I hope you have reported the NY IDOT to their ISP.....
I have been getting hit from China and Korea as well.... Mostly Port Scans
I'm actually looking for the tool itself. Has anyone actually come across the actual script or tool that's being used?
http://www.k-otik.com/exploits/08202004.brutessh2.c.php is it I believe.
MsMittens,
Along with the above link that Lumpy gave to the otik site, there is another variation of the tool that is called ssh-grinder.c which I picked up along my travels. This variation matches the behavior you've seen and when we had the issue (late summer) we blocked all netblocks to southeast Asia, Romania and Brazil. Since then, we've had a 72% decrease in scans and grinds (of this type).
The actual code I have came to me broken. At least that's what one would think. After looking it over, there was one minor thing changed in the code that made it inoperable. My guess is that it was distributed to a known audience who knew what had to be changed to make it work again.
I'm not sure if we kept the code around after handing it over to our fine friends with the three letter acronym. I'll check out our code library later today.
This must be somewhat new, as we have been getting brute force attempts against our firewall since mid-June, but the logs appear different in these latest attacks. I am guessing more and more script kiddies are finding the script.
Yup me too..
every two seconds:
Oct 27 16:20:04 copycat sshd[13787]: Failed password for root from 66.79.170.220 port 40644 ssh2
Oct 27 16:20:06 copycat sshd[13790]: Failed password for root from 66.79.170.220 port 40680 ssh2
Oct 27 16:20:08 copycat sshd[13793]: Failed password for root from 66.79.170.220 port 40713 ssh2
H'm let's try something different hey..
Oct 27 16:20:58 copycat sshd[13886]: Failed password for root from 66.79.170.220 port 41805 ssh2
Oct 27 16:21:00 copycat sshd[13889]: Failed password for root from 66.79.170.220 port 41836 ssh2
and back to root..
Oct 27 16:21:17 copycat sshd[13919]: Failed password for invalid user webmaster from 66.79.170.220 port 42186 ssh2
Oct 27 16:21:19 copycat sshd[13922]: Invalid user data from 66.79.170.220
Oct 27 16:21:19 copycat sshd[13922]: Failed password for invalid user data from 66.79.170.220 port 42221 ssh2
Oct 27 16:21:21 copycat sshd[13925]: Invalid user user from 66.79.170.220
Oct 27 16:21:21 copycat sshd[13925]: Failed password for invalid user user from 66.79.170.220 port 42268 ssh2
Oct 27 16:21:22 copycat sshd[13928]: Invalid user user from 66.79.170.220
Oct 27 16:21:22 copycat sshd[13928]: Failed password for invalid user user from 66.79.170.220 port 42299 ssh2
Oct 27 16:21:24 copycat sshd[13931]: Invalid user user from 66.79.170.220
Oct 27 16:21:24 copycat sshd[13931]: Failed password for invalid user user from 66.79.170.220 port 42338 ssh2
Oct 27 16:21:26 copycat sshd[13934]: Invalid user web from 66.79.170.220
Oct 27 16:21:26 copycat sshd[13934]: Failed password for invalid user web from 66.79.170.220 port 42374 ssh2
Oct 27 16:21:27 copycat sshd[13937]: Invalid user web from 66.79.170.220
Oct 27 16:21:27 copycat sshd[13937]: Failed password for invalid user web from 66.79.170.220 port 42417 ssh2
Oct 27 16:21:29 copycat sshd[13941]: Invalid user oracle from 66.79.170.220
Oct 27 16:21:29 copycat sshd[13941]: Failed password for invalid user oracle from 66.79.170.220 port 42454 ssh2
Oct 27 16:21:31 copycat sshd[13944]: Invalid user sybase from 66.79.170.220
Oct 27 16:21:31 copycat sshd[13944]: Failed password for invalid user sybase from 66.79.170.220 port 42483 ssh2
Oct 27 16:21:33 copycat sshd[13947]: Invalid user master from 66.79.170.220
Oct 27 16:21:33 copycat sshd[13947]: Failed password for invalid user master from 66.79.170.220 port 42524 ssh2
Oct 27 16:21:34 copycat sshd[13950]: Invalid user account from 66.79.170.220
Oct 27 16:21:34 copycat sshd[13950]: Failed password for invalid user account from 66.79.170.220 port 42560 ssh2
Oct 27 16:21:36 copycat sshd[13953]: Invalid user backup from 66.79.170.220
Oct 27 16:21:36 copycat sshd[13953]: Failed password for invalid user backup from 66.79.170.220 port 42596 ssh2
Oct 27 16:21:38 copycat sshd[13956]: Invalid user server from 66.79.170.220
Oct 27 16:21:38 copycat sshd[13956]: Failed password for invalid user server from 66.79.170.220 port 42633 ssh2
Oct 27 16:21:39 copycat sshd[13959]: Invalid user adam from 66.79.170.220
Oct 27 16:21:39 copycat sshd[13959]: Failed password for invalid user adam from 66.79.170.220 port 42663 ssh2
Oct 27 16:21:41 copycat sshd[13962]: Invalid user alan from 66.79.170.220
Oct 27 16:21:41 copycat sshd[13962]: Failed password for invalid user alan from 66.79.170.220 port 42699 ssh2
Oct 27 16:21:42 copycat sshd[13965]: Invalid user frank from 66.79.170.220
Oct 27 16:21:42 copycat sshd[13965]: Failed password for invalid user frank from 66.79.170.220 port 42726 ssh2
Oct 27 16:21:44 copycat sshd[13968]: Invalid user george from 66.79.170.220
Oct 27 16:21:44 copycat sshd[13968]: Failed password for invalid user george from 66.79.170.220 port 42764 ssh2
Oct 27 16:21:46 copycat sshd[13971]: Invalid user henry from 66.79.170.220
Oct 27 16:21:46 copycat sshd[13971]: Failed password for invalid user henry from 66.79.170.220 port 42794 ssh2
Oct 27 16:21:47 copycat sshd[13974]: Invalid user john from 66.79.170.220
Oct 27 16:21:47 copycat sshd[13974]: Failed password for invalid user john from 66.79.170.220 port 42825 ssh2
Oct 27 16:21:49 copycat sshd[13977]: Failed password for root from 66.79.170.220 port 42858 ssh2
Oct 27 16:21:50 copycat sshd[13980]: Failed password for root from 66.79.170.220 port 42883 ssh2
Oct 27 16:21:52 copycat sshd[13983]: Failed password for root from 66.79.170.220 port 42923 ssh2
Oct 27 16:21:54 copycat sshd[13986]: Failed password for root from 66.79.170.220 port 42950 ssh2
Oct 27 16:21:55 copycat sshd[13989]: Failed password for root from 66.79.170.220 port 42988 ssh2
I nmapped the dude..
and what do you think...
PORT STATE SERVICE VERSION
1/tcp open tcpmux?
21/tcp open ftp?
22/tcp open ssh OpenSSH 3.6.1p2 (protocol 1.99)
25/tcp open smtp Exim smtpd 4.24
80/tcp open http Apache httpd 1.3.29
111/tcp open rpcbind?
135/tcp filtered msrpc
143/tcp open imap UW imapd 2003.338rh
443/tcp open http Apache httpd 1.3.29
445/tcp filtered microsoft-ds
465/tcp open ssl/smtp Exim smtpd 4.24
993/tcp open ssl/imap UW imapd 2003.338rh
995/tcp open pop3s?
1337/tcp open irc-proxy psyBNC 2.3.2-4
3306/tcp open mysql MySQL (unauthorized)
6667/tcp filtered irc
6668/tcp filtered irc
7000/tcp filtered afs3-fileserver
31337/tcp open irc-proxy psyBNC 2.3.1
H'm an irc proxy (bot?).. but it needs a password.. if I were just as lame.. I'd just brute force it ;)
telnet 66.79.170.220 1337
Trying 66.79.170.220...
Connected to 66.79.170.220.
Escape character is '^]'.
:Welcome!psyBNC@lam3rz.de NOTICE * :psyBNC2.3.2-4
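As an added example (not the poster's log or any of the tools named in this thread), a small Python parser that reads sshd lines in the same format quoted above, groups failures by source address and flags sources that fail often at machine speed, which is the every-two-seconds pattern the logs show. The host name, addresses, sample lines and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches both forms quoted in the thread ("for root from" and "for invalid user web from")
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")

def parse_failures(lines, year=2004):
    """Yield (timestamp, source_ip, username, was_invalid_user) per failed login."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:  # syslog lines carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], m["invalid"] is not None

def summarize(lines, min_attempts=5, max_median_gap=5.0):
    """Group failures by source IP and flag sources that fail often and fast."""
    per_ip = defaultdict(list)
    for ts, ip, user, invalid in parse_failures(lines):
        per_ip[ip].append((ts, user, invalid))
    report = {}
    for ip, ev in per_ip.items():
        ev.sort()
        gaps = sorted((b[0] - a[0]).total_seconds() for a, b in zip(ev, ev[1:]))
        median = gaps[len(gaps) // 2] if gaps else None
        report[ip] = {
            "attempts": len(ev),
            "users": sorted({u for _, u, _ in ev}),
            "root_attempts": sum(u == "root" for _, u, _ in ev),
            "invalid_user_attempts": sum(inv for _, _, inv in ev),
            "median_gap_s": median,
            # many failures at machine speed from one source = scripted guessing
            "brute_force": len(ev) >= min_attempts and median is not None
                           and median <= max_median_gap,
        }
    return report

# Constructed sample in the thread's sshd format (RFC 5737 test addresses, not real hosts)
SAMPLE_LOG = """\
Oct 27 16:20:04 host sshd[13787]: Failed password for root from 192.0.2.10 port 40644 ssh2
Oct 27 16:20:08 host sshd[13793]: Failed password for root from 192.0.2.10 port 40713 ssh2
Oct 27 16:20:10 host sshd[13796]: Invalid user oracle from 192.0.2.10
Oct 27 16:20:10 host sshd[13796]: Failed password for invalid user oracle from 192.0.2.10 port 42454 ssh2
Oct 27 16:20:12 host sshd[13799]: Failed password for invalid user backup from 192.0.2.10 port 42596 ssh2
Oct 27 16:20:13 host sshd[13802]: Failed password for root from 192.0.2.10 port 42858 ssh2
Oct 27 16:31:02 host sshd[14120]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Oct 27 16:32:40 host sshd[14133]: Failed password for alice from 198.51.100.7 port 51040 ssh2
""".splitlines()
```

Calling summarize(SAMPLE_LOG) flags 192.0.2.10 (five failures, median gap of two seconds, a mix of root and invalid-user names) and leaves the slow two-failure source for alice unflagged; the bare "Invalid user ... from" lines are ignored because the matching "Failed password" line already carries the same information.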