FYI. This guy spent two hours Thursday, 3am-5am, trying to break into my server's root account.
168.68.129.127
Dig says:

; <<>> DiG 2.1 <<>> @dns1.menandmice.is 168.68.129.127 A
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10
;; flags: qr rd ra; Ques: 1, Ans: 0, Auth: 1, Addit: 0
;; QUESTIONS:
;;      168.68.129.127, type = A, class = IN
;; AUTHORITY RECORDS:
.       300     SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
                        2004102900      serial
                        1800            refresh (30 mins)
                        900             retry (15 mins)
                        604800          expire (7 days)
                        86400 )         minimum (1 day)
;; Total query time: 2 msec
;; FROM: us.mirror.menandmice.com to SERVER: default -- 0.0.0.0
;; WHEN: Fri Oct 29 09:09:57 2004
;; MSG SIZE  sent: 32  rcvd: 107
**********************************************************
ARIN says:
OrgName:    USDA Office of Operations
OrgID:      UOO-2
Address:    Suite 133, Building A
Address:    2150 Centre Ave
City:       Fort Collins
StateProv:  CO
PostalCode: 80526
Country:    US

NetRange:   168.68.0.0 - 168.68.255.255
CIDR:       168.68.0.0/16
NetName:    PPQ
NetHandle:  NET-168-68-0-0-1
Parent:     NET-168-0-0-0-0
NetType:    Direct Assignment
NameServer: NS1.USDA.GOV
NameServer: NS2.USDA.GOV
NameServer: NS3.USDA.GOV
Comment:
RegDate:    1994-01-26
Updated:    2003-04-30

OrgAbuseHandle: ZU20-ARIN
OrgAbuseName:   USDA - Office of the Chief Information Officer
OrgAbusePhone:  +1-970-295-5277
OrgAbuseEmail:  Network.Operations@usda.gov

OrgNOCHandle: ZU20-ARIN
OrgNOCName:   USDA - Office of the Chief Information Officer
OrgNOCPhone:  +1-970-295-5277
OrgNOCEmail:  Network.Operations@usda.gov

OrgTechHandle: ZU20-ARIN
OrgTechName:   USDA - Office of the Chief Information Officer
OrgTechPhone:  +1-970-295-5277
OrgTechEmail:  Network.Operations@usda.gov

# ARIN WHOIS database, last updated 2004-10-28 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
On Fri, October 29, 2004 10:17 am, Brian Densmore said:
OrgTechHandle: ZU20-ARIN
OrgTechName:   USDA - Office of the Chief Information Officer
OrgTechPhone:  +1-970-295-5277
OrgTechEmail:  Network.Operations@usda.gov
So they really are out to get you? =)
That or some cracker is using zombie software to do the dirty work.
Jeremy
-----Original Message-----
From: kclug-bounces@kclug.org [mailto:kclug-bounces@kclug.org] On Behalf Of Brian Densmore
Sent: Friday, October 29, 2004 10:17 AM
To: KCLUG (E-mail)
Subject: Crack attempt
FYI. This guy spent two hours Thursday, 3am-5am, trying to break into my server's root account.
[snip]
ARIN says:
OrgName:    USDA Office of Operations
OrgID:      UOO-2
Address:    Suite 133, Building A
Address:    2150 Centre Ave
City:       Fort Collins
StateProv:  CO
PostalCode: 80526
Country:    US
[snip]
OrgAbuseHandle: ZU20-ARIN
OrgAbuseName:   USDA - Office of the Chief Information Officer
OrgAbusePhone:  +1-970-295-5277
OrgAbuseEmail:  Network.Operations@usda.gov

OrgNOCHandle: ZU20-ARIN
OrgNOCName:   USDA - Office of the Chief Information Officer
OrgNOCPhone:  +1-970-295-5277
OrgNOCEmail:  Network.Operations@usda.gov

OrgTechHandle: ZU20-ARIN
OrgTechName:   USDA - Office of the Chief Information Officer
OrgTechPhone:  +1-970-295-5277
OrgTechEmail:  Network.Operations@usda.gov
Brian, I would highly recommend sending a copy of your logs to the address listed above. They likely do not know this is happening (yet), and could use the info I'm sure.
Dustin
Not too long ago, someone posted information on a series of attempts to log on via ssh, more or less brute forcing things. I figured I would throw out some of what I've seen which is similar.
I've been seeing a lot of traffic that behaves in similar fashion, across sensors deployed on various ISPs for which the only common link is being a client of mine, and the attacks. I (and more importantly my clients) stay off the radar pretty well, so I am inclined to think this is a scripted process, executed after a root-kit is installed etc. to further the conquest.
If you watch the behavior, and the ascending port numbers, it looks more and more like I am correct. What I find interesting is the sources change over time, and then we see the script trying an even larger number of user names.
Another reference point - I see this a lot more on roadrunner clients than any others. Someone is ramping up for something, looking for launch platforms is my guess. Anyone interested in seeing the entire conversations (rather than the logged info below) can drop me an e-mail and I will obfuscate things and offer 'em up. Due to confidentiality clauses in my contracts, I will have to munge the IPs that I am protecting, and make a mess of the checksums etc.
Oct 16 22:26:01 [obfuscated] sshd[14705]: Failed password for nobody from 62.188.61.214 port 3201 ssh2
Oct 16 22:26:08 [obfuscated] sshd[14712]: input_userauth_request: illegal user patrick
Oct 16 22:26:11 [obfuscated] sshd[14712]: Failed password for illegal user patrick from 62.188.61.214 port 1622 ssh2
Oct 16 22:26:18 [obfuscated] sshd[14713]: input_userauth_request: illegal user patrick
Oct 16 22:26:21 [obfuscated] sshd[14713]: Failed password for illegal user patrick from 62.188.61.214 port 4104 ssh2
Oct 16 22:26:30 [obfuscated] sshd[14714]: Failed password for root from 62.188.61.214 port 2606 ssh2
Oct 16 22:26:38 [obfuscated] sshd[14715]: Failed password for root from 62.188.61.214 port 4781 ssh2
Oct 16 22:26:50 [obfuscated] sshd[14716]: Failed password for root from 62.188.61.214 port 2941 ssh2
Oct 16 22:25:59 [obfuscated2] sshd(pam_unix)[14705]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com user=nobody
Oct 16 22:26:08 [obfuscated2] sshd(pam_unix)[14712]: check pass; user unknown
Oct 16 22:26:08 [obfuscated2] sshd(pam_unix)[14712]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com
Oct 16 22:26:18 [obfuscated2] sshd(pam_unix)[14713]: check pass; user unknown
Oct 16 22:26:18 [obfuscated2] sshd(pam_unix)[14713]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com
Oct 16 22:26:27 [obfuscated2] sshd(pam_unix)[14714]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com user=root
Oct 16 22:26:36 [obfuscated2] sshd(pam_unix)[14715]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com user=root
Oct 16 22:26:47 [obfuscated2] sshd(pam_unix)[14716]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com user=root
Oct 24 05:01:57 [obfuscated4] sshd(pam_unix)[2541]: check pass; user unknown
Oct 24 05:01:57 [obfuscated4] sshd(pam_unix)[2541]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:01 [obfuscated4] sshd(pam_unix)[2548]: check pass; user unknown
Oct 24 05:02:01 [obfuscated4] sshd(pam_unix)[2548]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:09 [obfuscated4] sshd(pam_unix)[2549]: check pass; user unknown
Oct 24 05:02:09 [obfuscated4] sshd(pam_unix)[2549]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:14 [obfuscated4] sshd(pam_unix)[2550]: check pass; user unknown
Oct 24 05:02:14 [obfuscated4] sshd(pam_unix)[2550]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:18 [obfuscated4] sshd(pam_unix)[2551]: check pass; user unknown
Oct 24 05:02:18 [obfuscated4] sshd(pam_unix)[2551]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:22 [obfuscated4] sshd(pam_unix)[2552]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67 user=root
Oct 24 05:02:26 [obfuscated4] sshd(pam_unix)[2553]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67 user=root
Oct 24 05:02:34 [obfuscated4] sshd(pam_unix)[2554]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67 user=root
Oct 24 05:02:39 [obfuscated4] sshd(pam_unix)[2555]: check pass; user unknown
Oct 24 05:02:39 [obfuscated4] sshd(pam_unix)[2555]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 27 15:30:39 [obfuscated3] sshd(pam_unix)[5783]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.234.105.236 user=nobody
Oct 27 15:30:43 [obfuscated3] sshd(pam_unix)[5784]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.234.105.236
Oct 27 15:30:48 [obfuscated3] sshd(pam_unix)[5785]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.234.105.236
[about 400 more of these]
Oct 27 15:30:42 [obfuscated3] sshd[5783]: Failed password for nobody from 211.234.105.236 port 44817 ssh2
Oct 27 15:30:43 [obfuscated3] sshd[5784]: input_userauth_request: illegal user patrick
Oct 27 15:30:46 [obfuscated3] sshd[5784]: Failed password for illegal user patrick from 211.234.105.236 port 44944 ssh2
Oct 27 15:30:48 [obfuscated3] sshd[5785]: input_userauth_request: illegal user patrick
Oct 27 15:30:50 [obfuscated3] sshd[5785]: Failed password for illegal user patrick from 211.234.105.236 port 45018 ssh2
Oct 27 15:30:54 [obfuscated3] sshd[5786]: Failed password for root from 211.234.105.236 port 45089 ssh2
Oct 27 15:31:04 [obfuscated3] sshd[5788]: Failed password for root from 211.234.105.236 port 45156 ssh2
Oct 27 15:31:08 [obfuscated3] sshd[5796]: Failed password for root from 211.234.105.236 port 45310 ssh2
Oct 27 15:31:13 [obfuscated3] sshd[5799]: Failed password for root from 211.234.105.236 port 45382 ssh2
Oct 27 15:31:17 [obfuscated3] sshd[5800]: Failed password for root from 211.234.105.236 port 45453 ssh2
Oct 27 15:31:21 [obfuscated3] sshd[5801]: input_userauth_request: illegal user rolo
Oct 27 15:31:23 [obfuscated3] sshd[5801]: Failed password for illegal user rolo from 211.234.105.236 port 45521 ssh2
Oct 27 15:31:25 [obfuscated3] sshd[5802]: input_userauth_request: illegal user iceuser
Oct 27 15:31:27 [obfuscated3] sshd[5802]: Failed password for illegal user iceuser from 211.234.105.236 port 45613 ssh2
Oct 27 15:31:29 [obfuscated3] sshd[5803]: input_userauth_request: illegal user horde
Oct 27 15:31:32 [obfuscated3] sshd[5803]: Failed password for illegal user horde from 211.234.105.236 port 45682 ssh2
Oct 27 15:31:34 [obfuscated3] sshd[5804]: input_userauth_request: illegal user cyrus
Oct 27 15:31:36 [obfuscated3] sshd[5804]: Failed password for illegal user cyrus from 211.234.105.236 port 45745 ssh2
Oct 27 15:31:39 [obfuscated3] sshd[5805]: input_userauth_request: illegal user www
Oct 27 15:31:42 [obfuscated3] sshd[5805]: Failed password for illegal user www from 211.234.105.236 port 45807 ssh2
Oct 27 15:31:47 [obfuscated3] sshd[5806]: input_userauth_request: illegal user wwwrun
Oct 27 15:31:49 [obfuscated3] sshd[5806]: Failed password for illegal user wwwrun from 211.234.105.236 port 45881 ssh2
Oct 27 15:31:51 [obfuscated3] sshd[5807]: input_userauth_request: illegal user matt
Oct 27 15:31:53 [obfuscated3] sshd[5807]: Failed password for illegal user matt from 211.234.105.236 port 45979 ssh2
Oct 27 15:31:56 [obfuscated3] sshd[5808]: input_userauth_request: illegal user test
Oct 27 15:31:58 [obfuscated3] sshd[5808]: Failed password for illegal user test from 211.234.105.236 port 46032 ssh2
Oct 27 15:32:04 [obfuscated3] sshd[5809]: input_userauth_request: illegal user test
Oct 27 15:32:06 [obfuscated3] sshd[5809]: Failed password for illegal user test from 211.234.105.236 port 46091 ssh2
Oct 27 15:32:08 [obfuscated3] sshd[5816]: input_userauth_request: illegal user test
Oct 27 15:32:10 [obfuscated3] sshd[5816]: Failed password for illegal user test from 211.234.105.236 port 46179 ssh2
Oct 27 15:32:12 [obfuscated3] sshd[5817]: input_userauth_request: illegal user test
Oct 27 15:32:15 [obfuscated3] sshd[5817]: Failed password for illegal user test from 211.234.105.236 port 46224 ssh2
Oct 27 15:32:17 [obfuscated3] sshd[5818]: input_userauth_request: illegal user www-data
Oct 27 15:32:19 [obfuscated3] sshd[5818]: Failed password for illegal user www-data from 211.234.105.236 port 46267 ssh2
Oct 27 15:32:21 [obfuscated3] sshd[5821]: input_userauth_request: illegal user mysql
Oct 27 15:32:28 [obfuscated3] sshd[5821]: Failed password for illegal user mysql from 211.234.105.236 port 46310 ssh2
Oct 27 15:32:34 [obfuscated3] sshd[5826]: Failed password for operator from 211.234.105.236 port 46401 ssh2
Oct 27 15:32:41 [obfuscated3] sshd[5829]: Failed password for adm from 211.234.105.236 port 46448 ssh2
Oct 27 15:32:49 [obfuscated3] sshd[5830]: Failed password for apache from 211.234.105.236 port 46506 ssh2
Oct 27 15:32:51 [obfuscated3] sshd[5831]: input_userauth_request: illegal user irc
Oct 27 15:32:53 [obfuscated3] sshd[5831]: Failed password for illegal user irc from 211.234.105.236 port 46560 ssh2
Oct 27 15:32:55 [obfuscated3] sshd[5834]: input_userauth_request: illegal user irc
Oct 27 15:32:57 [obfuscated3] sshd[5834]: Failed password for illegal user irc from 211.234.105.236 port 46589 ssh2
Oct 27 15:33:03 [obfuscated3] sshd[5835]: Failed password for adm from 211.234.105.236 port 46620 ssh2
Oct 27 15:33:07 [obfuscated3] sshd[5844]: Failed password for root from 211.234.105.236 port 46655 ssh2
Oct 27 15:33:11 [obfuscated3] sshd[5845]: Failed password for root from 211.234.105.236 port 46686 ssh2
Oct 27 15:33:16 [obfuscated3] sshd[5846]: Failed password for root from 211.234.105.236 port 46713 ssh2
Oct 27 15:33:18 [obfuscated3] sshd[5847]: input_userauth_request: illegal user jane
Oct 27 15:33:20 [obfuscated3] sshd[5847]: Failed password for illegal user jane from 211.234.105.236 port 46737 ssh2
Oct 27 15:33:26 [obfuscated3] sshd[5850]: input_userauth_request: illegal user pamela
Oct 27 15:33:29 [obfuscated3] sshd[5850]: Failed password for illegal user pamela from 211.234.105.236 port 46766 ssh2
Oct 27 15:33:34 [obfuscated3] sshd[5851]: Failed password for root from 211.234.105.236 port 46819 ssh2
Oct 27 15:33:39 [obfuscated3] sshd[5853]: Failed password for root from 211.234.105.236 port 46849 ssh2
Oct 27 15:33:49 [obfuscated3] sshd[5855]: Failed password for root from 211.234.105.236 port 46874 ssh2
Oct 27 15:33:55 [obfuscated3] sshd[5856]: Failed password for root from 211.234.105.236 port 46929 ssh2
Oct 27 15:34:04 [obfuscated3] sshd[5861]: Failed password for root from 211.234.105.236 port 46959 ssh2
Oct 27 15:34:06 [obfuscated3] sshd[5870]: input_userauth_request: illegal user cosmin
Oct 27 15:34:14 [obfuscated3] sshd[5870]: Failed password for illegal user cosmin from 211.234.105.236 port 47009 ssh2
Oct 27 15:34:18 [obfuscated3] sshd[5874]: Failed password for root from 211.234.105.236 port 47049 ssh2
Oct 27 15:34:24 [obfuscated3] sshd[5875]: Failed password for root from 211.234.105.236 port 47064 ssh2
Oct 27 15:34:28 [obfuscated3] sshd[5879]: Failed password for root from 211.234.105.236 port 47083 ssh2
Oct 27 15:34:32 [obfuscated3] sshd[5880]: Failed password for root from 211.234.105.236 port 47100 ssh2
Oct 27 15:34:37 [obfuscated3] sshd[5882]: Failed password for root from 211.234.105.236 port 47114 ssh2
Oct 27 15:34:41 [obfuscated3] sshd[5883]: Failed password for root from 211.234.105.236 port 47128 ssh2
Oct 27 15:34:51 [obfuscated3] sshd[5887]: Failed password for root from 211.234.105.236 port 47141 ssh2
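A defender-side way to pull the pattern this post describes (one source, a growing username list, ascending client ports) out of sshd logs, added here as an example and not the poster's own tooling. It assumes the sshd "Failed password" line format shown above and runs on constructed sample entries in documentation IP ranges; the pam_unix lines carry no port and are ignored.

```python
import re
from collections import defaultdict

# Matches the sshd "Failed password" line; "illegal user" is optional.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2"
)

# Constructed sample (documentation IP ranges), modelled on the post's logs:
# one source walking a username list with ascending client ports, plus one
# ordinary single failure from a different host.
SAMPLE_LOG = """\
Oct 27 15:30:42 host sshd[5783]: Failed password for nobody from 203.0.113.7 port 44817 ssh2
Oct 27 15:30:43 host sshd[5784]: input_userauth_request: illegal user patrick
Oct 27 15:30:46 host sshd[5784]: Failed password for illegal user patrick from 203.0.113.7 port 44944 ssh2
Oct 27 15:30:54 host sshd[5786]: Failed password for root from 203.0.113.7 port 45089 ssh2
Oct 27 15:31:04 host sshd[5788]: Failed password for root from 203.0.113.7 port 45156 ssh2
Oct 27 15:31:23 host sshd[5801]: Failed password for illegal user rolo from 203.0.113.7 port 45521 ssh2
Oct 27 15:31:36 host sshd[5804]: Failed password for illegal user cyrus from 203.0.113.7 port 45745 ssh2
Oct 27 16:02:10 host sshd[6001]: Failed password for alice from 198.51.100.9 port 51022 ssh2
"""

def parse_failures(lines):
    """Yield (ip, user, port) for each 'Failed password' line; other
    sshd and pam_unix lines carry no client port and are skipped."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), int(m.group("port"))

def profile_sources(lines, min_failures=5):
    """Per source IP with at least min_failures: count failures, distinct
    usernames and root attempts, and check whether the client ports only
    ever ascend (one process opening connections back to back)."""
    by_ip = defaultdict(list)
    for ip, user, port in parse_failures(lines):
        by_ip[ip].append((user, port))
    report = {}
    for ip, attempts in by_ip.items():
        if len(attempts) < min_failures:
            continue
        ports = [p for _, p in attempts]
        report[ip] = {
            "failures": len(attempts),
            "distinct_users": len({u for u, _ in attempts}),
            "root_attempts": sum(1 for u, _ in attempts if u == "root"),
            "ascending_ports": all(a < b for a, b in zip(ports, ports[1:])),
        }
    return report
```

Run `profile_sources(open("/var/log/secure").read().splitlines())` against a real log; a source that trips the threshold with many distinct users and strictly ascending ports is the scripted sweep the post describes, while a human mistyping a password rarely shows either.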