Port 22 on the local network here was forwarded earlier this week and just yesterday the IP was linked to foran.mooo.com via http://freedns.afraid.org/ (which I came to through the dd-wrt ddns dropdown options)
Tonight, a virtual terminal got spammed with some message I wish I'd thought to copy. It involved the words ssh and root.
I stopped the ssh deamon and killed all sshd process, grepped auth.log for 'Accepted password', and check /root/.bash_history (though any commands would likely have been sent without opening an interactive shell).
I've been rooted!
The earliest entry was at 8am this morning. The last after 7pm.
grep -i 'accepted password' /var/log/auth.log*| perl -lne 'print "$2\t$1" if m/for (\w+) from ([0-9\.]+)/'|sort |uniq -c | sort -nr
2 1.214.194.114 root *
1 94.127.67.61 root *
1 221.239.81.4 root +
1 221.207.229.6 root +
1 218.240.44.249 root *
1 217.148.218.74 root +
* have many attempts
+ only one connection, know correct root password
Russia, South Korea, and China represented.
I checked /etc/passwd, /etc/rc.* and ls -tlc {,/usr/}{/bin/,/sbin/}. All seem okay.
ps axo cmd,users appears normal. ~/.ssh/authorized_keys are all trusted.
nmap localhost is as expected. There are no new jobs in crontab.
It looks like the harm is only that a few people know I forgot to change my weak root password when I opened up the box.
I fixed that.
I disabled root login and only allow access via publickey,
/etc/ssh/sshd_config
PermitRootLogin No
PasswordAuthentication no
ChallengeResponseAuthentication no
In the most recent attack, over 3000 attempts with more than 12 hundred user names were logged. User names were probed at different intensities. After root, test is apparently thought to be a likely account.
function searchIP() {
perl -lne "print \$2 if m/(user|for) (\w+) from $1 /" /var/log/auth.log*
}
searchIP 1.214.194.114|wc -l3429searchIP 1.214.194.114 |sort -u|wc -lsearchIP 1.214.194.114 |sort |uniq -c|sort -nr | tee >(head -n5 1>&2) |tail -n3
1269
1087 root
45 test
28 oracle
23 tester
22 info
22 guest
1 gaby
1 gabriell
1
Earlier attacks applied less force. But were equally successful. The chines prob appears to be smart enough not to probe an account that doesn't exist multiple times. I imagine it can determine this by the delay before the password prompt is presented.
The Russian probe solved root's password in the first 100 tries, but continued down the dictionary regardless. It also gave more tries to oracle than root.
searchIP 218.240.44.249 |sort |uniq -c|sort -nr
316 root
1 router
searchIP 94.127.67.61 |wc -l
713
searchIP 94.127.67.61 |sort |uniq -c |sort -nr | tee >(head -n5 1>&2) | tail -n3
394 oracle
206 root
140 admin
56 asterisk
1 string
1 ftp
1 dbus
Picking on 1.214.194.114
nmap -A -T4 1.214.194.114
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.5
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 5f:03:2f:d1:a0:74:be:e9:94:9a:fc:f1:88:66:a9:7a (DSA)
|_2048 22:75:08:79:7b:e2:4f:19:15:0a:39:12:7c:78:af:b4 (RSA)
80/tcp open http Apache httpd 2.2.3 ((CentOS))
|_http-title: UBI\xEB\x84\xA4\xED\x8A\xB8\xEC\x9B\x8C\xED\x81\xAC
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-favicon:
111/tcp open rpcbind 2 (rpc #100000)
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1700/tcp filtered mps-raft
1720/tcp filtered H.323/Q.931
Service Info: OS: Unix
The host http is in Korean.
Clicking around http://1.214.194.114 eventually directs to www.ubipc.co.kr
I thought the IP host would be a clone of ubipc for phishing. But
ping www.ubipc.co.kr
PING www.ubipc.co.kr (1.214.194.114) 56(84) bytes of data.
It appears the attach came from the registered domain's ip.
Domain Name : ubipc.co.kr
Registrant : UBInetwork
Administrative Contact(AC) : UBInetwork
AC E-Mail : kaf551@naver.com
Registered Date : 2011. 12. 27.
Last updated Date : 2011. 12. 27.
Expiration Date : 2013. 12. 27.
Publishes : N
Authorized Agency : Whois Corp.(http://whois.co.kr)
I sent an email to the AC.
0 Comments