Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: GetRighT on October 11, 2004, 04:07:01 PM

Title: New SSh Worm?
Post by: GetRighT on October 11, 2004, 04:07:01 PM
from my logs:


Failed logins from these:
   account/password from 24.24.50.227: 1 Time(s)
   adam/password from 24.24.50.227: 1 Time(s)
   adm/password from 24.24.50.227: 2 Time(s)
   admin/password from 66.220.27.241: 2 Time(s)
   alan/password from 24.24.50.227: 1 Time(s)
   apache/password from 24.24.50.227: 1 Time(s)
   backup/password from 24.24.50.227: 1 Time(s)
   cip51/password from 24.24.50.227: 1 Time(s)
   cip52/password from 24.24.50.227: 1 Time(s)
   cosmin/password from 24.24.50.227: 1 Time(s)
   cyrus/password from 24.24.50.227: 1 Time(s)
   data/password from 24.24.50.227: 1 Time(s)
   frank/password from 24.24.50.227: 1 Time(s)
   george/password from 24.24.50.227: 1 Time(s)
   guest/password from 66.220.27.241: 1 Time(s)
   henry/password from 24.24.50.227: 1 Time(s)
   horde/password from 24.24.50.227: 1 Time(s)
   iceuser/password from 24.24.50.227: 1 Time(s)
   irc/password from 24.24.50.227: 2 Time(s)
   jane/password from 24.24.50.227: 1 Time(s)
   john/password from 24.24.50.227: 1 Time(s)
   master/password from 24.24.50.227: 1 Time(s)
   matt/password from 24.24.50.227: 1 Time(s)
   mysql/password from 24.24.50.227: 1 Time(s)
   nobody/password from 24.24.50.227: 1 Time(s)
   noc/password from 24.24.50.227: 1 Time(s)
   operator/password from 24.24.50.227: 1 Time(s)
   oracle/password from 24.24.50.227: 1 Time(s)
   pamela/password from 24.24.50.227: 1 Time(s)
   patrick/password from 24.24.50.227: 2 Time(s)
   rolo/password from 24.24.50.227: 1 Time(s)
   root/password from 24.24.50.227: 59 Time(s)
   root/password from 66.220.27.241: 3 Time(s)
   server/password from 24.24.50.227: 1 Time(s)
   sybase/password from 24.24.50.227: 1 Time(s)
   test/password from 24.24.50.227: 5 Time(s)
   test/password from 66.220.27.241: 2 Time(s)
   user/password from 24.24.50.227: 3 Time(s)
   user/password from 66.220.27.241: 1 Time(s)
   web/password from 24.24.50.227: 2 Time(s)
   webmaster/password from 24.24.50.227: 1 Time(s)
   www-data/password from 24.24.50.227: 1 Time(s)
   www/password from 24.24.50.227: 1 Time(s)
   wwwrun/password from 24.24.50.227: 1 Time(s)

Illegal user patrick from 24.24.50.227
Illegal user patrick from 24.24.50.227
Illegal user rolo from 24.24.50.227
Illegal user iceuser from 24.24.50.227
Illegal user horde from 24.24.50.227
Illegal user cyrus from 24.24.50.227
Illegal user wwwrun from 24.24.50.227
Illegal user matt from 24.24.50.227
Illegal user test from 24.24.50.227
Illegal user test from 24.24.50.227
Illegal user test from 24.24.50.227
Illegal user test from 24.24.50.227
Illegal user www-data from 24.24.50.227
Illegal user irc from 24.24.50.227
Illegal user irc from 24.24.50.227
Illegal user jane from 24.24.50.227
Illegal user pamela from 24.24.50.227
Illegal user cosmin from 24.24.50.227
Illegal user cip52 from 24.24.50.227
Illegal user cip51 from 24.24.50.227
Illegal user noc from 24.24.50.227
Illegal user webmaster from 24.24.50.227
Illegal user data from 24.24.50.227
Illegal user user from 24.24.50.227
Illegal user user from 24.24.50.227
Illegal user user from 24.24.50.227
Illegal user web from 24.24.50.227
Illegal user web from 24.24.50.227
Illegal user oracle from 24.24.50.227
Illegal user sybase from 24.24.50.227
Illegal user master from 24.24.50.227
Illegal user account from 24.24.50.227
Illegal user backup from 24.24.50.227
Illegal user server from 24.24.50.227
Illegal user adam from 24.24.50.227
Illegal user alan from 24.24.50.227
Illegal user frank from 24.24.50.227
Illegal user george from 24.24.50.227
Illegal user henry from 24.24.50.227
Illegal user john from 24.24.50.227
Illegal user test from 24.24.50.227
Illegal user test from 66.220.27.241
Illegal user guest from 66.220.27.241
Illegal user user from 66.220.27.241
Illegal user test from 66.220.27.241

And I have a log from another day, and it tries different users, which is not "worm-like" unless it has some sort of engine / IQ?

A new variant of the admin, root, test worm with intelligence?  :-P

Anybody else get these attacks?  :hammer:

NB: sorry, I posted the IPs but they are fake so...
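What the poster is seeing is a fixed username wordlist being walked from one source, not anything adaptive: the giveaway is many distinct usernames from a single address, versus a few default accounts (root, admin, test) hit repeatedly. The summary below is an added example, not code from the thread or from the SME Server project. It parses the two line formats shown above (the logwatch "user/method from IP: N Time(s)" summary and raw sshd "Illegal user" messages) and labels each source by how many distinct names it tried. The sample lines are constructed with RFC 5737 documentation addresses; the threshold of five distinct usernames is an assumption, not a standard value.

```python
import re
from collections import defaultdict

# Constructed sample in the two formats that appear in the thread. The
# "Illegal user" lines are the raw sshd events behind the summary, so they
# are used only to record which names were tried, not to add attempts twice.
SAMPLE_LOG = """\
Failed logins from these:
   adam/password from 192.0.2.10: 1 Time(s)
   admin/password from 198.51.100.7: 2 Time(s)
   oracle/none from 192.0.2.10: 1 Time(s)
   root/password from 192.0.2.10: 59 Time(s)
   root/password from 198.51.100.7: 3 Time(s)
   test/password from 192.0.2.10: 5 Time(s)
   www-data/password from 192.0.2.10: 1 Time(s)

Illegal user patrick from 192.0.2.10
Illegal user test from 198.51.100.7
Illegal user jane from 192.0.2.10
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The field after the slash ("password", "none") is the SSH authentication
# method sshd recorded for the attempt, not a guessed password.
SUMMARY_RE = re.compile(
    rf"^\s*(?P<user>[^/\s]+)/(?P<method>\S+) from (?P<ip>{IPV4}): (?P<n>\d+) Time\(s\)"
)
ILLEGAL_RE = re.compile(rf"^Illegal user (?P<user>\S+) from (?P<ip>{IPV4})")


def parse_lines(text):
    """Yield (source_ip, username, count, illegal) for every recognised line.
    Summary lines carry their count; 'Illegal user' lines carry 0 (already
    counted in the summary) and just flag a name that does not exist locally."""
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            yield m["ip"], m["user"], int(m["n"]), False
            continue
        m = ILLEGAL_RE.match(line)
        if m:
            yield m["ip"], m["user"], 0, True


def summarize(text):
    """Per-source totals: attempts, distinct usernames, nonexistent usernames."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "illegal": set()})
    for ip, user, n, illegal in parse_lines(text):
        per_ip[ip]["attempts"] += n
        per_ip[ip]["users"].add(user)
        if illegal:
            per_ip[ip]["illegal"].add(user)
    return dict(per_ip)


def classify(text, sweep_threshold=5):
    """Label each source. Many distinct usernames from one address is a
    wordlist sweep (the 'different users' the poster noticed); a handful of
    default accounts hit repeatedly is the older root/admin/test probe.
    sweep_threshold is an assumed cut-off for the constructed sample."""
    report = {}
    for ip, stats in summarize(text).items():
        distinct = len(stats["users"])
        label = "username sweep" if distinct >= sweep_threshold else "default-account probe"
        report[ip] = {
            "attempts": stats["attempts"],
            "distinct_users": distinct,
            "nonexistent_users": len(stats["illegal"]),
            "label": label,
        }
    return report


if __name__ == "__main__":
    for ip, r in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip}: {r['attempts']} attempts, {r['distinct_users']} usernames "
              f"({r['nonexistent_users']} nonexistent) -> {r['label']}")
```

Run against a real logwatch mail, the same split shows up: one address sweeping dozens of names once or twice each, another hammering root. Both are automated; neither needs "intelligence", only a wordlist.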
Title: New SSh Worm?
Post by: Smitro on March 28, 2005, 10:58:38 PM
I'm hearing you brother...

Failed logins from these:
   admin/password from 210.0.141.89: 4 Time(s)
   admin/password from 218.188.9.202: 4 Time(s)
   andrew/password from 65.75.186.180: 2 Time(s)
   angel/password from 65.75.186.180: 2 Time(s)
   barbara/password from 65.75.186.180: 2 Time(s)
   ben/password from 65.75.186.180: 2 Time(s)
   betty/password from 65.75.186.180: 2 Time(s)
   billy/password from 65.75.186.180: 2 Time(s)
   black/password from 65.75.186.180: 2 Time(s)
   blue/password from 65.75.186.180: 2 Time(s)
   brandon/password from 65.75.186.180: 2 Time(s)
   brian/password from 65.75.186.180: 2 Time(s)
   buddy/password from 65.75.186.180: 2 Time(s)
   carmen/password from 65.75.186.180: 2 Time(s)
   charlie/password from 65.75.186.180: 2 Time(s)
   daniel/password from 65.75.186.180: 2 Time(s)
   david/password from 65.75.186.180: 2 Time(s)
   dog/password from 65.75.186.180: 2 Time(s)
   emily/password from 65.75.186.180: 2 Time(s)
   eric/password from 65.75.186.180: 2 Time(s)
   god/password from 65.75.186.180: 2 Time(s)
   green/password from 65.75.186.180: 2 Time(s)
   guest/password from 210.0.141.89: 2 Time(s)
   guest/password from 218.188.9.202: 2 Time(s)
   henry/password from 65.75.186.180: 2 Time(s)
   jane/password from 65.75.186.180: 2 Time(s)
   jason/password from 65.75.186.180: 2 Time(s)
   jeremy/password from 65.75.186.180: 2 Time(s)
   joe/password from 65.75.186.180: 2 Time(s)
   johnny/password from 65.75.186.180: 2 Time(s)
   jordan/password from 65.75.186.180: 2 Time(s)
   justin/password from 65.75.186.180: 2 Time(s)
   larisa/password from 65.75.186.180: 2 Time(s)
   lion/password from 65.75.186.180: 2 Time(s)
   lp/password from 65.75.186.180: 2 Time(s)
   lucy/password from 65.75.186.180: 2 Time(s)
   magic/password from 65.75.186.180: 2 Time(s)
   mail/password from 65.75.186.180: 2 Time(s)
   maria/password from 65.75.186.180: 2 Time(s)
   market/password from 65.75.186.180: 2 Time(s)
   matthew/password from 65.75.186.180: 2 Time(s)
   max/password from 65.75.186.180: 2 Time(s)
   michael/password from 65.75.186.180: 2 Time(s)
   nathan/password from 65.75.186.180: 2 Time(s)
   nicholas/password from 65.75.186.180: 2 Time(s)
   nicole/password from 65.75.186.180: 2 Time(s)
   operator/password from 65.75.186.180: 2 Time(s)
   pub/password from 65.75.186.180: 2 Time(s)
   red/password from 65.75.186.180: 2 Time(s)
   robin/password from 65.75.186.180: 2 Time(s)
   root/password from 210.0.141.89: 6 Time(s)
   root/password from 218.188.9.202: 6 Time(s)
   rose/password from 65.75.186.180: 2 Time(s)
   shell/password from 65.75.186.180: 2 Time(s)
   stephen/password from 65.75.186.180: 2 Time(s)
   steven/password from 65.75.186.180: 2 Time(s)
   system/password from 65.75.186.180: 2 Time(s)
   test/password from 210.0.141.89: 4 Time(s)
   test/password from 218.188.9.202: 4 Time(s)
   tom/password from 65.75.186.180: 2 Time(s)
   user/password from 210.0.141.89: 2 Time(s)
   user/password from 218.188.9.202: 2 Time(s)
   vampire/password from 65.75.186.180: 2 Time(s)
   william/password from 65.75.186.180: 2 Time(s)
   yellow/password from 65.75.186.180: 2 Time(s)

Illegal users from these:
   andrew/none from 65.75.186.180: 2 Time(s)
   andrew/password from 65.75.186.180: 2 Time(s)
   angel/none from 65.75.186.180: 2 Time(s)
   angel/password from 65.75.186.180: 2 Time(s)
   barbara/none from 65.75.186.180: 2 Time(s)
   barbara/password from 65.75.186.180: 2 Time(s)
   ben/none from 65.75.186.180: 2 Time(s)
   ben/password from 65.75.186.180: 2 Time(s)
   betty/none from 65.75.186.180: 2 Time(s)
   betty/password from 65.75.186.180: 2 Time(s)
   billy/none from 65.75.186.180: 2 Time(s)
   billy/password from 65.75.186.180: 2 Time(s)
   black/none from 65.75.186.180: 2 Time(s)
   black/password from 65.75.186.180: 2 Time(s)
   blue/none from 65.75.186.180: 2 Time(s)
   blue/password from 65.75.186.180: 2 Time(s)
   brandon/none from 65.75.186.180: 2 Time(s)
   brandon/password from 65.75.186.180: 2 Time(s)
   brian/none from 65.75.186.180: 2 Time(s)
   brian/password from 65.75.186.180: 2 Time(s)
   buddy/none from 65.75.186.180: 2 Time(s)
   buddy/password from 65.75.186.180: 2 Time(s)
   carmen/none from 65.75.186.180: 2 Time(s)
   carmen/password from 65.75.186.180: 2 Time(s)
   charlie/none from 65.75.186.180: 2 Time(s)
   charlie/password from 65.75.186.180: 2 Time(s)
   daniel/none from 65.75.186.180: 2 Time(s)
   daniel/password from 65.75.186.180: 2 Time(s)
   david/none from 65.75.186.180: 2 Time(s)
   david/password from 65.75.186.180: 2 Time(s)
   dog/none from 65.75.186.180: 2 Time(s)
   dog/password from 65.75.186.180: 2 Time(s)
   emily/none from 65.75.186.180: 2 Time(s)
   emily/password from 65.75.186.180: 2 Time(s)
   eric/none from 65.75.186.180: 2 Time(s)
   eric/password from 65.75.186.180: 2 Time(s)
   god/none from 65.75.186.180: 2 Time(s)
   god/password from 65.75.186.180: 2 Time(s)
   green/none from 65.75.186.180: 2 Time(s)
   green/password from 65.75.186.180: 2 Time(s)
   guest/none from 210.0.141.89: 2 Time(s)
   guest/none from 218.188.9.202: 2 Time(s)
   guest/password from 210.0.141.89: 2 Time(s)
   guest/password from 218.188.9.202: 2 Time(s)
   henry/none from 65.75.186.180: 2 Time(s)
   henry/password from 65.75.186.180: 2 Time(s)
   jane/none from 65.75.186.180: 2 Time(s)
   jane/password from 65.75.186.180: 2 Time(s)
   jason/none from 65.75.186.180: 2 Time(s)
   jason/password from 65.75.186.180: 2 Time(s)
   jeremy/none from 65.75.186.180: 2 Time(s)
   jeremy/password from 65.75.186.180: 2 Time(s)
   joe/none from 65.75.186.180: 2 Time(s)
   joe/password from 65.75.186.180: 2 Time(s)
   johnny/none from 65.75.186.180: 2 Time(s)
   johnny/password from 65.75.186.180: 2 Time(s)
   jordan/none from 65.75.186.180: 2 Time(s)
   jordan/password from 65.75.186.180: 2 Time(s)
   justin/none from 65.75.186.180: 2 Time(s)
   justin/password from 65.75.186.180: 2 Time(s)
   larisa/none from 65.75.186.180: 2 Time(s)
   larisa/password from 65.75.186.180: 2 Time(s)
   lion/none from 65.75.186.180: 2 Time(s)
   lion/password from 65.75.186.180: 2 Time(s)
   lucy/none from 65.75.186.180: 2 Time(s)
   lucy/password from 65.75.186.180: 2 Time(s)
   magic/none from 65.75.186.180: 2 Time(s)
   magic/password from 65.75.186.180: 2 Time(s)
   maria/none from 65.75.186.180: 2 Time(s)
   maria/password from 65.75.186.180: 2 Time(s)
   market/none from 65.75.186.180: 2 Time(s)
   market/password from 65.75.186.180: 2 Time(s)
   matthew/none from 65.75.186.180: 2 Time(s)
   matthew/password from 65.75.186.180: 2 Time(s)
   max/none from 65.75.186.180: 2 Time(s)
   max/password from 65.75.186.180: 2 Time(s)
   michael/none from 65.75.186.180: 2 Time(s)
   michael/password from 65.75.186.180: 2 Time(s)
   nathan/none from 65.75.186.180: 2 Time(s)
   nathan/password from 65.75.186.180: 2 Time(s)
   nicholas/none from 65.75.186.180: 2 Time(s)
   nicholas/password from 65.75.186.180: 2 Time(s)
   nicole/none from 65.75.186.180: 2 Time(s)
   nicole/password from 65.75.186.180: 2 Time(s)
   pub/none from 65.75.186.180: 2 Time(s)
   pub/password from 65.75.186.180: 2 Time(s)
   red/none from 65.75.186.180: 2 Time(s)
   red/password from 65.75.186.180: 2 Time(s)
   robin/none from 65.75.186.180: 2 Time(s)
   robin/password from 65.75.186.180: 2 Time(s)
   rose/none from 65.75.186.180: 2 Time(s)
   rose/password from 65.75.186.180: 2 Time(s)
   shell/none from 65.75.186.180: 2 Time(s)
   shell/password from 65.75.186.180: 2 Time(s)
   stephen/none from 65.75.186.180: 2 Time(s)
   stephen/password from 65.75.186.180: 2 Time(s)
   steven/none from 65.75.186.180: 2 Time(s)
   steven/password from 65.75.186.180: 2 Time(s)
   system/none from 65.75.186.180: 2 Time(s)
   system/password from 65.75.186.180: 2 Time(s)
   test/none from 210.0.141.89: 4 Time(s)
   test/none from 218.188.9.202: 4 Time(s)
   test/password from 210.0.141.89: 4 Time(s)
   test/password from 218.188.9.202: 4 Time(s)
   tom/none from 65.75.186.180: 2 Time(s)
   tom/password from 65.75.186.180: 2 Time(s)
   user/none from 210.0.141.89: 2 Time(s)
   user/none from 218.188.9.202: 2 Time(s)
   user/password from 210.0.141.89: 2 Time(s)
   user/password from 218.188.9.202: 2 Time(s)
   vampire/none from 65.75.186.180: 2 Time(s)
   vampire/password from 65.75.186.180: 2 Time(s)
   william/none from 65.75.186.180: 2 Time(s)
   william/password from 65.75.186.180: 2 Time(s)
   yellow/none from 65.75.186.180: 2 Time(s)
   yellow/password from 65.75.186.180: 2 Time(s)

Failed logins from these:
   admin/password from 200.225.159.88: 2 Time(s)
   guest/password from 200.225.159.88: 1 Time(s)
   root/password from 200.225.159.88: 3 Time(s)
   test/password from 200.225.159.88: 2 Time(s)
   user/password from 200.225.159.88: 1 Time(s)

Illegal users from these:
   guest/none from 200.225.159.88: 1 Time(s)
   guest/password from 200.225.159.88: 1 Time(s)
   test/none from 200.225.159.88: 2 Time(s)
   test/password from 200.225.159.88: 2 Time(s)
   user/none from 200.225.159.88: 1 Time(s)
   user/password from 200.225.159.88: 1 Time(s)

Failed logins from these:
   admin/password from 211.176.33.46: 4 Time(s)
   guest/password from 211.176.33.46: 2 Time(s)
   oracle/password from 210.103.67.65: 2 Time(s)
   root/password from 211.176.33.46: 6 Time(s)
   slapme/password from 210.103.67.65: 2 Time(s)
   test/password from 211.176.33.46: 4 Time(s)
   user/password from 211.176.33.46: 2 Time(s)
   www/password from 210.103.67.65: 2 Time(s)

Illegal users from these:
   guest/none from 211.176.33.46: 2 Time(s)
   guest/password from 211.176.33.46: 2 Time(s)
   oracle/none from 210.103.67.65: 2 Time(s)
   oracle/password from 210.103.67.65: 2 Time(s)
   slapme/none from 210.103.67.65: 2 Time(s)
   slapme/password from 210.103.67.65: 2 Time(s)
   test/none from 211.176.33.46: 4 Time(s)
   test/password from 211.176.33.46: 4 Time(s)
   user/none from 211.176.33.46: 2 Time(s)
   user/password from 211.176.33.46: 2 Time(s)


Any ideas on what this might be? And is there a way to stop it, and is it something I should be really worried about?
Title: New SSh Worm?
Post by: Normando on March 29, 2005, 04:30:45 AM
I have the same problem!! :evil:
Title: New SSh Worm?
Post by: raem on March 29, 2005, 06:32:02 AM
Smitro

> And is there a way to stop it, and is it something I should be really worried about?

Turn off Public ssh access & use Public/Private keys instead. There is a good HOWTO so search.
Title: New SSh Worm?
Post by: cc_skavenger on March 29, 2005, 06:58:43 AM
I have never been able to get private keys to work on ssh, so I changed the port that sshd listens on; i.e. from 22 to 35107 or something like that.
Title: New SSh Worm?
Post by: raem on March 29, 2005, 08:41:48 AM
cc_skavenger

> I have never been able to get private keys to work on ssh

This explains it quite well. Works fine on 6.0.
http://no.longer.valid/phpwiki/index.php/SSH%20Public-Private%20Keys
Title: New SSh Worm?
Post by: Smitro on March 29, 2005, 10:46:05 AM
Quote from: "RayMitchell"

Turn off Public ssh access & use Public/Private keys instead.


It's funny you say turn off public SSH access, the reason I turned it on was so that remote users could access user-manager pages. If I didn't have that so secure then I wouldn't have the problem.
Title: New SSh Worm?
Post by: raem on March 29, 2005, 06:17:39 PM
Smitro

> It's funny you say turn off public SSH access......
> If I didn't have that so secure then I wouldn't have the problem.

I should have more accurately said:
Turn off ssh access using standard passwords, i.e. use ssh but with Public/Private keys rather than passwords. It's more secure than using passwords and no unauthorised login attempts can occur.

From server manager remote access panel:
Allow administrative command line access over secure shell: No / Yes
Allow secure shell access using standard passwords: No / Yes
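The advice in this thread comes down to one sshd setting: stop accepting passwords and let keys do the authenticating. The checker below is an added example, not from the thread or the SME Server project. It parses two constructed `sshd_config` fragments (real OpenSSH keywords, values chosen here for illustration), the weak one beside the hardened one, and flags what still lets a guessed password through. It also shows the catch that trips people up when hardening by hand: sshd keeps the first value it sees for a keyword, so a `PasswordAuthentication no` appended at the bottom changes nothing. That the server-manager panel's "standard passwords: No" maps onto `PasswordAuthentication no` is an assumption here; the generated config on a real box should be checked the same way.

```python
# Constructed sshd_config fragments. WEAK accepts passwords (the setup the
# thread's logs come from); HARDENED is key-only, as raem recommends.
WEAK_CONFIG = """\
# constructed example: passwords accepted for everyone, root included
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed example: public-key authentication only
# (newer OpenSSH spells the root option prohibit-password)
Port 22
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# A common mistake: appending the fix under the old line. First value wins.
APPENDED_CONFIG = WEAK_CONFIG + "PasswordAuthentication no\n"


def parse_sshd_config(text):
    """Return {keyword_lowercase: value_lowercase} with sshd's semantics:
    keywords are case-insensitive, whole-line comments only, and the FIRST
    occurrence of a keyword is the one that takes effect. Directives inside
    Match blocks are conditional, so parsing stops at the first Match line
    (a simplification of this example)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(settings):
    """List the settings that still allow password-based access."""
    findings = []
    # Default is yes, so a missing line is as open as an explicit yes.
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing remains possible")
    # Keyboard-interactive (PAM) can still prompt for a password even when
    # PasswordAuthentication is off; the keyword has two spellings by version.
    kbd = settings.get("kbdinteractiveauthentication",
                       settings.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("ChallengeResponseAuthentication/KbdInteractiveAuthentication is not 'no'")
    # Older OpenSSH defaulted PermitRootLogin to yes, so state it explicitly.
    if settings.get("permitrootlogin", "yes") == "yes":
        findings.append("PermitRootLogin yes: root can be guessed directly")
    if settings.get("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication no: keys cannot replace passwords")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("appended", APPENDED_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(parse_sshd_config(cfg)) or ['ok']}")
```

On cc_skavenger's workaround: moving sshd off port 22 cuts the noise from scanners that only try the default port, but a guess that does reach the new port still gets a password prompt. With `PasswordAuthentication no` the prompt is gone, so the "Failed logins" lists stop mattering whichever port is in use.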