Hack-a-Library Month

Well, it must be Hack-a-Library month, because I was watching in real time last night while someone set their (rather feeble) botnet to work trying to brute-force their way into all of our externally exposed SSH NATs.

It’s amusing to watch something try to brute-force its way into a box that only accepts key auth. This is what it looked like on our firewall:

Nov 16 23:11:00 sauron sshd[19323]: Illegal user sonny from 202.106.41.3
Nov 16 23:11:01 sauron sshd[19327]: Illegal user ronald from 202.106.41.3
Nov 16 23:11:01 sauron sshd[19325]: Illegal user hal from 203.197.97.165
Nov 16 23:11:01 sauron sshd[19326]: Illegal user isabelle from 203.197.97.165
Nov 16 23:11:02 sauron sshd[19331]: Illegal user sonny from 202.106.41.3
Nov 16 23:11:03 sauron sshd[19333]: Illegal user dujoey from 202.106.41.3
Nov 16 23:11:04 sauron sshd[19334]: Illegal user hal from 203.197.97.165
Nov 16 23:11:04 sauron sshd[19336]: Illegal user honey from 203.197.97.165
Nov 16 23:11:04 sauron sshd[19339]: Illegal user sonny from 202.106.41.3
Nov 16 23:11:06 sauron sshd[19341]: Illegal user dujoey from 202.106.41.3
Nov 16 23:11:06 sauron sshd[19343]: Illegal user hal from 203.197.97.165
Nov 16 23:11:07 sauron sshd[19344]: Illegal user honey from 203.197.97.165
Nov 16 23:11:07 sauron sshd[19346]: Illegal user joanna from 202.106.41.3
Nov 16 23:11:08 sauron sshd[19349]: Illegal user dujoey from 202.106.41.3
Nov 16 23:11:09 sauron sshd[19352]: Illegal user joanna from 202.106.41.3
Nov 16 23:11:09 sauron sshd[19351]: Illegal user hacker from 203.197.97.165
Nov 16 23:11:09 sauron sshd[19353]: Illegal user honey from 203.197.97.165
Nov 16 23:11:10 sauron sshd[19357]: Illegal user paul from 202.106.41.3
Nov 16 23:11:11 sauron sshd[19359]: Illegal user joanna from 202.106.41.3
Nov 16 23:11:12 sauron sshd[19361]: Illegal user hacker from 203.197.97.165
Nov 16 23:11:12 sauron sshd[19362]: Illegal user herbert from 203.197.97.165
Nov 16 23:11:13 sauron sshd[19365]: Illegal user paul from 202.106.41.3
Nov 16 23:11:14 sauron sshd[19367]: Illegal user jking from 202.106.41.3
Nov 16 23:11:15 sauron sshd[19369]: Illegal user hacker from 203.197.97.165
Nov 16 23:11:15 sauron sshd[19370]: Illegal user herbert from 203.197.97.165
Nov 16 23:11:15 sauron sshd[19373]: Illegal user paul from 202.106.41.3

and so on, and so on…

Simultaneously, our mail server was making friends:

Nov 16 23:11:02 opus sshd[12682]: Illegal user peaches from 202.106.41.3
Nov 16 23:11:02 opus sshd[12682]: error: Could not get shadow information for NOUSER
Nov 16 23:11:02 opus sshd[12682]: Failed password for illegal user peaches from 202.106.41.3 port 37726 ssh2
Nov 16 23:11:04 opus sshd[12684]: Illegal user merlin from 202.106.41.3
Nov 16 23:11:04 opus sshd[12684]: error: Could not get shadow information for NOUSER
Nov 16 23:11:04 opus sshd[12684]: Failed password for illegal user merlin from 202.106.41.3 port 37770 ssh2
Nov 16 23:11:07 opus sshd[12686]: Illegal user merlin from 202.106.41.3
Nov 16 23:11:07 opus sshd[12686]: error: Could not get shadow information for NOUSER
Nov 16 23:11:07 opus sshd[12686]: Failed password for illegal user merlin from 202.106.41.3 port 37816 ssh2
Nov 16 23:11:09 opus sshd[12688]: Illegal user merlin from 202.106.41.3
Nov 16 23:11:09 opus sshd[12688]: error: Could not get shadow information for NOUSER
Nov 16 23:11:09 opus sshd[12688]: Failed password for illegal user merlin from 202.106.41.3 port 37863 ssh2
Nov 16 23:11:11 opus sshd[12690]: Illegal user kayla from 202.106.41.3
Nov 16 23:11:11 opus sshd[12690]: error: Could not get shadow information for NOUSER
Nov 16 23:11:11 opus sshd[12690]: Failed password for illegal user kayla from 202.106.41.3 port 37907 ssh2
Nov 16 23:11:14 opus sshd[12692]: Illegal user kayla from 202.106.41.3
Nov 16 23:11:14 opus sshd[12692]: error: Could not get shadow information for NOUSER
Nov 16 23:11:14 opus sshd[12692]: Failed password for illegal user kayla from 202.106.41.3 port 37954 ssh2
Nov 16 23:11:16 opus sshd[12694]: Illegal user kayla from 202.106.41.3
Nov 16 23:11:16 opus sshd[12694]: error: Could not get shadow information for NOUSER
Nov 16 23:11:16 opus sshd[12694]: Failed password for illegal user kayla from 202.106.41.3 port 38002 ssh2
Nov 16 23:11:18 opus sshd[12696]: Illegal user russ from 202.106.41.3
Nov 16 23:11:18 opus sshd[12696]: error: Could not get shadow information for NOUSER
Nov 16 23:11:18 opus sshd[12696]: Failed password for illegal user russ from 202.106.41.3 port 38047 ssh2
Nov 16 23:11:21 opus sshd[12698]: Illegal user russ from 202.106.41.3
Nov 16 23:11:21 opus sshd[12698]: error: Could not get shadow information for NOUSER
Nov 16 23:11:21 opus sshd[12698]: Failed password for illegal user russ from 202.106.41.3 port 38093 ssh2
Nov 16 23:11:23 opus sshd[12701]: Illegal user russ from 202.106.41.3

That’s what it was like on every server with an SSH NAT. The attack lasted about two hours before the attacker got discouraged and gave up. Luckily it was only two bots. A significant attack could’ve amounted to a DDoS. As it is, those connections hang around long enough that I had to adjust the TTLs on the firewall just in case the attack was ramped up overnight.
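The detection a practitioner would run over lines like the ones above, as an added example that is not part of the original post and not code from sshdfilter or any other tool: it parses both sshd message shapes shown (the bare "Illegal user" lines from the firewall and the "Failed password for illegal user" lines from the mail server), collapses the two lines a single sshd child writes for one attempt, sorts interleaved lines from several hosts by time, and flags a source address once it has made a threshold number of attempts inside a sliding window. The sample log, the hostnames and addresses in it (RFC 5737 documentation ranges), the fixed year used for timestamp parsing, and the threshold, window and dedupe values are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input modelled on the post's syslog-style sshd lines: two
# hosts' logs merged, RFC 5737 documentation addresses, not a real capture.
SAMPLE_LOG = """\
Nov 16 23:11:00 sauron sshd[19323]: Illegal user sonny from 198.51.100.7
Nov 16 23:11:01 sauron sshd[19327]: Illegal user ronald from 198.51.100.7
Nov 16 23:11:01 sauron sshd[19325]: Illegal user hal from 203.0.113.9
Nov 16 23:11:02 sauron sshd[19331]: Illegal user sonny from 198.51.100.7
Nov 16 23:11:03 sauron sshd[19333]: Illegal user dujoey from 198.51.100.7
Nov 16 23:11:04 sauron sshd[19334]: Illegal user hal from 203.0.113.9
Nov 16 23:11:04 sauron sshd[19339]: Illegal user sonny from 198.51.100.7
Nov 16 23:11:02 opus sshd[12682]: Illegal user peaches from 198.51.100.7
Nov 16 23:11:02 opus sshd[12682]: error: Could not get shadow information for NOUSER
Nov 16 23:11:02 opus sshd[12682]: Failed password for illegal user peaches from 198.51.100.7 port 37726 ssh2
Nov 16 23:11:04 opus sshd[12684]: Illegal user merlin from 198.51.100.7
Nov 16 23:11:04 opus sshd[12684]: error: Could not get shadow information for NOUSER
Nov 16 23:11:04 opus sshd[12684]: Failed password for illegal user merlin from 198.51.100.7 port 37770 ssh2
Nov 17 09:30:12 opus sshd[13001]: Failed password for illegal user admin from 192.0.2.44 port 40001 ssh2
"""

# Syslog envelope, then the two sshd message shapes seen in the post. The
# "Could not get shadow information" line carries no source address and is ignored.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ILLEGAL_RE = re.compile(r"^Illegal user (?P<user>\S+) from (?P<ip>[\d.]+)$")
FAILED_RE = re.compile(
    r"^Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Assumption: syslog timestamps carry no year. A leap year is used so that a
# "Feb 29" line still parses; only relative ordering matters below.
ASSUMED_YEAR = 2004


def parse_line(line):
    """Return (ts, host, pid, user, ip) for a failed-login line, else None."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    hit = ILLEGAL_RE.match(m.group("msg")) or FAILED_RE.match(m.group("msg"))
    if not hit:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), int(m.group("pid")), hit.group("user"), hit.group("ip")


def find_bruteforcers(lines, threshold=5, window=timedelta(seconds=60),
                      dedupe=timedelta(seconds=10)):
    """Flag source IPs that make >= threshold attempts inside a sliding window.

    Lines from several hosts may arrive interleaved, so events are sorted by time
    first. One sshd child (host, pid) writes both an "Illegal user" and a
    "Failed password" line for the same attempt, so a second line from the same
    (host, pid) within `dedupe` is treated as the same attempt, not a new one.
    Returns {ip: {"first": ts, "triggered": ts, "attempts": n, "users": [...]}}.
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e[0])            # stable: keeps file order on ties

    last_by_child = {}                         # (host, pid) -> ts of last counted attempt
    recent = defaultdict(deque)                # ip -> timestamps inside the window
    users = defaultdict(set)
    first_seen, attempts, flagged = {}, defaultdict(int), {}

    for ts, host, pid, user, ip in events:
        child = (host, pid)
        if child in last_by_child and ts - last_by_child[child] <= dedupe:
            continue
        last_by_child[child] = ts

        attempts[ip] += 1
        users[ip].add(user)
        first_seen.setdefault(ip, ts)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:              # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"first": first_seen[ip], "triggered": ts}

    for ip, info in flagged.items():
        info["attempts"] = attempts[ip]
        info["users"] = sorted(users[ip])
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} attempts, tripped at {info['triggered']:%H:%M:%S}, "
              f"usernames tried: {', '.join(info['users'])}")
```

With a threshold of 5 and a 60 second window the sample trips on the fifth distinct attempt from 198.51.100.7 (at 23:11:03), while the two attempts from the second address and the lone attempt from a third stay below the line; the dedupe step is what stops the mail server's two-lines-per-attempt logging from doubling the count. Whatever consumes the flagged list, a firewall rule or a page to whoever is on call, should key on the source address, not on the usernames, which are just a dictionary walk.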

This is very odd. I don’t see this kind of outright aggression very often. I wonder if my blog post had anything to do with it. Bear in mind that TLN’s hack job was against a Unix flavor too.

At any rate, it’s obvious that this is a script kiddie in charge of two bots. These two machines filling our logs are probably desktop machines, one of which is in China, the other in India. I guess China’s censorship firewall is only intended to discourage free thinking, not malicious behavior.

Anyway, be vigilant. Check your logs.


4 Comments so far

I see this on my personal servers all the time. My friends do too. Pretty much anything with SSH gets hit by bots, not just libraries. I get hit probably every couple of days. Some of my friends get hit almost constantly.

If you run Linux (you should), then you may like the sshdfilter script, or the second page, which shows how to throttle invalid attempts using iptables, etc. I’ve found that it helps cut down on traffic, logs and attempts.

http://www.csc.liv.ac.uk/~greg/sshdfilter/
http://la-samhna.de/library/brutessh.html

I’ve seen it too, what caught my attention was the coordinated nature of the attack, and the simultaneous start/stop times of each.

I can only see an increase in the future. Libraries often have useful data on patrons, some even Social Security numbers from what I’ve read. Compared to other services that have such information, libraries are probably an easy target. One more reason to be careful what you store and where. An unfortunate example:

http://techbase.msu.edu/viewpathfinder.asp?id=3142&service=help

At my library, there is no internet. The computers are old Compaq Deskpros locked on their website. You can’t minimize or bring the toolbars up. How do I bypass this?
