  1. #1
    Join Date
    Jun 2005
    Posts
    98

    abusive users (not clients)

    I seem to be getting this a lot lately - school's out for summer so kids are playing with stuff, or what?

    kouta# cat /var/log/auth.log
    Jul 9 03:00:00 kouta newsyslog[32844]: logfile turned over due to size>100K
    Jul 9 04:24:40 kouta sshd[34462]: Failed password for root from 211.55.29.125 port 56773 ssh2
    Jul 9 04:24:40 kouta sshd[34461]: Failed password for root from 211.55.29.125 port 56757 ssh2
    Jul 9 04:24:41 kouta sshd[34465]: Illegal user fluffy from 211.55.29.125
    Jul 9 04:24:41 kouta sshd[34467]: Illegal user fluffy from 211.55.29.125
    Jul 9 04:24:42 kouta sshd[34469]: Illegal user admin from 211.55.29.125
    Jul 9 04:24:42 kouta sshd[34471]: Illegal user admin from 211.55.29.125
    Jul 9 04:24:44 kouta sshd[34473]: Illegal user test from 211.55.29.125
    Jul 9 04:24:45 kouta sshd[34475]: Illegal user guest from 211.55.29.125
    Jul 9 04:24:46 kouta sshd[34477]: Illegal user webmaster from 211.55.29.125
    Jul 9 04:24:47 kouta sshd[34479]: Failed password for mysql from 211.55.29.125 port 57168 ssh2
    Jul 9 04:24:48 kouta sshd[34481]: Illegal user test from 211.55.29.125
    Jul 9 04:24:48 kouta sshd[34483]: Illegal user oracle from 211.55.29.125
    Jul 9 04:24:49 kouta sshd[34486]: Illegal user library from 211.55.29.125
    Jul 9 04:24:49 kouta sshd[34485]: Illegal user guest from 211.55.29.125
    Jul 9 04:24:50 kouta sshd[34489]: Illegal user webmaster from 211.55.29.125
    Jul 9 04:24:52 kouta sshd[34491]: Failed password for mysql from 211.55.29.125 port 57361 ssh2
    Jul 9 04:24:56 kouta sshd[34493]: Illegal user oracle from 211.55.29.125
    Jul 9 04:24:57 kouta sshd[34495]: Illegal user library from 211.55.29.125
    Jul 9 04:25:03 kouta sshd[34506]: Illegal user info from 211.55.29.125
    Jul 9 04:25:04 kouta sshd[34508]: Illegal user shell from 211.55.29.125
    Jul 9 04:25:10 kouta sshd[34514]: Illegal user linux from 211.55.29.125
    Jul 9 04:25:12 kouta sshd[34516]: Illegal user unix from 211.55.29.125
    Jul 9 04:25:13 kouta sshd[34518]: Illegal user webadmin from 211.55.29.125
    Jul 9 04:25:14 kouta sshd[34520]: Failed password for ftp from 211.55.29.125 port 58266 ssh2
    Jul 9 04:25:15 kouta sshd[34522]: Illegal user test from 211.55.29.125
    Jul 9 04:25:16 kouta sshd[34524]: Failed password for root from 211.55.29.125 port 58347 ssh2
    Jul 9 04:25:17 kouta sshd[34526]: Illegal user admin from 211.55.29.125
    Jul 9 04:25:18 kouta sshd[34529]: Illegal user guest from 211.55.29.125
    Jul 9 04:25:19 kouta sshd[34533]: Illegal user master from 211.55.29.125
    Jul 9 04:25:20 kouta sshd[34535]: Illegal user apache from 211.55.29.125
    Jul 9 04:25:21 kouta sshd[34537]: Failed password for root from 211.55.29.125 port 58534 ssh2
    Jul 9 04:25:24 kouta sshd[34539]: Failed password for root from 211.55.29.125 port 58574 ssh2
    Jul 9 04:25:25 kouta sshd[34541]: Illegal user network from 211.55.29.125
    Jul 9 04:25:31 kouta sshd[34543]: Illegal user word from 211.55.29.125
    Jul 9 04:25:32 kouta sshd[34545]: Failed password for root from 211.55.29.125 port 58963 ssh2
    Jul 9 04:25:35 kouta sshd[34547]: Failed password for root from 211.55.29.125 port 59009 ssh2
    Jul 9 04:25:36 kouta sshd[34550]: Failed password for root from 211.55.29.125 port 59105 ssh2
    Jul 9 04:25:37 kouta sshd[34552]: Failed password for root from 211.55.29.125 port 59139 ssh2
    Jul 9 04:25:38 kouta sshd[34554]: Failed password for root from 211.55.29.125 port 59180 ssh2
    Jul 9 04:25:39 kouta sshd[34556]: Failed password for root from 211.55.29.125 port 59222 ssh2
    Jul 9 04:25:41 kouta sshd[34558]: Failed password for root from 211.55.29.125 port 59252 ssh2
    Jul 9 04:25:42 kouta sshd[34560]: Failed password for root from 211.55.29.125 port 59305 ssh2
    Jul 9 04:25:43 kouta sshd[34562]: Failed password for root from 211.55.29.125 port 59347 ssh2
    Jul 9 04:25:44 kouta sshd[34564]: Failed password for root from 211.55.29.125 port 59372 ssh2
    Jul 9 04:25:45 kouta sshd[34566]: Failed password for root from 211.55.29.125 port 59414 ssh2
    Jul 9 04:25:46 kouta sshd[34568]: Failed password for root from 211.55.29.125 port 59455 ssh2
    Jul 9 04:25:48 kouta sshd[34570]: Failed password for root from 211.55.29.125 port 59491 ssh2
    Jul 9 04:25:49 kouta sshd[34572]: Failed password for root from 211.55.29.125 port 59535 ssh2
    Jul 9 04:25:50 kouta sshd[34574]: Illegal user admin from 211.55.29.125
    Jul 9 04:25:51 kouta sshd[34577]: Illegal user admin from 211.55.29.125
    Jul 9 04:25:52 kouta sshd[34581]: Illegal user admin from 211.55.29.125
    Jul 9 04:25:53 kouta sshd[34583]: Illegal user admin from 211.55.29.125
    Jul 9 04:25:54 kouta sshd[34585]: Failed password for root from 211.55.29.125 port 59751 ssh2
    Jul 9 04:25:55 kouta sshd[34587]: Failed password for root from 211.55.29.125 port 59783 ssh2
    Jul 9 04:25:56 kouta sshd[34589]: Illegal user test from 211.55.29.125
    Jul 9 04:25:57 kouta sshd[34591]: Illegal user test from 211.55.29.125
    Jul 9 04:25:58 kouta sshd[34593]: Illegal user webmaster from 211.55.29.125
    Jul 9 04:26:00 kouta sshd[34595]: Illegal user user from 211.55.29.125
    Jul 9 04:26:04 kouta sshd[34601]: Illegal user username from 211.55.29.125
    Jul 9 04:26:04 kouta sshd[34603]: Illegal user username from 211.55.29.125
    Jul 9 04:26:08 kouta sshd[34605]: Illegal user user from 211.55.29.125
    Jul 9 04:26:10 kouta sshd[34607]: Failed password for root from 211.55.29.125 port 60269 ssh2
    Jul 9 04:26:11 kouta sshd[34609]: Illegal user admin from 211.55.29.125
    Jul 9 04:26:12 kouta sshd[34611]: Illegal user test from 211.55.29.125
    Jul 9 04:26:13 kouta sshd[34613]: Failed password for root from 211.55.29.125 port 60382 ssh2
    Jul 9 04:26:14 kouta sshd[34615]: Failed password for root from 211.55.29.125 port 60424 ssh2
    Jul 9 04:26:20 kouta sshd[34618]: Failed password for root from 211.55.29.125 port 60629 ssh2
    Jul 9 04:26:21 kouta sshd[34620]: Failed password for root from 211.55.29.125 port 60661 ssh2
    Jul 9 04:26:22 kouta sshd[34623]: Illegal user danny from 211.55.29.125
    Jul 9 04:26:23 kouta sshd[34626]: Illegal user sharon from 211.55.29.125
    Jul 9 04:26:24 kouta sshd[34628]: Illegal user aron from 211.55.29.125
    Jul 9 04:26:25 kouta sshd[34630]: Illegal user alex from 211.55.29.125
    Jul 9 04:26:26 kouta sshd[34632]: Illegal user brett from 211.55.29.125
    Jul 9 04:26:30 kouta sshd[34634]: Illegal user mike from 211.55.29.125
    Jul 9 04:26:31 kouta sshd[34636]: Illegal user alan from 211.55.29.125
    Jul 9 04:26:32 kouta sshd[34638]: Illegal user data from 211.55.29.125
    Jul 9 04:26:33 kouta sshd[34640]: Illegal user www-data from 211.55.29.125
    Jul 9 04:26:34 kouta sshd[34642]: Illegal user http from 211.55.29.125
    Jul 9 04:26:36 kouta sshd[34644]: Illegal user httpd from 211.55.29.125
    Jul 9 04:26:37 kouta sshd[34646]: Failed password for nobody from 211.55.29.125 port 32973 ssh2
    Jul 9 04:26:38 kouta sshd[34648]: Failed password for root from 211.55.29.125 port 33010 ssh2
    Jul 9 04:26:39 kouta sshd[34650]: Illegal user backup from 211.55.29.125
    Jul 9 04:26:40 kouta sshd[34652]: Illegal user info from 211.55.29.125
    Jul 9 04:26:42 kouta sshd[34654]: Illegal user shop from 211.55.29.125
    Jul 9 04:26:43 kouta sshd[34656]: Illegal user sales from 211.55.29.125
    Jul 9 04:26:44 kouta sshd[34658]: Illegal user web from 211.55.29.125
    Jul 9 04:26:45 kouta sshd[34660]: Failed password for www from 211.55.29.125 port 33301 ssh2
    Jul 9 04:26:46 kouta sshd[34662]: Illegal user wwwrun from 211.55.29.125
    Jul 9 04:26:48 kouta sshd[34664]: Illegal user adam from 211.55.29.125
    Jul 9 04:26:49 kouta sshd[34666]: Illegal user stephen from 211.55.29.125
    Jul 9 04:26:50 kouta sshd[34668]: Illegal user richard from 211.55.29.125
    Jul 9 04:26:51 kouta sshd[34670]: Illegal user george from 211.55.29.125
    Jul 9 04:26:52 kouta sshd[34672]: Illegal user michael from 211.55.29.125
    Jul 9 04:26:53 kouta sshd[34675]: Illegal user john from 211.55.29.125
    Jul 9 04:26:54 kouta sshd[34677]: Illegal user david from 211.55.29.125
    Jul 9 04:26:55 kouta sshd[34679]: Illegal user paul from 211.55.29.125
    Jul 9 04:26:57 kouta sshd[34681]: Failed password for news from 211.55.29.125 port 33702 ssh2
    Jul 9 04:26:58 kouta sshd[34683]: Illegal user angel from 211.55.29.125
    Jul 9 04:26:59 kouta sshd[34685]: Failed password for games from 211.55.29.125 port 33787 ssh2
    Jul 9 04:27:00 kouta sshd[34687]: Illegal user pgsql from 211.55.29.125
    Jul 9 04:27:01 kouta sshd[34689]: Illegal user pgsql from 211.55.29.125
    Jul 9 04:27:02 kouta sshd[34695]: Illegal user mail from 211.55.29.125
    Jul 9 04:27:03 kouta sshd[34697]: Illegal user adm from 211.55.29.125
    Jul 9 04:27:04 kouta sshd[34699]: Illegal user ident from 211.55.29.125
    Jul 9 04:27:05 kouta sshd[34701]: Illegal user resin from 211.55.29.125
    Jul 9 04:27:06 kouta sshd[34703]: Illegal user mikael from 211.55.29.125
    Jul 9 04:27:07 kouta sshd[34705]: Illegal user mike from 211.55.29.125
    Jul 9 04:27:08 kouta sshd[34707]: Illegal user suva from 211.55.29.125
    Jul 9 04:27:09 kouta sshd[34709]: Illegal user webpop from 211.55.29.125
    Jul 9 04:27:10 kouta sshd[34711]: Illegal user technicom from 211.55.29.125
    Jul 9 04:27:11 kouta sshd[34713]: Illegal user susan from 211.55.29.125
    Jul 9 04:27:12 kouta sshd[34715]: Illegal user sunsun from 211.55.29.125
    Jul 9 04:27:13 kouta sshd[34718]: Failed password for root from 211.55.29.125 port 34216 ssh2
    Jul 9 04:27:14 kouta sshd[34722]: Illegal user sunny from 211.55.29.125
    Jul 9 04:27:15 kouta sshd[34728]: Illegal user steven from 211.55.29.125
    Jul 9 04:27:16 kouta sshd[34730]: Illegal user ssh from 211.55.29.125
    Jul 9 04:27:17 kouta sshd[34732]: Illegal user search from 211.55.29.125
    Jul 9 04:27:18 kouta sshd[34734]: Illegal user sara from 211.55.29.125
    Jul 9 04:27:19 kouta sshd[34736]: Illegal user robert from 211.55.29.125
    Jul 9 04:27:20 kouta sshd[34738]: Illegal user richard from 211.55.29.125
    Jul 9 04:27:21 kouta sshd[34740]: Illegal user postmaster from 211.55.29.125
    Jul 9 04:27:28 kouta sshd[34742]: Illegal user party from 211.55.29.125
    Jul 9 04:27:29 kouta sshd[34744]: Illegal user michael from 211.55.29.125
    Jul 9 04:27:35 kouta sshd[34746]: Illegal user amanda from 211.55.29.125
    Jul 9 04:27:36 kouta sshd[34748]: Failed password for mysql from 211.55.29.125 port 34704 ssh2
    Jul 9 04:27:37 kouta sshd[34750]: Illegal user rpm from 211.55.29.125
    Jul 9 04:27:38 kouta sshd[34752]: Failed password for operator from 211.55.29.125 port 34740 ssh2
    Jul 9 04:27:39 kouta sshd[34754]: Illegal user sgi from 211.55.29.125
    Jul 9 04:27:45 kouta sshd[34760]: Illegal user Aaliyah from 211.55.29.125
    Jul 9 06:04:13 kouta sshd[35838]: Accepted password for root from (me) port 4367 ssh2

    Currently I've been just tossing logs together and tossing them at the netblock owners' abuse emails and hoping it goes to the right person - I don't want this to turn into a security debate; on most of my boxes I have sshd locked to staff's static IPs, but this one's new and I haven't yet - is this popular or is it just me?

    Anyway, I'm just asking what other people do with stuff like this? Make sure they can't break in and ignore it? Report it? If so, to whom?
    Thanks for your input!

  2. #2
    Join Date
    Feb 2003
    Location
    San Jose, California
    Posts
    410
    The ssh crackers have been around a long time. We have a script that looks for this on some of our machines and automatically begins generating abuse notifies to all upstreams and netblock admins.

    It's a never ending cycle and is not going away any time soon.

    Many times the originating IPs are not really the kiddies themselves. They use proxies and other hacked accounts to in turn try to exploit you.

    In your case, the crack attempts are coming from Korea.

    query: 211.55.29.125

    # ENGLISH

    KRNIC is not a ISP but a National Internet Registry similar to APNIC.
    The IPv4 address is allocated and still held by the following ISP, or
    its Whois information is not updated after assigned to end-users.

    Please see the following ISP contacts for further information
    or network abuse.

    [ ISP Organization Information ]
    Org Name : Korea Telecom
    Service Name : KORNET
    Org Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci

    [ ISP IP Admin Contact Information ]
    Name : IP Administrator
    Phone : +82-2-3674-5708
    Fax : +82-2-747-8701
    E-Mail : [email protected]

    [ ISP IP Tech Contact Information ]
    Name : IP Manager
    Phone : +82-2-3674-5708
    Fax : +82-2-747-8701
    E-mail : [email protected]

    [ ISP Network Abuse Contact Information ]
    Name : Network Abuse
    Phone : +82-2-3675-1499
    Fax : +82-2-747-8701
    E-mail : [email protected]


    Good Luck.

  3. #3
    Join Date
    Jun 2005
    Posts
    98
    Yeah, I'm aware of where they are coming from and I've already contacted the netblock owner - I suppose I'll just continue what I'm doing currently - you say "We have a script that looks for this on some of our machines and automatically begins generating abuse notifies to all upstreams and netblock admins."
    Is this a home-brew script or something that's widely available that I've just never seen? I'd be interested in something similar..

  4. #4
    Join Date
    Jan 2004
    Location
    North Yorkshire, UK
    Posts
    4,163
    Brute force attack ...

    Looks like someone either running an automated probe on your machine, or a compromised machine is scanning your box.

    I'd install APF + BFD which will firewall users who try to login and continuously fail...

    E-mailing upstreams really has no effect; in fact the majority of abuse departments in the world are a load of %$! unless it's spam that's concerned.

    Dan
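The detection step behind both #2's home-brew abuse-notify script and the failure counting that #4 describes for BFD looks roughly like this. This is an added example written for this thread, not the poster's script or APF/BFD code; it assumes the auth.log format shown above, a constructed sample log with RFC 5737 test addresses, and a per-source threshold and time window that you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the auth.log format shown in the thread (RFC 5737 test addresses).
SAMPLE_LOG = """\
Jul  9 03:00:00 kouta newsyslog[32844]: logfile turned over due to size>100K
Jul  9 04:24:40 kouta sshd[34462]: Failed password for root from 203.0.113.5 port 56773 ssh2
Jul  9 04:24:41 kouta sshd[34465]: Illegal user fluffy from 203.0.113.5
Jul  9 04:24:42 kouta sshd[34469]: Illegal user admin from 203.0.113.5
Jul  9 04:24:44 kouta sshd[34473]: Illegal user test from 203.0.113.5
Jul  9 04:24:47 kouta sshd[34479]: Failed password for mysql from 203.0.113.5 port 57168 ssh2
Jul  9 04:25:14 kouta sshd[34520]: Failed password for root from 203.0.113.5 port 58266 ssh2
Jul  9 05:10:02 kouta sshd[35001]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jul  9 06:04:13 kouta sshd[35838]: Accepted password for root from 192.0.2.9 port 4367 ssh2
""".splitlines()

# sshd failure lines; "Illegal user" is this OpenSSH release's wording, newer ones say "Invalid user".
FAILED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?:Failed password for (?:invalid user )?(?P<user1>\S+)'
    r'|(?:Illegal|Invalid) user (?P<user2>\S+)) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})')

def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for every failed or illegal-user line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:   # accepted logins, newsyslog rotation notices, anything else
            continue
        ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')  # syslog carries no year
        yield ts, m.group('ip'), m.group('user1') or m.group('user2')

def find_brute_forcers(lines, threshold=15, window_seconds=600):
    """Return {ip: summary} for sources with >= threshold failures inside any one window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding window over the sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:     # enough failures close together: flag it
                report[ip] = {'failures': len(events), 'usernames': sorted({u for _, u in events}),
                              'first': events[0][0].strftime('%b %d %H:%M:%S'),
                              'last': events[-1][0].strftime('%b %d %H:%M:%S')}
                break
    return report
```

Each entry in the report is the material an abuse notice or a firewall block rule needs: source, time span, attempt count and the usernames tried; a single failed login from an address never reaches the threshold, so ordinary typos are not reported.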
