Hack-a-Library Month

Well, it must be Hack-a-Library month because I was watching in real-time last night while someone set their (rather feeble) botnet to work trying to brute-force their way into all of our externally-exposed SSH NATs.

It’s amusing to watch something try to brute force its way into a box that only accepts key-auth. This is what it looked like on our firewall:

Nov 16 23:11:00 sauron sshd[19323]: Illegal user sonny from 202.106.41.3
Nov 16 23:11:01 sauron sshd[19327]: Illegal user ronald from 202.106.41.3
Nov 16 23:11:01 sauron sshd[19325]: Illegal user hal from 203.197.97.165
Nov 16 23:11:01 sauron sshd[19326]: Illegal user isabelle from 203.197.97.165
Nov 16 23:11:02 sauron sshd[19331]: Illegal user sonny from 202.106.41.3
Nov 16 23:11:03 sauron sshd[19333]: Illegal user dujoey from 202.106.41.3
Nov 16 23:11:04 sauron sshd[19334]: Illegal user hal from 203.197.97.165
Nov 16 23:11:04 sauron sshd[19336]: Illegal user honey from 203.197.97.165
Nov 16 23:11:04 sauron sshd[19339]: Illegal user sonny from 202.106.41.3
Nov 16 23:11:06 sauron sshd[19341]: Illegal user dujoey from 202.106.41.3
Nov 16 23:11:06 sauron sshd[19343]: Illegal user hal from 203.197.97.165
Nov 16 23:11:07 sauron sshd[19344]: Illegal user honey from 203.197.97.165
Nov 16 23:11:07 sauron sshd[19346]: Illegal user joanna from 202.106.41.3
Nov 16 23:11:08 sauron sshd[19349]: Illegal user dujoey from 202.106.41.3
Nov 16 23:11:09 sauron sshd[19352]: Illegal user joanna from 202.106.41.3
Nov 16 23:11:09 sauron sshd[19351]: Illegal user hacker from 203.197.97.165
Nov 16 23:11:09 sauron sshd[19353]: Illegal user honey from 203.197.97.165
Nov 16 23:11:10 sauron sshd[19357]: Illegal user paul from 202.106.41.3
Nov 16 23:11:11 sauron sshd[19359]: Illegal user joanna from 202.106.41.3
Nov 16 23:11:12 sauron sshd[19361]: Illegal user hacker from 203.197.97.165
Nov 16 23:11:12 sauron sshd[19362]: Illegal user herbert from 203.197.97.165
Nov 16 23:11:13 sauron sshd[19365]: Illegal user paul from 202.106.41.3
Nov 16 23:11:14 sauron sshd[19367]: Illegal user jking from 202.106.41.3
Nov 16 23:11:15 sauron sshd[19369]: Illegal user hacker from 203.197.97.165
Nov 16 23:11:15 sauron sshd[19370]: Illegal user herbert from 203.197.97.165
Nov 16 23:11:15 sauron sshd[19373]: Illegal user paul from 202.106.41.3

and so on, and so on…

Simultaneously, our mail server was making friends:

Nov 16 23:11:02 opus sshd[12682]: Illegal user peaches from 202.106.41.3
Nov 16 23:11:02 opus sshd[12682]: error: Could not get shadow information for NOUSER
Nov 16 23:11:02 opus sshd[12682]: Failed password for illegal user peaches from 202.106.41.3 port 37726 ssh2
Nov 16 23:11:04 opus sshd[12684]: Illegal user merlin from 202.106.41.3
Nov 16 23:11:04 opus sshd[12684]: error: Could not get shadow information for NOUSER
Nov 16 23:11:04 opus sshd[12684]: Failed password for illegal user merlin from 202.106.41.3 port 37770 ssh2
Nov 16 23:11:07 opus sshd[12686]: Illegal user merlin from 202.106.41.3
Nov 16 23:11:07 opus sshd[12686]: error: Could not get shadow information for NOUSER
Nov 16 23:11:07 opus sshd[12686]: Failed password for illegal user merlin from 202.106.41.3 port 37816 ssh2
Nov 16 23:11:09 opus sshd[12688]: Illegal user merlin from 202.106.41.3
Nov 16 23:11:09 opus sshd[12688]: error: Could not get shadow information for NOUSER
Nov 16 23:11:09 opus sshd[12688]: Failed password for illegal user merlin from 202.106.41.3 port 37863 ssh2
Nov 16 23:11:11 opus sshd[12690]: Illegal user kayla from 202.106.41.3
Nov 16 23:11:11 opus sshd[12690]: error: Could not get shadow information for NOUSER
Nov 16 23:11:11 opus sshd[12690]: Failed password for illegal user kayla from 202.106.41.3 port 37907 ssh2
Nov 16 23:11:14 opus sshd[12692]: Illegal user kayla from 202.106.41.3
Nov 16 23:11:14 opus sshd[12692]: error: Could not get shadow information for NOUSER
Nov 16 23:11:14 opus sshd[12692]: Failed password for illegal user kayla from 202.106.41.3 port 37954 ssh2
Nov 16 23:11:16 opus sshd[12694]: Illegal user kayla from 202.106.41.3
Nov 16 23:11:16 opus sshd[12694]: error: Could not get shadow information for NOUSER
Nov 16 23:11:16 opus sshd[12694]: Failed password for illegal user kayla from 202.106.41.3 port 38002 ssh2
Nov 16 23:11:18 opus sshd[12696]: Illegal user russ from 202.106.41.3
Nov 16 23:11:18 opus sshd[12696]: error: Could not get shadow information for NOUSER
Nov 16 23:11:18 opus sshd[12696]: Failed password for illegal user russ from 202.106.41.3 port 38047 ssh2
Nov 16 23:11:21 opus sshd[12698]: Illegal user russ from 202.106.41.3
Nov 16 23:11:21 opus sshd[12698]: error: Could not get shadow information for NOUSER
Nov 16 23:11:21 opus sshd[12698]: Failed password for illegal user russ from 202.106.41.3 port 38093 ssh2
Nov 16 23:11:23 opus sshd[12701]: Illegal user russ from 202.106.41.3

That’s what it was like on every server with an SSH NAT. The attack lasted about two hours before the attacker got discouraged and gave up. Luckily it was only two bots. A significant attack could’ve amounted to a DDoS. As it is, those connections hang around long enough that I had to adjust the TTLs on the firewall just in case the attack was ramped up overnight.

This is very odd. I don’t see this kind of outright aggression very often. I wonder if my blog post had anything to do with it. Bear in mind that TLN’s hack job was against a Unix flavor too.

At any rate, it’s obvious that this is a script kiddie in charge of two bots. These two machines filling our logs are probably desktop machines, one of which is in China, the other in India. I guess China’s censorship firewall is only intended to discourage free thinking, not malicious behavior.

Anyway, be vigilant. Check your logs.
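As an added example (not from the original post), here is a small Python script that applies "check your logs" to exactly this sshd format: it parses the "Illegal user" and "Failed password for illegal user" lines shown above, groups attempts by source address, and flags any source that makes three or more attempts within a minute. The sample lines are a subset of the excerpts above; the threshold and window are assumed values, and the "Invalid user" spelling is included because newer OpenSSH releases log that instead of "Illegal user".

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the two attempt lines seen above; "Invalid" covers newer OpenSSH wording.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:(?:Illegal|Invalid) user|Failed password for (?:illegal|invalid) user) "
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: a subset of the firewall and mail server excerpts above.
SAMPLE_LOG = """\
Nov 16 23:11:00 sauron sshd[19323]: Illegal user sonny from 202.106.41.3
Nov 16 23:11:01 sauron sshd[19327]: Illegal user ronald from 202.106.41.3
Nov 16 23:11:01 sauron sshd[19325]: Illegal user hal from 203.197.97.165
Nov 16 23:11:01 sauron sshd[19326]: Illegal user isabelle from 203.197.97.165
Nov 16 23:11:02 sauron sshd[19331]: Illegal user sonny from 202.106.41.3
Nov 16 23:11:02 opus sshd[12682]: error: Could not get shadow information for NOUSER
Nov 16 23:11:02 opus sshd[12682]: Failed password for illegal user peaches from 202.106.41.3 port 37726 ssh2
Nov 16 23:11:03 sauron sshd[19333]: Illegal user dujoey from 202.106.41.3
Nov 16 23:11:04 sauron sshd[19334]: Illegal user hal from 203.197.97.165
"""

def parse(lines):
    """Yield (timestamp, host, user, ip) for each attempt line; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog omits the year
            yield ts, m["host"], m["user"], m["ip"]

def flag_sources(lines, threshold=3, window_s=60):
    """Return {ip: (total attempts, distinct usernames)} for every source
    that made at least `threshold` attempts inside any `window_s` span."""
    by_ip = defaultdict(list)
    for ts, _host, user, ip in parse(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # lines from several hosts may interleave out of order
        times = [t for t, _ in events]
        for i, start in enumerate(times):  # sliding window over sorted times
            j = i
            while j < len(times) and (times[j] - start).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                flagged[ip] = (len(events), len({u for _, u in events}))
                break
    return flagged
```

Run it over `/var/log/auth.log` (or wherever sshd logs on your box) and the output is a short list of sources worth blocking at the firewall, rather than pages of noise.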
