Slashdot: News for Nerds

End of another distributed hack attempt...

damn_registrars (1103043) writes | more than 5 years ago

Topic: The Internet

I've mentioned a few times before that my system has been subjected to distributed attempts to hack into it. Why on earth someone would find my system to be worthwhile is beyond me; it has little data of any value that isn't shared through its web server. Getting into it wouldn't even get you to the systems on our network that do have worthwhile data as they aren't left on anyways. And on top of all that, it runs FreeBSD, so most "hackers" are too pathetic to know what to do with it even if they did manage to get in.

With that said, the two most recent attempts seem to have both subsided. I haven't gone back far enough through my logs yet to figure out exactly when each one ended.

  • The first one that started was the "James" attempt. Hundreds of systems per day trying to log in to my system under the name James. Too bad no such user exists on my system. In one 24 hour period I logged over 800 attempts from over 200 unique addresses. This attempt seems to have ended sooner, as well; though I'm not sure exactly when.
  • The usual "phone book" attempt. I've mentioned this before, where a botnet (or something similar to it) will go through a long list of common login names, from a to z. As usual the attempt gave up well before it made it all the way through the alphabet; this time the last user I saw attempted was "chanton". Again over 100 systems involved in rapid succession; I will have to go back through old log files to figure out the rate.

One of these days I'll work on my security scripts (especially now that I finally got around to setting up a database backend to store the data) and mine this data. Each line in my messages file looks something like this:

Apr 19 18:22:16 our-freebsd-box sshd[40810]: error: PAM: authentication error for illegal user chanton from 202.64.189.170

And from that there are of course several useful bits of information:

  • Date
  • Time
  • Attempted username
  • IP address

Which could be thought of as the "raw data".

I figure once I parse through a large number of lines I could derive some additional information on the nature of the attempt(s):

  • Attempts per hour (or minute or day)
  • Attempts per name
  • Attempts per IP address
  • Attempts per IP range or network

Which would reasonably be called the "meta-data".

From this I could mine a little further and get some additional bits of useful information:

  • Frequency per name
  • Frequency per address
  • Frequency per network

Which could presumably be the "meta-meta-data".

And here I thought I almost managed to escape having to learn SQL.

Obviously a useful output from all this (aside from the data described) would be to automatically write an email to the administrators of the relevant networks, with the information on what systems from their network attempted to access my system, when, and how often. This would be slightly more difficult to mine for, thanks to the arbitrary hodge-podge that we call WHOIS data.

Of course one thing that none of this will clearly tell me is why this is happening to my poor little web server. I had previously proposed that it could have been related to craigslist, as one round of attempts came shortly after I posted an ad to craigslist that included a link to my web server. However I have no such ads there currently so it seems unlikely that it is connected to someone trolling craigslist for web servers (unless they retain their lists). I suppose it may also be likely that someone is trolling address ranges for ssh servers and trying to get into them any way they can. I should check my sshd syntax to see if it is possible to get ssh to log the name of the system they tried to access (not sure how possible that would be); as I could get quite a bit of information out of knowing whether they tried to access my system by its name versus its IP address.
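The parse-and-aggregate pipeline sketched in the entry above, as an added example that is not code from the journal: a Python script that matches the PAM "illegal user" line quoted, loads the raw data (date, time, attempted username, address) into an in-memory SQLite table, and then pulls the "meta-data" and "meta-meta-data" out with GROUP BY queries. Everything beyond the quoted log format is this example's assumption: only the first sample line is the journal's own, the other lines are constructed, the year 2009 is supplied because syslog omits it, the /24 containing each address stands in for "network", and "frequency" is defined here as attempts per hour of log coverage.

```python
"""Parse FreeBSD sshd 'illegal user' lines and mine them with SQLite (added example)."""
import ipaddress
import re
import sqlite3
from datetime import datetime

# Constructed sample of /var/log/messages. Only the first line is the journal's
# own; the rest (addresses from documentation ranges, an unrelated cron line)
# are made up to give the queries something to group.
SAMPLE_LOG = """\
Apr 19 18:22:16 our-freebsd-box sshd[40810]: error: PAM: authentication error for illegal user chanton from 202.64.189.170
Apr 19 18:22:19 our-freebsd-box sshd[40812]: error: PAM: authentication error for illegal user james from 202.64.189.170
Apr 19 18:23:01 our-freebsd-box sshd[40815]: error: PAM: authentication error for illegal user james from 203.0.113.7
Apr 19 19:05:44 our-freebsd-box sshd[40901]: error: PAM: authentication error for illegal user james from 203.0.113.9
Apr 19 19:06:02 our-freebsd-box sshd[40903]: error: PAM: authentication error for illegal user admin from 198.51.100.23
Apr 19 19:06:30 our-freebsd-box sshd[40905]: error: PAM: authentication error for illegal user james from 203.0.113.40
Apr 19 19:07:10 our-freebsd-box cron[40910]: (root) CMD (/usr/libexec/atrun)
"""

# The line format quoted in the journal entry: syslog timestamp, host, sshd pid,
# then the PAM error naming the attempted user and the source address.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"error: PAM: authentication error for illegal user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line, year=2009):
    """Return (timestamp, username, ip, network) for a matching line, else None.
    syslog omits the year, so the caller supplies it; the /24 containing the
    address is used as the 'network' bucket (both are this example's choices)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    net = str(ipaddress.ip_network(f"{m['ip']}/24", strict=False))
    return ts, m["user"], m["ip"], net


def load(log_text, year=2009):
    """The 'raw data': one row per failed attempt in an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attempts (ts TEXT, username TEXT, ip TEXT, net TEXT)")
    rows = [r for r in (parse_line(l, year) for l in log_text.splitlines()) if r]
    db.executemany("INSERT INTO attempts VALUES (?, ?, ?, ?)",
                   [(ts.isoformat(" "), user, ip, net) for ts, user, ip, net in rows])
    db.commit()
    return db


def attempts_per(db, column):
    """The 'meta-data': attempts grouped by 'username', 'ip' or 'net'."""
    if column not in ("username", "ip", "net"):
        raise ValueError(column)
    sql = f"SELECT {column}, COUNT(*) FROM attempts GROUP BY {column} ORDER BY 2 DESC, 1"
    return db.execute(sql).fetchall()


def attempts_per_hour(db):
    """Attempts per hour, keyed 'YYYY-MM-DD HH' (the first 13 chars of the timestamp)."""
    return db.execute(
        "SELECT substr(ts, 1, 13) AS hour, COUNT(*) FROM attempts GROUP BY hour ORDER BY hour"
    ).fetchall()


def frequency_per(db, column):
    """The 'meta-meta-data': (key, attempts, attempts per hour of log coverage).
    Coverage is the span from the first to the last parsed line, floored at one
    hour; that definition of 'frequency' is this example's, not the journal's."""
    first, last = db.execute("SELECT MIN(ts), MAX(ts) FROM attempts").fetchone()
    if first is None:  # nothing parsed
        return []
    span_h = max(1.0, (datetime.fromisoformat(last) - datetime.fromisoformat(first)).total_seconds() / 3600)
    return [(key, n, round(n / span_h, 2)) for key, n in attempts_per(db, column)]


if __name__ == "__main__":
    db = load(SAMPLE_LOG)
    for label, rows in [("per hour", attempts_per_hour(db)), ("per name", attempts_per(db, "username")),
                        ("per address", attempts_per(db, "ip")), ("per /24", attempts_per(db, "net"))]:
        print(label, rows)
    print("frequency per name", frequency_per(db, "username"))
```

On a real box, replace SAMPLE_LOG with the contents of /var/log/messages (or the rotated copies) and swap the `:memory:` connection for a file so the table persists between runs; the grouping queries are the same ones a mail-the-abuse-contact script would read from.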


10 comments

wish I could remember the details... (1)

zogger (617870) | more than 5 years ago | (#27725311)

..forgive me if I don't get this exactly right, it is something I remember reading here perhaps as long as three years ago or so. Some guy had a way where he would direct such attempts to a honeypot machine that would let them in, then slow them down to a crawl. It's like the bot could get in just one place, then once there, never exit. IIRC it would let them access data at like one byte per second or something, just enough to keep them there but not enough to get anywhere and what they were accessing was rubbish anyway. It sort of just blackholed each bot that tried. Maybe someone else here might recall the details better, several security experts here. I remember thinking what a cool idea it was, instead of fighting it, or blocking it, you sort of used cyber aikido on them, they just fell on their face and kept falling.

Re:wish I could remember the details... (1)

damn_registrars (1103043) | more than 5 years ago | (#27725849)

That is a fantastic idea. I wonder if I could come up with a clever way to do that on my existing machine (I'm not particularly inclined to set up another computer at home, and my wife would probably rather I not anyways). Although I may need to figure out what exactly they want to access as a user... I guess my first guess would be not that they actually wanted to access any data on there anyways, but rather to try to find a mail relay to push spam through.

I'll have to look around for that and see if I can find it. Of course I could just let one in some day on a different system and see what happens. I guess I could even turn on the "more verbose" (or is it "dangerously verbose") sshd logging that saves the name and password attempted to see if they are going for blank passwords or actually trying something (don't know what one would try when only trying 2-4 times).

Re:wish I could remember the details... (1)

cmacb (547347) | more than 5 years ago | (#27726373)

I remember reading about it too. Doing some Google searches to try and refresh my memory I found this (not what I originally read I don't think, but it fills the bill):

http://www.securityfocus.com/infocus/1723 [securityfocus.com]

Also this:

http://www.citi.umich.edu/u/provos/honeyd/ [umich.edu]

Re:wish I could remember the details... (1)

damn_registrars (1103043) | more than 5 years ago | (#27728155)

Thanks for the links. The second link

http://www.citi.umich.edu/u/provos/honeyd/

Has an interesting little factoid (admittedly I haven't looked at the basis of it) claiming that 43% of spam is sent by Linux machines.

If that is true, then that could indicate that my earlier speculation that the bots are looking for the mail command could be reasonable. Though it sounds like the "tarpit" method should well be able to capture them anyways.

Thanks to both of you!

Teergrube (1)

wowbagger (69688) | more than 5 years ago | (#27734595)

http://www.google.com/search?hl=en&ei=0AP2SZL0BJWqMqL43KkP&sa=X&oi=spell&resnum=1&ct=result&cd=1&q=teergrube&spell=1 [google.com]

Teergrube - "tar baby": A honeypot that allows an attacker to gain access to a controlled server, then slows the connection to a crawl, in order to tie up the attacker.

----------

Likely your server is being attacked because it can be found. It doesn't matter if you have any good data on your server (though that is a bonus) - your server could be doing something useful, like serving Spamvertised web pages and sending spam, rather than something useless like whatever the hell you have it doing now. At least that is how the botnet wranglers see it.

If you want to cut a great deal of the BS out, just move your SSH server to a non-standard port - that will keep the scripts from hammering on it. That's no replacement for keeping up to date on security patches, and having a properly locked down system, but it just reduces the amount of crap you have to sift through.

Unless you want to sift through the crap, that is.

Me, I'm waiting until they invent a way to punch people over TCP/IP - or teleportation [abstrusegoose.com] , whichever comes first.

Re:Teergrube (1)

damn_registrars (1103043) | more than 5 years ago | (#27735535)

Likely your server is being attacked because it can be found

I have been generally gravitating towards that hypothesis.

Although it leaves open the question whether it was first found as a web server, or an ssh server.

your server could be doing something useful, like serving Spamvertised web pages

That would be a bit of a feat; my webserver configuration is pretty bare-bones (and it's not Linux or Windows) so they'd likely have to compile from source any additional apache modules in order to launch their fancy spamvertised web pages.

Unless, of course, they just used it as a redirect; they could put the address of my poor little web server in their spam, and then redirect the traffic from their page on my poor little web server to their optimally (for spamvertised) configured system.

sending spam

I figured that may be the most likely application of their deeds. Finding a mail command on a unix system is generally pretty trivial and for many systems if you have a login you can send out an arbitrary shit-load of mail.

Until of course they find that my system doesn't relay mail to the outside world... Or maybe they won't notice anyways.

something useless like whatever the hell you have it doing now

There is a valid argument to be made that my web pages are worthless; though that is beyond the topic of this discussion ...

move your SSH server to a non-standard port - that will keep the scripts from hammering on it

I have considered that approach, but of course then I would have to remember what port I moved it to or it wouldn't be useful for me, either. And I have a few secured systems at work that automatically call my home system; I'd have to adjust them as well.

In other words on that aspect I am at least partially too lazy to follow that method.

properly locked down system

We all know that is a moving target but I think strictly from the ssh point of view I'm doing a fairly good job on that. The number of accounts allowed in is restricted, and only a subset of them can login from anywhere they want. Root is never allowed to login from the outside world. Password policies are enforced by yours truly.

Unless you want to sift through the crap, that is.

I am willing to admit I do find the crap-sifting phase interesting. A bit overwhelming at times, but still interesting. I think there is some interesting data that could be mined from this; though whether or not it would lead anywhere is unclear at best.

You can probably guess what field I work in based on that last statement...
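The ssh-side lockdown described in this reply (a restricted set of accounts, only a subset of them allowed from anywhere, root never accepted from outside) together with the non-standard-port advice in the comment above, as an added example in Python that is not from the thread: a small sshd_config auditor that flags the weak settings and lists which allow-listed account may log in from where. Both config texts are constructed; the account names, port 2222 and the 203.0.113.0/24 range are placeholders. The parser relies on documented OpenSSH behaviour: keywords are case-insensitive, the first value given for a keyword is the one used (for most keywords), and a keyword inside a Match block overrides the global one for connections that match.

```python
"""Audit an sshd_config for the ssh-side lockdown discussed in the thread (added example)."""
import re

# Both configs are constructed for this example. The account names, the port and
# the 203.0.113.0/24 range (a documentation prefix) are placeholders.
WEAK_CONFIG = """\
# near-default sshd_config: reachable on 22, root allowed, every account a target
Port 22
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
Port 2222                  # non-standard port: scripted scanners mostly skip it
PermitRootLogin no         # root is never accepted from any address
AllowUsers alice           # only alice may log in from anywhere
LogLevel VERBOSE           # more detail per attempt in the logs
# Accounts that may log in only from the office range that calls home
# automatically. A keyword inside Match overrides the global value for
# matching connections, so this list replaces the one above for that range.
Match Address 203.0.113.0/24
    AllowUsers alice bob backup
"""


def parse_sshd_config(text):
    """Return (global_options, [(match_criteria, options), ...]).
    Keywords are case-insensitive (lowercased here), trailing '#' comments are
    dropped, and the first value given for a keyword is kept, as sshd does for
    most keywords."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        target = global_opts if current is None else current
        target.setdefault(key, value)
    return global_opts, blocks


def audit_sshd_config(text):
    """List the weak settings the thread talks about, judged on the global section."""
    g, _ = parse_sshd_config(text)
    findings = []
    if g.get("port", "22") == "22":
        findings.append("Port 22: the default port every scripted scanner tries first")
    # 'yes' was the old default; newer OpenSSH defaults to prohibit-password,
    # which still lets root in with a key, so anything but 'no' is flagged.
    if g.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no': root can be attacked directly")
    if "allowusers" not in g and "allowgroups" not in g:
        findings.append("no AllowUsers/AllowGroups: every local account is a valid login target")
    return findings


def allowed_logins(text):
    """Map each allow-listed account to where it may log in from: 'anywhere'
    for the global AllowUsers, otherwise the criteria of the Match block."""
    g, blocks = parse_sshd_config(text)
    origins = {user: "anywhere" for user in g.get("allowusers", "").split()}
    for criteria, opts in blocks:
        for user in opts.get("allowusers", "").split():
            origins.setdefault(user, criteria)
    return origins


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
    print(allowed_logins(HARDENED_CONFIG))
```

Point `audit_sshd_config` at the text of a real /etc/ssh/sshd_config to check it; the script reads the file, not the running daemon, so settings sshd rejects or overrides on the command line are not visible to it.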

Two Ideas (1)

OctaneZ (73357) | more than 5 years ago | (#27733761)

I personally swear by DenyHosts [sourceforge.net] but there is also Fail2Ban [fail2ban.org] . It is at least a place to start.

A Reason (1)

fm6 (162816) | more than 5 years ago | (#27734603)

They want to hack into your system so they can delete all your content and replace it with a page that says "You've been pwned", possibly supplemented by scatological graphics and/or gay porn. Not exactly a compelling activity, but some people find it passes the time.

Re:A Reason (1)

damn_registrars (1103043) | more than 5 years ago | (#27735241)

They want to hack into your system so they can delete all your content and replace it with a page that says "You've been pwned", possibly supplemented by scatological graphics and/or gay porn. Not exactly a compelling activity, but some people find it passes the time.

That is always a possible explanation. Though these are truly desperate hackers if they are trying that hard to get into my system. And even if they did pull it off, almost nobody would ever see it, anyways. My poor little webserver sees a couple dozen hits tops on a really busy day.

Re:A Reason (1)

fm6 (162816) | more than 5 years ago | (#27735823)

It's not desperation. It's love of a challenge!

And you would see it. And be pissed off. Pissing off even one person is adequate reward for a prank.
