intrusion? - Security


  1. intrusion?

    In my /var/log/messages I have a lot (6000+) of:

    Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
    Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
    Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
    Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
    Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
    Jul 16 12:51:28 sole sshd[6679]: Invalid user eppc from 72.3.243.92
    Jul 16 12:51:30 sole sshd[6681]: Invalid user telnetd from 72.3.243.92
    Jul 16 12:51:32 sole sshd[6683]: Invalid user identd from 72.3.243.92
    Jul 16 12:51:33 sole sshd[6685]: Invalid user gnats from 72.3.243.92
    Jul 16 12:51:35 sole sshd[6687]: Invalid user jeff from 72.3.243.92
    Jul 16 12:51:37 sole sshd[6689]: Invalid user irc from 72.3.243.92

    What is it? Do I need to write to something like abuse@72.3.243.92?


  2. Re: intrusion?

    repo@cannabis:~$ whois 72.3.243.92 | grep abuse
    RAbuseEmail: abuse@rackspace.com
    OrgAbuseEmail: abuse@rackspace.com
    repo@cannabis:~$



    * gtu2003@alice.it :
    > In my /var/log/messages I have a lot (6000+) of:
    >
    > Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
    > Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
    > Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
    > Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
    > Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
    > Jul 16 12:51:28 sole sshd[6679]: Invalid user eppc from 72.3.243.92
    > Jul 16 12:51:30 sole sshd[6681]: Invalid user telnetd from 72.3.243.92
    > Jul 16 12:51:32 sole sshd[6683]: Invalid user identd from 72.3.243.92
    > Jul 16 12:51:33 sole sshd[6685]: Invalid user gnats from 72.3.243.92
    > Jul 16 12:51:35 sole sshd[6687]: Invalid user jeff from 72.3.243.92
    > Jul 16 12:51:37 sole sshd[6689]: Invalid user irc from 72.3.243.92
    >
    > What is it? Do I need to write to something like abuse@72.3.243.92?
    >



    --
    Chaos, panic & disorder - my work here is done
    http://beginnerslinux.org

  3. Re: intrusion?

    Hello,

    On Wednesday 16 July 2008 gtu2003@alice.it wrote to All:


    gt> In my /var/log/messages I have a lot (6000+) of:

    gt> Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from

    gt> What is it? Do I need to write to something like abuse@72.3.243.92?

    Obviously somebody is trying to force an ssh login on your machine, no
    doubt with the purpose to do something nasty.
    Disconnect your system from the internet immediately, at once and now,
    until you are ready!
    I doubt if writing to abuse@72.3.243.92 will have any effect. Most
    likely he is the same as the culprit.
    Check your log files to see if anybody got in already.
    Run a rootkit checker to see if any harm was done. If there was any,
    best format that partition and do a fresh install. Don't use your
    backups, because you don't know if they have been infected.
    Switch off your sshd server if you don't really need it.
    In /etc/hosts.deny put a line like
    ALL: ALL
    to stop access to all services for everybody.
    Put a line in /etc/hosts.allow like
    ALL: 192.168.178.0/255.255.255.0, 127.0.0.0/255.0.0.0
    to allow for addresses on your local network (obviously you have to
    put your own addresses there).
    Add lines to your iptables like
    iptables -A INPUT -p tcp --dport 22 -j DROP
    iptables -A INPUT -p udp --dport 22 -j DROP
    to stop all external access to tcp and udp ports 22 (ssh).
    When you're satisfied that everything is all right, connect to the
    internet again.

    Good luck!

    Regards,

    Hans.

    jdh punt beekhuizen bij duinheks punt nl


  4. Re: intrusion?

    gtu2003@alice.it writes:

    >In my /var/log/messages I have a lot (6000+) of:


    >Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
    >Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
    >Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
    >Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
    >Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
    >Jul 16 12:51:28 sole sshd[6679]: Invalid user eppc from 72.3.243.92
    >Jul 16 12:51:30 sole sshd[6681]: Invalid user telnetd from 72.3.243.92
    >Jul 16 12:51:32 sole sshd[6683]: Invalid user identd from 72.3.243.92
    >Jul 16 12:51:33 sole sshd[6685]: Invalid user gnats from 72.3.243.92
    >Jul 16 12:51:35 sole sshd[6687]: Invalid user jeff from 72.3.243.92
    >Jul 16 12:51:37 sole sshd[6689]: Invalid user irc from 72.3.243.92


    There are ssh password attacks on your system-- trying to see if any of
    your users ( or any users) have weak passwords.
    Ban this IP address from your system by placing the address into a line
    like

    sshd: 72.3.243.92 :deny

    Do that before any sshd line giving universal permission, and after a line
    giving special sites permission.

    sshd: 199.99.99.99 199.222.111. :allow
    sshd: 72.3.243.92 :deny
    sshd: ALL :allow

    This allows anyone from 199.99.99.99 and from the network 199.222.111.0 to
    199.222.111.254 to use sshd, disallows 72.3.243.92, and allows anyone else.
    This is to make sure that no one from your special list accidentally ends up
    in the deny line (it is always the first line which matches which applies).


    >what is it? I need to write to something like abuse@72.3.243.92 ?


    You can try. It probably will not do any good. I now have 140 IP addresses
    in my hosts.allow file that are banned from my site for behaviour like this.


  5. Re: intrusion?

    "Johannes Beekhuizen" writes:

    >Hello,


    >On Wednesday 16 July 2008 gtu2003@alice.it wrote to All:



    > gt> In my /var/log/messages I have a lot (6000+) of:


    > gt> Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from


    > gt> What is it? Do I need to write to something like abuse@72.3.243.92?


    >Obviously somebody is trying to force an ssh login on your machine, no
    >doubt with the purpose to do something nasty.
    >Disconnect your system from the internet immediately, at once and now,
    >until you are ready!


    And "ready" means what? How should he be "ready"? He cannot prevent such
    sshd attacks. They are common.


    >I doubt if writing to abuse@72.3.243.92 will have any effect. Most
    >likely he is the same as the culprit.
    >Check your log files to see if anybody got in already.
    >Run a rootkit checker to see if any harm was done. If there was any,
    >best format that partition and do a fresh install. Don't use your
    >backups, because you don't know if they have been infected.
    >Switch off your sshd server if you don't really need it.
    >In /etc/hosts.deny put a line like
    >ALL: ALL
    >to stop access to all services for everybody.
    >Put a line in /etc/hosts.allow like
    >ALL: 192.168.178.0/255.255.255.0, 127.0.0.0/255.0.0.0
    >to allow for addresses on your local network (obviously you have to
    >put your own addresses there).
    >Add lines to your iptables like
    >iptables -A INPUT -p tcp --dport 22 -j DROP
    >iptables -A INPUT -p udp --dport 22 -j DROP
    >to stop all external access to tcp and udp ports 22 (ssh).
    >When you're satisfied that everything is all right, connect to the
    >internet again.


    And if he actually needs ssh? This is just silly advice in general. ssh is
    one of the most secure ways of connecting in to a machine. IF he never
    intends to connect in from outside, then of course switch off ssh. But if
    he ever travels, that is a bad idea.




  6. Re: intrusion?

    On Wed, 16 Jul 2008 14:39:30 GMT, Unruh wrote:
    > There are ssh password attacks on your system-- trying to see if any of
    > your users ( or any users) have weak passwords.
    > Ban this IP address from your system by placing the address into a line
    > like
    >
    > sshd: 72.3.243.92 :deny
    >
    > Do that before any sshd line giving universal permission, and after a line
    > giving special sites permission.
    >
    > sshd: 199.99.99.99 199.222.111. :allow
    > sshd: 72.3.243.92 :deny
    > sshd: ALL :allow
    >
    > This allows anyone from 199.99.99.99 and from the network 199.222.111.0 to
    > 199.222.111.254 to use sshd, disallows 72.3.243.92, and allows anyone else.
    > This is to make sure that no one from your special list accidentally ends up
    > in the deny line (it is always the first line which matches which applies).


    And for anyone wondering where those lines might go, it would be
    in /etc/hosts.allow if tcpwrappers is installed.

    If using /etc/hosts.allow, I'd recommend creating /etc/hosts.deny with

    #
    # hosts.deny This file describes the names of the hosts which are
    # *not* allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow. In particular
    # you should know that NFS uses portmap!


    ALL: ALL:\
    spawn ( \
    /bin/echo -e "\n\
    TCP Wrappers\: Connection Refused\n\
    By\: $(uname -n)\n\
    Process\: %d (pid %p)\n\
    \n\
    User\: %u\n\
    Host\: %c\n\
    Date\: $(date)\n\
    " | /bin/mail -s \"$(uname -n)\" root ) & : DENY

    #*********************** end host.deny ********************************


    That will email root with a message about attempts which get by hosts.allow.

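    The three replies above (Hans's default-deny layout in hosts.deny and hosts.allow, Unruh's ordered sshd lines, and the spawn-based hosts.deny) all depend on the same tcp_wrappers evaluation order, and the ordering point is easy to get wrong. The following Python model is an added illustration for this thread, not code from any poster and not tcpd itself; it reproduces the search order from hosts_access(5) (hosts.allow first, then hosts.deny, first matching rule wins, no match means access) for the IPv4 client forms used in this thread, so you can see why the deny line must sit above "sshd: ALL : allow". Hostname patterns, EXCEPT lists, backslash line continuations and spawn commands are deliberately left out; the rule sets below are copied from the posts, and the client addresses fed to them are constructed.

```python
"""Model of the tcp_wrappers access-control walk, after hosts_access(5):
hosts.allow is searched first, then hosts.deny, the first matching rule
decides, and a client that matches nothing is allowed.  Added example for
this thread; it is not tcpd and only handles the IPv4 client patterns used
here (ALL, exact address, trailing-dot prefix, net/mask or net/prefix)."""
import ipaddress


def client_matches(pattern, client_ip):
    """Does one client pattern from hosts.allow/hosts.deny cover client_ip?"""
    pattern = pattern.strip()
    ip = ipaddress.IPv4Address(client_ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):              # "199.222.111." covers 199.222.111.0-255
        return client_ip.startswith(pattern)
    if "/" in pattern:                     # "192.168.178.0/255.255.255.0" or "/24"
        return ip in ipaddress.IPv4Network(pattern, strict=False)
    return ip == ipaddress.IPv4Address(pattern)


def parse_rules(text):
    """Turn a hosts.allow or hosts.deny body into [(daemons, clients, option)].

    option is the third field ("allow", "deny" or None).  A spawn command
    would also land in that field; this model does not run it."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].split()
        client_field = fields[1] if len(fields) > 1 else ""
        clients = [c for part in client_field.split(",") for c in part.split()]
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules


def decide(daemon, client_ip, hosts_allow, hosts_deny=""):
    """Return "allow" or "deny" for daemon/client, walking the files like tcpd."""
    for file_verdict, text in (("allow", hosts_allow), ("deny", hosts_deny)):
        for daemons, clients, option in parse_rules(text):
            if "ALL" not in daemons and daemon not in daemons:
                continue
            if not any(client_matches(c, client_ip) for c in clients):
                continue
            # An explicit allow/deny option overrides the file the rule is in.
            return option if option in ("allow", "deny") else file_verdict
    return "allow"                         # nothing matched: access is granted


# Unruh's hosts.allow, in the order given: special sites, the ban, everyone else.
HOSTS_ALLOW = """
sshd: 199.99.99.99 199.222.111. : allow
sshd: 72.3.243.92 : deny
sshd: ALL : allow
"""

# The same lines with the catch-all moved above the ban.  First match wins,
# so the deny line is never reached and the banned address gets in.
HOSTS_ALLOW_MISORDERED = """
sshd: 199.99.99.99 199.222.111. : allow
sshd: ALL : allow
sshd: 72.3.243.92 : deny
"""

# Hans's default-deny layout: everything closed, LAN and loopback opened.
HOSTS_ALLOW_LAN = "ALL: 192.168.178.0/255.255.255.0, 127.0.0.0/255.0.0.0\n"
HOSTS_DENY_ALL = "ALL: ALL\n"

if __name__ == "__main__":
    # Constructed client addresses; 203.0.113.5 is a documentation address.
    for ip in ("72.3.243.92", "199.222.111.7", "203.0.113.5"):
        print(f"{ip:>15}  ordered: {decide('sshd', ip, HOSTS_ALLOW):5}  "
              f"misordered: {decide('sshd', ip, HOSTS_ALLOW_MISORDERED):5}  "
              f"default-deny: {decide('sshd', ip, HOSTS_ALLOW_LAN, HOSTS_DENY_ALL)}")
```

    One caveat before relying on any of this: upstream OpenSSH removed tcp_wrappers (libwrap) support in 6.7, so whether your sshd consults these files at all depends on how your distribution built it; a firewall rule or sshd's own AllowUsers/Match settings do not have that dependency.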

  7. Re: intrusion?

    Unruh wrote:

    > gtu2003@alice.it writes:
    >
    >>In my /var/log/messages I have a lot (6000+) of:

    >
    >>Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
    >>Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
    >>Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
    >>Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
    >>Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
    >>Jul 16 12:51:28 sole sshd[6679]: Invalid user eppc from 72.3.243.92
    >>Jul 16 12:51:30 sole sshd[6681]: Invalid user telnetd from 72.3.243.92
    >>Jul 16 12:51:32 sole sshd[6683]: Invalid user identd from 72.3.243.92
    >>Jul 16 12:51:33 sole sshd[6685]: Invalid user gnats from 72.3.243.92
    >>Jul 16 12:51:35 sole sshd[6687]: Invalid user jeff from 72.3.243.92
    >>Jul 16 12:51:37 sole sshd[6689]: Invalid user irc from 72.3.243.92

    >
    > There are ssh password attacks on your system-- trying to see if any of
    > your users ( or any users) have weak passwords.
    > Ban this IP address from your system by placing the address into a line
    > like
    >
    > sshd: 72.3.243.92 :deny
    >
    > Do that before any sshd line giving universal permission, and after a line
    > giving special sites permission.
    >
    > sshd: 199.99.99.99 199.222.111. :allow
    > sshd: 72.3.243.92 :deny
    > sshd: ALL :allow
    >
    > This allows anyone from 199.99.99.99 and from the network 199.222.111.0
    > to 199.222.111.254 to use sshd, disallows 72.3.243.92, and allows anyone
    > else. This is to make sure that no one from your special list accidentally
    > ends up in the deny line (it is always the first line which matches which
    > applies).
    >
    >
    >>what is it? I need to write to something like abuse@72.3.243.92 ?

    >
    > You can try. It probably will not do any good. I now have 140 IP addresses
    > in my hosts.allow file that are banned from my site for behaviour like
    > this.


    Thank you very much. Does someone know a simple script that does the following:
    * watch the logs
    * if there are a lot of invalid accesses from an IP, block only this IP for an hour

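    What is being asked for above is, in miniature, what DenyHosts, sshguard and fail2ban do. The following Python script is an added illustration for this thread, not any poster's script and not one of those tools: it parses the sshd lines from /var/log/messages, counts failures per source address in a sliding window, bans an address for one hour once it crosses a threshold, and lifts the ban by itself when the hour is up. The sample log is constructed from the lines quoted in this thread plus one legitimate login from 192.0.2.10 (a documentation address); the year is assumed to be 2008 because classic syslog stamps carry none. The firewall action is left to the caller, for example "iptables -I INPUT -s <ip> -j DROP" when a ban starts and the matching "iptables -D" when it lapses, so the decision logic can be tested offline.

```python
"""Sliding-window SSH brute-force detector with one-hour, self-expiring bans.

Added example for this thread (not any poster's script and not DenyHosts,
sshguard or fail2ban).  It decides *which* address to ban and *when* to lift
the ban; wiring that to iptables or hosts.deny is left to the caller."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two failure lines sshd logs most often.  The match is anchored at the
# start only, so trailing "port 40000 ssh2" text is accepted.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<invalid>\S+)"
    r"|Failed password for (?:invalid user )?(?P<failed>\S+))"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def syslog_time(stamp, year=2008):
    """Classic syslog stamps carry no year or zone; the caller supplies the
    year (2008 is assumed here, the year this thread was posted)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_line(line, year=2008):
    """Return (timestamp, user, source_ip) for a failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return syslog_time(m["ts"], year), m["invalid"] or m["failed"], m["ip"]


class BanList:
    """Per-IP sliding-window failure counter plus a ban table with expiry."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=1)):
        self.threshold, self.window, self.ban_for = threshold, window, ban_for
        self.events = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}             # ip -> datetime when the ban lapses

    def expire(self, now):
        """Lift bans whose hour has run out; returns the addresses released."""
        lifted = [ip for ip, until in self.banned_until.items() if until <= now]
        for ip in lifted:
            del self.banned_until[ip]      # the caller would run iptables -D here
        return lifted

    def feed(self, line, year=2008):
        """Feed one log line; returns the IP if this line starts a new ban."""
        parsed = parse_line(line, year)
        if parsed is None:
            return None                    # not a failure line (e.g. Accepted publickey)
        ts, _user, ip = parsed
        self.expire(ts)
        if ip in self.banned_until:
            return None                    # already banned; the ban is not extended
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                    # forget failures older than the window
        if len(q) >= self.threshold:
            self.banned_until[ip] = ts + self.ban_for   # caller runs iptables -I here
            q.clear()
            return ip
        return None

    def is_banned(self, ip, now):
        """True while the address's ban has not yet lapsed at time `now`."""
        self.expire(now)
        return ip in self.banned_until


# Constructed sample: the lines quoted in this thread, then a legitimate user
# who mistyped a password once and logged in with a key, then one more probe
# from the original source after its hour-long ban has lapsed.
SAMPLE_LOG = """\
Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
Jul 16 12:51:28 sole sshd[6679]: Invalid user eppc from 72.3.243.92
Jul 16 12:52:00 sole sshd[6700]: Failed password for jeff from 192.0.2.10 port 40000 ssh2
Jul 16 12:52:30 sole sshd[6702]: Accepted publickey for jeff from 192.0.2.10 port 40001 ssh2
Jul 16 13:51:29 sole sshd[7001]: Invalid user irc from 72.3.243.92
"""


def replay(log_text, year=2008):
    """Run every line through a fresh BanList; returns (new bans, the BanList)."""
    bl = BanList()
    bans = [ip for line in log_text.splitlines() if (ip := bl.feed(line, year))]
    return bans, bl


if __name__ == "__main__":
    bans, bl = replay(SAMPLE_LOG)
    print("banned during replay:", bans)
    print("still banned at the last line:", sorted(bl.banned_until))
```

    With the default threshold the fifth invalid user from 72.3.243.92 at 12:51:27 triggers a ban until 13:51:27; the sixth probe is ignored rather than extending the ban, the single failed password from 192.0.2.10 never reaches the threshold, and by the time the 13:51:29 probe arrives the ban has already been lifted, so the counter starts again from one. Keep the threshold well above what a fumbling legitimate user produces, and whitelist your own management addresses before wiring the ban to the firewall, or a typo from a travel hotel locks you out for an hour.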
  8. Re: intrusion?


    gtu2003@alice.it wrote:

    | Thank you very much. Does someone know a simple script that does the following:
    | * watch the logs
    | * if there are a lot of invalid accesses from an IP, block only this IP
    | for an hour

    What is DenyHosts?
    DenyHosts is a script intended to be run by Linux system administrators
    to help thwart SSH server attacks (also known as dictionary based
    attacks and brute force attacks).

    http://denyhosts.sourceforge.net/


    --
    Regards
    Alo [alo(@)uk2.net]
    PGP at http://pgp.eteo.mondragon.edu [Get "0xF6695A61"]
    Registered Linux user #276144 [http://counter.li.org]


  9. Re: intrusion?

    On Fri, 18 Jul 2008 21:28:11 +0200, gtu2003 wrote:

    > Thank you very much. Does someone know a simple script that does the following:
    > * watch the logs
    > * if there are a lot of invalid accesses from an IP, block only this IP
    > for an hour


    sshguard

    --
    Chaos, panic & disorder - my work here is done
    http://beginnerslinux.org

  10. Re: intrusion?

    Unruh writes:


    >>what is it? I need to write to something like abuse@72.3.243.92 ?

    >
    > You can try. It probably will not do any good. I now have 140 IP addresses
    > in my hosts.allow file that are banned from my site for behaviour like this.


    I had a 12-minute long brute-force attack once. It filled my logs. I
    was pissed. I wrote the ISP in question. They wrote back and said they
    term'ed the guy's account.

    Writing a level-headed, relevant-info-containing abuse report with GMT
    timestamps and actual log files will many times yield results. Many
    times they won't report back that they did something, so you can't
    take no response back as a solid indicator that nothing was done. Keep
    the language simple and sweet, as you might be dealing with someone
    that doesn't speak your language.

    With ssh keys and really cheap USB storage units these days, there are
    really few reasons to use any remote password logins to your
    system. They can't guess at passwords if you're not taking passwords.



    --
    [** America Is A Police State **]
    http://www.hermes-press.com/police_state.htm
    http://www.theregister.co.uk/2008/01..._nsa_internal/
    http://www.wired.com/politics/securi...007/08/wiretap
    http://www.privacyinternational.org/...D=x-347-559597
    AT&T Betrays America: http://www.eff.org/nsa/hepting

  11. Re: intrusion?

    repo already pointed out that the IP belongs to Rackspace; just mail them.
    AFAIK they are a reputable company that won't let this thing go
    unpunished.

    >repo@cannabis:~$ whois 72.3.243.92 | grep abuse
    >RAbuseEmail: abuse@rackspace.com
    >OrgAbuseEmail: abuse@rackspace.com
    >repo@cannabis:~$


    --
    Nurullah Akkaya

  12. Re: intrusion?

    Bit Twister wrote:

    > On Wed, 16 Jul 2008 14:39:30 GMT, Unruh wrote:
    >> There are ssh password attacks on your system-- trying to see if any of
    >> your users ( or any users) have weak passwords.
    >> Ban this IP address from your system by placing the address into a line
    >> like
    >>
    >> sshd: 72.3.243.92 :deny
    >>
    >> Do that before any sshd line giving universal permission, and after a line
    >> giving special sites permission.
    >>
    >> sshd: 199.99.99.99 199.222.111. :allow
    >> sshd: 72.3.243.92 :deny
    >> sshd: ALL :allow
    >>
    >> This allows anyone from 199.99.99.99 and from the network 199.222.111.0 to
    >> 199.222.111.254 to use sshd, disallows 72.3.243.92, and allows anyone else.
    >> This is to make sure that no one from your special list accidentally ends up
    >> in the deny line (it is always the first line which matches which applies).

    >
    > And for anyone wondering where those lines might go, it would be
    > in /etc/hosts.allow if tcpwrappers is installed.
    >
    > If using /etc/hosts.allow, I'd recommend creating /etc/hosts.deny with
    >
    > #
    > # hosts.deny This file describes the names of the hosts which are
    > # *not* allowed to use the local INET services, as decided
    > # by the '/usr/sbin/tcpd' server.
    > #
    > # The portmap line is redundant, but it is left to remind you that
    > # the new secure portmap uses hosts.deny and hosts.allow. In particular
    > # you should know that NFS uses portmap!
    >
    > ALL: ALL:\
    > spawn ( \
    > /bin/echo -e "\n\
    > TCP Wrappers\: Connection Refused\n\
    > By\: $(uname -n)\n\
    > Process\: %d (pid %p)\n\
    > \n\
    > User\: %u\n\
    > Host\: %c\n\
    > Date\: $(date)\n\
    > " | /bin/mail -s \"$(uname -n)\" root ) & : DENY
    >
    > #*********************** end host.deny ********************************
    >
    > That will email root with a message about attempts which get by hosts.allow.


    Which may result in a few thousand mails per second (if your box can
    handle this).


    Florian
    --

    -----------------------------------------------------------------------
    ** Hi! I'm a signature virus! Copy me into your signature, please! **
    -----------------------------------------------------------------------

  13. Re: intrusion?

    gtu2003@alice.it wrote:
    >
    > Thank you very much. Does someone know a simple script that does the following:
    > * watch the logs
    > * if there are a lot of invalid accesses from an IP, block only this IP for an hour


    You can try fail2ban.

    A good way to improve security is to move ssh to a high port, and drop
    requests on port 22.

    Regards,

    --
    Pawel B.
    botul.pl

  14. Re: intrusion?

    "Paweł B." wrote:

    > gtu2003@alice.it wrote:
    >>
    >> Thank you very much. Does someone know a simple script that does the following:
    >> * watch the logs
    >> * if there are a lot of invalid accesses from an IP, block only this IP for an hour

    >
    > You can try fail2ban.
    >
    > A good way to improve security is to move ssh to a high port, and drop
    > requests on port 22.


    That doesn't improve security that much but at least keeps the
    dumb script kiddies out and avoids cluttering your log files.

    To improve security disable password authentication if that's possible
    in your environment.


    Florian
    --

    -----------------------------------------------------------------------
    ** Hi! I'm a signature virus! Copy me into your signature, please! **
    -----------------------------------------------------------------------

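    The last two replies make the point that matters: moving the port only thins the log, while turning off password authentication removes the thing being guessed. The following Python checker is an added illustration for this thread, not any poster's code. It reads an sshd_config and reports the settings that still leave a password-guessing surface, applying the rule from sshd_config(5) that the first value obtained for a keyword wins (so a hardening line appended below an earlier "PasswordAuthentication yes" does nothing), keeping lines under a Match block separate from the global scope, and treating ChallengeResponseAuthentication as the alias of KbdInteractiveAuthentication that it is in current OpenSSH. Both sample configurations are constructed; the defaults table is from sshd_config(5) and the PermitRootLogin default is the one in effect since OpenSSH 7.0.

```python
"""sshd_config audit for the password-guessing surface discussed above.

Added example for this thread, not any poster's code.  Applies the
first-value-wins rule from sshd_config(5), keeps Match-block lines out of
the global scope, and folds the deprecated ChallengeResponseAuthentication
keyword into its current alias KbdInteractiveAuthentication."""
import re

# Defaults from sshd_config(5) for the keywords checked here.  PermitRootLogin
# has defaulted to prohibit-password since OpenSSH 7.0 (it was "yes" before).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
KEYVAL_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")   # "Key value" or "Key=value"


def effective_settings(text):
    """Return (global_settings, match_lines, ignored_lines).

    global_settings: {keyword: (value, line_no)}, first value seen wins;
    match_lines:     [(match_condition, keyword, value)] for lines under Match;
    ignored_lines:   [(line_no, keyword, value)] later global repeats whose
                     value differs from the effective one and so have no effect."""
    settings, match_lines, ignored = {}, [], []
    in_match = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEYVAL_RE.match(line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        key = ALIASES.get(key.lower(), key.lower())
        if key == "match":
            in_match = value               # everything below is conditional
        elif in_match is not None:
            match_lines.append((in_match, key, value))
        elif key not in settings:
            settings[key] = (value, n)
        elif settings[key][0].lower() != value.lower():
            ignored.append((n, key, value))
    return settings, match_lines, ignored


def audit(text):
    """List the findings a reviewer would raise against the global scope."""
    settings, _match_lines, ignored = effective_settings(text)

    def val(key):
        return settings.get(key, (DEFAULTS.get(key, ""), None))[0].lower()

    findings = []
    if val("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: remote password guessing is possible")
    if val("kbdinteractiveauthentication") == "yes":
        findings.append("KbdInteractiveAuthentication yes: PAM can still prompt for a password")
    if val("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root itself can be targeted")
    if val("pubkeyauthentication") == "no":
        findings.append("PubkeyAuthentication no: keys cannot replace passwords")
    for n, key, value in ignored:
        first_value, first_n = settings[key]
        findings.append(f"line {n}: {key} {value} is ignored; "
                        f"the first value ({first_value}, line {first_n}) wins")
    return findings


# Constructed: a typical as-shipped file where the hardening line someone
# appended at the bottom is silently ignored because line 5 was read first.
WEAK_CONFIG = """\
# sshd_config as shipped, plus one late edit at the bottom
# (constructed for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
"""

# Constructed: keys only from the internet, passwords only from the LAN range
# used earlier in this thread, root never by password.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match Address 192.168.178.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

    Run it against your live file with audit(open("/etc/ssh/sshd_config").read()) before and after editing, then check the result from outside with "ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host", which should be refused outright rather than prompt. Newer OpenSSH also has "sshd -T", which prints the effective configuration and is the authoritative check once the daemon is reloaded.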