Sergey Melekhin
Joined: 05 Feb 2010
Posts: 1
Posted: Fri Feb 05, 2010 11:57 pm  Post subject: My sshd was bruteforced!
A few minutes ago my sshd was brute-forced by one of your accounts, namely li123-111.members.linode.com.
Looks like it has been hacked.
Here's a snippet of auth.log (note that the log time is GMT+10):
Code:
Feb 6 14:18:04 samolet sshd[10763]: Invalid user students from 69.164.208.111
Feb 6 14:18:04 samolet sshd[10763]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:18:04 samolet sshd[10763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:18:06 samolet sshd[10763]: Failed password for invalid user students from 69.164.208.111 port 47634 ssh2
Feb 6 14:18:08 samolet sshd[10765]: Invalid user students from 69.164.208.111
Feb 6 14:18:08 samolet sshd[10765]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:18:08 samolet sshd[10765]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:18:10 samolet sshd[10765]: Failed password for invalid user students from 69.164.208.111 port 49052 ssh2
Feb 6 14:18:12 samolet sshd[10767]: Invalid user students from 69.164.208.111
Feb 6 14:18:12 samolet sshd[10767]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:18:12 samolet sshd[10767]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:18:14 samolet sshd[10767]: Failed password for invalid user students from 69.164.208.111 port 50710 ssh2
Feb 6 14:18:17 samolet sshd[10769]: Invalid user students from 69.164.208.111
Feb 6 14:18:17 samolet sshd[10769]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:18:17 samolet sshd[10769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:18:19 samolet sshd[10769]: Failed password for invalid user students from 69.164.208.111 port 52243 ssh2
Feb 6 14:18:21 samolet sshd[10771]: Invalid user squid from 69.164.208.111
Feb 6 14:18:21 samolet sshd[10771]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:18:21 samolet sshd[10771]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:18:23 samolet sshd[10771]: Failed password for invalid user squid from 69.164.208.111 port 53818 ssh2
Feb 6 14:18:25 samolet sshd[10773]: Invalid user squid from 69.164.208.111
Feb 6 14:18:25 samolet sshd[10773]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:18:25 samolet sshd[10773]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:18:27 samolet sshd[10773]: Failed password for invalid user squid from 69.164.208.111 port 55409 ssh2
Feb 6 14:18:29 samolet sshd[10775]: Invalid user support from 69.164.208.111
Feb 6 14:18:29 samolet sshd[10775]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:18:29 samolet sshd[10775]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:18:31 samolet sshd[10775]: Failed password for invalid user support from 69.164.208.111 port 56912 ssh2
Feb 6 14:18:33 samolet sshd[10777]: Invalid user support from 69.164.208.111
Feb 6 14:18:33 samolet sshd[10777]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:18:33 samolet sshd[10777]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:18:35 samolet sshd[10777]: Failed password for invalid user support from 69.164.208.111 port 58437 ssh2
Feb 6 14:18:37 samolet sshd[10779]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com user=sys
Feb 6 14:18:39 samolet sshd[10779]: Failed password for sys from 69.164.208.111 port 60046 ssh2
Feb 6 14:18:41 samolet sshd[10781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com user=sys
Feb 6 14:18:43 samolet sshd[10781]: Failed password for sys from 69.164.208.111 port 33356 ssh2
Feb 6 14:18:45 samolet sshd[10783]: Invalid user sysadmin from 69.164.208.111
Feb 6 14:18:45 samolet sshd[10783]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:18:45 samolet sshd[10783]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:18:47 samolet sshd[10783]: Failed password for invalid user sysadmin from 69.164.208.111 port 34917 ssh2
Feb 6 14:18:49 samolet sshd[10787]: Invalid user sysadmin from 69.164.208.111
Feb 6 14:18:49 samolet sshd[10787]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:18:49 samolet sshd[10787]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:18:51 samolet sshd[10787]: Failed password for invalid user sysadmin from 69.164.208.111 port 36397 ssh2
Feb 6 14:18:53 samolet sshd[10789]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com user=sync
Feb 6 14:18:56 samolet sshd[10789]: Failed password for sync from 69.164.208.111 port 37983 ssh2
Feb 6 14:18:58 samolet sshd[10791]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com user=sync
Feb 6 14:18:59 samolet sshd[10791]: Failed password for sync from 69.164.208.111 port 39625 ssh2
Feb 6 14:19:02 samolet sshd[10793]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com user=sync
Feb 6 14:19:03 samolet sshd[10793]: Failed password for sync from 69.164.208.111 port 41021 ssh2
Feb 6 14:19:06 samolet sshd[10795]: Invalid user tech from 69.164.208.111
Feb 6 14:19:06 samolet sshd[10795]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:19:06 samolet sshd[10795]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:19:08 samolet sshd[10795]: Failed password for invalid user tech from 69.164.208.111 port 42470 ssh2
Feb 6 14:19:10 samolet sshd[10797]: Invalid user tech from 69.164.208.111
Feb 6 14:19:10 samolet sshd[10797]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:19:10 samolet sshd[10797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:19:12 samolet sshd[10797]: Failed password for invalid user tech from 69.164.208.111 port 44090 ssh2
Feb 6 14:19:14 samolet sshd[10799]: Invalid user telnetd from 69.164.208.111
Feb 6 14:19:14 samolet sshd[10799]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:19:14 samolet sshd[10799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:19:15 samolet sshd[10799]: Failed password for invalid user telnetd from 69.164.208.111 port 45447 ssh2
Feb 6 14:19:18 samolet sshd[10804]: Invalid user telnetd from 69.164.208.111
Feb 6 14:19:18 samolet sshd[10804]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 14:19:18 samolet sshd[10804]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb 6 14:19:18 samolet sshd[1228]: Received signal 15; terminating.
bdonlan
Joined: 22 Jan 2008
Posts: 103
Posted: Sat Feb 06, 2010 12:14 am
You should send this info to abuse@linode.com
vonskippy
Joined: 27 Dec 2009
Posts: 410
Location: Colorado, USA
Posted: Sat Feb 06, 2010 12:39 am
People still set up SSH to use passwords???
|
dbb
Joined: 12 Aug 2008
Posts: 55
Posted: Sat Feb 06, 2010 9:23 am
The abuse email should be more prominent on the main site; the Contact Us page seems like a logical choice. There have been a few posts in the forums in recent weeks that should have really gone directly to abuse@linode.com.
|
mwalling
Joined: 10 Dec 2007
Posts: 335
Posted: Sat Feb 06, 2010 9:54 am
The abuse contact is exactly where you'd expect it to be:
Code:
mwalling@youtoo:~$ whois 69.164.208.111 | grep -i abuse
RAbuseHandle: LAS12-ARIN
RAbuseName: Linode Abuse Support
RAbusePhone: +1-609-593-7103
RAbuseEmail: abuse@linode.com
OrgAbuseHandle: LAS12-ARIN
OrgAbuseName: Linode Abuse Support
OrgAbusePhone: +1-609-593-7103
OrgAbuseEmail: abuse@linode.com
mooseday
Joined: 20 May 2008
Posts: 10
Posted: Sat Feb 06, 2010 10:02 am
Don't know how many other people do this, but on any new install the first thing is to change the SSH port from 22 to something else (22222 for example).
[Edit] Sorry, misread that post as from a Linode customer, not the other way around ... my gaffe :P
Key
Joined: 31 Jan 2010
Posts: 17
Posted: Sat Feb 06, 2010 5:22 pm
mooseday wrote: Don't know how many other people do this, but on any new install the first thing is to change the SSH port from 22 to something else (22222 for example).
[Edit] Sorry, misread that post as from a Linode customer, not the other way around ... my gaffe :P
That's exactly what I do, but they still find a way to figure out the port, hence why I use DenyHosts :)
I installed DenyHosts yesterday, as I was reading on the Linode forum that people were doing "back yard" attacks where they bruted machines on the same network!
I don't actually see the point of brute forcing... Two of our old servers were bruted into before we looked into DenyHosts... Why do people actually brute force? Do they actually get anything out of it?
carmp3fan
Joined: 14 Feb 2009
Posts: 113
Posted: Sat Feb 06, 2010 5:39 pm
Brute forcing is very attractive to attackers because it works. Not only has my employer fallen victim to a brute force attack, I have talked to a lot of security professionals who have experienced the same problem. Users create easily guessed passwords all the time. I used to perform password cracking at my primary place of employment (with permission) and you would be amazed by the passwords used. Want samples? Here are some off the top of my head.
Password1
Football1
Dolphin1
Zzzzzzzz
Abcd1234
Abcdefg1
While there are lots of reasons that these shouldn't even be allowed as passwords, it illustrates that users will generally choose simplicity over complexity.
kbrantley
Joined: 21 Sep 2007
Posts: 77
Posted: Sun Feb 07, 2010 5:27 pm
Key wrote: I installed DenyHosts yesterday, as I was reading on the Linode forum that people were doing "back yard" attacks where they bruted machines on the same network!
This is why I firewall off my private interface. :)
That said, when computers are compromised, it is quite common that the attacker will take a look at the interfaces and then go for any other devices they can see -- with an emphasis on machines on the same LAN as the compromised host. That way, if the admin cleans one machine, they still have another... and it is likely that the admin will leave the same hole as they did previously.
Key wrote: I don't actually see the point of brute forcing... Two of our old servers were bruted into before we looked into DenyHosts... Why do people actually brute force? Do they actually get anything out of it?
Yes. Because people are lazy and configure accounts with dumb names and weak passwords. They don't need root to DDoS a site, just basic connectivity. When you think about it, you can do quite a lot with a regular account.
mooseday
Joined: 20 May 2008
Posts: 10
Posted: Sun Feb 07, 2010 6:34 pm
Yeah, we had a new employee set up a test Linux mail server on a spare public IP and set root as "letmein" ... got hacked via SSH within 3 days and was spamming the beans out of everything. Only detected it as our network started dying. His response was "it's Linux ... it's perfectly safe from hacking and viruses" ... sigh.
Key
Joined: 31 Jan 2010
Posts: 17
Posted: Sun Feb 07, 2010 7:11 pm
Oh, I see... Once, back in September, we got bruted and they took down the apache and mysql users and then started uploading documents that didn't look 100% legal... It's amazing how they (well, it) didn't delete any of our websites and whatnot.
Brute forcers make me angry; we now have to install extra software like DenyHosts or completely disable the service to stop them attempting to break in!
There should be a way to report and take them down for good!
jonny5alive
Joined: 08 Oct 2009
Posts: 70
Posted: Sun Feb 07, 2010 8:25 pm
I've just installed this, pretty simple to install.
|
carmp3fan
Joined: 14 Feb 2009
Posts: 113
Posted: Mon Feb 08, 2010 12:59 am
Key wrote: Brute forcers make me angry; we now have to install extra software like DenyHosts or completely disable the service to stop them attempting to break in!
There should be a way to report and take them down for good!
The business I run off of Linode is a computer security business. I am *slowly* working on scripts that will watch for brute force attempts and centralize the source IP addresses the attempts are coming from. This data will be available (not sure if it will be free or a small subscription fee) so that customers can block hosts using Netfilter/iptables based on the information gathered. Essentially a Spamhaus for SSH brute force attacks.
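The detection step that both the opening post's auth.log and the script idea above describe, written out as an added example (it is not code from this thread, from DenyHosts, or from the poster's project): it parses the "Failed password" and "Invalid user" lines sshd writes, groups rejected passwords per source IP, flags any source that exceeds a threshold inside a sliding time window, and emits the Netfilter/iptables drop rules a blocklist consumer would apply. The sample log lines are constructed in the thread's format with RFC 5737 documentation addresses; the threshold, window and the year (syslog timestamps carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two sshd line shapes from the auth.log in the opening post. sshd logs
# "Failed password" for every rejected password, so that is the line we count;
# "Invalid user" names accounts that do not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)
INVALID_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample in the thread's log format. The addresses come from the
# RFC 5737 documentation ranges, not from the host named in the thread.
SAMPLE_LOG = """\
Feb  6 14:18:04 samolet sshd[10763]: Invalid user students from 192.0.2.10
Feb  6 14:18:06 samolet sshd[10763]: Failed password for invalid user students from 192.0.2.10 port 47634 ssh2
Feb  6 14:18:10 samolet sshd[10765]: Failed password for invalid user students from 192.0.2.10 port 49052 ssh2
Feb  6 14:18:14 samolet sshd[10767]: Failed password for invalid user squid from 192.0.2.10 port 50710 ssh2
Feb  6 14:18:19 samolet sshd[10769]: Failed password for invalid user squid from 192.0.2.10 port 52243 ssh2
Feb  6 14:18:23 samolet sshd[10771]: Failed password for sys from 192.0.2.10 port 53818 ssh2
Feb  6 14:18:27 samolet sshd[10773]: Failed password for sys from 192.0.2.10 port 55409 ssh2
Feb  6 14:18:31 samolet sshd[10775]: Invalid user tech from 192.0.2.10
Feb  6 14:20:02 samolet sshd[10790]: Failed password for alice from 198.51.100.7 port 40122 ssh2
""".splitlines()


def parse_timestamp(ts, year):
    """syslog timestamps carry no year, so the caller supplies it (assumed 2010 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def summarize(lines, year=2010):
    """Per source IP: sorted timestamps of rejected passwords and the usernames tried."""
    per_ip = defaultdict(lambda: {"times": [], "users": set()})
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            per_ip[m["ip"]]["times"].append(parse_timestamp(m["ts"], year))
            per_ip[m["ip"]]["users"].add(m["user"])
            continue
        m = INVALID_RE.match(line)
        if m:
            # Keep the probed username even when no password line follows
            # (the thread's log ends mid-attempt because sshd was restarted).
            per_ip[m["ip"]]["users"].add(m["user"])
    return {ip: {"failures": len(rec["times"]), "times": sorted(rec["times"]),
                 "users": rec["users"]} for ip, rec in per_ip.items()}


def flag_bruteforce(summary, max_failures=5, window_seconds=60):
    """IPs with more than max_failures rejected passwords inside any window of
    window_seconds. The window slides, so a slow scan spread over a long span
    is still caught once enough failures cluster together."""
    flagged = []
    n = max_failures + 1
    for ip, rec in sorted(summary.items()):
        times = rec["times"]
        for i in range(len(times) - n + 1):
            if (times[i + n - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(ip)
                break
    return flagged


def block_rules(ips):
    """Netfilter rules, as strings, dropping new SSH connections from each IP."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, rec in sorted(summary.items()):
        print(f"{ip}: {rec['failures']} failures, users tried: {sorted(rec['users'])}")
    for rule in block_rules(flag_bruteforce(summary)):
        print(rule)
```

Run against the sample, the single failure from 198.51.100.7 stays below the threshold while 192.0.2.10 (six rejections in 21 seconds, four usernames probed) is flagged and gets a drop rule; a central service would collect the flagged IPs from many hosts, and the consumer side would apply the rules with a timeout so a mistyped password from a legitimate address does not become a permanent block.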
mnordhoff
Joined: 03 May 2008
Posts: 412
Posted: Mon Feb 08, 2010 1:25 am
If you run DenyHosts, you can optionally make it sync with a central database. Check the config file.
|
kmweber
Joined: 08 Feb 2010
Posts: 16
Posted: Mon Feb 08, 2010 4:11 pm
vonskippy wrote: People still set up SSH to use passwords???
This.
No reason not to have SSH configured to allow only PK authentication.
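The "PK authentication only" configuration vonskippy and kmweber are pointing at, as an added example that is not from this thread or from OpenSSH: a small auditor that reads an sshd_config, reports which of the settings that matter for brute-force exposure are weak or left unset, and writes out a hardened copy. It follows two sshd_config rules that are easy to get wrong by hand: keywords are case-insensitive, and outside Match blocks the first occurrence of a keyword is the one sshd uses, so a stray "PasswordAuthentication yes" above the "no" silently wins. The weak config is constructed; the OpenSSH defaults assumed for absent keywords are the ones named in DEFAULTS, and PermitRootLogin is flagged when unset because its default has changed across releases.

```python
import re

# Settings a key-only sshd should carry. ChallengeResponseAuthentication must
# be off as well, or PAM can still offer a keyboard-interactive password prompt.
DESIRED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "no",
    "PermitEmptyPasswords": "no",
}
# Values sshd applies when the keyword is absent (assumed OpenSSH defaults).
# PermitRootLogin is deliberately missing: its default differs by release.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "PermitEmptyPasswords": "no",
}
CANON = {k.lower(): k for k in DESIRED}

# Constructed sample, not any real server's file. The second
# PasswordAuthentication line is a trap: sshd uses the first one.
WEAK_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
"""


def parse_line(raw):
    """(keyword, value) for a config line, or None for blanks and comments."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.+)", line)
    return (m.group(1).lower(), m.group(2).strip()) if m else None


def effective_settings(text):
    """First-occurrence-wins parse of the global section (everything before Match)."""
    settings = {}
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        key, value = parsed
        if key == "match":
            break  # later lines are conditional, not global
        settings.setdefault(key, value.lower())
    return settings


def audit(text):
    """(keyword, found, wanted) for every DESIRED setting that is weak or unset."""
    settings = effective_settings(text)
    findings = []
    for key, wanted in DESIRED.items():
        found = settings.get(key.lower(), DEFAULTS.get(key, "unset"))
        if found != wanted:
            findings.append((key, found, wanted))
    return findings


def harden(text):
    """Rewrite the global section so each DESIRED keyword carries its safe value.
    Every global occurrence is rewritten (so first-wins cannot keep a weak one);
    keywords never mentioned are added before the first Match block, because a
    setting placed inside a Match block applies only to that block."""
    out, seen, in_match = [], set(), False
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed and parsed[0] == "match" and not in_match:
            in_match = True
            out.extend(f"{k} {v}" for k, v in DESIRED.items() if k not in seen)
            seen.update(DESIRED)
        if parsed and not in_match and parsed[0] in CANON:
            key = CANON[parsed[0]]
            out.append(f"{key} {DESIRED[key]}")
            seen.add(key)
        else:
            out.append(raw)
    out.extend(f"{k} {v}" for k, v in DESIRED.items() if k not in seen)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, found, wanted in audit(WEAK_CONFIG):
        print(f"{key}: found {found}, want {wanted}")
    print(harden(WEAK_CONFIG))
```

The hardened output keeps the Match block and its per-user override intact; only the global section changes. Before applying a file like this to a live host, confirm that a working public key is already in place for the admin account and keep the existing session open until a fresh key-based login succeeds, otherwise "PasswordAuthentication no" locks you out along with the attacker.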