Linode Community Forums
PostPosted: Wed Feb 01, 2006 9:03 pm 
Senior Member
Joined: Sat Aug 30, 2003 6:35 am
Posts: 57
Hello.
Today my server got scanned using a sshd brute-forcer by 64.5.53.57/li-57.members.linode.com - here are some of the logs:

Jan 31 19:20:09 hostname sshd[4600]: Failed password for invalid user alias from 64.5.53.57 port 1481 ssh2
Jan 31 19:20:09 hostname sshd[4600]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:13 hostname sshd[15730]: Invalid user office from 64.5.53.57
Jan 31 19:20:13 hostname sshd[18045]: input_userauth_request: invalid user office
Jan 31 19:20:13 hostname sshd[18045]: Failed password for invalid user office from 64.5.53.57 port 1516 ssh2
Jan 31 19:20:13 hostname sshd[18045]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:14 hostname sshd[10411]: Invalid user samba from 64.5.53.57
Jan 31 19:20:14 hostname sshd[10291]: input_userauth_request: invalid user samba
Jan 31 19:20:14 hostname sshd[10291]: Failed password for invalid user samba from 64.5.53.57 port 1602 ssh2
Jan 31 19:20:14 hostname sshd[10291]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:15 hostname sshd[19375]: Invalid user tomcat from 64.5.53.57
Jan 31 19:20:15 hostname sshd[19370]: input_userauth_request: invalid user tomcat
Jan 31 19:20:15 hostname sshd[19370]: Failed password for invalid user tomcat from 64.5.53.57 port 1635 ssh2
Jan 31 19:20:15 hostname sshd[19370]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:19 hostname sshd[15543]: Invalid user webadmin from 64.5.53.57
Jan 31 19:20:19 hostname sshd[23343]: input_userauth_request: invalid user webadmin
Jan 31 19:20:19 hostname sshd[23343]: Failed password for invalid user webadmin from 64.5.53.57 port 1676 ssh2
Jan 31 19:20:19 hostname sshd[23343]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:19 hostname sshd[1033]: Invalid user spam from 64.5.53.57
Jan 31 19:20:19 hostname sshd[1024]: input_userauth_request: invalid user spam
Jan 31 19:20:19 hostname sshd[1024]: Failed password for invalid user spam from 64.5.53.57 port 1846 ssh2
Jan 31 19:20:19 hostname sshd[1024]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:20 hostname sshd[23557]: Invalid user virus from 64.5.53.57
Jan 31 19:20:20 hostname sshd[23731]: input_userauth_request: invalid user virus
Jan 31 19:20:20 hostname sshd[23731]: Failed password for invalid user virus from 64.5.53.57 port 1867 ssh2
Jan 31 19:20:20 hostname sshd[23731]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:21 hostname sshd[14019]: Invalid user cyrus from 64.5.53.57
Jan 31 19:20:21 hostname sshd[1486]: input_userauth_request: invalid user cyrus
Jan 31 19:20:21 hostname sshd[1486]: Failed password for invalid user cyrus from 64.5.53.57 port 1913 ssh2
Jan 31 19:20:21 hostname sshd[1486]: Received disconnect from 64.5.53.57: 11: Bye Bye

My OpenBSD firewall detected this (by noticing it was using too many connections in too short a time span) and used PF (PacketFilter, an OBSD firewalling tool) to automatically drop all subsequent packets from this host. I also use skey authentication only, so it wasn't going to affect me. This leads me to suspect the attack was random - anyone that knew my system's security wouldn't bother with such a pointless scan.

The scan was also done by a ssh scanning tool, as detailed here: http://a.mongers.org/muppets/20040808-sshscan-1

So, it looks likely that this host is scanning portions of the internet for vulnerable ssh servers. This means that the server has either been hacked or has a bad user on it who is attempting to build himself a list of valid logins to other hosts on the internet by simply brute forcing the sshds he finds in scans.

Normally I don't bother to report such scans to the ISP of the server that does them, because many ISPs won't bother to do anything about hacked or abused servers. I used to have a linode myself though, so I'm aware of the excellent customer service here and don't want to see linodes used for evil things.

So, if Caker or another member of staff could check that the server hasn't been compromised (and take action if it has), then it would be appreciated.
I'm sure we could all do with less places on the internet randomly scanning servers with sshd brute forcing tools :)


Last edited by Ashen on Sun Apr 08, 2012 9:14 pm, edited 1 time in total.
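The poster's firewall blocked the scanner on connection rate alone (too many new connections from one source in too short a window). The script below is an added example, not code from the original post or from Linode: it applies the same rule to sshd's own log lines rather than to packets, so it can be run over an auth log after the fact. The sample log is constructed from the lines quoted above plus two failures from 192.0.2.10 (a documentation address) that stay under the limit; the threshold (more than 5 failures in 30 seconds), the assumed year for the year-less syslog timestamps, and the function names are choices made for this example.

```python
"""Rate-based SSH brute-force detector over sshd auth log lines.

Added example (not from the forum post). It mirrors what the poster's PF
firewall did with connection counts, but counts sshd "Failed password"
events per source IP inside a sliding time window. Thresholds, the
sample log and all helper names are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure lines, for both unknown ("invalid user") and known users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# syslog timestamps carry no year; one is assumed so they can be compared.
ASSUMED_YEAR = 2006

# Constructed sample: the quoted scan from 64.5.53.57 interleaved with two
# unrelated failures from 192.0.2.10. "Invalid user" and "Received
# disconnect" lines are kept to show that the parser ignores them.
SAMPLE_LOG = [
    "Jan 31 19:20:09 hostname sshd[4600]: Failed password for invalid user alias from 64.5.53.57 port 1481 ssh2",
    "Jan 31 19:20:09 hostname sshd[4600]: Received disconnect from 64.5.53.57: 11: Bye Bye",
    "Jan 31 19:20:13 hostname sshd[15730]: Invalid user office from 64.5.53.57",
    "Jan 31 19:20:13 hostname sshd[18045]: Failed password for invalid user office from 64.5.53.57 port 1516 ssh2",
    "Jan 31 19:20:14 hostname sshd[10291]: Failed password for invalid user samba from 64.5.53.57 port 1602 ssh2",
    "Jan 31 19:20:15 hostname sshd[19370]: Failed password for invalid user tomcat from 64.5.53.57 port 1635 ssh2",
    "Jan 31 19:20:17 hostname sshd[20001]: Failed password for root from 192.0.2.10 port 40122 ssh2",
    "Jan 31 19:20:19 hostname sshd[23343]: Failed password for invalid user webadmin from 64.5.53.57 port 1676 ssh2",
    "Jan 31 19:20:19 hostname sshd[1024]: Failed password for invalid user spam from 64.5.53.57 port 1846 ssh2",
    "Jan 31 19:20:20 hostname sshd[23731]: Failed password for invalid user virus from 64.5.53.57 port 1867 ssh2",
    "Jan 31 19:20:21 hostname sshd[1486]: Failed password for invalid user cyrus from 64.5.53.57 port 1913 ssh2",
    "Jan 31 19:25:02 hostname sshd[20377]: Failed password for root from 192.0.2.10 port 40130 ssh2",
]


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bruteforce(lines, max_failures=5, window_seconds=30):
    """Return {ip: {"blocked_at": datetime, "users": [...]}} for every source
    that produced more than max_failures failures within any window of
    window_seconds. Once a source trips the limit it is treated as blocked,
    which is the log-side analogue of PF's overload table: later events are
    still attributed to it (so the usernames it tried are collected) but no
    longer feed the rate calculation.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    blocked_at = {}
    for ts, ip, user in parse_failures(lines):
        users[ip].add(user)
        if ip in blocked_at:
            continue              # already on the block list
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_failures:
            blocked_at[ip] = ts
    return {ip: {"blocked_at": ts, "users": sorted(users[ip])}
            for ip, ts in blocked_at.items()}


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} blocked at {info['blocked_at']:%b %d %H:%M:%S}; "
              f"tried {len(info['users'])} users: {', '.join(info['users'])}")
```

On the constructed sample the scanner is listed at its sixth failure (19:20:19) and 192.0.2.10 is never listed. The PF equivalent of this rule, which is what the original post describes, is a state option on the ssh rule, for instance `keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)` with a matching `block in quick from <bruteforce>`. Two caveats apply to either approach: PF counts new TCP connections (the scanner above opened one per attempt, visible as a fresh source port each time), so a tool that retries inside a single SSH connection would be seen only by the log-based count; and a low threshold with `flush global` will lock out every user behind a shared NAT address once one of them fat-fingers a password a few times.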

PostPosted: Wed Feb 01, 2006 9:09 pm 
Linode Staff

Joined: Tue Apr 15, 2003 6:24 pm
Posts: 3090
Website: http://www.linode.com/
Location: Galloway, NJ
We're on it. Thanks for the report.

For future reference, we take all abuse reports very seriously, and will work with the customer until the issues are resolved. Anyone else with abuse complaints, please send an email to abuse (at) linode.com.

Thanks again,
-Chris

