
Thread: Logwatch

  1. #1
    steve.milner, Senior Member
    Join Date
    Jul 2003
    Posts
    1,021

    Logwatch

    I've never had this before, but it could be more common than I've experienced.

    Since Sunday my logwatch email has been reporting a few attempts each day to ssh connect using the users:

    test
    guest
    admin

    The originating IPs do not seem related.

    Has anyone any experience of this, or is this something new? Some kind of worm perhaps?

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  2. #2
    I've been getting that a ton on the company server I (used to) maintain. IPs seemed to change, and it looked like a script at first.

    Can't give you much more information other than it doesn't ever seem to go beyond testing those three logins.

  3. #3
    steve.milner, Senior Member
    Join Date
    Jul 2003
    Posts
    1,021
    I wonder if it's worth setting up a honeypot to see what would happen if the logins were available...

    If I get time later today I might see if I can, but today is 'busy, busy, busy'.

    Anyone else fancy a go at this?

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    I haven't seen anything in the last few days... but I was getting that quite frequently.

    Code:
    Jul 28 14:06:29 suse sshd[22473]: Illegal user test from ::ffff:62.3.209.74
    Jul 28 14:06:33 suse sshd[22475]: Illegal user guest from ::ffff:62.3.209.74
    Jul 28 15:37:24 suse sshd[22611]: Illegal user test from ::ffff:210.143.106.131
    Jul 28 15:37:26 suse sshd[22613]: Illegal user guest from ::ffff:210.143.106.131
    Jul 31 11:39:04 suse sshd[32634]: Illegal user test from ::ffff:61.144.167.78
    Jul 31 11:39:10 suse sshd[32636]: Illegal user guest from ::ffff:61.144.167.78
    Jul 31 17:19:05 suse sshd[691]: Illegal user test from ::ffff:61.144.167.78
    Jul 31 17:19:08 suse sshd[693]: Illegal user guest from ::ffff:61.144.167.78
    Aug 1 11:59:32 suse sshd[2504]: Illegal user test from ::ffff:61.187.94.210
    Aug 1 11:59:35 suse sshd[2506]: Illegal user guest from ::ffff:61.187.94.210
    Aug 1 16:44:56 suse sshd[2938]: Illegal user test from ::ffff:219.94.51.51
    Aug 1 16:45:00 suse sshd[2940]: Illegal user guest from ::ffff:219.94.51.51
    I haven't seen any for admin... but that's just me....

    I've compared these IP addresses to the addresses in my snort logs, and there's no matches... so they haven't been setting off any alarms there... this seems to be all that the attempt is.

    This is an email that I received from the incidents digest:
    Subject: [Intrusions] Linux SSH scanning - test/guest
    Importance: Low

    FYI

    We got zapped by some hackers from, I think, Romania that have a priv escalation exploit for Linux 2.4.20 http://sirzion.illusivecreations.com/loginxy

    There is also a multithreaded SSH bruteforcer called "haita"
    This attempts to login to machines using the accounts "test" and "guest", with passwords "test" & "guest" respectively. It runs from a file of addresses found by a synscan program. It identifies itself as
    SSH-2.0-libssh-0.1

    So, SSH login failures for test & guest are an indication of this thing running at the remote end.

    The two names & passwords appear to be hardcoded into the program.
    Since Linux as I recall backs off after failed attempts there wouldn't be much to gain by trying many more names, but variants may appear with other defaults.
    There has also been a conversation regarding this on Full Disclosure... If you aren't subscribed to the mailing list.. you can find the thread here: http://lists.netsys.com/pipermail/fu...ly/024340.html

    Those interested in checking out the offending software can download it from http://frauder.us/linux/ssh.tgz. (If anyone has a problem with me posting this link and wants it removed... send me a PM and I'll prolly tell you where to go.) (Use with care... I'm not sure of the details behind the software yet)

    Peace,
    HT

  5. #5
    steve.milner, Senior Member
    Join Date
    Jul 2003
    Posts
    1,021
    I concur - portsentry was not tripped by these IPs, so it's just a straight attempt at port 22.

    Also I've only seen 2 attempts at admin, most for guest & test.

    And thanks for the info on its probable cause.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  6. #6
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Posts
    992
    I have had lots of hits the last couple of days too; a grab from my logs:

    Code:
    Aug 11 19:09:42 [sshd] Illegal user test from ::ffff:61.40.11.45
    Aug 11 19:09:42 [sshd] error: Could not get shadow information for NOUSER
    Aug 11 19:09:42 [sshd] Failed password for illegal user test from ::ffff:61.40.11.45 port 33094 ssh2
    Aug 11 19:09:44 [sshd] User guest not allowed because shell /dev/null is not executable
    Aug 11 19:09:44 [sshd] error: Could not get shadow information for NOUSER
    Aug 11 19:09:44 [sshd] Failed password for illegal user guest from ::ffff:61.40.11.45 port 33166 ssh2
    Aug 11 19:09:47 [sshd] Illegal user admin from ::ffff:61.40.11.45
    Aug 11 19:09:47 [sshd] error: Could not get shadow information for NOUSER
    Aug 11 19:09:47 [sshd] Failed password for illegal user admin from ::ffff:61.40.11.45 port 33236 ssh2
    Aug 11 19:09:50 [sshd] Illegal user admin from ::ffff:61.40.11.45
    Aug 11 19:09:50 [sshd] error: Could not get shadow information for NOUSER
    Aug 11 19:09:50 [sshd] Failed password for illegal user admin from ::ffff:61.40.11.45 port 33305 ssh2
    Aug 11 19:09:53 [sshd] Illegal user user from ::ffff:61.40.11.45
    Aug 11 19:09:53 [sshd] error: Could not get shadow information for NOUSER
    Aug 11 19:09:53 [sshd] Failed password for illegal user user from ::ffff:61.40.11.45 port 33376 ssh2
    Aug 11 19:09:57 [sshd] Failed password for root from ::ffff:61.40.11.45 port 33477 ssh2
    Aug 11 19:09:59 [sshd] Failed password for root from ::ffff:61.40.11.45 port 33565 ssh2
    Aug 11 19:10:02 [sshd] Failed password for root from ::ffff:61.40.11.45 port 33623 ssh2
    Aug 11 19:10:05 [sshd] Illegal user test from ::ffff:61.40.11.45
    Aug 11 19:10:05 [sshd] error: Could not get shadow information for NOUSER
    Aug 11 19:10:05 [sshd] Failed password for illegal user test from ::ffff:61.40.11.45 port 33675 ssh2
    Aug 12 04:46:28 [sshd] Illegal user test from ::ffff:217.160.240.131
    Aug 12 04:46:28 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 04:46:28 [sshd] Failed password for illegal user test from ::ffff:217.160.240.131 port 37016 ssh2
    Aug 12 04:46:29 [sshd] User guest not allowed because shell /dev/null is not executable
    Aug 12 04:46:29 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 04:46:29 [sshd] Failed password for illegal user guest from ::ffff:217.160.240.131 port 37084 ssh2
    Aug 12 04:46:30 [sshd] Illegal user admin from ::ffff:217.160.240.131
    Aug 12 04:46:30 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 04:46:30 [sshd] Failed password for illegal user admin from ::ffff:217.160.240.131 port 37130 ssh2
    Aug 12 04:46:31 [sshd] Illegal user admin from ::ffff:217.160.240.131
    Aug 12 04:46:31 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 04:46:31 [sshd] Failed password for illegal user admin from ::ffff:217.160.240.131 port 37193 ssh2
    Aug 12 04:46:32 [sshd] Illegal user user from ::ffff:217.160.240.131
    Aug 12 04:46:32 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 04:46:32 [sshd] Failed password for illegal user user from ::ffff:217.160.240.131 port 37236 ssh2
    Aug 12 04:46:33 [sshd] Failed password for root from ::ffff:217.160.240.131 port 37280 ssh2
    Aug 12 04:46:34 [sshd] Failed password for root from ::ffff:217.160.240.131 port 37329 ssh2
    Aug 12 04:46:35 [sshd] Failed password for root from ::ffff:217.160.240.131 port 37380 ssh2
    Aug 12 04:46:35 [sshd] Illegal user test from ::ffff:217.160.240.131
    Aug 12 04:46:35 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 04:46:35 [sshd] Failed password for illegal user test from ::ffff:217.160.240.131 port 37414 ssh2
    Aug 12 08:56:15 [sshd] Illegal user test from ::ffff:161.116.73.218
    Aug 12 08:56:15 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 08:56:15 [sshd] Failed password for illegal user test from ::ffff:161.116.73.218 port 38392 ssh2
    Aug 12 08:56:15 [sshd] User guest not allowed because shell /dev/null is not executable
    Aug 12 08:56:15 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 08:56:15 [sshd] Failed password for illegal user guest from ::ffff:161.116.73.218 port 38440 ssh2
    Aug 12 08:56:16 [sshd] Illegal user admin from ::ffff:161.116.73.218
    Aug 12 08:56:16 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 08:56:16 [sshd] Failed password for illegal user admin from ::ffff:161.116.73.218 port 38475 ssh2
    Aug 12 08:56:17 [sshd] Illegal user admin from ::ffff:161.116.73.218
    Aug 12 08:56:17 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 08:56:17 [sshd] Failed password for illegal user admin from ::ffff:161.116.73.218 port 38516 ssh2
    Aug 12 08:56:17 [sshd] Illegal user user from ::ffff:161.116.73.218
    Aug 12 08:56:17 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 08:56:17 [sshd] Failed password for illegal user user from ::ffff:161.116.73.218 port 38557 ssh2
    Aug 12 08:56:18 [sshd] Failed password for root from ::ffff:161.116.73.218 port 38592 ssh2
    Aug 12 08:56:19 [sshd] Failed password for root from ::ffff:161.116.73.218 port 38635 ssh2
    Aug 12 08:56:19 [sshd] Failed password for root from ::ffff:161.116.73.218 port 38673 ssh2
    Aug 12 08:56:20 [sshd] Illegal user test from ::ffff:161.116.73.218
    Aug 12 08:56:20 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 08:56:20 [sshd] Failed password for illegal user test from ::ffff:161.116.73.218 port 38715 ssh2
    Aug 12 11:29:46 [sshd] Did not receive identification string from ::ffff:67.19.83.100
    Aug 12 11:40:49 [sshd] Illegal user test from ::ffff:67.19.83.100
    Aug 12 11:40:49 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
    Aug 12 11:40:49 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 11:40:49 [sshd] Failed password for illegal user test from ::ffff:67.19.83.100 port 49800 ssh2
    Aug 12 11:40:50 [sshd] User guest not allowed because shell /dev/null is not executable
    Aug 12 11:40:51 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
    Aug 12 11:40:51 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 11:40:51 [sshd] Failed password for illegal user guest from ::ffff:67.19.83.100 port 49852 ssh2
    Aug 12 11:40:52 [sshd] Illegal user admin from ::ffff:67.19.83.100
    Aug 12 11:40:52 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
    Aug 12 11:40:52 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 11:40:52 [sshd] Failed password for illegal user admin from ::ffff:67.19.83.100 port 49910 ssh2
    Aug 12 11:40:53 [sshd] Illegal user admin from ::ffff:67.19.83.100
    Aug 12 11:40:53 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
    Aug 12 11:40:53 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 11:40:53 [sshd] Failed password for illegal user admin from ::ffff:67.19.83.100 port 49965 ssh2
    Aug 12 11:40:54 [sshd] Illegal user user from ::ffff:67.19.83.100
    Aug 12 11:40:55 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
    Aug 12 11:40:55 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 11:40:55 [sshd] Failed password for illegal user user from ::ffff:67.19.83.100 port 50008 ssh2
    Aug 12 11:40:56 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
    Aug 12 11:40:56 [sshd] Failed password for root from ::ffff:67.19.83.100 port 50093 ssh2
    Aug 12 11:40:57 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
    Aug 12 11:40:57 [sshd] Failed password for root from ::ffff:67.19.83.100 port 50537 ssh2
    Aug 12 11:40:58 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
    Aug 12 11:40:58 [sshd] Failed password for root from ::ffff:67.19.83.100 port 50579 ssh2
    Aug 12 11:40:59 [sshd] Illegal user test from ::ffff:67.19.83.100
    Aug 12 11:40:59 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
    Aug 12 11:40:59 [sshd] error: Could not get shadow information for NOUSER
    Aug 12 11:40:59 [sshd] Failed password for illegal user test from ::ffff:67.19.83.100 port 50616 ssh2
    I had found a part of the script by reversing towards one of the IPs:

    Here's its code:
    Code:
    #!/bin/sh
    # Wrapper around the two binaries in the tar: ./ss (scanner) and ./haita (bruteforcer).
    if [ $# != 1 ]
    then
        # Romanian usage text: "Use it like this: $0 <class B>", e.g. 212.93,
        # plus a note to set the right interface (eth0, eth1, ppp0 ...) in this file.
        echo "Se da asa:"
        echo "$0 <clasa b>"
        echo "Exemplu:"
        echo "$0 212.93"
        echo "Daca nu prindeti ... verificati in fisieru asta sa fie pusa placa de retea care trebe adika eth0, eth1, ppp0 etc "
        exit
    fi
    # Clear results of a previous run.
    rm -f bios.txt vuln.txt uniq.txt
    # Scan port 22 across the given class B on eth0; hosts found are written to bios.txt.
    ./ss 22 -b $1 -i eth0 -s 6
    # Deduplicate the host list before handing it to haita.
    cat bios.txt |sort | uniq > uniq.txt
    # Try the hardcoded test/guest logins against every host found.
    ./haita
    You can find the ./haita and ./ss in the attached tar.

    Anyway, seems not very harmful, yet annoying.

    Can anyone explain to me what's with the reverse mapping the log gives?
    Is it an unmatched reverse DNS or what?

    Greetz,
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby
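An added example, not code from any poster in this thread: it turns the indicator HT's digest describes (failures for the hardcoded test/guest pair) into a check over sshd lines in both shapes seen above, the "host sshd[pid]:" form from #4 and the "[sshd]" form from #6. The sample log is constructed from lines in this thread plus one made-up failure for a real user named alice; reverse-mapping lines are counted separately, since they only mean the client's PTR name did not resolve back to its IP.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from this thread (both line shapes) plus
# one made-up failure for a real user, alice, from a made-up address.
SAMPLE_LOG = """\
Jul 28 14:06:29 suse sshd[22473]: Illegal user test from ::ffff:62.3.209.74
Jul 28 14:06:33 suse sshd[22475]: Illegal user guest from ::ffff:62.3.209.74
Aug 12 04:46:28 [sshd] Illegal user test from ::ffff:217.160.240.131
Aug 12 04:46:28 [sshd] Failed password for illegal user test from ::ffff:217.160.240.131 port 37016 ssh2
Aug 12 04:46:29 [sshd] Failed password for illegal user guest from ::ffff:217.160.240.131 port 37084 ssh2
Aug 12 04:46:30 [sshd] Illegal user admin from ::ffff:217.160.240.131
Aug 12 11:40:49 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 12 11:40:49 [sshd] Failed password for illegal user test from ::ffff:67.19.83.100 port 49800 ssh2
Aug 13 09:00:00 suse sshd[100]: Failed password for alice from ::ffff:10.0.0.5 port 5000 ssh2
"""

# The message text is identical in both line shapes, so match on it alone.
ILLEGAL_USER = re.compile(r"Illegal user (\S+) from (\S+)")
FAILED_PASS = re.compile(r"Failed password for (?:illegal user )?(\S+) from (\S+) port \d+")
REVERSE_FAIL = re.compile(r"reverse mapping checking getaddrinfo for \S+ failed")

# Account pair the incidents digest says is hardcoded into haita.
HAITA_ACCOUNTS = {"test", "guest"}

def source_ip(raw):
    # IPv4 peers show up as IPv4-mapped IPv6 addresses on dual-stack hosts.
    return raw[7:] if raw.startswith("::ffff:") else raw

def parse_sshd(text):
    """Map each source IP to the set of usernames it tried, and count the
    reverse-mapping warnings (a forward/reverse DNS mismatch for the client,
    not evidence of an attack by itself)."""
    tried = defaultdict(set)
    dns_warnings = 0
    for line in text.splitlines():
        if REVERSE_FAIL.search(line):
            dns_warnings += 1
            continue
        m = FAILED_PASS.search(line) or ILLEGAL_USER.search(line)
        if m:
            tried[source_ip(m.group(2))].add(m.group(1))
    return dict(tried), dns_warnings

def classify(tried):
    """'haita-style' when a source tried both hardcoded accounts, else 'other'."""
    return {ip: "haita-style" if HAITA_ACCOUNTS <= users else "other"
            for ip, users in tried.items()}
```

Running `classify(*parse_sshd(SAMPLE_LOG)[:1])` flags 62.3.209.74 and 217.160.240.131 as haita-style while the single test attempt from 67.19.83.100 and the alice failure stay "other".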
