I am not the paranoid type, but I caught someone trying to hack into my computer this afternoon. That blows my mind! Especially after reading the article on the BBC about China hacking the Dalai Lama's network.
Anyway, I was cruising the 'net, looking for information regarding the War in Iraq for my Mom, when I got a kernel fault, which is weird, because my Fedora 10 install is pretty stable. It made me wonder, so I looked into the several sysadmin logs that Linux writes, and saw that, for about an hour, someone was trying to log into my computer with various usernames, including "root", which is the superuser, or all-powerful user. (When logged in as "root", a person can do anything to the computer, unlike when logged in as a regular user.)
Mar 29 04:33:39 localhost sshd[7653]: Did not receive identification string from 93.100.242.3
Mar 29 04:42:31 localhost unix_chkpwd[7656]: password check failed for user (root)
Mar 29 04:42:31 localhost sshd[7654]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=93.100.242.3 user=root
Mar 29 04:42:33 localhost sshd[7654]: Failed password for root from 93.100.242.3 port 52449 ssh2
Mar 29 04:42:33 localhost sshd[7655]: Received disconnect from 93.100.242.3: 11: Bye Bye
He tried logging in as root 12 times. Then he tried to log in with other usernames, interspersed with more tries as "root". Here's a sample of the log file:
Mar 29 04:43:00 localhost unix_chkpwd[7687]: password check failed for user (root)
Mar 29 04:43:03 localhost unix_chkpwd[7690]: password check failed for user (root)
Mar 29 04:43:05 localhost sshd[7691]: Invalid user admin from 93.100.242.3
Mar 29 04:43:05 localhost sshd[7688]: Failed password for root from 93.100.242.3 port 59174 ssh2
Mar 29 04:43:07 localhost sshd[7691]: Failed password for invalid user admin from 93.100.242.3 port 59546 ssh2
Mar 29 04:43:07 localhost unix_chkpwd[7695]: password check failed for user (root)
Mar 29 04:43:09 localhost sshd[7696]: Invalid user miquelfi from 93.100.242.3
Mar 29 04:43:09 localhost sshd[7693]: Failed password for root from 93.100.242.3 port 59997 ssh2
Mar 29 04:43:11 localhost unix_chkpwd[7700]: password check failed for user (root)
Mar 29 04:43:11 localhost sshd[7696]: Failed password for invalid user miquelfi from 93.100.242.3 port 60401 ssh2
Mar 29 04:43:13 localhost sshd[7698]: Failed password for root from 93.100.242.3 port 60823 ssh2
Mar 29 04:43:13 localhost unix_chkpwd[7704]: password check failed for user (root)
Mar 29 04:43:15 localhost sshd[7703]: Invalid user fax from 93.100.242.3
Mar 29 04:43:15 localhost sshd[7701]: Failed password for root from 93.100.242.3 port 33103 ssh2
Mar 29 04:43:15 localhost unix_chkpwd[7708]: password check failed for user (root)
Mar 29 04:43:17 localhost sshd[7703]: Failed password for invalid user fax from 93.100.242.3 port 33508 ssh2
Mar 29 04:43:17 localhost unix_chkpwd[7711]: password check failed for user (root)
Mar 29 04:43:17 localhost sshd[7706]: Failed password for root from 93.100.242.3 port 33609 ssh2
Mar 29 04:43:19 localhost sshd[7709]: Failed password for root from 93.100.242.3 port 33946 ssh2
Mar 29 04:43:19 localhost sshd[7712]: Invalid user pgsl from 93.100.242.3
Mar 29 04:43:19 localhost unix_chkpwd[7716]: password check failed for user (root)
Mar 29 04:43:20 localhost sshd[7712]: Failed password for invalid user pgsl from 93.100.242.3 port 34365 ssh2
Mar 29 04:43:21 localhost sshd[7714]: Failed password for root from 93.100.242.3 port 34440 ssh2
Mar 29 04:43:21 localhost sshd[7717]: Invalid user admin from 93.100.242.3
Mar 29 04:43:22 localhost sshd[7719]: Invalid user postgres from 93.100.242.3
Mar 29 04:43:23 localhost unix_chkpwd[7723]: password check failed for user (root)
Mar 29 04:43:24 localhost sshd[7717]: Failed password for invalid user admin from 93.100.242.3 port 34817 ssh2
Mar 29 04:43:24 localhost sshd[7719]: Failed password for invalid user postgres from 93.100.242.3 port 35137 ssh2
Mar 29 04:43:25 localhost sshd[7721]: Failed password for root from 93.100.242.3 port 35251 ssh2
Mar 29 04:43:26 localhost unix_chkpwd[7730]: password check failed for user (root)
Mar 29 04:43:27 localhost sshd[7726]: Invalid user postgres from 93.100.242.3
Mar 29 04:43:27 localhost unix_chkpwd[7731]: password check failed for user (root)
Mar 29 04:43:28 localhost sshd[7724]: Failed password for root from 93.100.242.3 port 35927 ssh2
Mar 29 04:43:29 localhost sshd[7728]: Failed password for root from 93.100.242.3 port 36219 ssh2
Mar 29 04:43:30 localhost unix_chkpwd[7738]: password check failed for user (root)
Mar 29 04:43:31 localhost unix_chkpwd[7739]: password check failed for user (root)
That's 30 SECONDS of trying to get in!!
You can see that he tried different ports, different usernames, root, and different shells (ssh, and ssh2), and in combinations. For an hour. He may be trying to get in right now, while I'm writing this blog, though I did disable the secure shell program (ssh, ssh2). Secure shell is used to remotely operate a computer.
Just for kicks, I checked out his IP number: 93.100.242.3 and found this information with the "whois" command:
[Sun Mar 29 19:46:12 scarter@hawkeye ~]$ whois 93.100.242.3
[Querying whois.arin.net]
[Redirected to whois.ripe.net:43]
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% I'm taking this line out because it's a web address that could possibly install malware on your computer if you check it out.
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '93.100.240.0 - 93.100.255.255'
inetnum: 93.100.240.0 - 93.100.255.255
netname: PULNET
descr: LLC "Pulnet" Network
country: RU
admin-c: AKA36-RIPE
tech-c: AKA36-RIPE
status: ASSIGNED PA
mnt-by: MNT-SKNT
source: RIPE # Filtered
person: Anton Korbin
address: 196240 Saint-Petersburg
address: Varshavskaya 79
phone: +7 812 325 23 25
e-mail: noc@pulnet.ru
nic-hdl: AKA36-RIPE
source: RIPE # Filtered
% Information related to '93.100.240.0/20AS35807'
route: 93.100.240.0/20
descr: LLC "Pulnet" Network
origin: AS35807
mnt-by: MNT-SKNT
source: RIPE # Filtered
% Information related to '93.100.0.0/16AS35807'
route: 93.100.0.0/16
descr: SkyNet Networks
origin: AS35807
mnt-by: MNT-SKNT
source: RIPE # Filtered
% Information related to '93.100.128.0/17AS35807'
route: 93.100.128.0/17
descr: SkyNet Networks
origin: AS35807
mnt-by: MNT-SKNT
source: RIPE # Filtered
% Information related to '93.100.192.0/18AS35807'
route: 93.100.192.0/18
descr: SkyNet Networks
origin: AS35807
mnt-by: MNT-SKNT
source: RIPE # Filtered
So that tells me the IP number is from Russia (country: RU). I don't know if this information is real.
Further along, he started using much different usernames:
Mar 29 05:30:53 localhost sshd[21721]: input_userauth_request: invalid user mapview
Mar 29 05:30:58 localhost sshd[21724]: pam_succeed_if(sshd:auth): error retrieving information about user helpdesk
Mar 29 05:30:59 localhost sshd[21722]: Failed password for invalid user chris from 93.100.242.3 port 35013 ssh2
Mar 29 05:31:02 localhost sshd[21728]: Invalid user frank from 93.100.242.3
Mar 29 05:31:08 localhost sshd[21733]: input_userauth_request: invalid user agencia
Mar 29 05:33:38 localhost sshd[21808]: Failed password for invalid user contabilida
and many, many more.
Then someone else got into the action:
Mar 29 17:43:15 localhost sshd[3113]: Failed password for root from 173.45.67.210 port 54402 ssh2
Mar 29 17:43:25 localhost sshd[3126]: Failed password for root from 173.45.67.210 port 55901 ssh2
et cetera, et cetera, et cetera...
whois for 173.45.67.210 gives the following information:
[Sun Mar 29 21:38:32 scarter@hawkeye ~]$ whois 173.45.67.210
[Querying whois.arin.net]
[whois.arin.net]
eNET Inc. ENET-XLHOST-2 (NET-173-45-64-0-1)
173.45.64.0 - 173.45.95.255
XLHost.com Inc XLHOST-MPATEL1-5073 (NET-173-45-67-208-1)
173.45.67.208 - 173.45.67.223
# ARIN WHOIS database, last updated 2009-03-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
This pretty much shocked the hell out of me. So far, I haven't seen any new syslog messages regarding the secure shell. (But it's shut down, remember?)
I called my friend Jim up, who does system administration for a living. He told me this happens all the time. He was a bit concerned that they actually got to the open ports, that maybe my modem has been compromised also. He figures they are just looking for another bot for their botnet. You can tell that the login attempts were run by a program.
Jim suggested I install Wireshark, which is a packet sniffing program. It'll tell me where my incoming and outgoing packets are coming from, and going to. I'm downloading it now. I'll let it run overnight.
I don't have anything on this computer to worry about, and I plan to install Fedora 11 when it comes out in a couple of months, which would mean a hard disc wipe anyway. So in the meantime, I'll have fun snooping around.
I wonder how easy it would be to get into a Windows machine....
EDIT:
I just looked at the syslog for last week, and all I can say is "HOLY SHIT!!" For hours upon hours, nearly every day, there was someone from Poland trying to get into my computer:
[Sun Mar 29 22:20:13 scarter@hawkeye ~]$ whois 212.2.125.67
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '212.2.96.0 - 212.2.127.255'
inetnum: 212.2.96.0 - 212.2.127.255
org: ORG-PN5-RIPE
netname: PL-PLUSGSM-990819
descr: Polkomtel S.A.
country: PL
admin-c: PKL1-RIPE
tech-c: PKL1-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: POLKOMTEL-MNT
source: RIPE # Filtered
organisation: ORG-PN5-RIPE
org-name: Polkomtel S.A.
org-type: LIR
address: Polkomtel S.A.
Ireneusz Neska
ul. Postepu 3
02-676 Warsaw
POLAND
phone: +48 22 426 5709
fax-no: +48 22 426 0088
abuse-mailbox: abuse@polkomtel.com.pl
admin-c: AS114-RIPE
admin-c: IN3-RIPE
admin-c: KK1860-RIPE
admin-c: SO1236-RIPE
mnt-ref: POLKOMTEL-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
role: PlusGSM IP Team
address: Polkomtel S.A.
address: ul. Postepu 3
address: 02-676 Warszawa
address: Poland
phone: +48 22 4261599
phone: +48 601 131599
fax-no: +48 22 4260099
remarks: Plus (pl.plusgsm) registry administration
remarks: ---
remarks: Registry contact: registry@plus.pl
remarks: Spam and abuse reports: abuse@plus.pl
remarks: ---
abuse-mailbox: abuse@plus.pl
admin-c: IN3-RIPE
tech-c: KK1860-RIPE
tech-c: SO1236-RIPE
tech-c: DCH3-RIPE
nic-hdl: PKL1-RIPE
mnt-by: POLKOMTEL-MNT
source: RIPE # Filtered
% Information related to '212.2.96.0/19AS8374'
route: 212.2.96.0/19
descr: PlusGSM Net
descr: Warsaw, Poland
origin: AS8374
mnt-by: POLKOMTEL-MNT
source: RIPE # Filtered
5 years ago
3 comments:
That is crazy!
Weird.
I always knew you were a secret agent man!
Check out denyhosts (http://denyhosts.sourceforge.net/); after X failed attempts, the IP is blocked for Y days (user-configurable). I use it on any *nix box accessible from the internet. These bots are very common, but fairly easy to block.
Where there are multiple valid accounts, some with easy-to-guess passwords, (such as on the family PC which my wife and kids use) I simply disable ssh for all accounts except for my own.
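As an added example (not code from the post, its commenter, or the denyhosts project), here is a small Python script that does what the commenter's denyhosts does at the threshold level and what the post's author did by hand when reading the log: it parses sshd "Failed password" lines like the ones quoted above, groups them by source address, records which usernames were tried and which of those accounts do not even exist, and flags a source once it has produced N failures inside a sliding time window. The sample log is built from the post's own log excerpts plus one constructed line (192.0.2.10, user scarter, in the documentation address range) standing in for a single genuine typo by a real user; the year 2009 is assumed because syslog timestamps carry no year, and the threshold and window values are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Lines taken from the post's own sshd excerpts, plus one constructed line
# (192.0.2.10 / scarter) standing in for a single genuine mistyped password.
SAMPLE_LOG = """\
Mar 29 04:33:39 localhost sshd[7653]: Did not receive identification string from 93.100.242.3
Mar 29 04:42:33 localhost sshd[7654]: Failed password for root from 93.100.242.3 port 52449 ssh2
Mar 29 04:43:05 localhost sshd[7691]: Invalid user admin from 93.100.242.3
Mar 29 04:43:07 localhost sshd[7691]: Failed password for invalid user admin from 93.100.242.3 port 59546 ssh2
Mar 29 04:43:09 localhost sshd[7693]: Failed password for root from 93.100.242.3 port 59997 ssh2
Mar 29 04:43:11 localhost sshd[7696]: Failed password for invalid user miquelfi from 93.100.242.3 port 60401 ssh2
Mar 29 04:43:13 localhost sshd[7698]: Failed password for root from 93.100.242.3 port 60823 ssh2
Mar 29 04:43:17 localhost sshd[7703]: Failed password for invalid user fax from 93.100.242.3 port 33508 ssh2
Mar 29 04:43:20 localhost sshd[7712]: Failed password for invalid user pgsl from 93.100.242.3 port 34365 ssh2
Mar 29 04:43:24 localhost sshd[7717]: Failed password for invalid user admin from 93.100.242.3 port 34817 ssh2
Mar 29 05:33:38 localhost sshd[21808]: Failed password for invalid user contabilida
Mar 29 17:43:15 localhost sshd[3113]: Failed password for root from 173.45.67.210 port 54402 ssh2
Mar 29 17:43:25 localhost sshd[3126]: Failed password for root from 173.45.67.210 port 55901 ssh2
Mar 29 19:02:10 localhost sshd[4001]: Failed password for scarter from 192.0.2.10 port 41022 ssh2
"""

# One sshd "Failed password" line.  "invalid user" means the account does not
# exist on the box at all, which is itself a strong sign of a guessing bot.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failed_logins(lines, year=2009):
    """Return a list of (timestamp, ip, user, account_missing) for each
    failed-password line.  Other sshd/pam chatter and truncated lines
    (like the post's 'contabilida' entry with no 'from') are skipped.
    The year is an assumption: syslog timestamps do not carry one."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["invalid"] is not None))
    return events


def find_brute_force(lines, threshold=5, window_seconds=60, year=2009):
    """Per-source report of failed logins.  A source is 'flagged' at the
    moment it reaches `threshold` failures inside any `window_seconds` span,
    the same rule denyhosts/fail2ban apply before blocking an address."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    reports = {}
    for ts, ip, user, missing in sorted(parse_failed_logins(lines, year)):
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        rep = reports.setdefault(ip, {
            "failures": 0, "users": set(), "invalid_users": set(),
            "first": ts, "last": ts, "flagged_at": None,
        })
        rep["failures"] += 1
        rep["users"].add(user)
        if missing:
            rep["invalid_users"].add(user)
        rep["last"] = ts
        if rep["flagged_at"] is None and len(window) >= threshold:
            rep["flagged_at"] = ts
    return reports


def blocked_sources(reports):
    """Addresses that crossed the threshold, i.e. what denyhosts would block."""
    return sorted(ip for ip, rep in reports.items() if rep["flagged_at"])


if __name__ == "__main__":
    reports = find_brute_force(SAMPLE_LOG.splitlines())
    for ip, rep in sorted(reports.items()):
        status = f"FLAGGED at {rep['flagged_at']:%H:%M:%S}" if rep["flagged_at"] else "ok"
        print(f"{ip:15} {rep['failures']:3} failures, "
              f"{len(rep['users'])} usernames "
              f"({len(rep['invalid_users'])} nonexistent), {status}")
```

Run as is, the script flags only 93.100.242.3 (eight failures across five usernames, four of which are accounts that do not exist) and leaves the two-attempt source and the single scarter typo alone, which is the distinction a blocking rule has to make so that one mistyped password does not lock a real user out.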