Re: these sshmucks are at it again...
VAXman- @SendSpamHere.ORG wrote:
> More ssh attacks. They are mostly a nuisance. However, logs full of
> OPCOM messages like this
>
> %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
> Message from user AUDIT$SERVER on ******
> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
> Auditable event: Network login
> Event time: 18-JUL-2007 08:05:42.85
> PID: 20200D5E
> Process name: TCPIP$SS_BG3304
> Username: TCPIP$SSH
> Process owner: [TCPIP$AUX,TCPIP$SSH]
> Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
> Remote node id: 11223344 (aa.bbb)
> Remote node fullname: aa.bb.cc.dd
> Remote username: TCPIP$SSH
> Posix UID: -2
> Posix GID: -2 (%XFFFFFFFE)
>
> %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
> Message from user AUDIT$SERVER on ******
> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
> Auditable event: Network login failure
> Event time: 18-JUL-2007 08:05:48.42
> PID: 20200D5E
> Process name: TCPIP$SS_BG3304
> Username: TCPIP$SSH
> Remote node fullname: SSH_PASSWORD:some.hackers.net
> Remote username: SSH_11223344
> Status: %LOGIN-F-NOTVALID, user authorization failure
>
> would be much more useful if ONE of the above two logged messages would
> include the username the hacker is trying to use for access. I do not
> see it (the username under attack) in any of the SSH log files either.
>
> This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
> the username under attack, I'd appreciate it. HP, if you are listening,
> this would be a nice feature if it doesn't already exist (I didn't see a
> way to get it when I perused the ssh doc).
>
>
VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
ANAL/AUDI will show you the attempted user names. On my system I see:
Date / Time Type Subtype Node Username
------------------------------------------------------------------------
12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
12-JUL-2007 01:07:59.43 LOGFAIL NETWORK AS600 admin
12-JUL-2007 01:08:00.01 LOGFAIL NETWORK AS600 admin
12-JUL-2007 01:08:00.72 LOGFAIL NETWORK AS600 admin
12-JUL-2007 01:08:01.43 BREAKIN NETWORK AS600 admin
12-JUL-2007 01:08:02.26 BREAKIN NETWORK AS600 guest
12-JUL-2007 01:08:02.91 BREAKIN NETWORK AS600 guest
12-JUL-2007 01:08:03.56 BREAKIN NETWORK AS600 guest
12-JUL-2007 01:08:04.17 BREAKIN NETWORK AS600 guest
12-JUL-2007 01:08:04.89 BREAKIN NETWORK AS600 guest
12-JUL-2007 01:08:05.72 BREAKIN NETWORK AS600 guest
12-JUL-2007 01:08:06.57 BREAKIN NETWORK AS600 Administrato
12-JUL-2007 01:08:07.43 BREAKIN NETWORK AS600 Administrato
12-JUL-2007 01:08:08.14 BREAKIN NETWORK AS600 Administrato
12-JUL-2007 01:08:08.65 BREAKIN NETWORK AS600 Administrato
12-JUL-2007 01:08:09.26 BREAKIN NETWORK AS600 Administrato
12-JUL-2007 01:08:09.88 BREAKIN NETWORK AS600 Administrato
HTH,
Jeff
----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
[url]http://www.newsfeeds.com[/url] The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----
Re: these sshmucks are at it again...
In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell <n8wxs@arrl.net> writes:
>
>
>VAXman- @SendSpamHere.ORG wrote:
>> More ssh attacks. They are mostly a nuisance. However, logs full of
>> OPCOM messages like this
>>
>> %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
>> Message from user AUDIT$SERVER on ******
>> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>> Auditable event: Network login
>> Event time: 18-JUL-2007 08:05:42.85
>> PID: 20200D5E
>> Process name: TCPIP$SS_BG3304
>> Username: TCPIP$SSH
>> Process owner: [TCPIP$AUX,TCPIP$SSH]
>> Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
>> Remote node id: 11223344 (aa.bbb)
>> Remote node fullname: aa.bb.cc.dd
>> Remote username: TCPIP$SSH
>> Posix UID: -2
>> Posix GID: -2 (%XFFFFFFFE)
>>
>> %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
>> Message from user AUDIT$SERVER on ******
>> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>> Auditable event: Network login failure
>> Event time: 18-JUL-2007 08:05:48.42
>> PID: 20200D5E
>> Process name: TCPIP$SS_BG3304
>> Username: TCPIP$SSH
>> Remote node fullname: SSH_PASSWORD:some.hackers.net
>> Remote username: SSH_11223344
>> Status: %LOGIN-F-NOTVALID, user authorization failure
>>
>> would be much more useful if ONE of the above two logged messages would
>> include the username the hacker is trying to use for access. I do not
>> see it (the username under attack) in any of the SSH log files either.
>>
>> This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
>> the username under attack, I'd appreciate it. HP, if you are listening,
>> this would be a nice feature if it doesn't already exist (I didn't see a
>> way to get it when I perused the ssh doc).
>>
>>
>VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>
>ANAL/AUDI will show you the attempted user names. On my system I see:
>
> Date / Time Type Subtype Node Username
> ------------------------------------------------------------------------
>12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
>12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
>12-JUL-2007 01:07:59.43 LOGFAIL NETWORK AS600 admin
>12-JUL-2007 01:08:00.01 LOGFAIL NETWORK AS600 admin
>12-JUL-2007 01:08:00.72 LOGFAIL NETWORK AS600 admin
>12-JUL-2007 01:08:01.43 BREAKIN NETWORK AS600 admin
>12-JUL-2007 01:08:02.26 BREAKIN NETWORK AS600 guest
>12-JUL-2007 01:08:02.91 BREAKIN NETWORK AS600 guest
>12-JUL-2007 01:08:03.56 BREAKIN NETWORK AS600 guest
>12-JUL-2007 01:08:04.17 BREAKIN NETWORK AS600 guest
>12-JUL-2007 01:08:04.89 BREAKIN NETWORK AS600 guest
>12-JUL-2007 01:08:05.72 BREAKIN NETWORK AS600 guest
>12-JUL-2007 01:08:06.57 BREAKIN NETWORK AS600 Administrato
>12-JUL-2007 01:08:07.43 BREAKIN NETWORK AS600 Administrato
>12-JUL-2007 01:08:08.14 BREAKIN NETWORK AS600 Administrato
>12-JUL-2007 01:08:08.65 BREAKIN NETWORK AS600 Administrato
>12-JUL-2007 01:08:09.26 BREAKIN NETWORK AS600 Administrato
>>12-JUL-2007 01:08:09.88 BREAKIN NETWORK AS600 Administrato
From ssh? I don't think so... Here is what I see for both LOGFAIL and
BREAKIN event types in my AUDIT logs:
Date / Time Type Subtype Node Username ID Term
18-JUL-2007 07:55:26.57 BREAKIN NETWORK ****** TCPIP$SSH 20200D4F
18-JUL-2007 07:54:56.92 LOGFAIL NETWORK ****** TCPIP$SSH 20200D4A
Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
"Well my son, life is like a beanstalk, isn't it?"
http://tmesis.com/sig.jpg
Re: these sshmucks are at it again...
VAXman- @SendSpamHere.ORG wrote:
> In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell <n8wxs@arrl.net> writes:
>>
>> VAXman- @SendSpamHere.ORG wrote:
>>> More ssh attacks. They are mostly a nuisance. However, logs full of
>>> OPCOM messages like this
>>>
>>> %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
>>> Message from user AUDIT$SERVER on ******
>>> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>>> Auditable event: Network login
>>> Event time: 18-JUL-2007 08:05:42.85
>>> PID: 20200D5E
>>> Process name: TCPIP$SS_BG3304
>>> Username: TCPIP$SSH
>>> Process owner: [TCPIP$AUX,TCPIP$SSH]
>>> Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
>>> Remote node id: 11223344 (aa.bbb)
>>> Remote node fullname: aa.bb.cc.dd
>>> Remote username: TCPIP$SSH
>>> Posix UID: -2
>>> Posix GID: -2 (%XFFFFFFFE)
>>>
>>> %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
>>> Message from user AUDIT$SERVER on ******
>>> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>>> Auditable event: Network login failure
>>> Event time: 18-JUL-2007 08:05:48.42
>>> PID: 20200D5E
>>> Process name: TCPIP$SS_BG3304
>>> Username: TCPIP$SSH
>>> Remote node fullname: SSH_PASSWORD:some.hackers.net
>>> Remote username: SSH_11223344
>>> Status: %LOGIN-F-NOTVALID, user authorization failure
>>>
>>> would be much more useful if ONE of the above two logged messages would
>>> include the username the hacker is trying to use for access. I do not
>>> see it (the username under attack) in any of the SSH log files either.
>>>
>>> This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
>>> the username under attack, I'd appreciate it. HP, if you are listening,
>>> this would be a nice feature if it doesn't already exist (I didn't see a
>>> way to get it when I perused the ssh doc).
>>>
>>>
>> VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>>
>> ANAL/AUDI will show you the attempted user names. On my system I see:
>>
>> Date / Time Type Subtype Node Username
>> ------------------------------------------------------------------------
>> 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
>> 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
>> 12-JUL-2007 01:07:59.43 LOGFAIL NETWORK AS600 admin
>> 12-JUL-2007 01:08:00.01 LOGFAIL NETWORK AS600 admin
>> 12-JUL-2007 01:08:00.72 LOGFAIL NETWORK AS600 admin
>> 12-JUL-2007 01:08:01.43 BREAKIN NETWORK AS600 admin
>> 12-JUL-2007 01:08:02.26 BREAKIN NETWORK AS600 guest
>> 12-JUL-2007 01:08:02.91 BREAKIN NETWORK AS600 guest
>> 12-JUL-2007 01:08:03.56 BREAKIN NETWORK AS600 guest
>> 12-JUL-2007 01:08:04.17 BREAKIN NETWORK AS600 guest
>> 12-JUL-2007 01:08:04.89 BREAKIN NETWORK AS600 guest
>> 12-JUL-2007 01:08:05.72 BREAKIN NETWORK AS600 guest
>> 12-JUL-2007 01:08:06.57 BREAKIN NETWORK AS600 Administrato
>> 12-JUL-2007 01:08:07.43 BREAKIN NETWORK AS600 Administrato
>> 12-JUL-2007 01:08:08.14 BREAKIN NETWORK AS600 Administrato
>> 12-JUL-2007 01:08:08.65 BREAKIN NETWORK AS600 Administrato
>> 12-JUL-2007 01:08:09.26 BREAKIN NETWORK AS600 Administrato
>> 12-JUL-2007 01:08:09.88 BREAKIN NETWORK AS600 Administrato
>
> From ssh? I don't think so... Here is what I see for both LOGFAIL and
> BREAKIN event types in my AUDIT logs:
>
> Date / Time Type Subtype Node Username ID Term
> 18-JUL-2007 07:55:26.57 BREAKIN NETWORK ****** TCPIP$SSH 20200D4F
>
> 18-JUL-2007 07:54:56.92 LOGFAIL NETWORK ****** TCPIP$SSH 20200D4A
>
>
>
> Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
>
My TCPIP doesn't have ssh as 5.3 is too old.
The output I posted is from ftp attempts.
Live and learn.
Jeff
Re: these sshmucks are at it again...
VAXman- wrote:
> In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell <n8wxs@arrl.net> writes:
>
>>
>>VAXman- @SendSpamHere.ORG wrote:
>>
>>>More ssh attacks. They are mostly a nuisance. However, logs full of
>>>OPCOM messages like this
>>>
>>>%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
>>>Message from user AUDIT$SERVER on ******
>>>Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>>>Auditable event: Network login
>>>Event time: 18-JUL-2007 08:05:42.85
>>>PID: 20200D5E
>>>Process name: TCPIP$SS_BG3304
>>>Username: TCPIP$SSH
>>>Process owner: [TCPIP$AUX,TCPIP$SSH]
>>>Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
>>>Remote node id: 11223344 (aa.bbb)
>>>Remote node fullname: aa.bb.cc.dd
>>>Remote username: TCPIP$SSH
>>>Posix UID: -2
>>>Posix GID: -2 (%XFFFFFFFE)
>>>
>>>%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
>>>Message from user AUDIT$SERVER on ******
>>>Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>>>Auditable event: Network login failure
>>>Event time: 18-JUL-2007 08:05:48.42
>>>PID: 20200D5E
>>>Process name: TCPIP$SS_BG3304
>>>Username: TCPIP$SSH
>>>Remote node fullname: SSH_PASSWORD:some.hackers.net
>>>Remote username: SSH_11223344
>>>Status: %LOGIN-F-NOTVALID, user authorization failure
>>>
>>>would be much more useful if ONE of the above two logged messages would
>>>include the username the hacker is trying to use for access. I do not
>>>see it (the username under attack) in any of the SSH log files either.
>>>
>>>This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
>>>the username under attack, I'd appreciate it. HP, if you are listening,
>>>this would be a nice feature if it doesn't already exist (I didn't see a
>>>way to get it when I perused the ssh doc).
>>>
>>>
>>
>>VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>>
>>ANAL/AUDI will show you the attempted user names. On my system I see:
>>
>> Date / Time Type Subtype Node Username
>> ------------------------------------------------------------------------
>>12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
>>12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
>>12-JUL-2007 01:07:59.43 LOGFAIL NETWORK AS600 admin
>>12-JUL-2007 01:08:00.01 LOGFAIL NETWORK AS600 admin
>>12-JUL-2007 01:08:00.72 LOGFAIL NETWORK AS600 admin
>>12-JUL-2007 01:08:01.43 BREAKIN NETWORK AS600 admin
>>12-JUL-2007 01:08:02.26 BREAKIN NETWORK AS600 guest
>>12-JUL-2007 01:08:02.91 BREAKIN NETWORK AS600 guest
>>12-JUL-2007 01:08:03.56 BREAKIN NETWORK AS600 guest
>>12-JUL-2007 01:08:04.17 BREAKIN NETWORK AS600 guest
>>12-JUL-2007 01:08:04.89 BREAKIN NETWORK AS600 guest
>>12-JUL-2007 01:08:05.72 BREAKIN NETWORK AS600 guest
>>12-JUL-2007 01:08:06.57 BREAKIN NETWORK AS600 Administrato
>>12-JUL-2007 01:08:07.43 BREAKIN NETWORK AS600 Administrato
>>12-JUL-2007 01:08:08.14 BREAKIN NETWORK AS600 Administrato
>>12-JUL-2007 01:08:08.65 BREAKIN NETWORK AS600 Administrato
>>12-JUL-2007 01:08:09.26 BREAKIN NETWORK AS600 Administrato
>>12-JUL-2007 01:08:09.88 BREAKIN NETWORK AS600 Administrato
>
>
> From ssh? I don't think so... Here is what I see for both LOGFAIL and
> BREAKIN event types in my AUDIT logs:
>
> Date / Time Type Subtype Node Username ID Term
> 18-JUL-2007 07:55:26.57 BREAKIN NETWORK ****** TCPIP$SSH 20200D4F
>
> 18-JUL-2007 07:54:56.92 LOGFAIL NETWORK ****** TCPIP$SSH 20200D4A
>
>
>
> Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
>
Don't you have a router and/or firewall that you can configure to block
access from the source IP or network?
Re: these sshmucks are at it again...
On Wed, 18 Jul 2007, Richard B. Gilbert wrote:
> Don't you have a router and/or firewall that you can configure to
> block access from the source IP or network?
Last time I took a look at these SSH attacks, no two sets of attacks
came from the same place.
--
Rob Brown b r o w n a t g m c l d o t c o m
G. Michaels Consulting Ltd. (780)438-9343 (voice)
Edmonton (780)437-3367 (FAX)
http://gmcl.com/
Re: these sshmucks are at it again...
In article <469E8993.1070101@comcast.net>, "Richard B. Gilbert" <rgilbert88@comcast.net> writes:
>
>
>VAXman- wrote:
>> In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell <n8wxs@arrl.net> writes:
>>
>>>
>>>VAXman- @SendSpamHere.ORG wrote:
>>>
>>>>More ssh attacks. They are mostly a nuisance. However, logs full of
>>>>OPCOM messages like this
>>>>
>>>>%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
>>>>Message from user AUDIT$SERVER on ******
>>>>Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>>>>Auditable event: Network login
>>>>Event time: 18-JUL-2007 08:05:42.85
>>>>PID: 20200D5E
>>>>Process name: TCPIP$SS_BG3304
>>>>Username: TCPIP$SSH
>>>>Process owner: [TCPIP$AUX,TCPIP$SSH]
>>>>Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
>>>>Remote node id: 11223344 (aa.bbb)
>>>>Remote node fullname: aa.bb.cc.dd
>>>>Remote username: TCPIP$SSH
>>>>Posix UID: -2
>>>>Posix GID: -2 (%XFFFFFFFE)
>>>>
>>>>%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
>>>>Message from user AUDIT$SERVER on ******
>>>>Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>>>>Auditable event: Network login failure
>>>>Event time: 18-JUL-2007 08:05:48.42
>>>>PID: 20200D5E
>>>>Process name: TCPIP$SS_BG3304
>>>>Username: TCPIP$SSH
>>>>Remote node fullname: SSH_PASSWORD:some.hackers.net
>>>>Remote username: SSH_11223344
>>>>Status: %LOGIN-F-NOTVALID, user authorization failure
>>>>
>>>>would be much more useful if ONE of the above two logged messages would
>>>>include the username the hacker is trying to use for access. I do not
>>>>see it (the username under attack) in any of the SSH log files either.
>>>>
>>>>This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
>>>>the username under attack, I'd appreciate it. HP, if you are listening,
>>>>this would be a nice feature if it doesn't already exist (I didn't see a
>>>>way to get it when I perused the ssh doc).
>>>>
>>>>
>>>
>>>VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>>>
>>>ANAL/AUDI will show you the attempted user names. On my system I see:
>>>
>>> Date / Time Type Subtype Node Username
>>> ------------------------------------------------------------------------
>>>12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
>>>12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
>>>12-JUL-2007 01:07:59.43 LOGFAIL NETWORK AS600 admin
>>>12-JUL-2007 01:08:00.01 LOGFAIL NETWORK AS600 admin
>>>12-JUL-2007 01:08:00.72 LOGFAIL NETWORK AS600 admin
>>>12-JUL-2007 01:08:01.43 BREAKIN NETWORK AS600 admin
>>>12-JUL-2007 01:08:02.26 BREAKIN NETWORK AS600 guest
>>>12-JUL-2007 01:08:02.91 BREAKIN NETWORK AS600 guest
>>>12-JUL-2007 01:08:03.56 BREAKIN NETWORK AS600 guest
>>>12-JUL-2007 01:08:04.17 BREAKIN NETWORK AS600 guest
>>>12-JUL-2007 01:08:04.89 BREAKIN NETWORK AS600 guest
>>>12-JUL-2007 01:08:05.72 BREAKIN NETWORK AS600 guest
>>>12-JUL-2007 01:08:06.57 BREAKIN NETWORK AS600 Administrato
>>>12-JUL-2007 01:08:07.43 BREAKIN NETWORK AS600 Administrato
>>>12-JUL-2007 01:08:08.14 BREAKIN NETWORK AS600 Administrato
>>>12-JUL-2007 01:08:08.65 BREAKIN NETWORK AS600 Administrato
>>>12-JUL-2007 01:08:09.26 BREAKIN NETWORK AS600 Administrato
>>>12-JUL-2007 01:08:09.88 BREAKIN NETWORK AS600 Administrato
>>
>>
>> From ssh? I don't think so... Here is what I see for both LOGFAIL and
>> BREAKIN event types in my AUDIT logs:
>>
>> Date / Time Type Subtype Node Username ID Term
>> 18-JUL-2007 07:55:26.57 BREAKIN NETWORK ****** TCPIP$SSH 20200D4F
>>
>> 18-JUL-2007 07:54:56.92 LOGFAIL NETWORK ****** TCPIP$SSH 20200D4A
>>
>>
>>
>> Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
>>
>
>Don't you have a router and/or firewall that you can configure to block
>access from the source IP or network?
Of course. That's really not the issue. I can't completely block ssh as
I use it when on-the-road and I never know what my IP address will be. I
am just curious, as others have pointed out, whether or not it is a legit
attack or some moron using Administrator or root.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
"Well my son, life is like a beanstalk, isn't it?"
http://tmesis.com/sig.jpg
Re: these sshmucks are at it again...
VAXman- @SendSpamHere.ORG writes:
>In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell <n8wxs@arrl.net> writes:
>>> This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
>>> the username under attack, I'd appreciate it. HP, if you are listening,
>>> this would be a nice feature if it doesn't already exist (I didn't see a
>>> way to get it when I perused the ssh doc).
Unfortunately, SSH doesn't report the username to the audit server
properly. See below.
>>ANAL/AUDI will show you the attempted user names. On my system I see:
>From ssh? I don't think so... Here is what I see for both LOGFAIL and
>BREAKIN event types in my AUDIT logs:
> Date / Time Type Subtype Node Username ID Term
>18-JUL-2007 07:55:26.57 BREAKIN NETWORK ****** TCPIP$SSH 20200D4F
>18-JUL-2007 07:54:56.92 LOGFAIL NETWORK ****** TCPIP$SSH 20200D4A
>Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
I wrote a little program that listens to the audit server, and when it
detects a TCPIP breakin attempt, it'll disable the attacking IP address.
Except it's not all there. I do detect the breakin and figure out the
IP address to disable, but don't actually disable anything. It knows
about SSH, FTP and TELNET breakin attempts. What I found that makes this
a mess:
There is a "remote node address" field where I'd think the IP address of
the attacker would go. TELNET puts it there. So does FTP, but in the
reverse byte order of TELNET! (Big-endian vs. little endian issue)
SSH doesn't use the field at all! I can figure out the SSH attacker
address via a hack.
FTP and TELNET do tell you the username being attacked. SSH does - only
if it exists on the system! Otherwise it uses the username TCPIP$SSH.
What's stopping me from adding the final touch and giving it to you:
Being busy, and writing a simple LIB$SPAWN to do either a:
$ TCPIP SET COMMUNICATION/REJECT=ip.add.re.ss or
$ TCPIP SET ROUTE ip.add.re.ss /GATEWAY=black.hole or something, and
a LIB$SPAWN to do a SET AUDIT, plus cleanup. The hard part is done
and working.
Does anyone know of a system service or $QIO that will do the above TCPIP
commands, or the equivalent of a $ SET AUDIT/LISTENER=mailbox and
$ SET AUDIT/NOLISTEN ? I especially want the latter in an exit handler,
because if the program doesn't shut down properly, the mailbox gets full
and the audit server gets upset and starts suspending all the processes!
I don't want anyone getting pissed off at me because this program hung
your system, even if it's the audit server at fault. If you try to log in
to fix it, the audit server suspends the process before you get a chance
to do anything!
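A detection pass over ANAL/AUDI rows like Jeff's, with the SSH username caveat and the byte-order pitfall Michael describes, as an added example in Python (not code from anyone in this thread). The sample rows, the VMSBOX node name, and which protocol's byte order counts as "reversed" in remote_address are constructed or assumed here.

```python
"""Brute-force burst detection over an OpenVMS ANALYZE/AUDIT brief listing.

Added example for this thread, not code posted by anyone in it. The input
format is modelled on the $ ANALYZE/AUDIT/BRIEF output quoted above; the
sample rows below are constructed, not anyone's real log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One row of the brief listing: timestamp, event type, subtype, node,
# username and an optional process ID. Columns are whitespace-separated.
ROW_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<type>LOGFAIL|BREAKIN)\s+(?P<subtype>\S+)\s+(?P<node>\S+)\s+"
    r"(?P<user>\S+)(?:\s+(?P<pid>[0-9A-F]{8}))?\s*$"
)

# As reported in the thread: TCP/IP Services' SSH only records the real
# target username when that account exists; otherwise the event carries
# the server's own account name, TCPIP$SSH. Treat that as "unknown".
SSH_SERVER_ACCOUNT = "TCPIP$SSH"
UNKNOWN_TARGET = "<unknown: nonexistent account via SSH>"

# Constructed sample: the AS600 rows follow the listing in the thread; the
# VMSBOX rows mimic the SSH case under a made-up node name.
SAMPLE_LISTING = """\
        Date / Time            Type     Subtype   Node    Username   ID
------------------------------------------------------------------------
12-JUL-2007 01:07:58.33  LOGFAIL  NETWORK   AS600   admin
12-JUL-2007 01:07:58.86  LOGFAIL  NETWORK   AS600   admin
12-JUL-2007 01:07:59.43  LOGFAIL  NETWORK   AS600   admin
12-JUL-2007 01:08:00.01  LOGFAIL  NETWORK   AS600   admin
12-JUL-2007 01:08:00.72  LOGFAIL  NETWORK   AS600   admin
12-JUL-2007 01:08:01.43  BREAKIN  NETWORK   AS600   admin
12-JUL-2007 01:08:02.26  BREAKIN  NETWORK   AS600   guest
12-JUL-2007 01:08:02.91  BREAKIN  NETWORK   AS600   guest
12-JUL-2007 01:08:03.56  BREAKIN  NETWORK   AS600   guest
12-JUL-2007 01:08:04.17  BREAKIN  NETWORK   AS600   guest
12-JUL-2007 01:08:04.89  BREAKIN  NETWORK   AS600   guest
12-JUL-2007 01:08:05.72  BREAKIN  NETWORK   AS600   guest
12-JUL-2007 01:08:06.57  BREAKIN  NETWORK   AS600   Administrato
12-JUL-2007 01:08:07.43  BREAKIN  NETWORK   AS600   Administrato
12-JUL-2007 01:08:08.14  BREAKIN  NETWORK   AS600   Administrato
18-JUL-2007 07:54:56.92  LOGFAIL  NETWORK   VMSBOX  TCPIP$SSH  20200D4A
18-JUL-2007 07:55:26.57  BREAKIN  NETWORK   VMSBOX  TCPIP$SSH  20200D4F
"""


def parse_listing(text):
    """Return one dict per LOGFAIL/BREAKIN row; header and other rows are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # column header, separator, or an event type we ignore
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d-%b-%Y %H:%M:%S.%f")
        ev["target"] = UNKNOWN_TARGET if ev["user"] == SSH_SERVER_ACCOUNT else ev["user"]
        events.append(ev)
    return events


def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (node, target) pairs that reach `threshold` failures inside `window`.

    LOGFAIL rows turn into BREAKIN rows once the system's break-in
    threshold (the LGI_BRK_* SYSGEN parameters) is reached, so both
    types count as attempts against the same target.
    """
    by_target = defaultdict(list)
    for ev in events:
        by_target[(ev["node"], ev["target"])].append(ev["ts"])
    bursts = {}
    for key, stamps in by_target.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = {"attempts": len(stamps),
                               "first": stamps[0], "last": stamps[-1]}
                break
    return bursts


def remote_address(raw, reversed_order=False):
    """Render the 4-byte 'remote node address' audit field as a dotted quad.

    The thread notes that TELNET and FTP fill this field in opposite byte
    orders and that SSH leaves it empty. Which protocol writes network
    order is an assumption left to the caller via `reversed_order`.
    """
    if len(raw) != 4:
        return None  # empty (SSH) or malformed: nothing to render
    octets = raw[::-1] if reversed_order else raw
    return ".".join(str(b) for b in octets)


if __name__ == "__main__":
    for (node, target), info in find_bursts(parse_listing(SAMPLE_LISTING)).items():
        print(f"{node}: {info['attempts']} attempts on {target!r} "
              f"between {info['first']} and {info['last']}")
```

With the defaults, admin and guest are flagged; the three Administrato rows and the two TCPIP$SSH rows fall below the threshold, and the SSH rows surface as an unknown target rather than as a login attempt on the TCPIP$SSH account itself.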
Re: these sshmucks are at it again...
In article <jawni.8716$ip4.5898@newsfe12.lga>, VAXman- @SendSpamHere.ORG wrote:
[...]
>I
>am just curious, as others have pointed out, whether or not it is a legit
>attack or some moron using Administrator or root.
>
Most of the ssh "attacks" that I "suffer" seem to come from folks attempting to
login as "SSH" (TCPware 5-7.2 on Alpha VMS 8.3); however, I'm confident enough
that none of them will "break-in", and so I leave the normal SSH port "open",
as kind of a "poor man's Teergrube". :-) The more time the b****rds spend
trying to break into my system, the less time they have to break into some
other poor schmuck's system. A public service, I call it. :-)
[...]
Re: these sshmucks are at it again...
Michael Moroney wrote:
>[snipage]
>
> Does anyone know of a system service or $QIO that will do the above TCPIP
> commands, or the equivalent of a $ SET AUDIT/LISTENER=mailbox and
> $ SET AUDIT/NOLISTEN ? I especially want the latter in an exit handler,
> because if the program doesn't shut down properly, the mailbox gets full
> and the audit server gets upset and starts suspending all the processes!
> I don't want anyone getting pissed off at me because this program hung
> your system, even if it's the audit server at fault. If you try to log in
> to fix it, the audit server suspends the process before you get a chance
> to do anything!
>
In a previous life, I wrote a program that listened to audit server
messages also. I came to the conclusion that the best way to do the
SET AUDIT/NOLISTEN was to declare an exit handler to generate an OPCOM
message (just to let people know what's going on) and then create a
detached process to perform the SET AUDIT/NOLISTEN.
For the SET AUDIT/LISTEN, I just have a command procedure to start the
program as a detached process, and wait in a loop for the appropriate
mailbox logical to appear.
I'm unaware of any documented ways to perform these actions under
program control. If you have access to the source listings however...
HTH
Jim.
--
www.eight-cubed.com
Re: these sshmucks are at it again...
Brad Hamilton wrote:
>The more time the b****rds spend
> trying to break into my system, the less time they have to break into some
> other poor schmuck's system. A public service, I call it. :-)
Then the owners of VMS should port SSH to VAX so that hobbyists could
let the sshmucks try to login on all mighty microvax IIs :-) That would
slow them down :-)
Re: these sshmucks are at it again...
JF Mezei wrote:
> Brad Hamilton wrote:
>
>> The more time the b****rds spend
>> trying to break into my system, the less time they have to break into
>> some
>> other poor schmuck's system. A public service, I call it. :-)
>
>
> Then the owners of VMS should port SSH to VAX so that hobbyists could
> let the sshmucks try to login on all mighty microvax IIs :-) That would
> slow them down :-)
The VAX version of TCPware (and presumably Multinet) supports SSH.
--
John Santos
Evans Griffiths & Hart, Inc.
781-861-0670 ext 539
Re: these sshmucks are at it again...
In article <Pine.LNX.4.61.0707181600130.22771@localhost.localdomain>,
Rob Brown <mylastname@gmcl.com> wrote:
> On Wed, 18 Jul 2007, Richard B. Gilbert wrote:
>
> > Don't you have a router and/or firewall that you can configure to
> > block access from the source IP or network?
>
> Last time I took a look at these SSH attacks, no two sets of attacks
> came from the same place.
I have a feeling these things are driven by zombies. I got fed up and
blocked ssh at my router for several months. When I put it back, I chose
a different port.
But on the spam side, I can go several hours with no attempts, then
suddenly get attacks from 2 or 3 addresses within the space of 1 minute.
A simultaneous attack from Brazil, Portugal and Lithuania does point to
zombies.
--
Paul Sture
Re: these sshmucks are at it again...
In article <slrnf9tbgv.aqh0.bradhamilton@rabbit.gateway.2wire.net>,
bradhamilton@comcast.net (Brad Hamilton) wrote:
> In article <jawni.8716$ip4.5898@newsfe12.lga>, VAXman- @SendSpamHere.ORG
> wrote:
> [...]
> >I
> >am just curious, as others have pointed out, whether or not it is a legit
> >attack or some moron using Administrator or root.
> >
>
> Most of the ssh "attacks" that I "suffer" seem to come from folks attempting
> to
> login as "SSH" (TCPware 5-7.2 on Alpha VMS 8.3); however, I'm confident
> enough
> that none of them will "break-in", and so I leave the normal SSH port "open",
> as kind of a "poor man's Teergrube". :-) The more time the b****rds spend
> trying to break into my system, the less time they have to break into some
> other poor schmuck's system. A public service, I call it. :-)
> [...]
Yes, I've taken that attitude sometimes as well.
My problem is that I can hear the disk activity; such an attack results in a
recognizable rhythm, and I get fed up of that.
PS. Now I think of it, I was a Teergrube myself back when I bought my first
house. The area was newly built and plagued with window and insulation
salesmen. I saw it my public duty to tie them up for as long as possible
as a service to my neighbours :-)
--
Paul Sture
Re: these sshmucks are at it again...
In article <469eb405@dnews.tpgi.com.au>, Jim Duff <spam.this@127.0.0.1>
wrote:
> Michael Moroney wrote:
> >[snipage]
> >
> > Does anyone know of a system service or $QIO that will do the above TCPIP
> > commands, or the equivalent of a $ SET AUDIT/LISTENER=mailbox and
> > $ SET AUDIT/NOLISTEN ? I especially want the latter in an exit handler,
> > because if the program doesn't shut down properly, the mailbox gets full
> > and the audit server gets upset and starts suspending all the processes!
> > I don't want anyone getting pissed off at me because this program hung
> > your system, even if it's the audit server at fault. If you try to log in
> > to fix it, the audit server suspends the process before you get a chance
> > to do anything!
> >
>
> In a previous life, I wrote a program that listened to audit server
> messages also. I came to the conclusion that the best way to do the
> SET AUDIT/NOLISTEN was to declare an exit handler to generate an OPCOM
> message (just to let people know what's going on) and then create a
> detached process to perform the SET AUDIT/NOLISTEN.
>
> For the SET AUDIT/LISTEN, I just have a command procedure to start the
> program as a detached process, and wait in a loop for the appropriate
> mailbox logical to appear.
FWIW, the early 1990s code snippet I have does (did?) a spawn for SET
AUDIT/(NO)LISTEN.
Can a call to spawn work if the audit mailbox is already there and full?
There's some error processing in this routine which does a
"COPY <audit_mailbox> NL:"
if the SET AUDIT/LISTEN command fails. It does this with a 12 second
timeout since you won't see an EOF from the mailbox.
> I'm unaware of any documented ways to perform these actions under
> program control. If you have access to the source listings however...
>
I've just scanned the V8.3 System Services manual, but didn't find
anything obvious.
--
Paul Sture
Re: these sshmucks are at it again...
P. Sture wrote:
> In article <slrnf9tbgv.aqh0.bradhamilton@rabbit.gateway.2wire.net>,
> bradhamilton@comcast.net (Brad Hamilton) wrote:
>
>
>>In article <jawni.8716$ip4.5898@newsfe12.lga>, VAXman- @SendSpamHere.ORG
>>wrote:
>>[...]
>>
>>>I
>>>am just curious, as others have pointed out, whether or not it is a legit
>>>attack or some moron using Administrator or root.
>>>
>>
>>Most of the ssh "attacks" that I "suffer" seem to come from folks attempting
>>to
>>login as "SSH" (TCPware 5-7.2 on Alpha VMS 8.3); however, I'm confident
>>enough
>>that none of them will "break-in", and so I leave the normal SSH port "open",
>>as kind of a "poor man's Teergrube". :-) The more time the b****rds spend
>>trying to break into my system, the less time they have to break into some
>>other poor schmuck's system. A public service, I call it. :-)
>>[...]
>
>
> Yes, I've taken that attitude sometimes as well.
>
> My problem is that I can hear the disk activity; such an attack results in a
> recognizable rhythm, and I get fed up of that.
>
<snip>
Consider getting a cheap router/firewall from Linksys, DLink, etc. Mine
does not allow ANY incoming traffic that is not in response to some
outgoing traffic! IOW, don't call me, I'll call you!!
Just for grins, I look at the logs this thing keeps and see three to six
attempts per minute around the clock! Most probes go to ports 1028 and
1029; I've never figured out what that's supposed to accomplish.
I suppose it's not much help if you are trying to maintain a website but
otherwise. . . .
Re: these sshmucks are at it again...
In article <469F526A.6070404@comcast.net>,
"Richard B. Gilbert" <rgilbert88@comcast.net> writes:
> P. Sture wrote:
>> In article <slrnf9tbgv.aqh0.bradhamilton@rabbit.gateway.2wire.net>,
>> bradhamilton@comcast.net (Brad Hamilton) wrote:
>>
>>
>>>In article <jawni.8716$ip4.5898@newsfe12.lga>, VAXman- @SendSpamHere.ORG
>>>wrote:
>>>[...]
>>>
>>>>I
>>>>am just curious, as others have pointed out, whether or not it is a legit
>>>>attack or some moron using Administrator or root.
>>>>
>>>
>>>Most of the ssh "attacks" that I "suffer" seem to come from folks attempting
>>>to
>>>login as "SSH" (TCPware 5-7.2 on Alpha VMS 8.3); however, I'm confident
>>>enough
>>>that none of them will "break-in", and so I leave the normal SSH port "open",
>>>as kind of a "poor man's Teergrube". :-) The more time the b****rds spend
>>>trying to break into my system, the less time they have to break into some
>>>other poor schmuck's system. A public service, I call it. :-)
>>>[...]
>>
>>
>> Yes, I've taken that attitude sometimes as well.
>>
>> My problem is that I can hear the disk activity; such an attack results in a
>> recognizable rhythm, and I get fed up of that.
>>
>
> <snip>
>
> Consider getting a cheap router/firewall from Linksys, DLink, etc. Mine
> does not allow ANY incoming traffic that is not in response to some
> outgoing traffic! IOW, don't call me, I'll call you!!
>
> Just for grins, I look at the logs this thing keeps and see three to six
> attempts per minute around the clock! Most probes go to ports 1028 and
> 1029; I've never figured out what that's supposed to accomplish.
Windows Messenger
bill
--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
bill@cs.scranton.edu | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>
Re: these sshmucks are at it again...
In article <469F526A.6070404@comcast.net>, "Richard B. Gilbert" <rgilbert88@comcast.net> writes:
>
>
>P. Sture wrote:
>> In article <slrnf9tbgv.aqh0.bradhamilton@rabbit.gateway.2wire.net>,
>> bradhamilton@comcast.net (Brad Hamilton) wrote:
>>
>>
>>>In article <jawni.8716$ip4.5898@newsfe12.lga>, VAXman- @SendSpamHere.ORG
>>>wrote:
>>>[...]
>>>
>>>>I
>>>>am just curious, as others have pointed out, whether or not it is a legit
>>>>attack or some moron using Administrator or root.
>>>>
>>>
>>>Most of the ssh "attacks" that I "suffer" seem to come from folks attempting
>>>to
>>>login as "SSH" (TCPware 5-7.2 on Alpha VMS 8.3); however, I'm confident
>>>enough
>>>that none of them will "break-in", and so I leave the normal SSH port "open",
>>>as kind of a "poor man's Teergrube". :-) The more time the b****rds spend
>>>trying to break into my system, the less time they have to break into some
>>>other poor schmuck's system. A public service, I call it. :-)
>>>[...]
>>
>>
>> Yes, I've taken that attitude sometimes as well.
>>
>> My problem is that I can hear the disk activity; such an attack results in a
>> recognizable rhythm, and I get fed up of that.
>>
>
><snip>
>
>Consider getting a cheap router/firewall from Linksys, DLink, etc. Mine
>does not allow ANY incoming traffic that is not in response to some
>outgoing traffic! IOW, don't call me, I'll call you!!
I have a not so cheap router and a Juniper NetScreen 5GT firewall. This
still doesn't get to the issue I was trying to make and that is to log in
the security messages/audit trail the username being attempted.
>Just for grins, I look at the logs this thing keeps and see three to six
>attempts per minute around the clock! Most probes go to ports 1028 and
>1029; I've never figured out what that's supposed to accomplish.
IANA's list shows 1028 deprecated and 1029 is called "Solid Mux Server".
I don't know why they'd look to probe these other than there may be some
way to distinguish from the response whether or not there's some firewall
in the mix.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
"Well my son, life is like a beanstalk, isn't it?"
http://tmesis.com/sig.jpg
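The point above is that the audit trail is only useful against this kind of noise once it records the username being attempted. As an added example (not code posted by anyone in this thread), here is the defender-side processing that becomes possible when it does: a parser for constructed security-alarm records in the OPCOM "Field: value" layout that groups login failures by remote host, lists the usernames each host tried (a quick way to tell a credential spray from one person fat-fingering a password), and flags hosts exceeding a failure rate within a sliding window. The field names, the "SSH_PASSWORD:" prefix on the remote-node field, hostnames and usernames are assumptions and constructed sample data; check the field names against the actual audit records on the system at hand.

```python
"""Summarize SSH login failures from OpenVMS-style security alarm text.

Added example for this thread, not code posted by anyone in it. It parses
constructed alarm records in the OPCOM "Field: value" layout, groups
login failures by remote host, lists the usernames each host tried, and
flags hosts that exceed a failure rate within a sliding time window.
Field names, hostnames and usernames below are assumptions / sample data.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# An OPCOM banner line starts each alarm record (assumed layout).
RECORD_SPLIT = re.compile(r"^%{5,}\s*OPCOM\b.*$", re.MULTILINE)
# "Field name: value"; non-greedy so the first colon ends the field name.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
TIME_FMT = "%d-%b-%Y %H:%M:%S.%f"   # e.g. 18-JUL-2007 08:05:48.42


def parse_alarms(text):
    """Split alarm text into one dict of field -> value per OPCOM block."""
    records = []
    for block in RECORD_SPLIT.split(text):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields:
            records.append(fields)
    return records


def source_host(record):
    """Remote host, with an assumed 'METHOD:' prefix (e.g. SSH_PASSWORD:) stripped."""
    return record.get("Remote node fullname", "?").rsplit(":", 1)[-1]


def max_in_window(times, window_seconds):
    """Largest number of events inside any span of window_seconds.

    times must be sorted; two-pointer sweep, O(n).
    """
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(records, window_seconds=60, rate_threshold=5):
    """Per-host failure counts, usernames tried per host, and hosts over the rate."""
    fails = [r for r in records
             if r.get("Auditable event", "").lower() == "network login failure"]
    per_host = Counter(source_host(r) for r in fails)
    usernames = defaultdict(set)
    times = defaultdict(list)
    for r in fails:
        host = source_host(r)
        usernames[host].add(r.get("Remote username", "?"))
        times[host].append(datetime.strptime(r["Event time"], TIME_FMT))
    noisy = {}
    for host, ts in times.items():
        peak = max_in_window(sorted(ts), window_seconds)
        if peak >= rate_threshold:
            noisy[host] = peak
    return {
        "per_host": dict(per_host),
        "usernames": {h: sorted(u) for h, u in usernames.items()},
        "noisy": noisy,
    }


def make_alarm(ts, event, host, user, status=None):
    """Build one constructed alarm record (sample data, not a captured log)."""
    lines = [
        f"%%%%%%%%%%% OPCOM {ts} %%%%%%%%%%%",
        "Message from user AUDIT$SERVER on NODE1",
        f"Auditable event: {event}",
        f"Event time: {ts}",
        f"Remote node fullname: SSH_PASSWORD:{host}",
        f"Remote username: {user}",
    ]
    if status:
        lines.append(f"Status: {status}")
    return "\n".join(lines) + "\n\n"


# Constructed sample: one host sprays six usernames in about 40 s, another
# host fails once, and one record is a successful login that must be ignored.
_FAIL = "%LOGIN-F-NOTVALID, user authorization failure"
_BURST = [("08:05:48.42", "admin"), ("08:05:55.10", "root"), ("08:06:02.77", "test"),
          ("08:06:10.03", "guest"), ("08:06:18.61", "oracle"), ("08:06:27.90", "admin")]
SAMPLE_ALARMS = (
    "".join(make_alarm(f"18-JUL-2007 {t}", "Network login failure",
                       "scanner.example", u, _FAIL) for t, u in _BURST)
    + make_alarm("18-JUL-2007 09:12:00.00", "Network login failure",
                 "other.example", "admin", _FAIL)
    + make_alarm("18-JUL-2007 09:30:00.00", "Network login", "laptop.example", "paul")
)

if __name__ == "__main__":
    report = summarize(parse_alarms(SAMPLE_ALARMS))
    for host, n in sorted(report["per_host"].items(), key=lambda kv: -kv[1]):
        flag = " (over rate)" if host in report["noisy"] else ""
        print(f"{host}: {n} failures, tried {report['usernames'][host]}{flag}")
```

The window sweep is the part worth keeping even if the record format differs: counting failures per minute per source is what separates a scripted sweep (steady rhythm, many distinct usernames) from a legitimate user retrying, and it is the same measure a router log gives you for dropped packets, only now attributed to a username.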
Re: these sshmucks are at it again...
In article <d56b0$469eb98b$cef8887a$15420@TEKSAVVY.COM>, JF Mezei <jfmezei.spamnot@vaxination.ca> writes:
>
> Then the owners of VMS should port SSH to VAX so that hobbyists could
> let the sshmucks try to login on all mighty microvax IIs :-) That would
> slow them down :-)
?
My VAXen have been running SSH for years.
Re: these sshmucks are at it again...
VAXman- wrote:
> In article <469F526A.6070404@comcast.net>, "Richard B. Gilbert" <rgilbert88@comcast.net> writes:
>
>>
>>P. Sture wrote:
>>
>>>In article <slrnf9tbgv.aqh0.bradhamilton@rabbit.gateway.2wire.net>,
>>> bradhamilton@comcast.net (Brad Hamilton) wrote:
>>>
>>>
>>>
>>>>In article <jawni.8716$ip4.5898@newsfe12.lga>, VAXman- @SendSpamHere.ORG
>>>>wrote:
>>>>[...]
>>>>
>>>>
>>>>>I
>>>>>am just curious, as others have pointed out, whether or not it is a legit
>>>>>attack or some moron using Administrator or root.
>>>>>
>>>>
>>>>Most of the ssh "attacks" that I "suffer" seem to come from folks attempting
>>>>to
>>>>login as "SSH" (TCPware 5-7.2 on Alpha VMS 8.3); however, I'm confident
>>>>enough
>>>>that none of them will "break-in", and so I leave the normal SSH port "open",
>>>>as kind of a "poor man's Teergrube". :-) The more time the b****rds spend
>>>>trying to break into my system, the less time they have to break into some
>>>>other poor schmuck's system. A public service, I call it. :-)
>>>>[...]
>>>
>>>
>>>Yes, I've taken that attitude sometimes as well.
>>>
>>>My problem is that I can hear the disk activity; such an attack results in a
>>>recognizable rhythm, and I get fed up of that.
>>>
>>
>><snip>
>>
>>Consider getting a cheap router/firewall from Linksys, DLink, etc. Mine
>>does not allow ANY incoming traffic that is not in response to some
>>outgoing traffic! IOW, don't call me, I'll call you!!
>
>
> I have a not so cheap router and a Juniper NetScreen 5GT firewall. This
> still doesn't get to the issue I was trying to make and that is to log in
> the security messages/audit trail the username being attempted.
>
>
<snip>
If you had the perp's name and address, what could you do? Odds are
that he's in Peking or Singapore or is relaying through a zombie
somewhere. . . . This sort of **** hits the bit-bucket at my router and
I simply ignore it.
Re: these sshmucks are at it again...
In article <469F526A.6070404@comcast.net>,
"Richard B. Gilbert" <rgilbert88@comcast.net> wrote:
> P. Sture wrote:
>
> > My problem is that I can hear the disk activity; such an attack results in
> > a recognizable rhythm, and I get fed up of that.
> >
>
> <snip>
>
> Consider getting a cheap router/firewall from Linksys, DLink, etc. Mine
> does not allow ANY incoming traffic that is not in response to some
> outgoing traffic! IOW, don't call me, I'll call you!!
>
<snip>
I already have an el cheapo, and it does block unsolicited incoming
connections unless I deliberately enable them. Unfortunately the logging
function has never worked.
--
Paul Sture