Ok, so I have been seeing...
SSH Scans... not the typical one saying in the Agent string "Just version mapping, Don't Panic"

The ones I have been seeing started about July 23 with log entries like this from syslog:
Jul 23 16:02:19 knight sshd[23572]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
Jul 23 16:02:19 knight sshd[23576]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
Jul 23 16:02:19 knight sshd[23588]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.152.182.90  user=root
Jul 23 16:02:20 knight sshd[23582]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
Jul 23 16:02:20 knight sshd[23584]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
Jul 23 16:02:20 knight sshd[23589]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.152.182.90  user=root
Jul 23 16:02:20 knight sshd[23590]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.152.182.90  user=root
Jul 23 16:02:20 knight sshd[23591]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.152.182.90  user=root
Jul 23 16:02:21 knight sshd[23572]: error: PAM: Authentication failure for root from 212.152.182.90
Jul 23 16:02:21 knight sshd[23576]: error: PAM: Authentication failure for root from 212.152.182.90
Jul 23 16:02:22 knight sshd[23582]: error: PAM: Authentication failure for root from 212.152.182.90
Jul 23 16:02:22 knight sshd[23584]: error: PAM: Authentication failure for root from 212.152.182.90
Jul 23 16:02:23 knight sshd[23573]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
Jul 23 16:02:24 knight sshd[23571]: Did not receive identification string from 212.152.182.90
Jul 23 16:02:24 knight sshd[23572]: fatal: PAM: authentication thread exited unexpectedly
Jul 23 16:02:24 knight sshd[23576]: fatal: PAM: authentication thread exited unexpectedly
Jul 23 16:02:24 knight sshd[23578]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
Jul 23 16:02:24 knight sshd[23582]: fatal: PAM: authentication thread exited unexpectedly
Jul 23 16:02:24 knight sshd[23584]: fatal: PAM: authentication thread exited unexpectedly
Jul 23 16:02:29 knight sshd[23583]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
Jul 23 16:02:32 knight sshd[23577]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
Jul 23 16:11:56 knight sshd[23785]: Illegal user test from 193.145.87.3
Jul 23 16:11:57 knight sshd[23785]: Failed password for illegal user test from 193.145.87.3 port 37509 ssh2
Jul 23 16:11:57 knight sshd[23785]: error: Could not get shadow information for NOUSER
Jul 23 16:11:59 knight sshd[23787]: Illegal user guest from 193.145.87.3
Jul 23 16:12:00 knight sshd[23787]: Failed password for illegal user guest from 193.145.87.3 port 37599 ssh2
Jul 23 16:12:00 knight sshd[23787]: error: Could not get shadow information for NOUSER

Now about Aug 1st it got transformed into a streamlined scan:
Aug  1 18:27:45 knight sshd[20325]: Illegal user test from 218.49.183.17
Aug  1 18:27:46 knight sshd[20325]: Failed password for illegal user test from 218.49.183.17 port 48849 ssh2
Aug  1 18:27:46 knight sshd[20325]: error: Could not get shadow information for NOUSER
Aug  1 18:27:48 knight sshd[20327]: Illegal user guest from 218.49.183.17
Aug  1 18:27:49 knight sshd[20327]: Failed password for illegal user guest from 218.49.183.17 port 49090 ssh2
Aug  1 18:27:49 knight sshd[20327]: error: Could not get shadow information for NOUSER
Aug  1 18:27:52 knight sshd[20329]: Failed password for admin from 218.49.183.17 port 49266 ssh2
Aug  1 18:27:56 knight sshd[20331]: Failed password for admin from 218.49.183.17 port 49468 ssh2
Aug  1 18:27:58 knight sshd[20334]: Illegal user user from 218.49.183.17
Aug  1 18:27:59 knight sshd[20334]: Failed password for illegal user user from 218.49.183.17 port 49680 ssh2
Aug  1 18:27:59 knight sshd[20334]: error: Could not get shadow information for NOUSER
Aug  1 18:28:02 knight sshd[20336]: Failed password for root from 218.49.183.17 port 49869 ssh2
Aug  1 18:28:05 knight sshd[20347]: Failed password for root from 218.49.183.17 port 50063 ssh2
Aug  1 18:28:12 knight sshd[20349]: Failed password for root from 218.49.183.17 port 50245 ssh2
Aug  1 18:28:14 knight sshd[20352]: Illegal user test from 218.49.183.17
Aug  1 18:28:19 knight sshd[20352]: Failed password for illegal user test from 218.49.183.17 port 50671 ssh2
Aug  1 18:28:19 knight sshd[20352]: error: Could not get shadow information for NOUSER
Aug  1 18:29:55 knight sshd[20402]: Illegal user test from 218.49.183.17
Aug  1 18:29:56 knight sshd[20402]: Failed password for illegal user test from 218.49.183.17 port 52244 ssh2
Aug  1 18:29:56 knight sshd[20402]: error: Could not get shadow information for NOUSER
Aug  1 18:29:58 knight sshd[20404]: Illegal user guest from 218.49.183.17
Aug  1 18:30:02 knight sshd[20406]: Illegal user test from 218.49.183.17
Aug  1 18:30:03 knight sshd[20404]: Failed password for illegal user guest from 218.49.183.17 port 52416 ssh2
Aug  1 18:30:03 knight sshd[20404]: error: Could not get shadow information for NOUSER
Aug  1 18:30:03 knight sshd[20406]: Failed password for illegal user test from 218.49.183.17 port 52558 ssh2
Aug  1 18:30:03 knight sshd[20406]: error: Could not get shadow information for NOUSER
Aug  1 18:30:05 knight sshd[20439]: Failed password for illegal user guest from 218.49.183.17 port 52818 ssh2
Aug  1 18:30:05 knight sshd[20439]: Illegal user guest from 218.49.183.17
Aug  1 18:30:05 knight sshd[20439]: error: Could not get shadow information for NOUSER
Aug  1 18:30:06 knight sshd[20441]: Failed password for admin from 218.49.183.17 port 52851 ssh2
Aug  1 18:30:08 knight sshd[20443]: Failed password for admin from 218.49.183.17 port 53014 ssh2
Aug  1 18:30:09 knight sshd[20445]: Failed password for admin from 218.49.183.17 port 53040 ssh2
Aug  1 18:30:11 knight sshd[20447]: Failed password for admin from 218.49.183.17 port 53192 ssh2
Aug  1 18:30:11 knight sshd[20449]: Illegal user user from 218.49.183.17
Aug  1 18:30:12 knight sshd[20449]: Failed password for illegal user user from 218.49.183.17 port 53230 ssh2
Aug  1 18:30:12 knight sshd[20449]: error: Could not get shadow information for NOUSER
Aug  1 18:30:13 knight sshd[20451]: Illegal user user from 218.49.183.17
Aug  1 18:30:14 knight sshd[20451]: Failed password for illegal user user from 218.49.183.17 port 53404 ssh2
Aug  1 18:30:14 knight sshd[20451]: error: Could not get shadow information for NOUSER
Aug  1 18:30:14 knight sshd[20453]: Failed password for root from 218.49.183.17 port 53425 ssh2
Aug  1 18:30:21 knight sshd[20455]: Failed password for root from 218.49.183.17 port 53571 ssh2
Aug  1 18:30:22 knight sshd[20457]: Failed password for root from 218.49.183.17 port 53615 ssh2
Aug  1 18:30:24 knight sshd[20476]: Failed password for root from 218.49.183.17 port 54033 ssh2
Aug  1 18:30:24 knight sshd[20484]: Failed password for root from 218.49.183.17 port 54078 ssh2
Aug  1 18:30:26 knight sshd[20488]: Illegal user test from 218.49.183.17
Aug  1 18:30:27 knight sshd[20486]: Failed password for root from 218.49.183.17 port 54243 ssh2
Aug  1 18:30:27 knight sshd[20488]: Failed password for illegal user test from 218.49.183.17 port 54285 ssh2
Aug  1 18:30:27 knight sshd[20488]: error: Could not get shadow information for NOUSER
Aug  1 18:30:29 knight sshd[20490]: Illegal user test from 218.49.183.17
Aug  1 18:30:34 knight sshd[20490]: Failed password for illegal user test from 218.49.183.17 port 54423 ssh2
Aug  1 18:30:34 knight sshd[20490]: error: Could not get shadow information for NOUSER
Aug  1 18:35:53 knight sshd[20658]: Illegal user test from 218.49.183.17
Aug  1 18:35:54 knight sshd[20658]: Failed password for illegal user test from 218.49.183.17 port 39604 ssh2
Aug  1 18:35:54 knight sshd[20658]: error: Could not get shadow information for NOUSER
Aug  1 18:35:56 knight sshd[20660]: Illegal user guest from 218.49.183.17
Aug  1 18:35:57 knight sshd[20660]: Failed password for illegal user guest from 218.49.183.17 port 39811 ssh2
Aug  1 18:35:57 knight sshd[20660]: error: Could not get shadow information for NOUSER
Aug  1 18:36:00 knight sshd[20664]: Failed password for admin from 218.49.183.17 port 40009 ssh2
Aug  1 18:36:04 knight sshd[20666]: Failed password for admin from 218.49.183.17 port 40217 ssh2
Aug  1 18:36:06 knight sshd[20675]: Illegal user user from 218.49.183.17
Aug  1 18:36:11 knight sshd[20675]: Failed password for illegal user user from 218.49.183.17 port 40470 ssh2
Aug  1 18:36:11 knight sshd[20675]: error: Could not get shadow information for NOUSER
Aug  1 18:36:14 knight sshd[20677]: Failed password for root from 218.49.183.17 port 40973 ssh2
Aug  1 18:36:21 knight sshd[20679]: Failed password for root from 218.49.183.17 port 41159 ssh2
Aug  1 18:36:24 knight sshd[20681]: Failed password for root from 218.49.183.17 port 41541 ssh2
Aug  1 18:36:27 knight sshd[20683]: Illegal user test from 218.49.183.17
Aug  1 18:36:28 knight sshd[20683]: Failed password for illegal user test from 218.49.183.17 port 41630 ssh
Aug  1 18:36:28 knight sshd[20683]: error: Could not get shadow information for NOUSER
So, I have been tracking this a bit. Stumbled onto a neat little episode in archived mail from Dshield:
[link|http://lists.sans.org/pipermail/list/2004-July/061219.html|(Dshield) SSH Scanner?]

Seems to be someone trying a new TACK on SSH compromises.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
Here is an example: [link|http://www.greymagic.com/security/advisories/gm001-ie/|Executing arbitrary commands without Active Scripting or ActiveX when using Windows]
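As an added example (not from the post or from Dshield), here is a small Python script that parses sshd failure lines in the syslog format shown above, counts failed attempts per source address, records which usernames were tried and which ones sshd reported as nonexistent, and flags a source that packs many failures into a short window, which is exactly the shape of the Aug 1 scan. The sample lines, the 203.0.113.5 and 198.51.100.7 addresses, and the year (syslog timestamps carry none) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Syslog envelope plus the two sshd failure messages seen in the post (OpenSSH 3.x wording).
SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
FAILED = re.compile(r"Failed password for (?P<invalid>illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
PAM = re.compile(r"\(pam_unix\) authentication failure;.*rhost=(?P<ip>[\d.]+)\s+user=(?P<user>\S+)")

def parse_line(line, year=2004):
    """Return (timestamp, ip, user, account_missing) for a failed-auth line, else None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    stamp, msg = m.groups()
    hit = FAILED.search(msg) or PAM.search(msg)
    if not hit:
        return None
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")  # year is an assumption
    return ts, hit.group("ip"), hit.group("user"), bool(hit.groupdict().get("invalid"))

def scan_sources(lines, min_failures=5, window_seconds=300):
    """Per source IP: failure count, users tried, nonexistent accounts, and a scanner flag."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec[1]].append(rec)
    report = {}
    for ip, recs in events.items():
        recs.sort()
        best = j = 0
        for i, (t, *_) in enumerate(recs):  # sliding window over sorted timestamps
            while (t - recs[j][0]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        report[ip] = {"failures": len(recs), "users": sorted({r[2] for r in recs}),
                      "missing_accounts": sorted({r[2] for r in recs if r[3]}),
                      "max_in_window": best, "scanner": best >= min_failures}
    return report

# Constructed sample in the post's format; documentation IPs, not real hosts.
SAMPLE_LOG = """\
Aug  1 18:27:46 knight sshd[20325]: Failed password for illegal user test from 203.0.113.5 port 48849 ssh2
Aug  1 18:27:46 knight sshd[20325]: error: Could not get shadow information for NOUSER
Aug  1 18:27:49 knight sshd[20327]: Failed password for illegal user guest from 203.0.113.5 port 49090 ssh2
Aug  1 18:27:52 knight sshd[20329]: Failed password for admin from 203.0.113.5 port 49266 ssh2
Aug  1 18:28:02 knight sshd[20336]: Failed password for root from 203.0.113.5 port 49869 ssh2
Aug  1 18:28:05 knight sshd[20347]: Failed password for root from 203.0.113.5 port 50063 ssh2
Aug  1 18:40:00 knight sshd[20500]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
""".splitlines()
```

Running `scan_sources(SAMPLE_LOG)` flags 203.0.113.5 (five failures across test, guest, admin and root within 20 seconds) and leaves the single root failure from 198.51.100.7 unflagged; feed it `open("/var/log/auth.log")` for real data.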
tries rlogin via ssh then probes
a couple of buffer overflows then a script. Dunno about the rlogin stuff because you would first need an entry in the .rhosts for that machine he is coming from. Why would he think that entry is there?
thanx,
bill
"delayed incessantly by people whose prevalent qualification was an excess of free-time" Philip Atkinson
questions, help? [link|mailto:pappas@catholic.org|email pappas at catholic.org]