Bot army trying to sneak under the radar
Kevin McMurtrie  
Newsgroups: news.admin.net-abuse.email
From: Kevin McMurtrie <mcmur...@dslextreme.com>
Date: Sun, 11 May 2008 01:21:14 -0700
Local: Sun, May 11 2008 10:21 am
Subject: Bot army trying to sneak under the radar
I have heaps of log entries that look like below.  Each IP address tries
only 1 to 4 times.  It looks like a new bot army is trying to crack
servers without triggering detection.  It's not the usual attack where
one server tries hundreds of times on a small set of addresses.

If you have any intrusion detection systems expecting a single IP
address, they won't work anymore.

secure.log.4:May  7 02:34:36 pixelmemory sshd[30928]: error: PAM:
Authentication failure for root from 200.114.248.28
secure.log.4:May  7 02:36:02 pixelmemory sshd[30934]: error: PAM:
Authentication failure for root from 84.55.87.8
secure.log.4:May  7 02:39:18 pixelmemory sshd[30960]: error: PAM:
Authentication failure for root from 91.121.64.28
secure.log.4:May  7 02:40:51 pixelmemory sshd[30971]: error: PAM:
Authentication failure for root from 87.25.22.155
secure.log.4:May  7 02:41:49 pixelmemory sshd[30976]: error: PAM:
Authentication failure for root from 202.79.202.165
secure.log.4:May  7 02:43:23 pixelmemory sshd[30981]: error: PAM:
Authentication failure for root from 85.207.3.28
secure.log.4:May  7 02:45:49 pixelmemory sshd[30998]: error: PAM:
Authentication failure for root from 68.112.226.71
secure.log.4:May  7 02:47:02 pixelmemory sshd[31013]: error: PAM:
Authentication failure for root from 209.254.234.18
secure.log.4:May  7 02:48:12 pixelmemory sshd[31018]: error: PAM:
Authentication failure for root from 85.92.138.60
secure.log.4:May  7 02:50:42 pixelmemory sshd[31023]: error: PAM:
Authentication failure for root from 147.102.206.3
secure.log.4:May  7 02:52:16 pixelmemory sshd[31028]: error: PAM:
Authentication failure for root from 81.211.39.217
secure.log.4:May  7 02:53:13 pixelmemory sshd[31033]: error: PAM:
Authentication failure for root from 83.208.25.65
secure.log.4:May  7 02:54:49 pixelmemory sshd[31038]: error: PAM:
Authentication failure for root from 202.71.216.126
secure.log.4:May  7 02:56:17 pixelmemory sshd[31043]: error: PAM:
Authentication failure for root from 213.166.248.5
secure.log.4:May  7 02:58:49 pixelmemory sshd[31072]: error: PAM:
Authentication failure for root from 87.194.32.209
secure.log.4:May  7 02:59:45 pixelmemory sshd[31077]: error: PAM:
Authentication failure for root from 161.184.174.76
secure.log.4:May  7 03:01:32 pixelmemory sshd[31083]: error: PAM:
Authentication failure for root from 81.169.156.95
secure.log.4:May  7 03:02:23 pixelmemory sshd[31088]: error: PAM:
Authentication failure for root from 81.115.35.60
secure.log.4:May  7 03:03:56 pixelmemory sshd[31093]: error: PAM:
Authentication failure for root from 80.161.109.35
secure.log.4:May  7 03:05:28 pixelmemory sshd[31098]: error: PAM:
Authentication failure for root from 82.131.7.254
secure.log.4:May  7 03:07:50 pixelmemory sshd[31103]: error: PAM:
Authentication failure for root from 194.97.156.23
secure.log.4:May  7 03:08:53 pixelmemory sshd[31122]: error: PAM:
Authentication failure for root from 200.172.166.2
secure.log.4:May  7 03:11:45 pixelmemory sshd[31137]: error: PAM:
Authentication failure for root from 210.171.168.65
secure.log.4:May  7 03:13:07 pixelmemory sshd[31142]: error: PAM:
Authentication failure for root from 81.183.215.188
secure.log.4:May  7 03:15:40 pixelmemory sshd[31210]: error: PAM:
Authentication failure for root from 84.114.15.179
secure.log.4:May  7 03:17:16 pixelmemory sshd[31215]: error: PAM:
Authentication failure for root from 193.219.160.61
secure.log.4:May  7 03:19:55 pixelmemory sshd[31220]: error: PAM:
Authentication failure for root from 69.60.118.191

--
Block Google's spam and enjoy Usenet again.
Reply with Google and I won't hear from you.
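
Added example, not part of the original post: a Python sketch of the detection gap described above, comparing a per-source failure counter with a rule that counts distinct sources per targeted account in a sliding window. The sample log is constructed (documentation-range addresses), and the function names, thresholds and window size are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the log lines in the post; addresses are
# from documentation ranges (RFC 5737), not from the original log.
SAMPLE = """\
May  7 02:34:36 host sshd[30928]: error: PAM: Authentication failure for root from 192.0.2.10
May  7 02:36:02 host sshd[30934]: error: PAM: Authentication failure for root from 198.51.100.7
May  7 02:39:18 host sshd[30960]: error: PAM: Authentication failure for root from 203.0.113.5
May  7 02:40:51 host sshd[30971]: error: PAM: Authentication failure for root from 192.0.2.77
May  7 02:41:49 host sshd[30976]: error: PAM: Authentication failure for root from 198.51.100.200
May  7 02:43:23 host sshd[30981]: error: PAM: Authentication failure for root from 192.0.2.10
May  7 09:15:00 host sshd[31500]: error: PAM: Authentication failure for alice from 203.0.113.99
"""
# Optional "file:" prefix covers grep output such as "secure.log.4:May  7 ...".
LINE = re.compile(r"^(?:\S+:)?(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: error: PAM: "
                  r"Authentication failure for (\S+) from (\S+)$")

def parse(text, year=2008):
    """Return sorted (timestamp, user, source) tuples; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            stamp = f"{year} {' '.join(m.group(1).split())}"
            ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def per_ip_alerts(events, threshold=5):
    """Classic rule: flag a source once it reaches `threshold` failures."""
    counts = Counter(ip for _, _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_alerts(events, window=timedelta(minutes=30), min_sources=4):
    """Flag an account when failures come from many distinct sources inside
    a sliding window, however few attempts each source makes."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    alerts = {}
    for user, hits in by_user.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            sources = {ip for _, ip in hits[start:end + 1]}
            if len(sources) >= min_sources:
                alerts[user] = max(alerts.get(user, 0), len(sources))
    return alerts
```

On the sample, the per-source rule flags nothing while the per-account rule reports root with five distinct sources.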


Paulo Costa  
Newsgroups: news.admin.net-abuse.email
From: "Paulo Costa" <pamgcosta@nospam_gmail.com>
Date: Tue, 20 May 2008 17:08:09 +0100
Local: Tues, May 20 2008 6:08 pm
Subject: Re: Bot army trying to sneak under the radar

"Kevin McMurtrie" <mcmur...@dslextreme.com> wrote in message
news:mcmurtri-26FADE.01211411052008@softbank060082049208.bbtec.net...

>I have heaps of log entries that look like below.  Each IP address tries
> only 1 to 4 times.  It looks like a new bot army is trying to crack
> servers without triggering detection.  It's not the usual attack where
> one server tries hundreds of times on a small set of addresses.

<snip>

> If you have any intrusion detection systems expecting a single IP
> address, they won't work anymore.

> secure.log.4:May  7 02:34:36 pixelmemory sshd[30928]: error: PAM:
> Authentication failure for root from 200.114.248.28
> secure.log.4:May  7 02:36:02 pixelmemory sshd[30934]: error: PAM:
> secure.log.4:May  7 03:19:55 pixelmemory sshd[31220]: error: PAM:
> Authentication failure for root from 69.60.118.191

> --
> Block Google's spam and enjoy Usenet again.
> Reply with Google and I won't hear from you.

Now would be a good time to change "PermitRootLogin" to "no" in your
sshd_config, if you haven't done so...

Cheers!

--
I don't have a sig...


Lemat  
Newsgroups: news.admin.net-abuse.email
From: Lemat <lemat_hates_s...@lemat.priv.pl>
Date: Tue, 20 May 2008 18:58:00 +0200
Subject: Re: Bot army trying to sneak under the radar

Paulo Costa wrote:
>> If you have any intrusion detection systems expecting a single IP
>> address, they won't work anymore.

>> secure.log.4:May  7 02:34:36 pixelmemory sshd[30928]: error: PAM:
>> Authentication failure for root from 200.114.248.28
>> secure.log.4:May  7 02:36:02 pixelmemory sshd[30934]: error: PAM:
>> secure.log.4:May  7 03:19:55 pixelmemory sshd[31220]: error: PAM:
>> Authentication failure for root from 69.60.118.191

> Now would be a good time to change "PermitRootLogin" to "no" in your
> sshd_config, if you haven't done so...

It would be the time to change the ssh service port to something different
and/or permit incoming connections from known IPs only.
Use MaxAuthTries 2 in combination with ipt_recent to prevent quick
password/port scanning.
And maybe put a honeypot on port 22 instead.
--
Regards
Lemat
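
Added example, not part of the thread: a Python check of an sshd_config against the settings suggested in the two replies above (PermitRootLogin no, MaxAuthTries 2, a port other than 22). The sample configs and port 2222 are constructed, the defaults are assumed to be those of current OpenSSH, and Include files and Match blocks are not evaluated.

```python
# sshd uses the first value obtained for each keyword, so a later
# "PermitRootLogin no" does not override an earlier "PermitRootLogin yes".
# Keywords are case-insensitive. Defaults assumed: current OpenSSH.
DEFAULTS = {"permitrootlogin": "prohibit-password", "maxauthtries": "6"}

WEAK = "PermitRootLogin yes\nPermitRootLogin no\nMaxAuthTries 6\n"   # constructed
HARDENED = "Port 2222\npermitrootlogin no\nMaxAuthTries 2\n"         # constructed

def effective(config_text):
    """Return the global settings of interest from sshd_config text."""
    seen, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # everything after Match is conditional, not global
        if key == "port":
            ports.append(value)  # Port may be repeated; sshd listens on all
        else:
            seen.setdefault(key, value)  # first occurrence wins
    settings = {k: seen.get(k, default) for k, default in DEFAULTS.items()}
    settings["ports"] = ports or ["22"]
    return settings

def audit(config_text):
    """List deviations from the settings recommended in the thread."""
    s = effective(config_text)
    findings = []
    if s["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin is '{s['permitrootlogin']}', not 'no'")
    if int(s["maxauthtries"]) > 2:
        findings.append(f"MaxAuthTries is {s['maxauthtries']}, above 2")
    if "22" in s["ports"]:
        findings.append("sshd listens on the default port 22")
    return findings
```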

Paulo Costa  
Newsgroups: news.admin.net-abuse.email
From: "Paulo Costa" <pamgcosta@nospam_gmail.com>
Date: Wed, 21 May 2008 09:22:52 +0100
Local: Wed, May 21 2008 10:22 am
Subject: Re: Bot army trying to sneak under the radar

"Lemat" <lemat_hates_s...@lemat.priv.pl> wrote in message
news:g0v0bd$181$1@nemesis.news.neostrada.pl...

> It would be the time to change the ssh service port to something different
> and/or permit incoming connections from known IPs only.
> Use MaxAuthTries 2 in combination with ipt_recent to prevent quick
> password/port scanning.
> And maybe put a honeypot on port 22 instead.
> --
> Regards
> Lemat

Now, that's what I call rigged up!... :)
Thanks for the tips!

Cheers!

--
I don't have a sig...

