[kwlug-disc] Identify this exploit?
Khalid Baheyeldin
kb at 2bits.com
Sun Dec 29 13:53:33 EST 2019
On Sun, Dec 29, 2019 at 12:34 PM Ron Singh <ronsingh149 at gmail.com> wrote:
> From a non-techy/new-ish to Linux guy's perspectrive, what do I take away
> from this bit of "follow the bouncing ball"?
>
> 153.126.166.203 (ik1-319-19699.vs.sakura.ne.jp)
>
>
> and googling nmp3000, I get this twitter user as a top hit and he seems to
> be a Linux-y kind of guy in Japan:
>
> https://twitter.com/nmp3000
>
> No idea if there is any meaning to be gleaned from this, but I thought it
> might be mildly interesting. I do wonder if that fella's site is hacked and
> someone is using his url for dastardly deeds. I am not at all savvy about
> how these things work, but I thought it curious.
>
The IP address that the attempts come from is (usually) irrelevant.
This guy can be a victim, rather than a perpetrator.
Usually, the ssh login attempt will come from a single IP address: some
script kiddie tries to login to hosts, using various login names (root,
mysql,
uucp, lpadmin, ...etc.) The strange thing is that I see the same attack on
more than one server, and sometimes it is all of them from the same IP
address. How did they tie the servers that I own to servers of my clients?
I have no idea, but it happens often. And they are in different data
centers,
and not in the same IP address blocks.
You can usually know who the attacker is using something like this:
https://www.whois.com/whois/153.126.166.203
This will tell you the internet provider for the IP. Sometimes it is a cloud
provider like Amazon AWS or something like that. Often, it is just an IP
address that the attacker hacked somehow, not his actual IP address.
You can file a complaint at abuse at whatever-provider (via Whois), but
it is time consuming, and a whack-a-mole scenario.
Then, there are attempts from various IP addresses, like the one I posted.
This is more sophisticated in that the attacker commandeered several
computers (and not just a single one) and using them to launch an attack.
It can be a bot net that the attacker created via malware or other means.
Sometimes they rent a bot net that someone else created, and providers
it for hire.
For this particular attack, the attacker wrote (or downloaded) a shoddy
script:
he forgot the login name in ssh for most attempts! In another place in
logwatch's
report there is:
sshd:
Authentication Failures:
*unknown* (115.160.163.195): 2 Time(s)
root (153.126.166.203): 1 Time(s)
root (92.246.17.5): 1 Time(s)
root (95.88.219.197): 1 Time(s)
*unknown* (142.4.208.131): 1 Time(s)
*unknown* (153.126.141.19): 1 Time(s)
*unknown* (63.142.97.181): 1 Time(s)
*unknown* (92.246.17.5): 1 Time(s)
Invalid Users:
Unknown Account: 6 Time(s)
While on another day, and another server, it was like this:
Very persistent, trying many permutations for the password.
sshd:
Authentication Failures:
*root* (101.78.209.150): *831* Time(s)
unknown (196.196.217.50): 134 Time(s)
*root* (196.196.217.50): 71 Time(s)
*bin* (196.196.217.50): 1 Time(s)
*daemon* (196.196.217.50): 1 Time(s)
Invalid Users:
Unknown Account: 134 Time(s)
For me, I just disable password login (rely on ssh keys) and block the IP
address
using this script:
#!/bin/sh
#
# Script to block one or more ip addresses
# Check arguments
if [ $# = 0 ]; then
# Display a usage error message
echo "Usage: `basename $0` ip-address"
exit 1
fi
for IP in $*
do
# Block the IP address
iptables -I INPUT -s $IP -j DROP
logger -t `basename $0` "Blocking IP: $IP"
done
Save it, and run it as needed.
Residual attempts will still appear in logwatch's report the following day.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20191229/581a6cbd/attachment.htm>
More information about the kwlug-disc
mailing list