This is a discussion on ssh scanner branching out within the Linux Security forums, part of the System Security and Security Related category.

From my latest logs:

Illegal user oracle from ...
Illegal user guest from ...
Illegal user oracle from ...
Illegal user informix from ...
Illegal user oracle9 from ...
Illegal user oracle from ...
Illegal user oracle from ...
Illegal user gateway from ...
Illegal user webadmin from ...
Illegal user webadmin from ...
Illegal user postgres from ...
Illegal user webadmin from ...
Illegal user oracle from ...
Illegal user postgres from ...
Illegal user webadmin from ...

I guess test, user, and admin got too boring.

Allen Kistler <ackistler@oohay.moc> wrote in news:wwX9d.5258$5b1.3761@newssvr17.news.prodigy.com:

> From my latest logs:
>
> Illegal user oracle from ...
> Illegal user guest from ...
>
> I guess test, user, and admin got too boring.

Does the traceroute show something like hanaro.com and hananet.net in the path? I had those come up when I was checking a friend's logs on a very concentrated SSH effort. I thought they looked familiar and I finally found them in an email where I had traced a particularly well-written "login and update your account info" mailing. It stuck in my head because the efforts are so different. Social engineering vs scripted default probes. The probed site does have mysql running and the domain would give the impression of having personal info on it. I'm thinking the common factor might be along those lines.

Gandalf Parker
--
Be sure to post this "protected by" sign in your yard so that anyone pretending to be official will know who to pretend to be.

On 2004-10-09, Allen Kistler <ackistler@oohay.moc> wrote:

> From my latest logs:
>
> Illegal user oracle from ...
> Illegal user guest from ...
> Illegal user oracle from ...
> Illegal user informix from ...
> Illegal user oracle9 from ...
> Illegal user oracle from ...
> Illegal user oracle from ...
> Illegal user gateway from ...
> Illegal user webadmin from ...
> Illegal user webadmin from ...
> Illegal user postgres from ...
> Illegal user webadmin from ...
> Illegal user oracle from ...
> Illegal user postgres from ...
> Illegal user webadmin from ...
>
> I guess test, user, and admin got too boring.

I'm also seeing more personal names:

Failed password for illegal user adam
Failed password for illegal user alan
Failed password for illegal user frank
Failed password for illegal user george
Failed password for illegal user henry
Failed password for illegal user matt
Failed password for illegal user patrick
Failed password for illegal user pamela
Failed password for illegal user jane

as well as some odd ones:

Failed password for illegal user cip52
Failed password for illegal user cip51

Interestingly, nmap seems to think most of these are from linux machines.

Usually, I just ignore them, but when they insist on hammering my machine dozens of times, I track them down and report them to their upstream provider. This may or may not be effective, but I try anyway; I've gotten several responses that the admins of the offending machines have been informed and the machines taken off-line.

--
-John (john@os2.dhs.org)

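Added example, not written by any poster in this thread: a small Python script that does the triage John describes on sshd log lines of the two forms quoted above. It counts attempts per source address, flags any source past a threshold, and hashes the order in which usernames were tried so that sources running the same scanner can be grouped (the "same sequence of user names" John mentions further down). The log lines are constructed sample data; the syslog prefix and trailing "port N ssh2" fields are assumed OpenSSH formatting, not taken from the thread.

```python
import re
from collections import defaultdict
from hashlib import sha1

# Both message forms quoted in this thread (OpenSSH 3.x wording); the syslog
# prefix and trailing "port N ssh2" are assumed here and ignored by the regex.
LINE_RE = re.compile(
    r"(?:Illegal user|Failed password for illegal user) (?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sample log (RFC 5737 documentation addresses, not real sources).
SAMPLE_LOG = """\
Oct  9 03:12:01 host sshd[4011]: Illegal user oracle from 198.51.100.7
Oct  9 03:12:03 host sshd[4013]: Illegal user guest from 198.51.100.7
Oct  9 03:12:05 host sshd[4015]: Illegal user informix from 198.51.100.7
Oct  9 03:12:07 host sshd[4017]: Illegal user webadmin from 198.51.100.7
Oct  9 04:40:11 host sshd[4102]: Failed password for illegal user oracle from 203.0.113.44 port 51822 ssh2
Oct  9 04:40:13 host sshd[4104]: Failed password for illegal user guest from 203.0.113.44 port 51824 ssh2
Oct  9 04:40:15 host sshd[4106]: Failed password for illegal user informix from 203.0.113.44 port 51826 ssh2
Oct  9 04:40:17 host sshd[4108]: Failed password for illegal user webadmin from 203.0.113.44 port 51828 ssh2
Oct  9 05:01:00 host sshd[4200]: Failed password for illegal user adam from 192.0.2.9 port 40001 ssh2
"""

def parse_attempts(log_text):
    """Map each source address to the usernames it tried, in log order."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts[m.group("src")].append(m.group("user"))
    return attempts

def tool_fingerprint(users):
    """Hash of the ordered username list; a match across sources suggests one tool."""
    return sha1("\n".join(users).encode()).hexdigest()[:12]

def report(log_text, threshold=24):
    """Flag sources with >= threshold attempts ("dozens") and group them by fingerprint."""
    attempts = parse_attempts(log_text)
    flagged = {s: u for s, u in attempts.items() if len(u) >= threshold}
    groups = defaultdict(list)
    for src, users in flagged.items():
        groups[tool_fingerprint(users)].append(src)
    return flagged, dict(groups)

if __name__ == "__main__":
    flagged, groups = report(SAMPLE_LOG, threshold=4)  # low threshold: short sample
    for src, users in sorted(flagged.items()):
        print(f"{src}: {len(users)} attempts, tried {', '.join(users)}")
    for fp, srcs in groups.items():
        print(f"fingerprint {fp}: same username sequence from {srcs}")
```

The flagged dictionary holds exactly the evidence an upstream abuse desk asks for (source, count, usernames), and two sources landing in one fingerprint group is the signature of one tool run from several compromised hosts.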
John Thompson <john@starfleet.os2.dhs.org> wrote in news:slrncmitqr.uob.john@starfleet.os2.dhs.org:

> This may or may not be effective, but I try anyway; I've gotten
> several responses that the admins of the offending machines have been
> informed and the machines taken off-line.

When I worked for an ISP it was VERY effective when someone sent us an email like that. If they included logs which made it clear where to watch and what to watch for, then I could quickly confirm it and delete that user in a heartbeat. They weren't worth $20/month.

Gandalf Parker

>> This may or may not be effective, but I try anyway; I've gotten
>> several responses that the admins of the offending machines have been
>> informed and the machines taken off-line.
>
> When I worked for an ISP it was VERY effective when someone sent us an
> email like that. If they included logs which made it clear where to watch
> and what to watch for, then I could quickly confirm it and delete that user
> in a heartbeat. They weren't worth $20/month.
>
> Gandalf Parker

If the ISP client is a Linux machine, it may well be a machine that the cracker/spammer is using personally (powerful script languages, expect usually works, i.e. lots of tools). But a lot of attacks come from cracked no-security Windows machines where the user that owns the ISP account doesn't have a clue that an attack is being mounted in the background from his/her machine. Taking the machine permanently off-line still works, of course, but the first type of user is culpable while the second type may be merely not technically proficient or under-informed by the OS vendor.

Regards,
Clayton Weaver <mailto: cgweav@aol.com>

"Everyone is ignorant, just about different things." Will Rogers

cgweav@aol.com (Clayton Weaver) wrote in news:20041012014221.13228.00001668@mb-m12.aol.com:

> Taking the machine permanently off-line still works, of course, but
> the first type of user is culpable while the second type
> may be merely not technically proficient
> or under-informed by the OS vendor.

Valid points of course. Often I could tell from logs if it was automated or not. And often in the most glaring cases we didn't even get a call asking us why it got locked out. It didn't really matter either way. The account got locked anyway. Later we could try and figure out why it happened and maybe fix it. In any case, the logic for the lock held true. It wasn't worth $20/month to do it any other way.

Gandalf Parker

On 2004-10-12, Clayton Weaver <cgweav@aol.com> wrote:

> If the ISP client is a Linux machine,
> it may well be a machine that the
> cracker/spammer is using personally
> (powerful script languages, expect
> usually works, i.e. lots of tools).

Most of the ssh scans I've checked with nmap appear to be coming from linux boxes. The similarity of the attacks (e.g. same sequence of user names attempted) from diverse IP addresses leads me to suspect that these boxes were rooted somehow and automated scripts left to run on them.

--
-John (john@os2.dhs.org)

On 2004-10-12, John Thompson <john@starfleet.os2.dhs.org> wrote:

> On 2004-10-12, Clayton Weaver <cgweav@aol.com> wrote:
>
>> If the ISP client is a Linux machine,
>> it may well be a machine that the
>> cracker/spammer is using personally
>> (powerful script languages, expect
>> usually works, i.e. lots of tools).
>
> Most of the ssh scans I've checked with nmap appear to be coming from
> linux boxes. The similarity of the attacks (e.g. same sequence of user
> names attempted) from diverse IP addresses leads me to suspect that these
> boxes were rooted somehow and automated scripts left to run on them.

There are a couple of different tools to do this; I've seen them. One is circulated as C source to which you could add any user name you wanted, or increase the password list, or whatever. Since, by definition, script kiddies can't program, these beefed-up attacks are less common. The other ones are circulating pre-compiled. It has several components, and is driven by shell scripts. You just run the script, and it scans massive blocks looking for weak accounts with the default user-ids/passwds you see. When it hits, it writes the IP address into a file. Likely, someone lets this go overnight, then gets up in the morning and checks the file. I've seen some cases where the account was accessed by the scanner agent (which got in, then exited) and was never touched again. This is the automated part you usually see in your logs.

Once that file gets checked, now the attacker is visiting you personally. Typical downloads are the original ssh-attack tool (to continue), IRC bots & bouncers, and maybe a rootkit now and then. There have been logfiles saved of this stuff, and you can read about it on sites like honeynet.org. Many times the attackers made no effort to cover their tracks, and lacked basic unix command line skills (lots of typos in the shell log files).

--
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

jayjwa <jayjwa@nowhere.org> wrote in news:slrncp928d.e2h.jayjwa@atr2.ath.cx:

> Once that file gets checked, now the attacker is visiting you
> personally. Typical downloads are the original ssh-attack tool (to
> continue), IRC bots & bouncers, and maybe a rootkit now and then.
> There have been logfiles saved of this stuff, and you can read about it
> on sites like honeynet.org. Many times the attackers made no effort to
> cover their tracks, and lacked basic unix command line skills (lots of
> typos in the shell log files).

That's what I've seen in a lot of my forensics. I feel that there is a lot of emphasis on prevention (locking the doors) and not enough on detection AFTER entry (watchdogs). Locks to keep people out are great but people should realize that's a back-and-forth game. They do find ways to slip in, and then someone posts another thing to watch for and block. But during that gap SOME of us will get hit. Heehee.

I have seen A LOT of cases where they successfully ran a script to find a box, then managed to run a script to get in, then followed a string of commands to download/install something to make automatic use of the box. And then spent days trying to figure out why commands like "dir" didn't work.

I've gotten to where I prefer to sanitize a box instead of destroy/reload. In fact, I've seen on a number of clients' boxes where the invasion made changes which actually strengthened the box against the same attack happening twice (skiddies are paranoid about other skiddies), so after killing backdoors I've left some of the changes in place.

By the way, IRC bots and bouncers are an interesting subculture. They make use of the fact that they can get in but don't know what to do with it once they have it. They are often "collectors". The bouncers prove ownership (have gained entry) to a box. Then they sit in IRC and trade them like trading cards. "I will give you 2 .edu and 3 .com for one .mil"

Gandalf Parker