Re: [Sheflug] Re: strange server logs, do I have a problem or a script kiddie...
And Lo! The Great Prophet Richard Ibbotson uttered these words of wisdom:
>
> Meanwhile over on the San Francisco LUG list about 40 minutes
> later.....
>
...[snip more logs]...
>
> So, looks like we are not alone :) Too much of a coincidence for me.
It's only /not/ a coincidence that someone's trying. It is coincidence if
you're trying to establish that it's the same attack from multiple servers;
it's not unfeasible, but chances are slim. There's five different class-A
nets in there, with hours between and they're different again from Rob's.
Usually they just probe well-known accounts for default/bad passwords. A
quick grep on my server shows:
Oct 23 08:20:17 linux2 sshd[30434]: Illegal user test from 220.70.167.67
Oct 23 08:20:17 linux2 sshd[30434]: Failed password for illegal user test from 220.70.167.67 port 38189 ssh2
Oct 23 08:20:25 linux2 sshd[30436]: Illegal user guest from 220.70.167.67
Oct 23 08:20:25 linux2 sshd[30436]: Failed password for illegal user guest from 220.70.167.67 port 38374 ssh2
Oct 23 08:20:32 linux2 sshd[30438]: Illegal user admin from 220.70.167.67
Oct 23 08:20:32 linux2 sshd[30438]: Failed password for illegal user admin from 220.70.167.67 port 38462 ssh2
Oct 23 08:20:40 linux2 sshd[30440]: Illegal user admin from 220.70.167.67
And that's just a subset of the 23rd (it's been quiet since then -- no
probes). This should be more of a worry as it's all from the same IP, but they
didn't get in, so I've nothing to worry about. The day before I had about
two dozen entries trying to crack root, but failing.
If I chased every bad packet that came into the server I wouldn't get any
sleep :-) Accounts that get hit the most are: test, user, admin and root
(267 probes for root since Oct 4th). Other probes to www, www-data, wwwrun,
mysql are less common but still occur (4, 4, 4 and 4 respectively).
Chris...
--
\ Chris Johnson \ NP: the creatures - 2nd floor
\ cej [at] nightwolf.org.uk \
\ http://cej.nightwolf.org.uk/ \
\ http://redclaw.org.uk/ ~---------------------------------------
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
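
Added example (not part of the original message or the list archive): a Python version of the "quick grep" tally described above, counting failed sshd password attempts per account and per source address. The log lines, host name and addresses are constructed samples, and sweeping_sources with its threshold is a hypothetical helper.

```python
import re
from collections import Counter, defaultdict

# One "Failed password" line per attempt. Older OpenSSH writes "illegal user",
# newer releases write "invalid user"; existing accounts (root) have neither.
# The user name is supplied by the remote side, so it is matched greedily and
# the address is taken from the LAST " from ADDR port N" on the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+(?: ssh\d*)?\s*$"
)

def tally_probes(lines):
    """Return (attempts per account, attempts per source, accounts per source)."""
    by_user, by_ip = Counter(), Counter()
    users_by_ip = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # "Illegal user ..." lines repeat the same attempt
        by_user[m["user"]] += 1
        by_ip[m["ip"]] += 1
        users_by_ip[m["ip"]].add(m["user"])
    return by_user, by_ip, users_by_ip

def sweeping_sources(users_by_ip, min_accounts=3):
    """Sources that tried several different account names (assumed threshold)."""
    return sorted(ip for ip, users in users_by_ip.items()
                  if len(users) >= min_accounts)

# Constructed sample in the same syslog format; documentation address ranges.
SAMPLE = """\
Oct 23 08:20:17 host1 sshd[101]: Illegal user test from 192.0.2.10
Oct 23 08:20:17 host1 sshd[101]: Failed password for illegal user test from 192.0.2.10 port 38189 ssh2
Oct 23 08:20:25 host1 sshd[102]: Illegal user guest from 192.0.2.10
Oct 23 08:20:25 host1 sshd[102]: Failed password for illegal user guest from 192.0.2.10 port 38374 ssh2
Oct 23 08:20:32 host1 sshd[103]: Failed password for illegal user admin from 192.0.2.10 port 38462 ssh2
Oct 23 09:01:02 host1 sshd[104]: Failed password for root from 198.51.100.7 port 40100 ssh2
Oct 23 09:01:09 host1 sshd[105]: Failed password for root from 198.51.100.7 port 40101 ssh2
Oct 23 09:02:00 host1 sshd[106]: Accepted password for alice from 192.0.2.50 port 50000 ssh2
Oct 23 09:03:00 host1 sshd[107]: Failed password for invalid user x from 203.0.113.9 port 1 ssh2 from 198.51.100.7 port 40103 ssh2
""".splitlines()

if __name__ == "__main__":
    by_user, by_ip, users_by_ip = tally_probes(SAMPLE)
    for user, n in by_user.most_common():
        print(f"{n:4d}  {user}")
    print("multi-account sources:", sweeping_sources(users_by_ip))
```

The last sample line carries a user name that itself contains " from 203.0.113.9 port 1 ssh2"; the tally still attributes it to the real source, 198.51.100.7.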