Gentoo Forums
These dang persistent bastads
K-Dawg
Apprentice
Joined: 06 Jan 2004
Posts: 186
Location: Denver, Colorado

Posted: Fri Oct 15, 2004 2:04 am    Post subject: These dang persistent bastads

Is everyone else seeing this same crap flood your logs almost daily?

Oct 5 19:38:53 whitey sshd[3457]: Failed password for illegal user user from 61.100.180.125 port 45356 ssh2
Oct 5 19:38:55 whitey sshd[3459]: Failed password for illegal user user from 61.100.180.125 port 45808 ssh2
Oct 5 19:38:58 whitey sshd[3461]: Failed password for illegal user web from 61.100.180.125 port 46262 ssh2
Oct 5 19:39:00 whitey sshd[3463]: Failed password for illegal user web from 61.100.180.125 port 46689 ssh2
Oct 5 19:39:02 whitey sshd[3465]: Failed password for illegal user oracle from 61.100.180.125 port 47148 ssh2
Oct 5 19:39:04 whitey sshd[3467]: Failed password for illegal user sybase from 61.100.180.125 port 47532 ssh2
Oct 5 19:39:06 whitey sshd[3469]: Failed password for illegal user master from 61.100.180.125 port 48032 ssh2
Oct 5 19:39:09 whitey sshd[3471]: Failed password for illegal user account from 61.100.180.125 port 48476 ssh2
Oct 5 19:39:11 whitey sshd[3473]: Failed password for illegal user backup from 61.100.180.125 port 49112 ssh2
Oct 5 19:39:13 whitey sshd[3475]: Failed password for illegal user server from 61.100.180.125 port 49537 ssh2
Oct 5 19:39:15 whitey sshd[3477]: Failed password for illegal user adam from 61.100.180.125 port 49944 ssh2
Oct 5 19:39:17 whitey sshd[3479]: Failed password for illegal user alan from 61.100.180.125 port 50343 ssh2
Oct 5 19:39:19 whitey sshd[3481]: Failed password for illegal user frank from 61.100.180.125 port 50847 ssh2
Oct 5 19:39:21 whitey sshd[3483]: Failed password for illegal user george from 61.100.180.125 port 51231 ssh2
Oct 5 19:39:23 whitey sshd[3485]: Failed password for illegal user henry from 61.100.180.125 port 51632 ssh2
Oct 5 19:39:26 whitey sshd[3487]: Failed password for illegal user john from 61.100.180.125 port 52059 ssh2

Sep 29 15:11:24 whitey sshd[14666]: Failed password for illegal user webmaster from 64.156.138.90 port 49196 ssh2
Sep 29 15:11:25 whitey sshd[14668]: Failed password for illegal user data from 64.156.138.90 port 49208 ssh2
Sep 29 15:11:25 whitey sshd[14670]: Failed password for illegal user user from 64.156.138.90 port 49221 ssh2
Sep 29 15:11:26 whitey sshd[14672]: Failed password for illegal user user from 64.156.138.90 port 49235 ssh2
Sep 29 15:11:26 whitey sshd[14674]: Failed password for illegal user user from 64.156.138.90 port 49246 ssh2
Sep 29 15:11:27 whitey sshd[14676]: Failed password for illegal user web from 64.156.138.90 port 49259 ssh2
Sep 29 15:11:27 whitey sshd[14678]: Failed password for illegal user web from 64.156.138.90 port 49273 ssh2
Sep 29 15:11:27 whitey sshd[14680]: Failed password for illegal user oracle from 64.156.138.90 port 49285 ssh2
Sep 29 15:11:28 whitey sshd[14682]: Failed password for illegal user sybase from 64.156.138.90 port 49295 ssh2
Sep 29 15:11:28 whitey sshd[14684]: Failed password for illegal user master from 64.156.138.90 port 49309 ssh2
Sep 29 15:11:29 whitey sshd[14686]: Failed password for illegal user account from 64.156.138.90 port 49321 ssh2
Sep 29 15:11:29 whitey sshd[14688]: Failed password for illegal user backup from 64.156.138.90 port 49333 ssh2
Sep 29 15:11:30 whitey sshd[14690]: Failed password for illegal user server from 64.156.138.90 port 49347 ssh2
Sep 29 15:11:30 whitey sshd[14692]: Failed password for illegal user adam from 64.156.138.90 port 49361 ssh2
Sep 29 15:11:31 whitey sshd[14694]: Failed password for illegal user alan from 64.156.138.90 port 49372 ssh2
Sep 29 15:11:31 whitey sshd[14696]: Failed password for illegal user frank from 64.156.138.90 port 49388 ssh2
Sep 29 15:11:31 whitey sshd[14698]: Failed password for illegal user george from 64.156.138.90 port 49399 ssh2
Sep 29 15:11:32 whitey sshd[14700]: Failed password for illegal user henry from 64.156.138.90 port 49420 ssh2
Sep 29 15:11:32 whitey sshd[14702]: Failed password for illegal user john from 64.156.138.90 port 49433 ssh2

Oct 7 15:42:27 whitey sshd[18686]: Failed password for illegal user data from 211.214.161.151 port 55767 ssh2
Oct 7 15:42:32 whitey sshd[18688]: Failed password for illegal user user from 211.214.161.151 port 55847 ssh2
Oct 7 15:42:36 whitey sshd[18690]: Failed password for illegal user user from 211.214.161.151 port 55936 ssh2
Oct 7 15:42:43 whitey sshd[18692]: Failed password for illegal user user from 211.214.161.151 port 56011 ssh2
Oct 7 15:42:47 whitey sshd[18694]: Failed password for illegal user web from 211.214.161.151 port 56123 ssh2
Oct 7 15:42:51 whitey sshd[18696]: Failed password for illegal user web from 211.214.161.151 port 56193 ssh2
Oct 7 15:42:55 whitey sshd[18698]: Failed password for illegal user oracle from 211.214.161.151 port 56263 ssh2
Oct 7 15:43:00 whitey sshd[18700]: Failed password for illegal user sybase from 211.214.161.151 port 56326 ssh2
Oct 7 15:43:07 whitey sshd[18702]: Failed password for illegal user master from 211.214.161.151 port 56413 ssh2
Oct 7 15:43:12 whitey sshd[18704]: Failed password for illegal user account from 211.214.161.151 port 56521 ssh2
Oct 7 15:43:17 whitey sshd[18706]: Failed password for illegal user backup from 211.214.161.151 port 56598 ssh2
Oct 7 15:43:23 whitey sshd[18708]: Failed password for illegal user server from 211.214.161.151 port 56687 ssh2
Oct 7 15:43:30 whitey sshd[18710]: Failed password for illegal user adam from 211.214.161.151 port 56798 ssh2
Oct 7 15:43:35 whitey sshd[18712]: Failed password for illegal user alan from 211.214.161.151 port 56908 ssh2
Oct 7 15:43:41 whitey sshd[18714]: Failed password for illegal user frank from 211.214.161.151 port 56987 ssh2
Oct 7 15:43:46 whitey sshd[18716]: Failed password for illegal user george from 211.214.161.151 port 57080 ssh2
Oct 7 15:43:51 whitey sshd[18718]: Failed password for illegal user henry from 211.214.161.151 port 57153 ssh2
Oct 7 15:43:58 whitey sshd[18720]: Failed password for illegal user john from 211.214.161.151 port 57253 ssh2

The list goes on but do ya see the whole same user scan each time?

Is this some sick brute force script or what? Geez, I know I have read a couple of ssh break-ins from weak accts and passwords over the last few weeks but I just wanna know if this is related or if I should report these bastards. It is getting a little annoying seeing my logs fill up w/ this crap every day but all in all I guess I will not worry too much as I have strong/smart acct names and passwords on my box.
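The pattern the post points out, the same username list replayed from unrelated addresses, can be checked mechanically. The following is an added example, not part of the original thread: it parses sshd lines in the format quoted above and groups source addresses that tried the same ordered username list. The sample lines are constructed and use documentation address ranges; the function names and the `min_attempts` threshold are assumptions.

```python
import re
from collections import defaultdict

# Matches the sshd line format quoted in the post. Later OpenSSH releases log
# "invalid user" instead of "illegal user", so both are accepted.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def attempts_by_source(lines):
    """Return {source_ip: [usernames in the order they were tried]}."""
    seen = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            seen[ip].append(user)
    return dict(seen)

def shared_wordlists(by_source, min_attempts=5):
    """Group sources that tried the same ordered username list.

    Consecutive repeats (user, user, web, web) are collapsed first, so that
    differing retry counts per name do not hide a matching list.
    """
    groups = defaultdict(list)
    for ip, users in by_source.items():
        if len(users) < min_attempts:
            continue  # too few attempts to call it a wordlist (assumed cutoff)
        collapsed = tuple(u for i, u in enumerate(users) if i == 0 or u != users[i - 1])
        groups[collapsed].append(ip)
    return {seq: sorted(ips) for seq, ips in groups.items() if len(ips) > 1}

# Constructed sample in the post's format; addresses are documentation ranges.
NAMES_A = ["user", "user", "web", "web", "oracle", "sybase", "master"]
NAMES_B = ["user", "user", "user", "web", "web", "oracle", "sybase", "master"]
SAMPLE = [
    f"Oct 5 19:38:{i:02d} host sshd[{3000 + i}]: Failed password for illegal user "
    f"{name} from {ip} port {40000 + i} ssh2"
    for ip, names in (("192.0.2.10", NAMES_A), ("198.51.100.7", NAMES_B))
    for i, name in enumerate(names)
] + ["Oct 5 19:40:00 host sshd[4000]: Failed password for root from 203.0.113.5 port 2222 ssh2"]

if __name__ == "__main__":
    for seq, ips in shared_wordlists(attempts_by_source(SAMPLE)).items():
        print(f"{len(ips)} sources share the list {' '.join(seq)}: {', '.join(ips)}")
```

Sources that share a list are most likely running the same tool, which is a more durable signal for alerting than any single address.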
KozmoNaut
Apprentice
Joined: 09 Dec 2002
Posts: 168
Location: Denmark

Posted: Fri Oct 15, 2004 6:39 am

You could set up IPtables to block those specific IPs. You could also try finding out who or what is behind the IPs (perhaps open proxies?).

EDIT: Just did a few nmap scans (yes, I know, it's probably illegal), and judging by the amount and types of ports open on them, they are open proxies.
_________________
War. War never changes.
thompsonmike
Apprentice
Joined: 19 Jan 2004
Posts: 275
Location: Bath UK

Posted: Fri Oct 15, 2004 8:36 am

Just run your ssh daemon on a non-standard port. Stops it dead.

Blocking the IPs using iptables is pointless, never see the same one more than twice in a long long time.
_________________
Thanks


Michael..
fleed
l33t
Joined: 28 Aug 2002
Posts: 756
Location: London

Posted: Fri Oct 15, 2004 9:41 am

Or use bfd to block the ones that try the same trick more than a few times!
nightblade
Guru
Joined: 20 Jul 2004
Posts: 368
Location: back from SE Asia

Posted: Fri Oct 15, 2004 2:50 pm

snortsam (www.snortsam.net) is also a viable alternative
_________________
In God we trust. All the others must provide a valid X.509 certificate
amne
Bodhisattva
Joined: 17 Nov 2002
Posts: 6378
Location: Graz / EU

Posted: Sat Oct 16, 2004 7:26 pm

Please see "i got hacked. what were they up to?" for more information and discussion on this issue. Moving from N&S to Duplicate Threads.
_________________
Dinosaur week! (Ok, this thread is so last week)
All times are GMT