|
last time i checked with nmap all the attacker IPs had also sshd running. a solution would probably be to build your own dictionary and automatically connect to the attackers to shut them down or erase. (probably not so simple but maybe worth of trying) _________________
Flux & Contemplation - Portrait of an Artist in Isolation
|
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9846 Location: almost Mile High in the USA
|
Posted: Sat Apr 18, 2020 2:07 pm Post subject: |
|
|
There's some legal implications in doing that...
though at one point I did randomly telnet back to that machine with (obviously incorrect) requests indicating that their machine cold possibly be rootkitted and should be investigated, but with tcpwrappers no longer part of openssh I stopped (plus the increase of attacks and the non-proliferation policy due to bandwidth limits). _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22856
|
Posted: Sat Apr 18, 2020 4:15 pm Post subject: |
|
|
Even aside from the likely illegality of trying to reverse-hack them, it's not unheard of for an attacker to improve the security of a system after taking control of it, so that no one else hacks in and interferes with the first intruder. It's also possible that the offending bot was installed through some non-sshd weakness, like an insecure WordPress install, and that the sshd was already hardened enough that you would not be able to break in.
Probably the best you could hope for would be something like what eccerr0r describes, where you never actually breach the bot system, but you get the attention of the true administrator of that system and he/she intervenes to kill the bot and evict the intruder. |
|
Back to top |
|
|
e3k Guru
Joined: 01 Oct 2007 Posts: 515 Location: Quantum Flux
|
Posted: Sat Apr 18, 2020 6:19 pm Post subject: |
|
|
yes ignoring the bot by adding port knocking (as mentioned before) would be legal and probably more effective. on the other hand you could build a honey pot with a fake SSH (only auth sequence) which would store all the keys and passwords delivered. based on that you probably could do some statistics and deliver that to the authorities.ls _________________
Flux & Contemplation - Portrait of an Artist in Isolation
|
|
Back to top |
|
|
axl Veteran
Joined: 11 Oct 2002 Posts: 1146 Location: Romania
|
Posted: Sun Apr 19, 2020 6:51 am Post subject: |
|
|
u guys brought up legality.
hack my system. delete my stuff. I'd be fine with that.
what I would NOT be fine with, is someone using my system to hack someone else.
Hu has a nostalgic and optimistic and naive kind of concept about good hackers. Well, maybe he doesn't. What he is referring to are tiger teams. Which is a thing. Or was a thing. Nowadays, not sure it's a thing anymore.
I feel like, the more bandwidth you have, the more uneasy you should feel about how that bandwidth is used. Much easier to try to prevent stuff, than try to explain later that it wasn't you.
And to the point of reporting stuff... I tried to report stuff. To the local police when the attacker was local. In Romania, they laughed in my face. Even though the attacker was in the same damn city. To my ISP. They don't care. To other entities. To the original ISP. To anyone that would listen. Nobody listens. Even when you provide logs and context and everything.
I feel like... it's still the wild wild west out there, but without the sheriff. Until you get "caught" for something that originated from your system and you didn't do. Then it's another story. And we're going back to the idea that prevention made more sense than repairing.
HONESTLY... there are times when I feel like shutting down everything... just because I need a good night sleep. |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9846 Location: almost Mile High in the USA
|
Posted: Sun Apr 19, 2020 4:32 pm Post subject: |
|
|
How about copy your stuff and claim it for their own?
Like account numbers and passwords or novel research? _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22856
|
Posted: Sun Apr 19, 2020 4:45 pm Post subject: |
|
|
I did not mean the attackers would secure the system for an altruistic purpose. I was referring to attackers who are purely self interested. They secured the system so that no other intruders would break in and interfere with the first intruder's use of the system.
Suppose that there exists a vulnerable system with plenty of bandwidth and CPU power. Attacker #1 breaks in, and wants to use it for bitcoin mining. Attacker #2, if he breaks in, will use the system to start sending spam. Spammers get reported more often than bitcoin miners, because lots of people receive the unwanted spam, but the only negative effect of the bitcoin miner is the increased load on the victim's system, so that is easier to miss. If the spam gets enough reports, the legitimate owner might examine the system and notice both intruders, then reclaim the system. Now no intruders have use of the system. Therefore, in a purely self interested sense, attacker #1 should harden the system against attacker #2, so that the system can be dedicated to bitcoin mining and not draw unwanted attention due to attacker #2 using it to send spam. |
|
Back to top |
|
|
axl Veteran
Joined: 11 Oct 2002 Posts: 1146 Location: Romania
|
Posted: Mon Apr 20, 2020 10:45 am Post subject: |
|
|
Hu wrote: | I did not mean the attackers would secure the system for an altruistic purpose. I was referring to attackers who are purely self interested. They secured the system so that no other intruders would break in and interfere with the first intruder's use of the system.
Suppose that there exists a vulnerable system with plenty of bandwidth and CPU power. Attacker #1 breaks in, and wants to use it for bitcoin mining. Attacker #2, if he breaks in, will use the system to start sending spam. Spammers get reported more often than bitcoin miners, because lots of people receive the unwanted spam, but the only negative effect of the bitcoin miner is the increased load on the victim's system, so that is easier to miss. If the spam gets enough reports, the legitimate owner might examine the system and notice both intruders, then reclaim the system. Now no intruders have use of the system. Therefore, in a purely self interested sense, attacker #1 should harden the system against attacker #2, so that the system can be dedicated to bitcoin mining and not draw unwanted attention due to attacker #2 using it to send spam. |
So why even bring it up? Most parasitic organisms kill their host... sooner or later.
The host is what matters here. I am the host. Or the attacked is the host.
Should I be more happy that 2-3-4-5 things killed me, or that 1 thing killed me? What is the difference? |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9846 Location: almost Mile High in the USA
|
Posted: Mon Apr 20, 2020 4:26 pm Post subject: |
|
|
It was brought up because hackers are selfish likewise, they don't want to share "their loot" (i.e. YOUR computer) with competing hackers. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22856
|
Posted: Tue Apr 21, 2020 3:00 am Post subject: |
|
|
axl: e3k suggested trying to "hack back." I noted that not only is such a thing likely illegal, but that selfish intruders may well have secured their bots against such attempts, for the specific purpose of keeping the bots in service to the intruders for as long as possible. |
|
Back to top |
|
|
axl Veteran
Joined: 11 Oct 2002 Posts: 1146 Location: Romania
|
Posted: Tue Apr 21, 2020 7:47 am Post subject: |
|
|
Which, in my humble opinion leaves you with just one option. DO NOT GET HACKED.
Because every road past that, leads to disaster. I'm sorry. I can't take comfort in the idea that the hackers will secure my systems.
On the other hand, I really wish there were more "reporting" options. I would put in the work. I already mentioned that I tried to send mails to abuse@stuff. To this day, I never got a reply that leads me to believe it was effort well spent. And reporting to local authorities about hacking attempts from Russia or China or whatever seems like a lost cause.
Nobody cares. Which is a sad state of affairs. Nobody seems to care even when systems from the US or EU are involved. As proxies. I assume they are proxies. At this moment, I am under pressure on smtp with like 10-20 requests per second. From various ip's. Most don't repeat ever. It's scary how many they are. It will go on for 1-2 more days and it will stop for a number of weeks. Didn't yet figure out the pattern. But usually there's like 3-4 days of non-stop spamming, then pause for a couple of weeks. rinse and repeat.
I portscanned with nmap some of these ip's and it seems to me like a good portion of them are residential addresses. To their credit, most isp's do not give a reverse name. Therefor 80% of them end up with: Client host rejected: cannot find your reverse hostname. The rest are picked up by spamhaus or another rbl. postgrey or dkim or spamassassin or clam.
They can't even make a dent in the systems. From any point of view. not even like 1% cpu is spent just rejecting them. But it makes quite hard to read all other logs. The screen just scrolls like its' possessed. And it's having a significant psychological effect, believe it or not. I'm wonder what's so special about me that I deserve this kind of attention.
today was not a good day. my eye hurt. and the lines keep on scrolling, day 3. I'm hoping based on paste experiences that in a day or 2 it will be over.
PS I know spamming (or whatever - not sure what it is) and hacking are not exactly the same thing. But I don't know. Could be some phishing thing, or some ransomware thing, or just noise to make all other log lines fade in the background of all the noise. Even it's just 1% cpu, and 1% bandwidth, it just bothers me to no end. I lived in a dialup era. And it's wasted resources on NOTHING. Drives me mad. You can do things with ssh to hide it or whatever. You can't do that with smtp. Not if you want to receive mails. And WWW. That's were I feel most exposed. And like I said before, you can do geoblocking... but god damn... there are many hacked computers out there. |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22856
|
Posted: Wed Apr 22, 2020 2:25 am Post subject: |
|
|
axl, are you in the same thread that the rest of us are? No one ever advocated hoping hackers would secure a system. I advocated not trying to "hack back" because it would probably be illegal, and probably not be useful even if you got away with it. |
|
Back to top |
|
|
axl Veteran
Joined: 11 Oct 2002 Posts: 1146 Location: Romania
|
Posted: Wed Apr 22, 2020 9:19 am Post subject: |
|
|
Hu wrote: | axl, are you in the same thread that the rest of us are? No one ever advocated hoping hackers would secure a system. I advocated not trying to "hack back" because it would probably be illegal, and probably not be useful even if you got away with it. |
Hey Hu, I never said you're advocating for stuff. I just said it doesn't matter. Past that point our 1to1 discussion was over and I started bitching about requests per second. I'm sorry if you thought EVERYTHING I said was a dig at you. Wasn't. Was just talking about stuff. BTW, as expected, day 3, the spam stopped. just like that. 3 days of intense fire, then totally quiet.
But now that you brought it up. (and again... talking to myself) It doesn't hurt to run a whois. whois is not hacking. doesn't hurt to do a nmap.
Actually, in my experience, sometimes nmap helps. nmap is not hacking. nmap is not illegal. yet if you nmap a host... their own firewall will block you. And therefor the original attacker will be locked out by his own protection mechanisms.
it doesn't always work though. In my estimation, maybe 20-30% of the time nmap thing works. especially if you use really aggressive settings of timing and ports. to be as obvious as possible. it's not illegal (afaik), and it gives some results, in cases of persistent hackers.
But I wouldn't suggest to make it automatic. And it wouldn't work in case of what I experienced in the last 3 days. Must have been over 10000 hosts that I seen in the last 3 days. I said... persistent hackers. In the case of randomised attack, that wouldn't work at all. One other thing I said is how most ip's I would see just once.
And the 10000 number I just pulled out of my behind. Based on a previous attack when I tried to make a text parser that would block you on your first offense. And iptables -xvnL ... you would see most blocked ip's were like 0/0. 0 packets, 0 bytes. one offense... and they would never try again. That previous attack I had 29000 blocks in 3 days. so 10000 sounded like a good conservative number. |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9846 Location: almost Mile High in the USA
|
Posted: Sun Jun 14, 2020 12:44 am Post subject: |
|
|
Oh yeah. Now this russian machine is sending me SMTP SASL AUTH requests every 3 minutes, dictionary style.
iptables-filtered. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9846 Location: almost Mile High in the USA
|
Posted: Tue Jun 30, 2020 2:29 pm Post subject: |
|
|
Other than the port 465 attacks, this is another strange behavior I see from the distributed attacks.
When I ban a specific host for connecting to ssh with bad credentials, the whole subnet/24 gets banned for all packets. I end up logging subsequent connection attempts.
However I note that though they continue to hammer port 22, I also see all sorts of other ports being connected to, not just 22 which was the initial infraction. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
|