BlackBoard (http://www.black-board.net/index.php)
- Computer Corner (http://www.black-board.net/board.php?boardid=30)
-- Networks/Telecommunications (http://www.black-board.net/board.php?boardid=2)
--- new worm with SSH attack (http://www.black-board.net/thread.php?threadid=18642)


Posted by Misel on 19.09.2004 at 23:33:

new worm with SSH attack

Hello,

twice today it has happened to me that people have tried to log in to my PC from outside via SSH.

here are the two excerpts from my /var/log/messages

code:
Sep 19 18:26:09 misel sshd[28698]: Invalid user test from ::ffff:205.209.XXX.XXX
Sep 19 18:26:09 misel sshd[28698]: Failed password for invalid user test from ::ffff:205.209.XXX.XXX port 33096 ssh2
Sep 19 18:26:15 misel sshd[28716]: Invalid user guest from ::ffff:205.209.XXX.XXX
Sep 19 18:26:15 misel sshd[28716]: Failed password for invalid user guest from ::ffff:205.209.XXX.XXX port 33320 ssh2
Sep 19 18:26:16 misel sshd[28737]: Invalid user admin from ::ffff:205.209.XXX.XXX
Sep 19 18:26:16 misel sshd[28737]: Failed password for invalid user admin from ::ffff:205.209.XXX.XXX port 33566 ssh2
Sep 19 18:26:19 misel sshd[28739]: Invalid user admin from ::ffff:205.209.XXX.XXX
Sep 19 18:26:19 misel sshd[28739]: Failed password for invalid user admin from ::ffff:205.209.XXX.XXX port 33632 ssh2
Sep 19 18:26:21 misel sshd[28745]: Invalid user user from ::ffff:205.209.XXX.XXX
Sep 19 18:26:21 misel sshd[28745]: Failed password for invalid user user from ::ffff:205.209.XXX.XXX port 33726 ssh2
Sep 19 18:26:23 misel sshd[28747]: Failed password for root from ::ffff:205.209.XXX.XXX port 33817 ssh2
Sep 19 18:26:24 misel sshd[28749]: Failed password for root from ::ffff:205.209.XXX.XXX port 33880 ssh2
Sep 19 18:26:28 misel sshd[28755]: Failed password for root from ::ffff:205.209.XXX.XXX port 33946 ssh2
Sep 19 18:26:33 misel sshd[28757]: Invalid user test from ::ffff:205.209.XXX.XXX
Sep 19 18:26:33 misel sshd[28757]: Failed password for invalid user test from ::ffff:205.209.XXX.XXX port 34083 ssh2
.
.
.


Sep 19 22:31:32 misel sshd[6683]: Invalid user test from ::ffff:203.71.XXX.XXX
Sep 19 22:31:32 misel sshd[6683]: Failed password for invalid user test from ::ffff:203.71.XXX.XXX port 58300 ssh2
Sep 19 22:31:35 misel sshd[6685]: Invalid user guest from ::ffff:203.71.XXX.XXX
Sep 19 22:31:35 misel sshd[6685]: Failed password for invalid user guest from ::ffff:203.71.XXX.XXX port 58540 ssh2
Sep 19 22:31:41 misel sshd[6687]: Invalid user admin from ::ffff:203.71.XXX.XXX
Sep 19 22:31:41 misel sshd[6687]: Failed password for invalid user admin from ::ffff:203.71.XXX.XXX port 58784 ssh2
Sep 19 22:31:46 misel sshd[6689]: Invalid user admin from ::ffff:203.71.XXX.XXX
Sep 19 22:31:46 misel sshd[6689]: Failed password for invalid user admin from ::ffff:203.71.XXX.XXX port 59284 ssh2
Sep 19 22:31:49 misel sshd[6691]: Invalid user user from ::ffff:203.71.XXX.XXX
Sep 19 22:31:49 misel sshd[6691]: Failed password for invalid user user from ::ffff:203.71.XXX.XXX port 59623 ssh2
Sep 19 22:31:55 misel sshd[6693]: Failed password for root from ::ffff:203.71.XXX.XXX port 59837 ssh2
Sep 19 22:31:58 misel sshd[6695]: Failed password for root from ::ffff:203.71.XXX.XXX port 60386 ssh2
Sep 19 22:32:01 misel sshd[6697]: Failed password for root from ::ffff:203.71.XXX.XXX port 60609 ssh2
Sep 19 22:32:04 misel sshd[6699]: Invalid user test from ::ffff:203.71.XXX.XXX
Sep 19 22:32:04 misel sshd[6699]: Failed password for invalid user test from ::ffff:203.71.XXX.XXX port 60849 ssh2


has anyone experienced something similar and/or knows more?



Posted by Menetekel23 on 20.09.2004 at 10:27:

I can't confirm that. Maybe it's not a worm but your personal script kiddie.
What kind of IP range is 205.209.X.X anyway?



Posted by Misel on 20.09.2004 at 12:09:

I'm only asking because Blackstar in the channel has the same problem



Posted by Black Star on 20.09.2004 at 20:21:

Well, that was a real blunder *rofl*

But I do have a similar problem (and these really are my own logfiles)
Quote:
Sep 19 20:05:09 odin sshd[17360]: Accepted keyboard-interactive/pam for root from 192.168.0.2 port 35501 ssh2
Sep 19 20:05:09 odin sshd(pam_unix)[29692]: session opened for user root by root(uid=0)
Sep 19 20:37:30 odin sshd[30980]: Illegal user test from 192.203.139.221
Sep 19 20:37:31 odin sshd[30980]: error: Could not get shadow information for NOUSER
Sep 19 20:37:31 odin sshd[30980]: Failed password for illegal user test from 192.203.139.221 port 49173 ssh2
Sep 19 20:37:34 odin sshd[7243]: User guest not allowed because shell /dev/null is not executable
Sep 19 20:37:35 odin sshd[7243]: error: Could not get shadow information for NOUSER
Sep 19 20:37:35 odin sshd[7243]: Failed password for illegal user guest from 192.203.139.221 port 49281 ssh2
Sep 19 20:37:38 odin sshd[4042]: Illegal user admin from 192.203.139.221
Sep 19 20:37:38 odin sshd[4042]: error: Could not get shadow information for NOUSER
Sep 19 20:37:38 odin sshd[4042]: Failed password for illegal user admin from 192.203.139.221 port 49358 ssh2
Sep 19 20:37:41 odin sshd[24004]: Illegal user admin from 192.203.139.221
Sep 19 20:37:41 odin sshd[24004]: error: Could not get shadow information for NOUSER
Sep 19 20:37:41 odin sshd[24004]: Failed password for illegal user admin from 192.203.139.221 port 49443 ssh2
Sep 19 20:37:44 odin sshd[16886]: Illegal user user from 192.203.139.221
Sep 19 20:37:44 odin sshd[16886]: error: Could not get shadow information for NOUSER
Sep 19 20:37:44 odin sshd[16886]: Failed password for illegal user user from 192.203.139.221 port 49525 ssh2
Sep 19 20:37:47 odin sshd[1767]: Failed password for root from 192.203.139.221 port 49601 ssh2
Sep 19 20:37:50 odin sshd[9021]: Failed password for root from 192.203.139.221 port 49687 ssh2
Sep 19 20:37:54 odin sshd[28091]: Failed password for root from 192.203.139.221 port 49763 ssh2
Sep 19 20:37:57 odin sshd[11679]: Illegal user test from 192.203.139.221
Sep 19 20:37:57 odin sshd[11679]: error: Could not get shadow information for NOUSER
Sep 19 20:37:57 odin sshd[11679]: Failed password for illegal user test from 192.203.139.221 port 49838 ssh2
Sep 19 23:39:52 odin sshd(pam_unix)[22743]: session closed for user ulli



Posted by Menetekel23 on 20.09.2004 at 21:07:

He seems to be consistently trying the users test, admin, guest, user and root - looks more like brute force.
Different IP ranges show up in Black Star's logs, so is it a worm after all?

Just found something:
http://www.unixboard.de/vb3/showthread.php?t=8900&page=1&pp=15


This should explain it:
http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999
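The pattern Menetekel23 points out (the same handful of user names tried in quick succession from one address, in both Misel's and Black Star's logs) is exactly what a log-based detector keys on. The following Python script is an added example and is not code from the thread or from any of the posters: it parses the sshd "Failed password" lines in both wordings seen above (the newer "invalid user" and the older "illegal user" form, with or without the "::ffff:" IPv4-mapped prefix), groups the failures by source address and flags any source that produced five or more inside a two-minute window. The sample log lines, the addresses (RFC 5737 documentation ranges), the threshold, the window and the assumed year 2004 are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches both sshd wordings quoted in the thread: "invalid user" (OpenSSH 3.9)
# and the older "illegal user". Only the "Failed password" lines are counted, so
# the preceding "Invalid user X from ..." line does not double-count an attempt.
_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)


def _parse_ts(text, year):
    # syslog timestamps carry no year, so the caller supplies one (assumption)
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def _norm_ip(ip):
    # sshd on a dual-stack host logs IPv4 peers as IPv4-mapped IPv6 addresses
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def parse_failures(lines, year=2004):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in lines:
        m = _FAILED.match(line.strip())
        if m:
            yield _parse_ts(m.group("ts"), year), m.group("user"), _norm_ip(m.group("ip"))


def find_bruteforce(lines, threshold=5, window_seconds=120, year=2004):
    """Return {ip: {"failures": n, "users": [...], "span_seconds": s}} for every
    source that produced at least `threshold` failures inside `window_seconds`."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines, year):
        by_ip[ip].append((ts, user))

    hits = {}
    for ip, events in by_ip.items():
        events.sort()  # sort by timestamp so a sliding window is valid
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it fits in window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    "span_seconds": int((events[-1][0] - events[0][0]).total_seconds()),
                }
                break
    return hits


# Constructed sample log: one scanning source in the style of the thread's logs,
# one source that gives up after two tries, and one legitimate user who mistyped
# a password once and then logged in. Addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 19 18:26:09 misel sshd[28698]: Invalid user test from ::ffff:203.0.113.7
Sep 19 18:26:09 misel sshd[28698]: Failed password for invalid user test from ::ffff:203.0.113.7 port 33096 ssh2
Sep 19 18:26:15 misel sshd[28716]: Failed password for invalid user guest from ::ffff:203.0.113.7 port 33320 ssh2
Sep 19 18:26:16 misel sshd[28737]: Failed password for invalid user admin from ::ffff:203.0.113.7 port 33566 ssh2
Sep 19 18:26:21 misel sshd[28745]: Failed password for invalid user user from ::ffff:203.0.113.7 port 33726 ssh2
Sep 19 18:26:23 misel sshd[28747]: Failed password for root from ::ffff:203.0.113.7 port 33817 ssh2
Sep 19 20:37:30 misel sshd[30980]: Illegal user test from 192.0.2.44
Sep 19 20:37:31 misel sshd[30980]: Failed password for illegal user test from 192.0.2.44 port 49173 ssh2
Sep 19 20:37:35 misel sshd[7243]: Failed password for illegal user guest from 192.0.2.44 port 49281 ssh2
Sep 19 21:10:02 misel sshd[1111]: Failed password for ulli from 198.51.100.9 port 50000 ssh2
Sep 19 21:10:09 misel sshd[1112]: Accepted keyboard-interactive/pam for ulli from 198.51.100.9 port 50001 ssh2
"""

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures in {info['span_seconds']}s, "
              f"users tried: {', '.join(info['users'])}")
```

Run against the sample, only 203.0.113.7 is reported (five failures in 14 seconds across test, guest, admin, user and root); the two-attempt source and the user who mistyped once stay below the threshold. The script only surfaces the pattern; what to do about it is a policy decision, and the usual answer for a host that sees this traffic is to stop accepting passwords for SSH altogether (key-based authentication only) so that guessing user/password pairs has nothing to hit.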


Forum software: Burning Board 2.3.6, developed by WoltLab GmbH