Comments on That grumpy BSD guy: So somebody is throwing HTML at your sshd. What to do?

Peter N. M. Hansteen, 2016-12-28 17:18 (+01:00):

Yes, it does look like their backend was broken for a while, and these traces show coordination of several hosts.

It would of course be useful to see auth log data for roughly the same period from elsewhere, in order to identify more hosts in the coordinated set, but I suspect most people do not keep their logs around that long.

evul, 2016-12-28 16:51 (+01:00):

It's simpler than you think :-)

SSH mass scans are more than widespread. On one of my Internet-facing machines, there are 20k brute-force attempts each month.

In your case it looks like an attacker used some static logins plus a login list, which was downloaded from a location where it's already gone (and never checked for contents).
Another way is that some lists were concatenated, where the last one was 403'd. Such a list given as a parameter to some brute-force bot can cause identical behaviour.

Anonymous, 2016-12-25 19:49 (+01:00):

We have a lot of these on two of our machines for more than half a year. Almost every day.

# zcat /var/log/auth.log.*.bz2 | grep 'GET / HTTP'
Dec 19 07:20:11 MyHost sshd[14793]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 59817
Dec 19 17:25:12 MyHost sshd[76582]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 37817
Dec 20 07:15:12 MyHost sshd[61303]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 36558
Dec 20 17:15:14 MyHost sshd[23506]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 52326
Dec 21 07:20:12 MyHost sshd[10057]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 33720
Dec 21 17:25:12 MyHost sshd[76284]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 32966
Dec 13 07:25:17 MyHost sshd[26646]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 62313
Dec 13 17:30:13 MyHost sshd[88136]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 60471
Dec 14 07:15:11 MyHost sshd[71605]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 60037
Dec 14 17:20:11 MyHost sshd[37482]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 37506
Dec 15 07:20:11 MyHost sshd[20664]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 58248
Dec 15 17:25:11 MyHost sshd[84836]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 43397
Dec 16 07:50:11 MyHost sshd[86760]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 49417
Dec 16 17:55:12 MyHost sshd[47666]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 51202
Dec 8 17:55:12 MyHost sshd[60806]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 58734
Dec 9 07:15:12 MyHost sshd[42073]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 58881
Dec 9 17:20:11 MyHost sshd[3626]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 54401
Dec 12 07:45:11 MyHost sshd[82174]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 58818
Dec 12 17:45:13 MyHost sshd[43618]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 33835
Dec 5 07:20:12 MyHost sshd[51490]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 50872
Dec 5 17:25:12 MyHost sshd[12979]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 37062
Dec 6 07:15:11 MyHost sshd[96566]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 44851
Dec 6 17:20:11 MyHost sshd[58017]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 34036
Dec 7 08:10:11 MyHost sshd[47704]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 53449
Dec 7 18:15:11 MyHost sshd[14013]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 55395
Dec 8 07:50:12 MyHost sshd[96518]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 61339
Nov 30 07:05:14 MyHost sshd[13793]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 54288
Nov 30 17:10:12 MyHost sshd[79548]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 57325
Dec 2 07:20:12 MyHost sshd[15070]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 61535
Dec 2 17:25:12 MyHost sshd[76530]: Bad protocol version identification 'GET / HTTP/1.1' from 46.235.158.196 port 61352

Anonymous, 2016-12-24 16:47 (+01:00):

Very odd.

I've been seeing weird things being sent to TCP/587 (SMTP Submission port):

Dec 24 12:45:41 postfix/submission/smtpd[27730]: warning: non-SMTP command from unknown[113.240.250.156]: GET / HTTP/1.0
Dec 24 12:46:29 postfix/submission/smtpd[6157]: warning: non-SMTP command from unknown[113.240.250.156]: Via: SIP/2.0/TCP nm;branch=foo
Dec 24 12:46:29 postfix/submission/smtpd[92587]: warning: non-SMTP command from unknown[113.240.250.156]: GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0