

SSH scans - I caught one - mcgin
http://seclists.org/fulldisclosure/2010/Nov/228

======
mrshoe
I was the victim of an SSH scan once. I set up an old box as a dev server in
my apartment for a project course in college. I was in a group of about 12
students. One of them whose username was robert set his password to robert (a
brilliant move).

We only realized the machine was compromised because the interloper decided to
pick two user accounts at random and delete them (another brilliant move).

Upon investigation I found that a keylogger had been installed in order to
discover the root password. I inspected the output of the keylogger to trace
the attacker's steps. Similar to the SSH scan in the article, the attacker had
logged into his own FTP server to download various scripts and crackers. Well,
the keylogger had logged his FTP password as well (whoops). Naturally I logged
in and deleted absolutely everything in sight. :-P

~~~
BrandonM
> Naturally I logged in and deleted absolutely everything in sight. :-P

...and you probably completely screwed over some hapless soul who was a victim
of the same guy who cracked you. Do you think these guys put their IP address
and FTP password out there for anyone to collect as evidence? Most likely, he
hacked into an FTP server and hosted his malicious files there along with
everything else that was already hosted there. Congratulations on breaking the
law and ruining someone's day.

~~~
mrshoe
I should have mentioned that I definitely thought of this scenario before I
deleted anything and confirmed, via the hostname of the server, directory
names, and file names, that everything on that server was for h4x0ring (at
least for that user account).

I also thought of more subtle and clever ways to exact revenge, but decided I
was too busy to pursue any of them.

Also: _Do you think these guys put their IP address and FTP password out there
for anyone to collect as evidence?_

Yes, I do. You're giving the script kiddies far too much credit.

~~~
BrandonM
I'm glad to hear that, thanks for clearing it up. Of course, I also intended
my comment as a warning to others that the origination of hacking might not
necessarily be the culprit.

------
runjake
Lots of needless clutter in the discussion, so I thought I'd drop a quick
comment with clarifications:

1. As far as I can tell, this specific attack is meant to target MIPS-based
OpenWRT/DD-WRT devices, like the Linksys WRT series.

2. lsof and all that crap isn't available by default. So, use 'ps' and
'netstat -a', and 'ls -la /var/tmp' to poke around your router.

3. Go into the web admin interface and disable sshd on the WAN interface, if
it isn't already (it's off by default). In DD-WRT, go to
Administration->Management-> and ensure "SSH management" is disabled.

------
WestCoastJustin
Interesting idea. Reading through the threads it becomes apparent that the
attackers are targeting home wired/wifi routers. The attacker sits on your
gateway and passively monitors your traffic with you being none the wiser!

~~~
AdamTReineke
How would you detect if your router was compromised?

~~~
grav1tas
Analyze the firmware. If it doesn't pass a checksum, it could be compromised.
If the software doesn't pass a checksum, it's compromised. Strange traffic
coming out of the router is a bad sign. If the router is running analysis on
your packet, you will likely experience diminished throughput on the high end
because of limited resources on the router.

I think if you can go without enabling remote access to a router, then you
should. This will protect the router itself from direct login attacks from the
outside, but if somebody compromises a machine on your LAN, you're boned. If
you can't, and you have security concerns, you need to establish metrics of
verifying whether or not the router is behaving the same way it was when it
came out of the box and (presumably) was not compromised. Like I mentioned,
software/firmware checksums are a possibility (these could be hard,
though...getting a router to dump its internals out probably isn't a feasible
solution for everything), but YMMV depending on what you do and what you need
your router to do. My biggest guess at the tell-tale sign of a compromised
router is that it just starts slowing down.

~~~
jerf
Another "defense in depth" step would be to move your router off of
192.168.1.1. I recall seeing some browse-to-evil-webpage based attacks a while
ago, and if the evil webpage can't guess your router IP (and it's not like it
has access to your TCP settings in general) that can't work.

Obviously, just like moving SSH off of 22, this isn't a real defense, but
it'll make it that much harder.

------
iuguy
The correct way to address this is not to rely on fail2ban or start moving
ports around (although these will remove noise from your logs, they shouldn't
be solely relied upon) but to use public key authentication. It's not hard to
set up and once you disable password authentication support on OpenSSH then
the scans can try all they like, but they're not getting anywhere.

<http://wiki.centos.org/HowTos/Network/SecuringSSH>
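As an added illustration of the scan noise the comment above refers to (not code from the thread or from the linked guide): a small shell function that counts failed password attempts per source address in an auth.log excerpt and lists the sources over a threshold, which is the same signal fail2ban acts on. The log lines and addresses are constructed for the example.

```shell
# Added example, not from the thread: count failed SSH password logins per
# source IP in an auth.log excerpt and report sources over a threshold.
# The log lines below are constructed for illustration (RFC 5737 test addresses).
AUTH_LOG_SAMPLE='Nov 19 03:14:07 host sshd[2201]: Failed password for invalid user robert from 203.0.113.7 port 51234 ssh2
Nov 19 03:14:09 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Nov 19 03:14:11 host sshd[2205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Nov 19 03:15:02 host sshd[2210]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Nov 19 03:16:30 host sshd[2215]: Failed password for root from 198.51.100.9 port 33001 ssh2
Nov 19 03:17:01 host sshd[2220]: Invalid user oracle from 203.0.113.7 port 51250'

# failed_by_ip LOGTEXT -> "count ip" lines, highest count first.
# Only "Failed password" events are counted; accepted logins and the
# "Invalid user" pre-auth lines are ignored so a source is not double counted.
failed_by_ip() {
    printf '%s\n' "$1" \
        | grep -E 'sshd\[[0-9]+\]: Failed password for' \
        | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# scan_sources LOGTEXT THRESHOLD -> source IPs with at least THRESHOLD failures,
# i.e. the addresses a ban rule would act on.
scan_sources() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Usage on a live box: scan_sources "$(cat /var/log/auth.log)" 5
scan_sources "$AUTH_LOG_SAMPLE" 3
```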

~~~
younata
I have this problem right now.

A botnet found one of my computers. Most likely through IRC. They have been
trying relentlessly to get my computer added.

They have no chance of getting in - using public key authentication - but it
still takes quite a toll on my network speed.

That said, I have a file containing about 366 IPs belonging to this botnet, as
well as a half-meg file containing nmap scans of all these IPs. What should I
do with it?

~~~
iuguy
With the places you access the computer from do you use dynamic or static IP
addresses?

If they're all static IP addresses, try to block everything on port 22 except
for your static IPs.

If it's dynamic you should have a pool address block, you can add the block in
but there's a risk that if your block is in an ISPs home user pool that the
botnet could infect people in your block.

If you can't use upstream filtering then I'd suggest you configure a firewall
to do the same thing, either in hardware (preferable) or software.
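One way to express the "block everything on port 22 except your static IPs" advice above in a software firewall, as an added example rather than anything posted in the thread: a shell function that emits the iptables rules for a given allow list. The addresses are constructed RFC 5737 examples and the ALLOWED_SSH_SOURCES variable is assumed; the function only prints the commands, so they can be reviewed before being applied as root.

```shell
# Added example, not from the thread: build an iptables allow list for SSH so
# only a fixed set of static source addresses can open connections to port 22;
# everything else on 22 is logged (rate limited) and then dropped.
# Addresses are constructed RFC 5737 examples; replace them with your own static IPs.
ALLOWED_SSH_SOURCES="198.51.100.4 203.0.113.200/29"

# ssh_allowlist_rules "ip1 cidr2 ..." -> iptables commands, one per line.
# Accept rules come first so they match before the catch-all DROP.
ssh_allowlist_rules() {
    set -- $1
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$src"
    done
    # Keep a trace of the scan traffic without flooding the log.
    printf 'iptables -A INPUT -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix "ssh-scan: "\n'
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Print the rules; pipe into sh as root to apply, after confirming the address
# you are connecting from is in the list so you do not lock yourself out.
ssh_allowlist_rules "$ALLOWED_SSH_SOURCES"
```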

------
udp
A friend had me look at a server that had been compromised by SSH bruteforce a
few months ago. The intruder was using it as an IRC bouncer, and he was a
Romanian named Alexino.

I actually found him on the IRC network, and he tried to get me to pay him to
tell me how he got in :)

------
burgerbrain
This gentleman is illegally hosting my tools, which are copyrighted and not
licensed for redistribution. Just because I try to pwn your box doesn't mean
you have the right to violate my copyrights. Expect to hear from my lawyers.

~~~
jeebusroxors
Would you care to post a quick synopsis of what these tools are doing/their
purpose? The thread mentions targeting routers - can you confirm?

~~~
burgerbrain
I say, that's a joke son. </foghorn leghorn>

~~~
jeebusroxors
That's what my original thought was, but it didn't contribute anything to the
discussion and wasn't really funny or witty. Given HN's population I had hoped
you did author these tools. That you have so many votes is disheartening.

~~~
burgerbrain
When it comes to investigating these sorts of thing, gray areas often pop up.
Now, is fetching the payload yourself and hosting it for the world without the
author's in this gray area? Probably not, definitely in the very light side of
things if it is at all. It's not completely unworthy of thought and
consideration however.

>wasn't really funny

Well, that's your opinion, and you are welcome to it. Do try not to be so
puzzled that other people don't share your sense of humor though.

------
iuguy
I've seen similar things come up before on HN and on mailing lists I'm on.
Rather than keep repeating myself whenever this crops up, I've posted here:
[http://www.minklinks.com/weblog/2010/11/19/practical-guide-securing-openssh/](http://www.minklinks.com/weblog/2010/11/19/practical-guide-securing-openssh/)

------
rasur
That's really quite sad - are the script kidiots hoping to take over a bunch
of SGI's?

edit: I stand corrected..

------
DanielBMarkham
Looks like it tracks to a server/VPS place in The Netherlands

Wonder if he followed up with the hosting service by reporting the address as
being used in an attack. It would be interesting to turn the tables and listen
in on some of his traffic going to that address.

~~~
nowarninglabel
Anyone had much luck lately reporting to hosting companies/ISPs? I've reported
7 IPs in the last couple months (4 for malicious/bot activity, 3 for
spambots), and never got any responses. Granted, they were all located in
Hungary, Romania, or China.

~~~
_Lemon_
As someone who runs a hosting company -- yes I fully investigate with the
information given. Just please try to give as much as possible and make it
easy for me to easily pinpoint things.

Oh, and please don't come with a snooty attitude, it's not pleasant to work
with.

~~~
dorianj
Do you respond to abuse reports? I've sent a bunch, and while I'd imagine at
least some were actually followed up on, I've never received even one
thank-you.

~~~
_Lemon_
I'm not actually an ISP so my perspective is different but yeah I do, and I
know the ISPs that I work with do too (Leaseweb, OVH). I have to work to keep
things clean on my servers and to take reasonable steps to abide by their
policies and inform my customers (although this kind of goes without saying).

One of the problems I imagine is size, I can still handle my couple of
thousand customers and provide "good" support with enough time to investigate
something that is described as a slowloris attack. I can open a dialogue with
the customer and tell them that what they did was a little bit stupid and for
the most part, the customer will understand and stop.

Although there was a time when I did investigate, couldn't find anything
immediate (I'm spending say 5-10 minutes pruning a few TB of data here...) so
the next point was to catch them in the act with a few iptables rules. Then
the person who e-mailed me (and my host) pretty much turned hostile/gained a
sense of entitlement and that was that. I wasn't much interested in putting
more time into it (so, didn't!). However this guy only produced a few text
logs that could have been easily forged and I never heard more about it... who
knows?

That also leads to another angle, how do you know who is telling the truth?
The hosts are likely to side with the paying customer (well you never know
with OVH) and there is little an outsider can do to prove their case in point
except with easily fabricated text logs and events.

It's strange really, some of the people who I have followed up on have been
very grateful (perhaps because they got their way), much in the same way going
the extra mile for a customer might.

------
akkartik
book recommendation: [http://www.amazon.com/Cuckoos-Egg-Clifford-Stoll/dp/0671726889](http://www.amazon.com/Cuckoos-Egg-Clifford-Stoll/dp/0671726889)

------
adam0101
I blocked all of China and my logs decreased 65%.

------
hackermom
There will always be the usual crowd of
"conservatives-just-for-the-sake-of-being-conservative" crying out whenever
this advice is given, but here goes: if possible in your environment, and for
your users, just run your SSHd on a non-standard port, and the problem of
automated scans will be a non-problem.

------
devmonk
_cd /var/tmp;_

When I see things like this it makes me think that if standard paths weren't
used, then it would at least make things a little more interesting for the
hacker. (They'd have to find a location first.)

~~~
dionysiac

      find / -maxdepth 3 -perm -7 -type d -print

and tweak as needed.

~~~
devmonk
But a find on root takes a _lot_ of time in some cases, during which the
attacker could be compromised. And the scripts might not use it for that
reason. The script could use it as a backup only if the standard one doesn't
exist, but still, it is a bump in the road, and might be worth it to cause the
script to use find and delay it.

~~~
dionysiac
Hence the -maxdepth 3 param:

      # time find / -maxdepth 3 -perm -7 -type d -print
      /tmp
      /var/tmp

      real    0m0.034s
      user    0m0.005s
      sys     0m0.028s

This was run on a pretty anemic VPS. Might have to up the depth to 4 if it
doesn't return anything, but IMO that's pretty unlikely.

