Re: these sshmucks are at it again... - VMS



Thread: Re: these sshmucks are at it again...

  1. Re: these sshmucks are at it again...

    VAXman- @SendSpamHere.ORG wrote:
    > More ssh attacks. They are mostly a nuisance. However, logs full of
    > OPCOM messages like this
    >
    > %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
    > Message from user AUDIT$SERVER on ******
    > Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
    > Auditable event: Network login
    > Event time: 18-JUL-2007 08:05:42.85
    > PID: 20200D5E
    > Process name: TCPIP$SS_BG3304
    > Username: TCPIP$SSH
    > Process owner: [TCPIP$AUX,TCPIP$SSH]
    > Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
    > Remote node id: 11223344 (aa.bbb)
    > Remote node fullname: aa.bb.cc.dd
    > Remote username: TCPIP$SSH
    > Posix UID: -2
    > Posix GID: -2 (%XFFFFFFFE)
    >
    > %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
    > Message from user AUDIT$SERVER on ******
    > Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
    > Auditable event: Network login failure
    > Event time: 18-JUL-2007 08:05:48.42
    > PID: 20200D5E
    > Process name: TCPIP$SS_BG3304
    > Username: TCPIP$SSH
    > Remote node fullname: SSH_PASSWORD:some.hackers.net
    > Remote username: SSH_11223344
    > Status: %LOGIN-F-NOTVALID, user authorization failure
    >
    > would be much more useful if ONE of the above two logged messages would
    > include the username the hacker is trying to use for access. I do not
    > see it (the username under attack) in any of the SSH log files either.
    >
    > This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
    > the username under attack, I'd appreciate it. HP, if you are listening,
    > this would be a nice feature if it doesn't already exist (I didn't see a
    > way to get it when I perused the ssh doc).
    >
    >

    VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.

    ANAL/AUDI will show you the attempted user names. On my system I see:

    Date / Time Type Subtype Node Username
    ------------------------------------------------------------------------
    12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
    12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
    12-JUL-2007 01:07:59.43 LOGFAIL NETWORK AS600 admin
    12-JUL-2007 01:08:00.01 LOGFAIL NETWORK AS600 admin
    12-JUL-2007 01:08:00.72 LOGFAIL NETWORK AS600 admin
    12-JUL-2007 01:08:01.43 BREAKIN NETWORK AS600 admin
    12-JUL-2007 01:08:02.26 BREAKIN NETWORK AS600 guest
    12-JUL-2007 01:08:02.91 BREAKIN NETWORK AS600 guest
    12-JUL-2007 01:08:03.56 BREAKIN NETWORK AS600 guest
    12-JUL-2007 01:08:04.17 BREAKIN NETWORK AS600 guest
    12-JUL-2007 01:08:04.89 BREAKIN NETWORK AS600 guest
    12-JUL-2007 01:08:05.72 BREAKIN NETWORK AS600 guest
    12-JUL-2007 01:08:06.57 BREAKIN NETWORK AS600 Administrato
    12-JUL-2007 01:08:07.43 BREAKIN NETWORK AS600 Administrato
    12-JUL-2007 01:08:08.14 BREAKIN NETWORK AS600 Administrato
    12-JUL-2007 01:08:08.65 BREAKIN NETWORK AS600 Administrato
    12-JUL-2007 01:08:09.26 BREAKIN NETWORK AS600 Administrato
    12-JUL-2007 01:08:09.88 BREAKIN NETWORK AS600 Administrato


    HTH,

    Jeff

    ----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
    http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
    ----= East and West-Coast Server Farms - Total Privacy via Encryption =----

  2. Re: these sshmucks are at it again...

    In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell writes:
    >
    >
    >VAXman- @SendSpamHere.ORG wrote:
    >> More ssh attacks. They are mostly a nuisance. However, logs full of
    >> OPCOM messages like this
    >>
    >> %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
    >> Message from user AUDIT$SERVER on ******
    >> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
    >> Auditable event: Network login
    >> Event time: 18-JUL-2007 08:05:42.85
    >> PID: 20200D5E
    >> Process name: TCPIP$SS_BG3304
    >> Username: TCPIP$SSH
    >> Process owner: [TCPIP$AUX,TCPIP$SSH]
    >> Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
    >> Remote node id: 11223344 (aa.bbb)
    >> Remote node fullname: aa.bb.cc.dd
    >> Remote username: TCPIP$SSH
    >> Posix UID: -2
    >> Posix GID: -2 (%XFFFFFFFE)
    >>
    >> %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
    >> Message from user AUDIT$SERVER on ******
    >> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
    >> Auditable event: Network login failure
    >> Event time: 18-JUL-2007 08:05:48.42
    >> PID: 20200D5E
    >> Process name: TCPIP$SS_BG3304
    >> Username: TCPIP$SSH
    >> Remote node fullname: SSH_PASSWORD:some.hackers.net
    >> Remote username: SSH_11223344
    >> Status: %LOGIN-F-NOTVALID, user authorization failure
    >>
    >> would be much more useful if ONE of the above two logged messages would
    >> include the username the hacker is trying to use for access. I do not
    >> see it (the username under attack) in any of the SSH log files either.
    >>
    >> This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
    >> the username under attack, I'd appreciate it. HP, if you are listening,
    >> this would be a nice feature if it doesn't already exist (I didn't see a
    >> way to get it when I perused the ssh doc).
    >>
    >>

    >VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
    >
    >ANAL/AUDI will show you the attempted user names. On my system I see:
    >
    > Date / Time Type Subtype Node Username
    > ------------------------------------------------------------------------
    >12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
    >12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
    >12-JUL-2007 01:07:59.43 LOGFAIL NETWORK AS600 admin
    >12-JUL-2007 01:08:00.01 LOGFAIL NETWORK AS600 admin
    >12-JUL-2007 01:08:00.72 LOGFAIL NETWORK AS600 admin
    >12-JUL-2007 01:08:01.43 BREAKIN NETWORK AS600 admin
    >12-JUL-2007 01:08:02.26 BREAKIN NETWORK AS600 guest
    >12-JUL-2007 01:08:02.91 BREAKIN NETWORK AS600 guest
    >12-JUL-2007 01:08:03.56 BREAKIN NETWORK AS600 guest
    >12-JUL-2007 01:08:04.17 BREAKIN NETWORK AS600 guest
    >12-JUL-2007 01:08:04.89 BREAKIN NETWORK AS600 guest
    >12-JUL-2007 01:08:05.72 BREAKIN NETWORK AS600 guest
    >12-JUL-2007 01:08:06.57 BREAKIN NETWORK AS600 Administrato
    >12-JUL-2007 01:08:07.43 BREAKIN NETWORK AS600 Administrato
    >12-JUL-2007 01:08:08.14 BREAKIN NETWORK AS600 Administrato
    >12-JUL-2007 01:08:08.65 BREAKIN NETWORK AS600 Administrato
    >12-JUL-2007 01:08:09.26 BREAKIN NETWORK AS600 Administrato
    >12-JUL-2007 01:08:09.88 BREAKIN NETWORK AS600 Administrato


    From ssh? I don't think so... Here is what I see for both LOGFAIL and
    BREAKIN event types in my AUDIT logs:

    Date / Time Type Subtype Node Username ID Term
    18-JUL-2007 07:55:26.57 BREAKIN NETWORK ****** TCPIP$SSH 20200D4F

    18-JUL-2007 07:54:56.92 LOGFAIL NETWORK ****** TCPIP$SSH 20200D4A



    Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/sig.jpg

  3. Re: these sshmucks are at it again...

    VAXman- @SendSpamHere.ORG wrote:
    > In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell writes:
    >>
    >> VAXman- @SendSpamHere.ORG wrote:
    >>> More ssh attacks. They are mostly a nuisance. However, logs full of
    >>> OPCOM messages like this
    >>>
    >>> %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
    >>> Message from user AUDIT$SERVER on ******
    >>> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
    >>> Auditable event: Network login
    >>> Event time: 18-JUL-2007 08:05:42.85
    >>> PID: 20200D5E
    >>> Process name: TCPIP$SS_BG3304
    >>> Username: TCPIP$SSH
    >>> Process owner: [TCPIP$AUX,TCPIP$SSH]
    >>> Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
    >>> Remote node id: 11223344 (aa.bbb)
    >>> Remote node fullname: aa.bb.cc.dd
    >>> Remote username: TCPIP$SSH
    >>> Posix UID: -2
    >>> Posix GID: -2 (%XFFFFFFFE)
    >>>
    >>> %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
    >>> Message from user AUDIT$SERVER on ******
    >>> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
    >>> Auditable event: Network login failure
    >>> Event time: 18-JUL-2007 08:05:48.42
    >>> PID: 20200D5E
    >>> Process name: TCPIP$SS_BG3304
    >>> Username: TCPIP$SSH
    >>> Remote node fullname: SSH_PASSWORD:some.hackers.net
    >>> Remote username: SSH_11223344
    >>> Status: %LOGIN-F-NOTVALID, user authorization failure
    >>>
    >>> would be much more useful if ONE of the above two logged messages would
    >>> include the username the hacker is trying to use for access. I do not
    >>> see it (the username under attack) in any of the SSH log files either.
    >>>
    >>> This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
    >>> the username under attack, I'd appreciate it. HP, if you are listening,
    >>> this would be a nice feature if it doesn't already exist (I didn't see a
    >>> way to get it when I perused the ssh doc).
    >>>
    >>>

    >> VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
    >>
    >> ANAL/AUDI will show you the attempted user names. On my system I see:
    >>
    >> Date / Time Type Subtype Node Username
    >> ------------------------------------------------------------------------
    >> 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
    >> 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
    >> 12-JUL-2007 01:07:59.43 LOGFAIL NETWORK AS600 admin
    >> 12-JUL-2007 01:08:00.01 LOGFAIL NETWORK AS600 admin
    >> 12-JUL-2007 01:08:00.72 LOGFAIL NETWORK AS600 admin
    >> 12-JUL-2007 01:08:01.43 BREAKIN NETWORK AS600 admin
    >> 12-JUL-2007 01:08:02.26 BREAKIN NETWORK AS600 guest
    >> 12-JUL-2007 01:08:02.91 BREAKIN NETWORK AS600 guest
    >> 12-JUL-2007 01:08:03.56 BREAKIN NETWORK AS600 guest
    >> 12-JUL-2007 01:08:04.17 BREAKIN NETWORK AS600 guest
    >> 12-JUL-2007 01:08:04.89 BREAKIN NETWORK AS600 guest
    >> 12-JUL-2007 01:08:05.72 BREAKIN NETWORK AS600 guest
    >> 12-JUL-2007 01:08:06.57 BREAKIN NETWORK AS600 Administrato
    >> 12-JUL-2007 01:08:07.43 BREAKIN NETWORK AS600 Administrato
    >> 12-JUL-2007 01:08:08.14 BREAKIN NETWORK AS600 Administrato
    >> 12-JUL-2007 01:08:08.65 BREAKIN NETWORK AS600 Administrato
    >> 12-JUL-2007 01:08:09.26 BREAKIN NETWORK AS600 Administrato
    >> 12-JUL-2007 01:08:09.88 BREAKIN NETWORK AS600 Administrato

    >
    > From ssh? I don't think so... Here is what I see for both LOGFAIL and
    > BREAKIN event types in my AUDIT logs:
    >
    > Date / Time Type Subtype Node Username ID Term
    > 18-JUL-2007 07:55:26.57 BREAKIN NETWORK ****** TCPIP$SSH 20200D4F
    >
    > 18-JUL-2007 07:54:56.92 LOGFAIL NETWORK ****** TCPIP$SSH 20200D4A
    >
    >
    >
    > Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
    >

    My TCPIP doesn't have ssh as 5.3 is too old.
    The output I posted is from ftp attempts.

    Live and learn.

    Jeff


  4. Re: these sshmucks are at it again...

    VAXman- wrote:
    > In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell writes:
    >
    >>
    >>VAXman- @SendSpamHere.ORG wrote:
    >>
    >>>More ssh attacks. They are mostly a nuisance. However, logs full of
    >>>OPCOM messages like this
    >>>
    >>>%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
    >>>Message from user AUDIT$SERVER on ******
    >>>Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
    >>>Auditable event: Network login
    >>>Event time: 18-JUL-2007 08:05:42.85
    >>>PID: 20200D5E
    >>>Process name: TCPIP$SS_BG3304
    >>>Username: TCPIP$SSH
    >>>Process owner: [TCPIP$AUX,TCPIP$SSH]
    >>>Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
    >>>Remote node id: 11223344 (aa.bbb)
    >>>Remote node fullname: aa.bb.cc.dd
    >>>Remote username: TCPIP$SSH
    >>>Posix UID: -2
    >>>Posix GID: -2 (%XFFFFFFFE)
    >>>
    >>>%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
    >>>Message from user AUDIT$SERVER on ******
    >>>Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
    >>>Auditable event: Network login failure
    >>>Event time: 18-JUL-2007 08:05:48.42
    >>>PID: 20200D5E
    >>>Process name: TCPIP$SS_BG3304
    >>>Username: TCPIP$SSH
    >>>Remote node fullname: SSH_PASSWORD:some.hackers.net
    >>>Remote username: SSH_11223344
    >>>Status: %LOGIN-F-NOTVALID, user authorization failure
    >>>
    >>>would be much more useful if ONE of the above two logged messages would
    >>>include the username the hacker is trying to use for access. I do not
    >>>see it (the username under attack) in any of the SSH log files either.
    >>>
    >>>This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
    >>>the username under attack, I'd appreciate it. HP, if you are listening,
    >>>this would be a nice feature if it doesn't already exist (I didn't see a
    >>>way to get it when I perused the ssh doc).
    >>>
    >>>

    >>
    >>VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
    >>
    >>ANAL/AUDI will show you the attempted user names. On my system I see:
    >>
    >> Date / Time Type Subtype Node Username
    >> ------------------------------------------------------------------------
    >>12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
    >>12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
    >>12-JUL-2007 01:07:59.43 LOGFAIL NETWORK AS600 admin
    >>12-JUL-2007 01:08:00.01 LOGFAIL NETWORK AS600 admin
    >>12-JUL-2007 01:08:00.72 LOGFAIL NETWORK AS600 admin
    >>12-JUL-2007 01:08:01.43 BREAKIN NETWORK AS600 admin
    >>12-JUL-2007 01:08:02.26 BREAKIN NETWORK AS600 guest
    >>12-JUL-2007 01:08:02.91 BREAKIN NETWORK AS600 guest
    >>12-JUL-2007 01:08:03.56 BREAKIN NETWORK AS600 guest
    >>12-JUL-2007 01:08:04.17 BREAKIN NETWORK AS600 guest
    >>12-JUL-2007 01:08:04.89 BREAKIN NETWORK AS600 guest
    >>12-JUL-2007 01:08:05.72 BREAKIN NETWORK AS600 guest
    >>12-JUL-2007 01:08:06.57 BREAKIN NETWORK AS600 Administrato
    >>12-JUL-2007 01:08:07.43 BREAKIN NETWORK AS600 Administrato
    >>12-JUL-2007 01:08:08.14 BREAKIN NETWORK AS600 Administrato
    >>12-JUL-2007 01:08:08.65 BREAKIN NETWORK AS600 Administrato
    >>12-JUL-2007 01:08:09.26 BREAKIN NETWORK AS600 Administrato
    >>12-JUL-2007 01:08:09.88 BREAKIN NETWORK AS600 Administrato

    >
    >
    > From ssh? I don't think so... Here is what I see for both LOGFAIL and
    > BREAKIN event types in my AUDIT logs:
    >
    > Date / Time Type Subtype Node Username ID Term
    > 18-JUL-2007 07:55:26.57 BREAKIN NETWORK ****** TCPIP$SSH 20200D4F
    >
    > 18-JUL-2007 07:54:56.92 LOGFAIL NETWORK ****** TCPIP$SSH 20200D4A
    >
    >
    >
    > Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
    >


    Don't you have a router and/or firewall that you can configure to block
    access from the source IP or network?


  5. Re: these sshmucks are at it again...

    On Wed, 18 Jul 2007, Richard B. Gilbert wrote:

    > Don't you have a router and/or firewall that you can configure to
    > block access from the source IP or network?


    Last time I took a look at these SSH attacks, no two sets of attacks
    came from the same place.


    --

    Rob Brown b r o w n a t g m c l d o t c o m
    G. Michaels Consulting Ltd. (780)438-9343 (voice)
    Edmonton (780)437-3367 (FAX)
    http://gmcl.com/


  6. Re: these sshmucks are at it again...

    In article <469E8993.1070101@comcast.net>, "Richard B. Gilbert" writes:
    >
    >
    >VAXman- wrote:
    >> In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell writes:
    >>
    >>>
    >>>VAXman- @SendSpamHere.ORG wrote:
    >>>
    >>>>More ssh attacks. They are mostly a nuisance. However, logs full of
    >>>>OPCOM messages like this
    >>>>
    >>>>%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
    >>>>Message from user AUDIT$SERVER on ******
    >>>>Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
    >>>>Auditable event: Network login
    >>>>Event time: 18-JUL-2007 08:05:42.85
    >>>>PID: 20200D5E
    >>>>Process name: TCPIP$SS_BG3304
    >>>>Username: TCPIP$SSH
    >>>>Process owner: [TCPIP$AUX,TCPIP$SSH]
    >>>>Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
    >>>>Remote node id: 11223344 (aa.bbb)
    >>>>Remote node fullname: aa.bb.cc.dd
    >>>>Remote username: TCPIP$SSH
    >>>>Posix UID: -2
    >>>>Posix GID: -2 (%XFFFFFFFE)
    >>>>
    >>>>%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
    >>>>Message from user AUDIT$SERVER on ******
    >>>>Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
    >>>>Auditable event: Network login failure
    >>>>Event time: 18-JUL-2007 08:05:48.42
    >>>>PID: 20200D5E
    >>>>Process name: TCPIP$SS_BG3304
    >>>>Username: TCPIP$SSH
    >>>>Remote node fullname: SSH_PASSWORD:some.hackers.net
    >>>>Remote username: SSH_11223344
    >>>>Status: %LOGIN-F-NOTVALID, user authorization failure
    >>>>
    >>>>would be much more useful if ONE of the above two logged messages would
    >>>>include the username the hacker is trying to use for access. I do not
    >>>>see it (the username under attack) in any of the SSH log files either.
    >>>>
    >>>>This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
    >>>>the username under attack, I'd appreciate it. HP, if you are listening,
    >>>>this would be a nice feature if it doesn't already exist (I didn't see a
    >>>>way to get it when I perused the ssh doc).
    >>>>
    >>>>
    >>>
    >>>VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
    >>>
    >>>ANAL/AUDI will show you the attempted user names. On my system I see:
    >>>
    >>> Date / Time Type Subtype Node Username
    >>> ------------------------------------------------------------------------
    >>>12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
    >>>12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
    >>>12-JUL-2007 01:07:59.43 LOGFAIL NETWORK AS600 admin
    >>>12-JUL-2007 01:08:00.01 LOGFAIL NETWORK AS600 admin
    >>>12-JUL-2007 01:08:00.72 LOGFAIL NETWORK AS600 admin
    >>>12-JUL-2007 01:08:01.43 BREAKIN NETWORK AS600 admin
    >>>12-JUL-2007 01:08:02.26 BREAKIN NETWORK AS600 guest
    >>>12-JUL-2007 01:08:02.91 BREAKIN NETWORK AS600 guest
    >>>12-JUL-2007 01:08:03.56 BREAKIN NETWORK AS600 guest
    >>>12-JUL-2007 01:08:04.17 BREAKIN NETWORK AS600 guest
    >>>12-JUL-2007 01:08:04.89 BREAKIN NETWORK AS600 guest
    >>>12-JUL-2007 01:08:05.72 BREAKIN NETWORK AS600 guest
    >>>12-JUL-2007 01:08:06.57 BREAKIN NETWORK AS600 Administrato
    >>>12-JUL-2007 01:08:07.43 BREAKIN NETWORK AS600 Administrato
    >>>12-JUL-2007 01:08:08.14 BREAKIN NETWORK AS600 Administrato
    >>>12-JUL-2007 01:08:08.65 BREAKIN NETWORK AS600 Administrato
    >>>12-JUL-2007 01:08:09.26 BREAKIN NETWORK AS600 Administrato
    >>>12-JUL-2007 01:08:09.88 BREAKIN NETWORK AS600 Administrato

    >>
    >>
    >> From ssh? I don't think so... Here is what I see for both LOGFAIL and
    >> BREAKIN event types in my AUDIT logs:
    >>
    >> Date / Time Type Subtype Node Username ID Term
    >> 18-JUL-2007 07:55:26.57 BREAKIN NETWORK ****** TCPIP$SSH 20200D4F
    >>
    >> 18-JUL-2007 07:54:56.92 LOGFAIL NETWORK ****** TCPIP$SSH 20200D4A
    >>
    >>
    >>
    >> Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
    >>

    >
    >Don't you have a router and/or firewall that you can configure to block
    >access from the source IP or network?


    Of course. That's really not the issue. I can't completely block ssh as
    I use it when on-the-road and I never know what my IP address will be. I
    am just curious, as others have pointed out, whether or not it is a legit
    attack or some moron using Administrator or root.

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/sig.jpg

  7. Re: these sshmucks are at it again...

    VAXman- @SendSpamHere.ORG writes:

    >In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell writes:
    >>> This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
    >>> the username under attack, I'd appreciate it. HP, if you are listening,
    >>> this would be a nice feature if it doesn't already exist (I didn't see a
    >>> way to get it when I perused the ssh doc).


    Unfortunately, SSH doesn't report the username to the audit server
    properly. See below.

    >>ANAL/AUDI will show you the attempted user names. On my system I see:


    >From ssh? I don't think so... Here is what I see for both LOGFAIL and
    >BREAKIN event types in my AUDIT logs:


    > Date / Time Type Subtype Node Username ID Term
    >18-JUL-2007 07:55:26.57 BREAKIN NETWORK ****** TCPIP$SSH 20200D4F


    >18-JUL-2007 07:54:56.92 LOGFAIL NETWORK ****** TCPIP$SSH 20200D4A




    >Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6


    I wrote a little program that listens to the audit server, and when it
    detects a TCPIP breakin attempt, it'll disable the attacking IP address.
    Except it's not all there. I do detect the breakin and figure out the
    IP address to disable, but don't actually disable anything. It knows
    about SSH, FTP and TELNET breakin attempts. What I found that makes this
    a mess:

    There is a "remote node address" field where I'd think the IP address of
    the attacker would go. TELNET puts it there. So does FTP, but in the
    reverse byte order of TELNET! (big-endian vs. little-endian issue)
    SSH doesn't use the field at all! I can figure out the SSH attacker
    address via a hack.

    FTP and TELNET do tell you the username being attacked. SSH does - only
    if it exists on the system! Otherwise it uses the username TCPIP$SSH.

    What's stopping me from adding the final touch and giving it to you:
    Being busy, and writing a simple LIB$SPAWN to do either a:
    $ TCPIP SET COMMUNICATION/REJECT=ip.add.re.ss or
    $ TCPIP SET ROUTE ip.add.re.ss /GATEWAY=black.hole or something, and
    a LIB$SPAWN to do a SET AUDIT, plus cleanup. The hard part is done
    and working.

    Does anyone know of a system service or $QIO that will do the above TCPIP
    commands, or the equivalent of a $ SET AUDIT/LISTENER=mailbox and
    $ SET AUDIT/NOLISTEN ? I especially want the latter in an exit handler,
    because if the program doesn't shut down properly, the mailbox gets full
    and the audit server gets upset and starts suspending all the processes!
    I don't want anyone getting pissed off at me because this program hung
    your system, even if it's the audit server at fault. If you try to log in
    to fix it, the audit server suspends the process before you get a chance
    to do anything!
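As an added example, not code from the thread and not Michael Moroney's audit-listener program, the script below does in plain Python what the posts above describe: it parses AUDIT$SERVER OPCOM text of the kind quoted in the first post, recovers the peer address of a failed SSH login from the hex suffix of the "Remote username" field (in the quoted records that SSH_xxxxxxxx value matches the "Remote node id" of the preceding login record), notes whether the audited "Username" is the attempted account or the TCPIP$SSH placeholder, and flags sources that exceed a failure threshold inside a time window. The sample records, the RFC 1918 addresses, the threshold and the big-endian decode for SSH are all constructed or assumed for this example; the byte-order switch exists only because the post reports that TELNET and FTP disagree. The TCPIP SET COMMUNICATION/REJECT line is formatted exactly as the post wrote it and is never executed; check the qualifier syntax against your own TCP/IP Services documentation before wiring it to a spawn.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the OPCOM records quoted in the first post.
# Fields the parser does not use are omitted; addresses are RFC 1918.
SAMPLE_OPCOM = """\
%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
Auditable event: Network login failure
Event time: 18-JUL-2007 08:05:48.42
Username: TCPIP$SSH
Remote node fullname: SSH_PASSWORD:host.example
Remote username: SSH_0A000205
Status: %LOGIN-F-NOTVALID, user authorization failure

%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:51.10 %%%%%%%%%%%
Auditable event: Network login failure
Event time: 18-JUL-2007 08:05:51.10
Username: TCPIP$SSH
Remote username: SSH_0A000205

%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:55.73 %%%%%%%%%%%
Auditable event: Network login failure
Event time: 18-JUL-2007 08:05:55.73
Username: SYSTEM
Remote username: SSH_0A000205

%%%%%%%%%%% OPCOM 18-JUL-2007 09:30:00.00 %%%%%%%%%%%
Auditable event: Network login failure
Event time: 18-JUL-2007 09:30:00.00
Username: TCPIP$SSH
Remote username: SSH_0A000209
"""

HEADER = re.compile(r"^%+ OPCOM .* %+$")
FIELD = re.compile(r"^([A-Za-z $]+?):\s*(.*)$")
SSH_ID = re.compile(r"^SSH_([0-9A-Fa-f]{8})$")
TIME_FMT = "%d-%b-%Y %H:%M:%S.%f"

def parse_opcom(text):
    """Split an OPCOM stream into records: one {field: value} dict per header."""
    records, current = [], None
    for line in text.splitlines():
        if HEADER.match(line):
            current = {}
            records.append(current)
            continue
        m = FIELD.match(line)
        if current is not None and m:
            current[m.group(1).strip()] = m.group(2).strip()
    return records

def decode_node_id(hex_id, byte_order="big"):
    """8 hex digits -> dotted quad. The thread reports that TELNET and FTP store
    the address in opposite byte orders, so the caller picks; default big-endian."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 4:
        raise ValueError("node id must be 4 bytes, got %r" % hex_id)
    if byte_order == "little":
        raw = raw[::-1]
    return ".".join(str(b) for b in raw)

def source_address(rec, ssh_order="big"):
    """Recover the peer address. For SSH failures the only copy is the hex suffix
    of 'Remote username' (SSH_xxxxxxxx); the byte order SSH uses is assumed."""
    m = SSH_ID.match(rec.get("Remote username", ""))
    if m:
        return decode_node_id(m.group(1), ssh_order)
    node_id = rec.get("Remote node id", "").split()
    return decode_node_id(node_id[0]) if node_id else None

def login_failures(records):
    """(time, source, username, real_account) for each 'Network login failure'.
    Per the thread, SSH reports the attempted username only when that account
    exists; otherwise the record carries the server's own TCPIP$SSH."""
    out = []
    for rec in records:
        if rec.get("Auditable event") != "Network login failure":
            continue
        t = datetime.strptime(rec["Event time"], TIME_FMT)
        user = rec.get("Username", "")
        out.append((t, source_address(rec), user, user != "TCPIP$SSH"))
    return out

def sources_to_reject(records, threshold=3, window=timedelta(seconds=60)):
    """Addresses with at least `threshold` failures inside any `window`."""
    by_src = defaultdict(list)
    for t, src, _, _ in login_failures(records):
        if src:
            by_src[src].append(t)
    flagged = []
    for src, times in by_src.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(src)
    return sorted(flagged)

def reject_commands(addresses):
    """Format the DCL command exactly as the post wrote it; nothing is executed."""
    return ["$ TCPIP SET COMMUNICATION/REJECT=%s" % a for a in addresses]
```

Running `sources_to_reject(parse_opcom(SAMPLE_OPCOM))` flags only 10.0.2.5, which failed three times inside eight seconds; the single failure from 10.0.2.9 stays below the threshold. The `real_account` flag is what the original poster was missing: a record whose Username is TCPIP$SSH tells you nothing about the account being guessed, while one that names SYSTEM tells you a real account is under attack and deserves a closer look.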


  8. Re: these sshmucks are at it again...

    In article , VAXman- @SendSpamHere.ORG wrote:
    [...]
    >I
    >am just curious, as others have pointed out, whether or not it is a legit
    >attack or some moron using Administrator or root.
    >


    Most of the ssh "attacks" that I "suffer" seem to come from folks attempting to
    login as "SSH" (TCPware 5-7.2 on Alpha VMS 8.3); however, I'm confident enough
    that none of them will "break-in", and so I leave the normal SSH port "open",
    as kind of a "poor man's Teergrube". :-) The more time the b****rds spend
    trying to break into my system, the less time they have to break into some
    other poor schmuck's system. A public service, I call it. :-)
    [...]


  9. Re: these sshmucks are at it again...

    Michael Moroney wrote:
    >[snipage]
    >
    > Does anyone know of a system service or $QIO that will do the above TCPIP
    > commands, or the equivalent of a $ SET AUDIT/LISTENER=mailbox and
    > $ SET AUDIT/NOLISTEN ? I especially want the latter in an exit handler,
    > because if the program doesn't shut down properly, the mailbox gets full
    > and the audit server gets upset and starts suspending all the processes!
    > I don't want anyone getting pissed off at me because this program hung
    > your system, even if it's the audit server at fault. If you try to log in
    > to fix it, the audit server suspends the process before you get a chance
    > to do anything!
    >


    In a previous life, I wrote a program that listened to audit server
    messages also. I came to the conclusion that the best way to do the
    SET AUDIT/NOLISTEN was to declare an exit handler to generate an OPCOM
    message (just to let people know what's going on) and then create a
    detached process to perform the SET AUDIT/NOLISTEN.

    For the SET AUDIT/LISTEN, I just have a command procedure to start the
    program as a detached process, and wait in a loop for the appropriate
    mailbox logical to appear.

    I'm unaware of any documented ways to perform these actions under
    program control. If you have access to the source listings however...

    HTH

    Jim.
    --
    www.eight-cubed.com

  10. Re: these sshmucks are at it again...

    Brad Hamilton wrote:
    >The more time the b****rds spend
    > trying to break into my system, the less time they have to break into some
    > other poor schmuck's system. A public service, I call it. :-)


    Then the owners of VMS should port SSH to VAX so that hobbyists could
    let the sshmucks try to login on all mighty microvax IIs :-) That would
    slow them down :-)

  11. Re: these sshmucks are at it again...

    JF Mezei wrote:
    > Brad Hamilton wrote:
    >
    >> The more time the b****rds spend
    >> trying to break into my system, the less time they have to break into
    >> some
    >> other poor schmuck's system. A public service, I call it. :-)

    >
    >
    > Then the owners of VMS should port SSH to VAX so that hobbyists could
    > let the sshmucks try to login on all mighty microvax IIs :-) That would
    > slow them down :-)


    The VAX version of TCPware (and presumably Multinet) supports SSH.


    --
    John Santos
    Evans Griffiths & Hart, Inc.
    781-861-0670 ext 539

  12. Re: these sshmucks are at it again...

    In article ,
    Rob Brown wrote:

    > On Wed, 18 Jul 2007, Richard B. Gilbert wrote:
    >
    > > Don't you have a router and/or firewall that you can configure to
    > > block access from the source IP or network?

    >
    > Last time I took a look at these SSH attacks, no two sets of attacks
    > came from the same place.


    I have a feeling these things are driven by zombies. I got fed up and
    blocked ssh at my router for several months. When I put it back, I chose
    a different port.

    But on the spam side, I can go several hours with no attempts, then
    suddenly get attacks from 2 or 3 addresses within the space of 1 minute.
    A simultaneous attack from Brazil, Portugal and Lithuania does point to
    zombies.

    --
    Paul Sture

  13. Re: these sshmucks are at it again...

    In article ,
    bradhamilton@comcast.net (Brad Hamilton) wrote:

    > In article , VAXman- @SendSpamHere.ORG
    > wrote:
    > [...]
    > >I
    > >am just curious, as others have pointed out, whether or not it is a legit
    > >attack or some moron using Administrator or root.
    > >

    >
    > Most of the ssh "attacks" that I "suffer" seem to come from folks attempting
    > to
    > login as "SSH" (TCPware 5-7.2 on Alpha VMS 8.3); however, I'm confident
    > enough
    > that none of them will "break-in", and so I leave the normal SSH port "open",
    > as kind of a "poor man's Teergrube". :-) The more time the b****rds spend
    > trying to break into my system, the less time they have to break into some
    > other poor schmuck's system. A public service, I call it. :-)
    > [...]


    Yes, I've taken that attitude sometimes as well.

    My problem is that I can hear the disk activity; such an attack results in a
    recognizable rhythm, and I get fed up of that.

    PS. Now I think of it, I was a Teergrube myself back when I bought my first
    house. The area was newly built and plagued with window and insulation
    salesmen. I saw it my public duty to tie them up for as long as possible
    as a service to my neighbours :-)

    --
    Paul Sture

  14. Re: these sshmucks are at it again...

    In article <469eb405@dnews.tpgi.com.au>, Jim Duff
    wrote:

    > Michael Moroney wrote:
    > >[snipage]
    > >
    > > Does anyone know of a system service or $QIO that will do the above TCPIP
    > > commands, or the equivalent of a $ SET AUDIT/LISTENER=mailbox and
    > > $ SET AUDIT/NOLISTEN ? I especially want the latter in an exit handler,
    > > because if the program doesn't shut down properly, the mailbox gets full
    > > and the audit server gets upset and starts suspending all the processes!
    > > I don't want anyone getting pissed off at me because this program hung
    > > your system, even if it's the audit server at fault. If you try to log in
    > > to fix it, the audit server suspends the process before you get a chance
    > > to do anything!
    > >

    >
    > In a previous life, I wrote a program that listened to audit server
    > messages also. I came to the conclusion that the best way to do the
    > SET AUDIT/NOLISTEN was to declare an exit handler to generate an OPCOM
    > message (just to let people know what's going on) and then create a
    > detached process to perform the SET AUDIT/NOLISTEN.
    >
    > For the SET AUDIT/LISTEN, I just have a command procedure to start the
    > program as a detached process, and wait in a loop for the appropriate
    > mailbox logical to appear.


    FWIW, the early 1990s code snippet I have does (did?) a spawn for SET
    AUDIT/(NO)LISTEN.

    Can a call to spawn work if the audit mailbox is already there and full?
    There's some error processing in this routine which does a

    "COPY NL:"

    if the SET AUDIT/LISTEN command fails. It does this with a 12 second
    timeout since you won't see an EOF from the mailbox.

    > I'm unaware of any documented ways to perform these actions under
    > program control. If you have access to the source listings however...
    >


    I've just scanned the V8.3 System Services manual, but didn't find
    anything obvious.

    --
    Paul Sture

  15. Re: these sshmucks are at it again...

    P. Sture wrote:
    > In article ,
    > bradhamilton@comcast.net (Brad Hamilton) wrote:
    >
    >
    >>In article , VAXman- @SendSpamHere.ORG
    >>wrote:
    >>[...]
    >>
    >>>I
    >>>am just curious, as others have pointed out, whether or not it is a legit
    >>>attack or some moron using Administrator or root.
    >>>

    >>
    >>Most of the ssh "attacks" that I "suffer" seem to come from folks attempting
    >>to
    >>login as "SSH" (TCPware 5-7.2 on Alpha VMS 8.3); however, I'm confident
    >>enough
    >>that none of them will "break-in", and so I leave the normal SSH port "open",
    >>as kind of a "poor man's Teergrube". :-) The more time the b****rds spend
    >>trying to break into my system, the less time they have to break into some
    >>other poor schmuck's system. A public service, I call it. :-)
    >>[...]

    >
    >
    > Yes, I've taken that attitude sometimes as well.
    >
    > My problem is that I can hear the disk activity; such an attack results in a
    > recognizable rhythm, and I get fed up of that.
    >




    Consider getting a cheap router/firewall from Linksys, DLink, etc. Mine
    does not allow ANY incoming traffic that is not in response to some
    outgoing traffic! IOW, don't call me, I'll call you!!

    Just for grins, I look at the logs this thing keeps and see three to six
    attempts per minute around the clock! Most probes go to ports 1028 and
    1029; I've never figured out what that's supposed to accomplish.

    I suppose it's not much help if you are trying to maintain a website but
    otherwise. . . .



  16. Re: these sshmucks are at it again...

    In article <469F526A.6070404@comcast.net>,
    "Richard B. Gilbert" writes:
    > P. Sture wrote:
    >> In article ,
    >> bradhamilton@comcast.net (Brad Hamilton) wrote:
    >>
    >>
    >>>In article , VAXman- @SendSpamHere.ORG
    >>>wrote:
    >>>[...]
    >>>
    >>>>I
    >>>>am just curious, as others have pointed out, whether or not it is a legit
    >>>>attack or some moron using Administrator or root.
    >>>>
    >>>
    >>>Most of the ssh "attacks" that I "suffer" seem to come from folks attempting
    >>>to
    >>>login as "SSH" (TCPware 5-7.2 on Alpha VMS 8.3); however, I'm confident
    >>>enough
    >>>that none of them will "break-in", and so I leave the normal SSH port "open",
    >>>as kind of a "poor man's Teergrube". :-) The more time the b****rds spend
    >>>trying to break into my system, the less time they have to break into some
    >>>other poor schmuck's system. A public service, I call it. :-)
    >>>[...]

    >>
    >>
    >> Yes, I've taken that attitude sometimes as well.
    >>
    >> My problem is that I can hear the disk activity; such an attack results in a
    >> recognizable rhythm, and I get fed up of that.
    >>

    >
    >
    >
    > Consider getting a cheap router/firewall from Linksys, DLink, etc. Mine
    > does not allow ANY incoming traffic that is not in response to some
    > outgoing traffic! IOW, don't call me, I'll call you!!
    >
    > Just for grins, I look at the logs this thing keeps and see three to six
    > attempts per minute around the clock! Most probes go to ports 1028 and
    > 1029; I've never figured out what that's supposed to accomplish.


    Windows Messenger

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    bill@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  17. Re: these sshmucks are at it again...

    In article <469F526A.6070404@comcast.net>, "Richard B. Gilbert" writes:
    >
    >
    >P. Sture wrote:
    >> In article ,
    >> bradhamilton@comcast.net (Brad Hamilton) wrote:
    >>
    >>
    >>>In article , VAXman- @SendSpamHere.ORG
    >>>wrote:
    >>>[...]
    >>>
    >>>>I
    >>>>am just curious, as others have pointed out, whether or not it is a legit
    >>>>attack or some moron using Administrator or root.
    >>>>
    >>>
    >>>Most of the ssh "attacks" that I "suffer" seem to come from folks attempting
    >>>to
    >>>login as "SSH" (TCPware 5-7.2 on Alpha VMS 8.3); however, I'm confident
    >>>enough
    >>>that none of them will "break-in", and so I leave the normal SSH port "open",
    >>>as kind of a "poor man's Teergrube". :-) The more time the b****rds spend
    >>>trying to break into my system, the less time they have to break into some
    >>>other poor schmuck's system. A public service, I call it. :-)
    >>>[...]

    >>
    >>
    >> Yes, I've taken that attitude sometimes as well.
    >>
    >> My problem is that I can hear the disk activity; such an attack results in a
    >> recognizable rhythm, and I get fed up of that.
    >>

    >
    >
    >
    >Consider getting a cheap router/firewall from Linksys, DLink, etc. Mine
    >does not allow ANY incoming traffic that is not in response to some
    >outgoing traffic! IOW, don't call me, I'll call you!!


    I have a not so cheap router and a Juniper NetScreen 5GT firewall. This
    still doesn't get to the issue I was trying to make and that is to log in
    the security messages/audit trail the username being attempted.


    >Just for grins, I look at the logs this thing keeps and see three to six
    >attempts per minute around the clock! Most probes go to ports 1028 and
    >1029; I've never figured out what that's supposed to accomplish.


    IANA's list shows 1028 deprecated and 1029 is called "Solid Mux Server".
    I don't know why they'd look to probe these other than there may be some
    way to distinguish from the response whether or not there's some firewall
    in the mix.


    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/sig.jpg

  18. Re: these sshmucks are at it again...

    In article , JF Mezei writes:
    >
    > Then the owners of VMS should port SSH to VAX so that hobbyists could
    > let the sshmucks try to login on almighty MicroVAX IIs :-) That would
    > slow them down :-)


    ?

    My VAXen have been running SSH for years.


  19. Re: these sshmucks are at it again...

    VAXman- wrote:
    > In article <469F526A.6070404@comcast.net>, "Richard B. Gilbert" writes:
    >
    >>
    >>P. Sture wrote:
    >>
    >>>In article ,
    >>> bradhamilton@comcast.net (Brad Hamilton) wrote:
    >>>
    >>>
    >>>
    >>>>In article , VAXman- @SendSpamHere.ORG
    >>>>wrote:
    >>>>[...]
    >>>>
    >>>>
    >>>>>I
    >>>>>am just curious, as others have pointed out, whether or not it is a legit
    >>>>>attack or some moron using Administrator or root.
    >>>>>
    >>>>
    >>>>Most of the ssh "attacks" that I "suffer" seem to come from folks attempting
    >>>>to
    >>>>login as "SSH" (TCPware 5-7.2 on Alpha VMS 8.3); however, I'm confident
    >>>>enough
    >>>>that none of them will "break-in", and so I leave the normal SSH port "open",
    >>>>as kind of a "poor man's Teergrube". :-) The more time the b****rds spend
    >>>>trying to break into my system, the less time they have to break into some
    >>>>other poor schmuck's system. A public service, I call it. :-)
    >>>>[...]
    >>>
    >>>
    >>>Yes, I've taken that attitude sometimes as well.
    >>>
    >>>My problem is that I can hear the disk activity; such an attack results in a
    >>>recognizable rhythm, and I get fed up of that.
    >>>

    >>
    >>
    >>
    >>Consider getting a cheap router/firewall from Linksys, DLink, etc. Mine
    >>does not allow ANY incoming traffic that is not in response to some
    >>outgoing traffic! IOW, don't call me, I'll call you!!

    >
    >
    > I have a not so cheap router and a Juniper NetScreen 5GT firewall. This
    > still doesn't get to the issue I was trying to make and that is to log in
    > the security messages/audit trail the username being attempted.
    >
    >




    If you had the perp's name and address, what could you do? Odds are
    that he's in Peking or Singapore or is relaying through a zombie
    somewhere. . . . This sort of **** hits the bit-bucket at my router and
    I simply ignore it.



  20. Re: these sshmucks are at it again...

    In article <469F526A.6070404@comcast.net>,
    "Richard B. Gilbert" wrote:

    > P. Sture wrote:
    >
    > > My problem is that I can hear the disk activity; such an attack results in
    > > a recognizable rhythm, and I get fed up of that.
    > >

    >
    >
    >
    > Consider getting a cheap router/firewall from Linksys, DLink, etc. Mine
    > does not allow ANY incoming traffic that is not in response to some
    > outgoing traffic! IOW, don't call me, I'll call you!!
    >



    I already have an el cheapo, and it does block unsolicited incoming
    connections unless I deliberately enable them. Unfortunately the logging
    function has never worked.

    --
    Paul Sture
