Scr1p7 K1dD135 R r374rd3d!!1

Anti-Trend

Nonconformist Geek
Geez, my buddy asked me to allow him to SSH into my machine so he can download some files. So, I forwarded port 22 on my router to my system, and left it open overnight. No problem right? I mean, SSHv2 is very secure, if set up properly. Passwords are sent over strong encryption, root is forbidden to login (at least in my sshd_config), one must guess the username as well as the password simultaneously(!) for successful entry, and last but not least incorrect login attempts are met with a 4-second cooldown before they can attempt another login (to prevent brute force attacks). Who in their right mind would try to hack a random SSH2 server on a whim? Apparently, many many script kiddies. When I checked my auth.log file this morning, lo and behold, a veritable horde of 12-year-old web gnomes had tried for the prize. Many of them even used their proper names (such as Patrick, a Pac-Bell Cable customer). What am I, a retard magnet?
 
addis said:
Post the log file. Should be funny.
OK, here's a few choice sections of it:

auth.log said:
Jan 7 01:18:51 Crow sshd[5167]: Invalid user test from ::ffff:221.146.244.170
Jan 7 01:18:51 Crow sshd[5167]: error: Could not get shadow information for NOUSER
Jan 7 01:18:51 Crow sshd[5167]: Failed password for invalid user test from ::ffff:221.146.244.170 port 56476 ssh2
Jan 7 01:18:52 Crow sshd[5169]: Invalid user guest from ::ffff:221.146.244.170
Jan 7 01:18:52 Crow sshd[5169]: error: Could not get shadow information for NOUSER
Jan 7 01:18:52 Crow sshd[5169]: Failed password for invalid user guest from ::ffff:221.146.244.170 port 56503 ssh2
Jan 7 01:18:54 Crow sshd[5171]: Invalid user admin from ::ffff:221.146.244.170
Jan 7 01:18:54 Crow sshd[5171]: error: Could not get shadow information for NOUSER
Jan 7 01:18:54 Crow sshd[5171]: Failed password for invalid user admin from ::ffff:221.146.244.170 port 56548 ssh2
Jan 7 01:18:55 Crow sshd[5173]: Invalid user admin from ::ffff:221.146.244.170
Jan 7 01:18:55 Crow sshd[5173]: error: Could not get shadow information for NOUSER
Jan 7 01:18:55 Crow sshd[5173]: Failed password for invalid user admin from ::ffff:221.146.244.170 port 56632 ssh2
Jan 7 01:18:56 Crow sshd[5175]: Invalid user user from ::ffff:221.146.244.170
Jan 7 01:18:56 Crow sshd[5175]: error: Could not get shadow information for NOUSER
Jan 7 01:18:56 Crow sshd[5175]: Failed password for invalid user user from ::ffff:221.146.244.170 port 56685 ssh2
Jan 7 01:18:58 Crow sshd[5177]: Failed password for root from ::ffff:221.146.244.170 port 56738 ssh2
Jan 7 01:18:59 Crow sshd[5179]: Failed password for root from ::ffff:221.146.244.170 port 56799 ssh2
Jan 7 01:19:01 Crow sshd[5181]: Failed password for root from ::ffff:221.146.244.170 port 56873 ssh2
Jan 7 01:19:02 Crow sshd[5183]: Invalid user test from ::ffff:221.146.244.170
Jan 7 01:19:02 Crow sshd[5183]: error: Could not get shadow information for NOUSER
Jan 7 01:19:02 Crow sshd[5183]: Failed password for invalid user test from ::ffff:221.146.244.170 port 56920 ssh2
Jan 8 19:15:06 Crow sshd[18351]: Did not receive identification string from ::ffff:69.227.227.118
Jan 8 19:17:47 Crow sshd[18352]: Failed password for nobody from ::ffff:69.227.227.118 port 33864 ssh2
Jan 8 19:17:48 Crow sshd[18354]: Invalid user patrick from ::ffff:69.227.227.118
Jan 8 19:17:48 Crow sshd[18354]: error: Could not get shadow information for NOUSER
Jan 8 19:17:48 Crow sshd[18354]: Failed password for invalid user patrick from ::ffff:69.227.227.118 port 33899 ssh2
Jan 8 19:17:49 Crow sshd[18356]: Invalid user patrick from ::ffff:69.227.227.118
Jan 8 19:17:49 Crow sshd[18356]: error: Could not get shadow information for NOUSER
Jan 8 19:17:49 Crow sshd[18356]: Failed password for invalid user patrick from ::ffff:69.227.227.118 port 33923 ssh2
Jan 8 19:17:51 Crow sshd[18358]: Failed password for root from ::ffff:69.227.227.118 port 33950 ssh2
Jan 8 19:17:52 Crow sshd[18360]: Failed password for root from ::ffff:69.227.227.118 port 33981 ssh2
Jan 8 19:17:56 Crow sshd[18362]: Failed password for root from ::ffff:69.227.227.118 port 34010 ssh2
Jan 8 19:17:57 Crow sshd[18364]: Failed password for root from ::ffff:69.227.227.118 port 34109 ssh2
Jan 8 19:17:59 Crow sshd[18366]: Failed password for root from ::ffff:69.227.227.118 port 34144 ssh2
Jan 8 19:18:00 Crow sshd[18368]: Invalid user rolo from ::ffff:69.227.227.118
Jan 8 19:18:00 Crow sshd[18368]: error: Could not get shadow information for NOUSER
Jan 8 19:18:00 Crow sshd[18368]: Failed password for invalid user rolo from ::ffff:69.227.227.118 port 34179 ssh2
Jan 8 19:18:02 Crow sshd[18370]: Invalid user iceuser from ::ffff:69.227.227.118
Jan 8 19:18:02 Crow sshd[18370]: error: Could not get shadow information for NOUSER
Jan 8 19:18:02 Crow sshd[18370]: Failed password for invalid user iceuser from ::ffff:69.227.227.118 port 34208 ssh2
Jan 8 19:18:03 Crow sshd[18372]: Invalid user horde from ::ffff:69.227.227.118
Jan 8 19:18:03 Crow sshd[18372]: error: Could not get shadow information for NOUSER
Jan 8 19:18:03 Crow sshd[18372]: Failed password for invalid user horde from ::ffff:69.227.227.118 port 34242 ssh2
Jan 8 19:18:04 Crow sshd[18374]: Invalid user cyrus from ::ffff:69.227.227.118
Jan 8 19:18:04 Crow sshd[18374]: error: Could not get shadow information for NOUSER
Jan 8 19:18:04 Crow sshd[18374]: Failed password for invalid user cyrus from ::ffff:69.227.227.118 port 34275 ssh2
Jan 8 19:18:05 Crow sshd[18376]: Invalid user www from ::ffff:69.227.227.118
Jan 8 19:18:05 Crow sshd[18376]: error: Could not get shadow information for NOUSER
Jan 8 19:18:05 Crow sshd[18376]: Failed password for invalid user www from ::ffff:69.227.227.118 port 34306 ssh2
Jan 8 19:18:10 Crow sshd[18378]: Invalid user wwwrun from ::ffff:69.227.227.118
Jan 8 19:18:10 Crow sshd[18378]: error: Could not get shadow information for NOUSER
Jan 8 19:18:10 Crow sshd[18378]: Failed password for invalid user wwwrun from ::ffff:69.227.227.118 port 34338 ssh2
Jan 8 19:18:11 Crow sshd[18380]: Invalid user matt from ::ffff:69.227.227.118
Jan 8 19:18:11 Crow sshd[18380]: error: Could not get shadow information for NOUSER
Jan 8 19:18:11 Crow sshd[18380]: Failed password for invalid user matt from ::ffff:69.227.227.118 port 34445 ssh2
Jan 8 19:18:12 Crow sshd[18382]: Invalid user test from ::ffff:69.227.227.118
Jan 8 19:18:12 Crow sshd[18382]: error: Could not get shadow information for NOUSER
Jan 8 19:18:12 Crow sshd[18382]: Failed password for invalid user test from ::ffff:69.227.227.118 port 34470 ssh2
Jan 8 19:18:13 Crow sshd[18384]: Invalid user test from ::ffff:69.227.227.118
Jan 8 19:18:13 Crow sshd[18384]: error: Could not get shadow information for NOUSER
Jan 8 19:18:13 Crow sshd[18384]: Failed password for invalid user test from ::ffff:69.227.227.118 port 34496 ssh2
Jan 8 19:18:15 Crow sshd[18386]: Invalid user test from ::ffff:69.227.227.118
Jan 8 19:18:15 Crow sshd[18386]: error: Could not get shadow information for NOUSER
Jan 8 19:18:15 Crow sshd[18386]: Failed password for invalid user test from ::ffff:69.227.227.118 port 34529 ssh2
Jan 8 19:18:16 Crow sshd[18388]: Invalid user test from ::ffff:69.227.227.118
Jan 8 19:18:16 Crow sshd[18388]: error: Could not get shadow information for NOUSER
Jan 8 19:18:16 Crow sshd[18388]: Failed password for invalid user test from ::ffff:69.227.227.118 port 34559 ssh2
Jan 8 19:18:17 Crow sshd[18390]: Invalid user www-data from ::ffff:69.227.227.118
Jan 8 19:18:17 Crow sshd[18390]: error: Could not get shadow information for NOUSER
Jan 8 19:18:17 Crow sshd[18390]: Failed password for invalid user www-data from ::ffff:69.227.227.118 port 34592 ssh2
Jan 8 19:18:19 Crow sshd[18392]: Invalid user mysql from ::ffff:69.227.227.118
Jan 8 19:18:19 Crow sshd[18392]: error: Could not get shadow information for NOUSER
Jan 8 19:18:19 Crow sshd[18392]: Failed password for invalid user mysql from ::ffff:69.227.227.118 port 34625 ssh2
Jan 8 19:18:20 Crow sshd[18394]: Failed password for operator from ::ffff:69.227.227.118 port 34658 ssh2
Jan 8 19:18:22 Crow sshd[18396]: Failed password for adm from ::ffff:69.227.227.118 port 34691 ssh2
Jan 8 19:18:23 Crow sshd[18398]: Invalid user apache from ::ffff:69.227.227.118
Jan 8 19:18:23 Crow sshd[18398]: error: Could not get shadow information for NOUSER
Jan 8 19:18:23 Crow sshd[18398]: Failed password for invalid user apache from ::ffff:69.227.227.118 port 34722 ssh2
Jan 8 19:18:24 Crow sshd[18400]: Invalid user irc from ::ffff:69.227.227.118
Jan 8 19:18:24 Crow sshd[18400]: error: Could not get shadow information for NOUSER
Jan 8 19:18:24 Crow sshd[18400]: Failed password for invalid user irc from ::ffff:69.227.227.118 port 34754 ssh2
Jan 8 19:18:25 Crow sshd[18402]: Invalid user irc from ::ffff:69.227.227.118
Jan 8 19:18:25 Crow sshd[18402]: error: Could not get shadow information for NOUSER
Jan 8 19:18:25 Crow sshd[18402]: Failed password for invalid user irc from ::ffff:69.227.227.118 port 34782 ssh2
Jan 8 19:18:26 Crow sshd[18404]: Failed password for adm from ::ffff:69.227.227.118 port 34816 ssh2
 
Some of those look like they might be worms targeting Apache (I'm not even running a web server), but there are also some random attempts in there... :p
 
auth.log said:
Jan 8 19:17:51 Crow sshd[18358]: Failed password for root from ::ffff:69.227.227.118 port 33950 ssh2
Jan 8 19:17:52 Crow sshd[18360]: Failed password for root from ::ffff:69.227.227.118 port 33981 ssh2
Jan 8 19:17:56 Crow sshd[18362]: Failed password for root from ::ffff:69.227.227.118 port 34010 ssh2
Jan 8 19:17:57 Crow sshd[18364]: Failed password for root from ::ffff:69.227.227.118 port 34109 ssh2
Jan 8 19:17:59 Crow sshd[18366]: Failed password for root from ::ffff:69.227.227.118 port 34144 ssh2

That what you mean? :o
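Turning an auth.log like the one posted into something actionable, as an added example that is not code from this thread: the Python below parses lines in exactly that format, groups failed logins by source address, flags a source whose failures cluster the way a scripted guesser's do (the posted log shows a fresh sshd[pid] about a second apart per attempt, so a per-connection delay does not slow a scanner that simply reconnects), and alerts on any later "Accepted" login from a flagged source. The sample lines are constructed from the posted format; the year, the "Accepted password/publickey" line shape and the window/threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the format shown in the thread: a subset of the posted
# lines plus two assumed "Accepted" lines (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Jan 7 01:18:51 Crow sshd[5167]: Failed password for invalid user test from ::ffff:221.146.244.170 port 56476 ssh2
Jan 7 01:18:58 Crow sshd[5177]: Failed password for root from ::ffff:221.146.244.170 port 56738 ssh2
Jan 8 19:17:47 Crow sshd[18352]: Failed password for nobody from ::ffff:69.227.227.118 port 33864 ssh2
Jan 8 19:17:48 Crow sshd[18354]: Failed password for invalid user patrick from ::ffff:69.227.227.118 port 33899 ssh2
Jan 8 19:17:51 Crow sshd[18358]: Failed password for root from ::ffff:69.227.227.118 port 33950 ssh2
Jan 8 19:25:00 Crow sshd[18500]: Accepted password for backup from ::ffff:69.227.227.118 port 40000 ssh2
Jan 8 20:00:00 Crow sshd[18600]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""
YEAR = 2006  # assumed: syslog timestamps carry no year
# Outcome lines only; the IPv4-mapped "::ffff:" prefix is stripped from the address.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>[\d.]+) port \d+ ssh2")

def parse(line):
    # -> (timestamp, "Failed"|"Accepted", user, ipv4), or None for other lines
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def analyse(text, window_s=60, threshold=3):
    # Flag a source with >= threshold failures inside any window_s seconds, then
    # alert on every successful login that came from a flagged source.
    failures, successes = defaultdict(list), []
    for ts, result, user, ip in filter(None, map(parse, text.splitlines())):
        if result == "Failed":
            failures[ip].append((ts, user))
        else:
            successes.append((ts, user, ip))
    report = {}
    for ip, events in failures.items():
        events.sort()
        peak = j = 0  # sliding window over the sorted failure times
        for i, (ts, _) in enumerate(events):
            while ts - events[j][0] > timedelta(seconds=window_s):
                j += 1
            peak = max(peak, i - j + 1)
        report[ip] = {"failures": len(events), "peak": peak, "brute_force": peak >= threshold,
                      "users": sorted({u for _, u in events})}
    alerts = [s for s in successes if report.get(s[2], {}).get("brute_force")]
    return report, alerts
```

On the constructed sample the second source is flagged and its later password login raises an alert, while the key-based login from an unflagged address does not.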
 
Addis said:
That what you mean? :o
Luckily, they didn't guess my password. Because I trust you guys, I guess I'll tell you: it's qwerty. Before that it was 1234, but Linux told me it was too short.

BTW, anybody have any idea why my CDROMs keep ejecting randomly? ;)
 
Anti-Trend said:
Luckily, they didn't guess my password. Because I trust you guys, I guess I'll tell you: it's qwerty. Before that it was 1234, but Linux told me it was too short.

BTW, anybody have any idea why my CDROMs keep ejecting randomly? ;)

You sure about that trust part?!?! MUA HA HA HA AHAHAHA!!!!

JK dawg
 
Yeah, I dunno why my cup holder keeps going away like that. I'm going to give eMachines a stern talking-to tomorrow!
 
That's a health hazard. What if there's a small child under it and the coffee spills when the drive goes in?!! :D
 
Hello,

is there any new information on this???
Does anyone know:

1. Is there any known case where this attempt to log in was successful?

2. What happens, if such a login is successful?

I conjecture(!), it is some script. If the login is successful, then the script will copy itself to the hacked host and run on the hacked host.

Best regards, Daniel
 
None of the accounts on which attacks were launched existed, except for the root account. However, root was explicitly disallowed from logging in directly via SSH. There was only one account which was allowed to be logged into remotely, and that account was extremely limited (e.g. no access to GCC, no su, no sudo, no root path, no access to /var, no read access to /home, etc). So in other words, the attempts were unsuccessful.
 