Sunday, October 4, 2009

A Third Time, Uncharmed

Spamwashers hijacked, a wake-up call for lazy sysadmins everywhere. The slow bruteforcers are back for another round.

A new round of slow, distributed bruteforce attacks is in progress. Just like the other times we know about (see references later), the initial target is root. This time around I see only one of my ssh-contactable machines targeted, and the dribble started on September 30th.

I've put the raw data so far up for study here (a total of 6067 attempts), and a list of hosts sorted by number of attempts (the first column) can be found here (770 hosts, with up to 32 attempts each). Quite likely I'll be collecting more data and publishing updates when I have a few free moments.

A number of people were kind enough to contact me in the followup of the earlier articles, and from one of my correspendents (who asked not to be named) I learned that the likely culprit is a piece of Linux malware known as dt_ssh5. If you type dt_ssh5 into your favorite search engine, it will turn up a few hits, but significantly fewer than the number of hosts in my sample. A couple of those documents have some analysis of how a badly secured web application let the miscreants in.

We should not be surprised that whoever is behind this has more than one takeover method in their arsenal. Unfortunately it should not surprise anybody either that we're now seeing a third round of those attacks. Most likely the perpetrators keep going because they occasionally succeed, and when they do, it's because every now and then they luck on a Linux machine with either

  • a maintenance regime that's disorganized enough that software with known and exploitable bugs is left in place for long enough to open the doors to undesirables, or

  • at least one user (whoever is manning root or any of the other user IDs we know they will be sniffing out later) with a guessable password and a system administration regime that lets weak passwords exist in the first place.

You see where this is heading? Over the last few years we have seen Linux and other free systems take over ever more niches and even mission critical application areas in businesses and organizations all over the world. I for one think this move to free systems with source code accessible is a good thing.

But there is a downside: In our efforts to entice the suits into the wonderful new world of free software, we likely oversold the security part.

Yes, bugs are easier to find and fix when the source code is available, yes, the Unix security model or some variant thereof is vastly preferable to that disorienting hellhole system marketed from somewhere up Seattle way, and yes, there are a few hundred more good and valid reasons (technical and otherwise) why basing your business on free license software is generally a good idea. Security-wise you have a better starting point, and with a little effort you will gain control and stay in control. But it does take some degree of effort by one or more qualified persons who are willing and able to take charge and make sensible decisions.

Looking at the data earlier I can see that one of the hosts now trying to gain illegitimate access to one of my systems was originally set up as a "spam washer" (grep for spamvask in the data). Setting up a Linux box to filter spam is likely a good idea in many contexts, but please keep this in mind: The fact that your rig runs Linux does not mean you're home free. You need to keep paying attention. When your spam washer has been hijacked and tries to break into other people's systems, you urgently need to get your act together, right now.

We do not have self-propagating worms on Linux just yet (and in all fairness the likelihood of that ever happening is rather slim), but we certainly do not have a system that will stay secure if you ignore the basics of useful system administration. This recurring episode of dt_ssh5 and the slow bruteforcers should serve as a wakeup call for system administrators everywhere: Your system stays secure only as long as you pay proper attention to maintenance. Out there in the real world there are at least 770 machines where the maintenance regime slipped, either through incompetence or work overload or a combination of the two with a dash of bad planning thrown in.

The only way to make a fourth round of slow bruteforcers not happen is to make the people responsible for the 770 hosts listed here do the right thing. I suppose we will find out soon enough how many of those domains actually have the RFC2142-mandated mailboxes in place.

References: Previous posts on this topic include A low intensity, distributed bruteforce attempt (December 2, 2008), A Small Update About The Slow Brutes (December 6, 2008), Into a new year, slowly pounding the gates (December 21, 2008), The slow brutes, a final roundup (January 22, 2009) and The slow brute zombies are back (April 12, 2009).


If you found this article useful, enjoyable or irritating, please drop me a line. Material related to this article is available free via links from my web space. Some additional material will be made available for reasonable research purposes. If you want more extensive assistance, please contact FreeCode to make arrangements.


The reason for my rather long silence in the blogosphere can be summed up in two words: Client Confidentiality. Some of the projects I've been working on might have been material for interesting articles, but separating the generally useful bits from what the customer could reasonably expect to be kept confidential has proved difficult, at least in the short run.

Update 2009-10-05 just before 10:00 CEST: Slightly newer log extracts uploaded, total attempts now 6590, from 775 hosts. I will likely upload fresher versions at intervals.

Update 2009-10-14 19:30ish: After a couple of days with literally none to three or four attempts per hour, my afternoon log check turned up activity almost at start of run levels, so total numbers are now 9405 attempts from a total of 946 unique hosts. I never bothered to change the file names, but the data have been updated a couple of times each day since I started publishing them.

Update 2009-10-29 00:10: Because a file transfer took a little longer than expected, I was awake to see what may actually be the start of the alphabetic phase -


Oct 28 23:58:35 rosalita sshd[61664]: Invalid user anthony from 62.225.63.99
Oct 28 23:58:35 rosalita sshd[61664]: error: PAM: authentication error for illegal user anthony from 62.225.63.99
Oct 28 23:58:35 rosalita sshd[61664]: Failed keyboard-interactive/pam for invalid user anthony from 62.225.63.99 port 58683 ssh2
Oct 28 23:59:43 rosalita sshd[61668]: Invalid user anthony from 217.136.253.239
Oct 28 23:59:43 rosalita sshd[61668]: error: PAM: authentication error for illegal user anthony from 239.253-136-217.adsl-static.isp.belgacom.be
Oct 28 23:59:43 rosalita sshd[61668]: Failed keyboard-interactive/pam for invalid user anthony from 217.136.253.239 port 54728 ssh2
Oct 29 00:00:26 rosalita sshd[61695]: Invalid user barbara from 112.78.124.159
Oct 29 00:00:27 rosalita sshd[61695]: error: PAM: authentication error for illegal user barbara from 112.78.124.159
Oct 29 00:00:27 rosalita sshd[61695]: Failed keyboard-interactive/pam for invalid user barbara from 112.78.124.159 port 56990 ssh2
Oct 29 00:03:42 rosalita sshd[61722]: Invalid user brian from 122.224.128.197
Oct 29 00:03:42 rosalita sshd[61722]: error: PAM: authentication error for illegal user brian from 122.224.128.197
Oct 29 00:03:42 rosalita sshd[61722]: Failed keyboard-interactive/pam for invalid user brian from 122.224.128.197 port 47058 ssh2
Oct 29 00:04:21 rosalita sshd[61725]: Invalid user brian from 218.69.27.138
Oct 29 00:04:21 rosalita sshd[61725]: error: PAM: authentication error for illegal user brian from 218.69.27.138
Oct 29 00:04:21 rosalita sshd[61725]: Failed keyboard-interactive/pam for invalid user brian from 218.69.27.138 port 41622 ssh2
Oct 29 00:05:00 rosalita sshd[61738]: Invalid user carol from 58.60.106.121
Oct 29 00:05:01 rosalita sshd[61738]: error: PAM: authentication error for illegal user carol from 58.60.106.121
Oct 29 00:05:01 rosalita sshd[61738]: Failed keyboard-interactive/pam for invalid user carol from 58.60.106.121 port 55916 ssh2
Oct 29 00:05:51 rosalita sshd[61744]: Invalid user carol from 200.248.242.218
Oct 29 00:05:52 rosalita sshd[61744]: error: PAM: authentication error for illegal user carol from 200.248.242.218
Oct 29 00:05:52 rosalita sshd[61744]: Failed keyboard-interactive/pam for invalid user carol from 200.248.242.218 port 54547 ssh2
Oct 29 00:07:24 rosalita sshd[61748]: Invalid user charles from 222.128.36.60
Oct 29 00:07:24 rosalita sshd[61748]: error: PAM: authentication error for illegal user charles from 222.128.36.60
Oct 29 00:07:24 rosalita sshd[61748]: Failed keyboard-interactive/pam for invalid user charles from 222.128.36.60 port 42322 ssh2
Oct 29 00:08:09 rosalita sshd[61755]: Invalid user christopher from 72.148.242.188
Oct 29 00:08:10 rosalita sshd[61755]: error: PAM: authentication error for illegal user christopher from adsl-072-148-242-188.sip.asm.bellsouth.net
Oct 29 00:08:10 rosalita sshd[61755]: Failed keyboard-interactive/pam for invalid user christopher from 72.148.242.188 port 37157 ssh2
Oct 29 00:09:06 rosalita sshd[61758]: Invalid user christopher from 58.223.251.232
Oct 29 00:09:06 rosalita sshd[61758]: error: PAM: authentication error for illegal user christopher from 58.223.251.232
Oct 29 00:09:06 rosalita sshd[61758]: Failed keyboard-interactive/pam for invalid user christopher from 58.223.251.232 port 46350 ssh2
Oct 29 00:09:48 rosalita sshd[61762]: Invalid user daniel from 64.69.114.115
Oct 29 00:09:49 rosalita sshd[61762]: error: PAM: authentication error for illegal user daniel from mulligan.softspike.org
Oct 29 00:09:49 rosalita sshd[61762]: Failed keyboard-interactive/pam for invalid user daniel from 64.69.114.115 port 39960 ssh2
Oct 29 00:11:29 rosalita sshd[61781]: Invalid user david from 80.255.179.150
Oct 29 00:11:29 rosalita sshd[61781]: error: PAM: authentication error for illegal user david from ppp-vpdn-80.255.179.150.yarnet.ru
Oct 29 00:11:29 rosalita sshd[61781]: Failed keyboard-interactive/pam for invalid user david from 80.255.179.150 port 49013 ssh2

More material later, for now I'd be happy to hear confirmation (reports of similar activity) if you see it in your logs.

Note: A Better Data Source Is Available
Update 2013-06-09: For a faster and more convenient way to download the data referenced here, please see my BSDCan 2013 presentation The Hail Mary Cloud And The Lessons Learned which summarizes this series of articles and provides links to all the data. The links in the presentation point to a copy stored at NUUG's server, which connects to the world through a significantly fatter pipe than BSDly.net has.

34 comments:

  1. This attack is REALLY slow!

    Since April they've taken about 180 days to capture 770 Linux boxes. That is slightly more than 4 boxes per day. At that rate it will take them only 833 years to create a Linux bot farm equal in size to the 1.3 Million Windows bot farm!

    More than likely they are employing the Linux boxes as trawlers and controllers for the Windows boxes that make up those gigantic Windows bot farms.

    Compared to the total number of Linux boxes around the globe 770 boxes is vanishingly small. To use this "threat" as an excuse to stay with Windows or move from Linux to Windows would be similar to playing Russian roulette with a fully loaded revolver.

    ReplyDelete
  2. I completely disagree with "we likely oversold the security". Just like in Windows - if you don't bother to lock things down, bad things happen.

    Why would you even leave SSH open with password login's enabled? If you have to leave SSH open, at least require encryption key authentication! It's just common sense.

    The problem is that the average joe should need a license to have a computer on the Internet, and the average network administrator should need a license in computer security to have one. Unfortunately there's a lot of people who don't know what they don't know, and that's dangerous.

    ReplyDelete
  3. Yep. Getting similar things here. Apart from the obvious .cn and .kr clowns that like to spam away at one every 5 seconds. grep'd for uniques to root in 6 days, 3000, IP's 200.

    ReplyDelete
  4. Uhh.... skapet.bsdly.net is on the list!

    ReplyDelete
  5. I had 2 boxes that had old version of Roundcube webmail. Had some sort exploit and they were both running brute scripts. Just an fyi.

    ReplyDelete
  6. Could you post a list of just the IP addresses of the 770 hosts? This could prove useful for folks who have hosts scattered across a bunch of different domains residing within the same relatively modest IP address range since they could look for their IP addresses as opposed to each of their various host and domain names. It would also defeat any reverse DNS spoofing that might be going on.

    ReplyDelete
  7. Speaking of lazy sys admins, why do you permit hosts from so many different places to connect to your SSH server? Do you really need to allow hosts in Japan to connect to your SSH server? What about Russia? You really should restrict to those few blocks from which you actually need access.

    ReplyDelete
  8. iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X

    iptables -N SSH_WHITELIST

    # My work network.
    iptables -A SSH_WHITELIST -s 1.2.3.0/24 -m recent --remove --name SSH -j ACCEPT
    # My home network
    iptables -A SSH_WHITELIST -s 4.5.6.0/24 -m recent --remove --name SSH -j ACCEPT

    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

    Tune appropriately. I find that 4 per minute doesn't generate false positives but quite effectively blocks brute forcers. You could lower hitcount or increase the seconds to your liking.

    And this is just for machines where I do need multiple people to be able to login from multiple locations. On other machines I definitely use ssh key only auth via the sshd_config.

    PLUS: This proves that there ARE people out there interested in breaking into Linux boxes. It's just that this is the best way they can find to do it and I think that says a lot. So let's not hear any more of this "Linux would have viruses too if it were as popular as Windows" bull. Between this and the MySQL on Windows worm:

    http://news.cnet.com/MySQL-worm-hits-Windows-systems/2100-7349_3-5553570.html [cnet.com]

    and the recent Linux botnet perpetrated via password brute forcing:

    http://www.builderau.com.au/program/linux/soa/Linux-botnet-discovery-points-to-lazy-administrators/0,339028299,339298642,00.htm [builderau.com.au]

    you would think we could put that old chestnut to bed by now.

    ReplyDelete
  9. I found this series to be quite informative. I stumbled across this article while pinpointing some attack attempts on my own machine. I don't run a server (anymore); I only have a Linux-based notebook. However, upon installing a firewall (Firestarter), I noticed I was getting constant and persistent alerts. I'll spare you the details but let's just say that my firewall logs seem to illustrate behavior very, very similar to the intrusion attempts outlined in this series of articles.

    Fortunately my SSH and telnet ports are closed (no need for them), and I was never dumb enough to have a short, guessable password. I'm guessing that whomever was responsible for these attacks likely mistook my laptop for a server of some sort (and probably didn't think someone would be checking his logs long enough to recognize an attack pattern). FWIW, tracerouting the IP addresses showed that most of the attacks seemed to originate from China and the U.S. (in that order).

    ReplyDelete
  10. As a roud-about way to the main issue of educating the owners of errant machines, I have ben speculating on how to block those boxes from my network. I've concluded that distributed attacks need distributed responses. My dream-solution would be to keep a centralized database, which would log failed attempts on port 22. Failed attemts on port 22 to a large number of participants would trigger a firewall script to cut off all access until some admin took action to get un-blocked, presumably because they woke up at last. Any takers ?

    ReplyDelete
  11. harkon: sudo apt-get install denyhosts

    besides denyhosts there is another similar project of which I forgot the name

    My hosts.deny file currently has 27231 entries...

    ReplyDelete
  12. Many of the IPs on the list are home users with a linux box (I recognize some ISPs) - some with dynamic IPs.

    ReplyDelete
  13. I found an article on Heise security (in german) found here:
    http://www.heise.de/security/artikel/SSH-vor-Brute-Force-Angriffen-schuetzen-270140.html

    Its also about the script DenyHosts (http://denyhosts.sourceforge.net/) which extends your deny.hosts list with all hosts, trying to ssh you with wrong passwords.

    Its working good on my linux machine:
    ...
    sshd: 207.58.155.136
    sshd: 201.33.64.5
    sshd: 222.112.14.44
    sshd: 91.211.117.40
    sshd: 222.218.124.253
    sshd: 200.244.105.148
    sshd: 189.66.178.162
    sshd: 207.36.208.25
    sshd: 123.30.50.90
    sshd: 219.137.192.231
    sshd: 88.208.237.108
    sshd: 212.72.132.166
    sshd: 212.52.166.173
    sshd: 212.174.29.34
    sshd: 58.216.151.131
    sshd: 203.229.177.60
    sshd: 96.31.81.179
    sshd: 115.238.73.172
    ...

    ReplyDelete
  14. I appreciate this article but this has been going on for a long time. I tried to contact both the FBI and Homeland Security but neither was interested. Even after showing that several attacks were coming from China and Vietnam, they merely said "Just keep them out of your servers - it doesn't appear that they have broken in yet". I then gave up trying to convince them that there is a real problem coming from countries that are not the most friendly to us. Lets hope that other administrators take a tip from this site and lock down their systems. I'd rather not get attacked from everyone else's servers. :)

    Greg George
    Chief Engineer Emeritus
    Spinal Cord Resources Network

    ReplyDelete
  15. Whenever someone mentions obfuscation as a simple way to avoid a small part of these blunt, non-directed attacks, there is always some blind, narrow-minded, anal-retentive of a *nix user reading only what he/she wants to read, shouting "running services on non-standard port is 'foul'! not standard! doesn't protect you at all!", instantly ASSUMING that the person who threw the obfuscation penny into the discussion would rely on obfuscation alone to protect his/her machines.

    Of course, only obfuscation is better than NO other protection, sitting tight HOPING nothing comes knocking. No one ever said it should be the only measure taken, but how is it NOT a way of protecting yourself? Would you not recommend a person inside enemy borders to keep his/her head down when the patrols wander by? Would you instead recommend them to stand up in clear sight while coming up with a better plan? How is hiding not a way of protecting yourself?

    Thousands of *nixers have during 10 years of security discussions so far not managed to conjure up _one single DECENT reason_ why NOT to keep your head down for the wandering patrols by simply choosing another port for your sshd, as one step in securing your environment.

    ReplyDelete
  16. No self-propagating worms? Ever heard of the Morris worm...? If Linux had been around then, it surely would have been affected.

    ReplyDelete
  17. As with anything, knowing what you're doing really does help. The myth of cheap admins is a myth.

    The idea of needing a licence is interesting - a bit like the amateur radio licence that is needed to do anything more than very limited radio work. I wondered some time ago if we'd move to centrally managed systems as a solution. That has not happened. We can't completely prevent access, but maybe we could severely restrict it reducing the restrictions as the user moved up the licence ladder, much as a radio amateur (UK at least) gains more privileges the more qualifications they earn.

    Such a thing could also benefit things like preventing illegal file sharing, but have the cost of reducing the usefulness of things like BitTorrent for useful work. It may also be a blow to net anonymity and an avenue for censorship depending on how managed. Pros and cons either way.

    ReplyDelete
  18. Since I use pf, my favorite way to deal with this is:

    block in log quick on $ext_if proto tcp os Linux to $ext_if port ssh

    ReplyDelete
  19. Security relying only on a cryptographic key has the weakness that once the key is stolen all bets are off. Even if you password protect your keyfile, if someone gets hold of the file and the password that is valid for their copy of the file then no amount of changing your password will fix things. I'm afraid I've seen this flaw in a production system in a very large company and it comes down to misunderstanding.

    Multiple factor authentication helps. If you can have a key file on your laptop or netbook so you can authenticate when you SSH into your system then you also need something else like a strong password. Better are the time changing systems such as the special keyfobs or PayPal's text message to your phone (if I can get it to work on mine!)

    For home users you can (I once did) set your hosts.deny to ALL, your IPTables default policy to DENY and put the few IP addresses of the few machines you log in from in your Allow lists, if you have a relatively small allow list that can be determined before-hand. Port knocking is also interesting, or maybe a web-app you can sign in to.

    ReplyDelete
  20. Better than /etc/hosts.deny is to use /etc/hosts.allow and only allow IP addresses you WANT to connect to sshd: ( or mysqld, and other progs that use TCPwrappers.

    In your hosts.deny place this line
    ALL: PARANOID ALL

    /etc/hosts.allow add ip addresses like so..
    sshd: 123.123.123.

    You can allow an ip block or range if you get DHCP ip address assigned to you. This is by far the best way to secure sshd... hands down. It's better than any firewall.

    1) remove your attack surface by closing or making open ports to localhost (127.0.0.1) like SNMP or others where possible.

    2) only ALLOW ip address in hosts.allow and deny ALL

    3) no need for a firewall at all... in fact you can even use password root sshd access if you set up hosts.allow/deny properly. ( although not recommended, best create a completely unpriv user just for ssh log in, than su root from there.

    4) Linux default installs are already very minimal in terms of open ports... unlike the past.

    my belief is that firewalls give a false sense of security. After all, we poke holes in the firewall for all the important ports, which circumvents the firewall right there. ( IE allow port 22 and 21 and the firewall is useless. ) OUT going ports maybe a different story, and a firewall maybe useful than, however very difficult to configuring outgoing ports, so again the firewall becomes more of a pain in the arse than good.

    5) the more 'layers' of security the better... but it does get to a point of overly paranoid, when properly denying all IP addresses but a range or less is allowed with TCP wrappers.

    ReplyDelete
  21. I would encourage anyone with a Linux server to take a look at Fail2ban (http://www.fail2ban.org). In short, it watchs your logs for patterns and then takes definable action such as firewall rules or denyhosts.

    One example would be if ther are 4 failed ssh logins from the same IP in a 60 minute period, insert a firewall rule that drops packets from that IP for 8 hours.

    A dynamic approach like this keeps your denyhosts or iptables rules from growing out of control.

    ReplyDelete
  22. It's always good practice to disallow root login over SSH. Problem solved-- for this attack, anyway. Root access should be controlled by forcing a user to log in as an unprivileged account, then using tools like su or sudo.

    It's simple to disallow root. Just modify your /etc/ssh/sshd_config file and set PermitRootLogin to "no". Restart sshd and you're ready to go.

    ReplyDelete
  23. nice ... jejeje.. it has happended to all of us.. i just put some rules in my iptables and denied root access and changed sshd port. it had work for me.. at least for the moment.

    keep doing your great job.

    ReplyDelete
  24. seriously, what are you people on about? No Linux viruses? Apparently you don't know of Silvio's work or any of the similar work that has been done on ELF infectors and the like. Whatever though, you clearly don't know anything about security. And for the record, bruteforce attacks can be twarted by increasing the bruteforce complexity of your password. ;-) hey though, no need for facts on blogs, right? It's not like *actual* hackers and *actual* sec industry workers should be the ones to make comments on the industry. lol, psyche ;-)

    ReplyDelete
  25. I've also seen a number of attacks in recent weeks specifically for the root user. But also quite interesting is an alphabetical user attack eg. aa, ab, ac ,ad, etc ...

    I use Blockhosts to counter these though without any drama. Current nasties include:
    207.42.177.19
    218.206.27.9
    190.11.27.151

    ReplyDelete
  26. Thanks for the sharing this website. it is very useful professional knowledge. Great idea you know about company background.
    web application development

    ReplyDelete
  27. Using a tuned install of http://www.aczoom.com/cms/blockhosts cut many tens of thousands of auth attempts per day down to <20 on most days. We use iptables to block all services with too many ssh attempts, but you could also use TCP_wrappers.

    So far (knock on wood), we have not seen any blocks against legit users. Of course, root is disabled in sshd_config itself.

    ReplyDelete
  28. Actually, wasn't the Li0n worm, from around 2001, self-propagating? It infected systems running a vulnerable version of BIND (is "vulnerable...BIND" redundant?), installed a root kit, and then started scanning for other systems to infect.

    ReplyDelete
  29. Yea, the poster obviously doesn't know much about security or the sort of malicious code that exists on UNIX-like platforms. /me thinks he has never heard of Silvio or his work with ELF infectors. Whatever though, not like we need to get our security info from real hackers or real security industry douches. Any random Joe from the street can just begin sending out misinformation at the drop of a pin these days. And btw, have you considered evading bruteforce attacks by increasing the bruteforce complexity of your passwords? Or not using password-based authentication at all? LAWL! Anyway, firewalls are kind of redundant as well considering the fundamental flaws within the TCP/IP protocol were uncovered countless years ago (1980-something). Hell, with a (Google:) "TCP/IP sequence prediction" vuln in mind, an attacker need only subvert the algorithm the kernel uses for producing said sequences. And btw, I doubt you know what packers are or that you are familiar with the concept of obfuscation, but Windows has a distinct advantage over standard *nix installations in this department. Windows binaries are far more difficult to analyse than those of UNIX-like operating systems. And again, I'll reiterate, LINUX HAS VIRUSES. If you think it's impossible to become infected with a virus or a self-propogating worm on Linux then you're naive, should be fired from your job, and should wake the hell up and stop living in a fantasy. But I do agree with you that open source and FS does provide a better model for the detection and elimination of vulnerabilities by making the source freely accessible. However, I will point out to you that not *all* vulns manifest themselves within the source code. There are plenty of vulnerabilities that only arise after the source code has been compiled. (Due to the optimizations and modifications that a compiler performs on the source prior to outputting the ASM and linking.) This has been particularly prevalent among code compiled using GCC as of late. You can check any public secvuln forum to find the exploits that take advantage of these attack vectors. Anyway: just my two cents on the topic. This article is kind of stupid.

    ReplyDelete
  30. a friend of mine seems to be subject to the same attack you are seeing, I did some stats and out of the 596 unique hosts from his logfiles I found 429 of them in your list of 770 hosts. Didn't you write about sharing this data in a more systematic fashion at some point ? It seems like the obvious thing to do.

    ReplyDelete
  31. Hello,


    For leveraging traffic from the internet, I have manually collected a list of quality blogs and sites with whom I am interested in getting associated.

    I liked your Site/blog and i'm interested in having my blog's text link in your blog roll or Friends Section.

    To process this link exchange please place my blog on your home page using the
    below info

    Title: IT Security Consultant

    Url: http://www.adamsinfo.com/security-consultant/

    And send me your link info with confirmation of my link so that I could place
    you link on my blog. We will make link back to you on our home page (PR 5).

    I hope I will hear from you as soon as possible.
    Sincerely,
    Webmaster
    Adamsinfo.com
    seo@apnicsolutions.com

    ReplyDelete
  32. I see it too.

    Oct 29 00:00:59 valhal sshd[20700]: Failed keyboard-interactive/pam for invalid user barbara from 74.7.147.222 port 42344 ssh2
    Oct 29 00:04:01 valhal sshd[20713]: Failed keyboard-interactive/pam for invalid user brian from 86.35.93.36 port 13711 ssh2
    Oct 29 00:05:33 valhal sshd[20720]: Failed keyboard-interactive/pam for invalid user carol from 222.177.15.78 port 43907 ssh2
    Oct 29 00:11:51 valhal sshd[20760]: Failed keyboard-interactive/pam for invalid user david from 190.144.6.182 port 42392 ssh2
    Oct 29 00:17:09 valhal sshd[20889]: Failed keyboard-interactive/pam for invalid user donna from 74.212.228.162 port 8729 ssh2
    Oct 29 00:18:04 valhal sshd[20894]: Failed keyboard-interactive/pam for invalid user dorothy from 87.79.200.207 port 49228 ssh2
    Oct 29 00:19:28 valhal sshd[20899]: Failed keyboard-interactive/pam for invalid user edward from 93.162.98.174 port 17654 ssh2
    Oct 29 00:26:56 valhal sshd[20930]: Failed keyboard-interactive/pam for invalid user james from 58.62.239.150 port 29560 ssh2
    Oct 29 00:29:17 valhal sshd[20935]: Failed keyboard-interactive/pam for invalid user jeff from 203.160.81.20 port 5412 ssh2
    Oct 29 00:33:59 valhal sshd[20946]: Failed keyboard-interactive/pam for invalid user joseph from 60.250.129.103 port 33663 ssh2

    ReplyDelete
  33. Hello!
    I was noticing this myself, and I was "infected" also, and had dt_ssh5 in my /tmp directory.
    I was a little to late, but I have done everything I could think of to protect my *nix computers from this, really hope it will help.
    Thabk you for a very helpful blog.

    ReplyDelete

Note: Comments are moderated. On-topic messages will be liberated from the holding queue at semi-random (hopefully short) intervals.

I invite comment on all aspects of the material I publish and I read all submitted comments. I occasionally respond in comments, but please do not assume that your comment will compel me to produce a public or immediate response.

If your suggestions are useful enough to make me write on a specific topic, I will do my best to give credit where credit is due.