[kwlug-disc] Identify this exploit?

Mikalai Birukou mb at 3nsoft.com
Sun Dec 29 14:12:58 EST 2019


There are examples where people run an ssh shell behind a Tor proxy.

This way you never get this attack, because no one knows the .onion
address.

On 2019-12-29 1:53 p.m., Khalid Baheyeldin wrote:
>
> On Sun, Dec 29, 2019 at 12:34 PM Ron Singh <ronsingh149 at gmail.com> wrote:
>
>     From a non-techy/new-ish to Linux guy's perspective, what do I
>     take away from this bit of "follow the bouncing ball"?
>
>     153.126.166.203 (ik1-319-19699.vs.sakura.ne.jp)
>
>
>     and googling nmp3000, I get this twitter user as a top hit and he
>     seems to be a Linux-y kind of guy in Japan:
>
>     https://twitter.com/nmp3000
>
>     No idea if there is any meaning to be gleaned from this, but I
>     thought it might be mildly interesting. I do wonder if that
>     fella's site is hacked and someone is using his url for dastardly
>     deeds. I am not at all savvy about how these things work, but I
>     thought it curious.
>
>
> The IP address that the attempts come from is (usually) irrelevant.
> This guy can be a victim, rather than a perpetrator.
>
> Usually, the ssh login attempt will come from a single IP address: some
> script kiddie tries to log in to hosts, using various login names
> (root, mysql, uucp, lpadmin, ...etc.) The strange thing is that I see
> the same attack on more than one server, and sometimes it is all of
> them from the same IP address. How did they tie the servers that I own
> to servers of my clients? I have no idea, but it happens often. And
> they are in different data centers, and not in the same IP address
> blocks.
>
> You can usually know who the attacker is using something like this:
>
> https://www.whois.com/whois/153.126.166.203
>
> This will tell you the internet provider for the IP. Sometimes it is a
> cloud provider like Amazon AWS or something like that. Often, it is
> just an IP address that the attacker hacked somehow, not his actual IP
> address. You can file a complaint at abuse at whatever-provider (via
> Whois), but it is time consuming, and a whack-a-mole scenario.
>
> Then, there are attempts from various IP addresses, like the one I posted.
> This is more sophisticated in that the attacker commandeered several
> computers (and not just a single one) and is using them to launch an attack.
> It can be a bot net that the attacker created via malware or other means.
> Sometimes they rent a bot net that someone else created, and provides
> it for hire.
>
> For this particular attack, the attacker wrote (or downloaded) a
> shoddy script: he forgot the login name in ssh for most attempts! In
> another place in logwatch's report there is:
>
>  sshd:
>     Authentication Failures:
>        unknown (115.160.163.195): 2 Time(s)
>        root (153.126.166.203): 1 Time(s)
>        root (92.246.17.5): 1 Time(s)
>        root (95.88.219.197): 1 Time(s)
>        unknown (142.4.208.131): 1 Time(s)
>        unknown (153.126.141.19): 1 Time(s)
>        unknown (63.142.97.181): 1 Time(s)
>        unknown (92.246.17.5): 1 Time(s)
>     Invalid Users:
>        Unknown Account: 6 Time(s)
>
> While on another day, and another server, it was like this:
>
> Very persistent, trying many permutations for the password.
>
>  sshd:
>     Authentication Failures:
>        root (101.78.209.150): 831 Time(s)
>        unknown (196.196.217.50): 134 Time(s)
>        root (196.196.217.50): 71 Time(s)
>        bin (196.196.217.50): 1 Time(s)
>        daemon (196.196.217.50): 1 Time(s)
>     Invalid Users:
>        Unknown Account: 134 Time(s)
>
> For me, I just disable password login (rely on ssh keys) and block the
> IP address using this script:
>
> #!/bin/sh
> #
> # Script to block one or more IP addresses (inserts a DROP rule for each)
>
> # Check arguments
> if [ $# -eq 0 ]; then
>   # Display a usage error message
>   echo "Usage: $(basename "$0") ip-address [ip-address ...]" >&2
>   exit 1
> fi
>
> # "$@" keeps each argument intact; "$*" would re-split on whitespace
> for IP in "$@"
> do
>   # Block the IP address at the top of the INPUT chain
>   iptables -I INPUT -s "$IP" -j DROP
>   logger -t "$(basename "$0")" "Blocking IP: $IP"
> done
>
> Save it, and run it as needed.
> Residual attempts will still appear in logwatch's report the following
> day.
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
-- 
Mikalai Birukou
CEO | 3NSoft Inc.
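As an added example (editor's code, not part of the thread and not Khalid's script): a POSIX sh script that does the per-source counting logwatch does in the reports quoted above, over a handful of constructed sshd log lines, and then emits the same iptables rule Khalid's script runs for every source that crosses a threshold. The log lines are made up for this example; the addresses 101.78.209.150 and 196.196.217.50 are the ones from the thread, 203.0.113.7 (documentation range) stands in for a legitimate key login, and the hostname srv, the pids, port numbers and the threshold values are all assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script: count sshd
# authentication failures per source address from auth.log-style lines
# and print a block command for every source over a threshold.

# Constructed sample of sshd syslog lines (hostname, pids, ports are made up).
SAMPLE_LOG='Dec 29 10:01:02 srv sshd[2101]: Failed password for root from 101.78.209.150 port 51234 ssh2
Dec 29 10:01:03 srv sshd[2102]: Invalid user admin from 196.196.217.50 port 51235
Dec 29 10:01:03 srv sshd[2102]: Failed password for invalid user admin from 196.196.217.50 port 51235 ssh2
Dec 29 10:01:05 srv sshd[2103]: Failed password for root from 101.78.209.150 port 51237 ssh2
Dec 29 10:01:06 srv sshd[2104]: Accepted publickey for kb from 203.0.113.7 port 51238 ssh2
Dec 29 10:01:07 srv sshd[2105]: Failed password for root from 101.78.209.150 port 51239 ssh2
Dec 29 10:01:08 srv sshd[2106]: Failed password for bin from 196.196.217.50 port 51240 ssh2'

# failures_by_ip: read sshd log lines on stdin, print "<count> <ip>" per
# source, most failures first.  Only "Failed <method> for ... from <ip>"
# lines are counted; the separate "Invalid user ..." line sshd logs for an
# unknown account is skipped so one attempt is not counted twice, and
# successful logins ("Accepted ...") are ignored.
failures_by_ip() {
    awk '
        / sshd\[[0-9]+\]: Failed [a-z]+ for .* from / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# block_cmds THRESHOLD: print (do not run) one iptables DROP rule for every
# source with at least THRESHOLD failures.  Pipe the output to sh as root
# to apply it; like the script in the thread, -I puts the rule at the top
# of INPUT so it wins over any later ACCEPT, and it does not survive reboot.
block_cmds() {
    failures_by_ip | awk -v t="$1" \
        '$1 + 0 >= t + 0 { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# Demo run on the constructed sample: the table, then rules at threshold 3.
printf '%s\n' "$SAMPLE_LOG" | failures_by_ip
printf '%s\n' "$SAMPLE_LOG" | block_cmds 3
```

On a real host, feed it the auth log instead of the sample (`grep sshd /var/log/auth.log | failures_by_ip`). Note that a per-address threshold only helps with the second kind of report in the thread (one address, hundreds of attempts); the first kind, where each source makes one or two attempts, falls under any sensible threshold, which is why Khalid's real fix is disabling password authentication rather than the block list.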