I'm kind of out of time to do this test (I'd have to set up a special machine for it), but here is some supplemental information...
Interesting to note: in this sample of log entries, the real accounts 'greg' and 'cheryl' are tested; no other 'first name' accounts are. On Jun 14, a more random first-name list was attempted from the same IP address. It appears that the bot came back with a more defined list built from its first session.

Regards,
Greg

Jun 19 13:56:24 buster sshd[30500]: Failed password for mail from 140.109.33.37 port 47339 ssh2
Jun 19 13:56:27 buster sshd[30502]: Failed password for mail from 140.109.33.37 port 47531 ssh2
Jun 19 13:56:30 buster sshd[30504]: Failed password for mail from 140.109.33.37 port 47687 ssh2
Jun 19 13:58:40 buster sshd[30690]: Failed password for news from 140.109.33.37 port 53750 ssh2
Jun 19 13:58:43 buster sshd[30692]: Failed password for news from 140.109.33.37 port 53929 ssh2
Jun 19 13:58:46 buster sshd[30694]: Failed password for news from 140.109.33.37 port 54067 ssh2
Jun 19 13:59:23 buster sshd[30744]: Failed password for sshd from 140.109.33.37 port 55749 ssh2
Jun 19 13:59:26 buster sshd[30746]: Failed password for sshd from 140.109.33.37 port 55932 ssh2
Jun 19 13:59:30 buster sshd[30748]: Failed password for sshd from 140.109.33.37 port 56083 ssh2
Jun 19 14:07:20 buster sshd[31475]: Failed password for backup from 140.109.33.37 port 48315 ssh2
Jun 19 14:07:24 buster sshd[31477]: Failed password for backup from 140.109.33.37 port 48465 ssh2
Jun 19 14:07:27 buster sshd[31479]: Failed password for backup from 140.109.33.37 port 48599 ssh2
Jun 19 14:08:57 buster sshd[31609]: Failed password for nobody from 140.109.33.37 port 52531 ssh2
Jun 19 14:09:00 buster sshd[31611]: Failed password for nobody from 140.109.33.37 port 52656 ssh2
Jun 19 14:09:04 buster sshd[31613]: Failed password for nobody from 140.109.33.37 port 52770 ssh2
Jun 19 14:14:24 buster sshd[32100]: Failed password for mail from 140.109.33.37 port 38314 ssh2
Jun 19 14:14:26 buster sshd[32102]: Failed password for mail from 140.109.33.37 port 38468 ssh2
Jun 19 14:14:30 buster sshd[32104]: Failed password for mail from 140.109.33.37 port 38593 ssh2
Jun 19 14:26:49 buster sshd[797]: Failed password for sync from 140.109.33.37 port 41650 ssh2
Jun 19 14:26:52 buster sshd[799]: Failed password for sync from 140.109.33.37 port 41787 ssh2
Jun 19 14:26:55 buster sshd[801]: Failed password for sync from 140.109.33.37 port 41933 ssh2
Jun 19 14:28:37 buster sshd[947]: Failed password for cheryl from 140.109.33.37 port 46263 ssh2
Jun 19 14:28:40 buster sshd[949]: Failed password for cheryl from 140.109.33.37 port 46386 ssh2
Jun 19 14:28:43 buster sshd[951]: Failed password for cheryl from 140.109.33.37 port 46529 ssh2
Jun 19 14:30:52 buster sshd[1158]: Failed password for www-data from 140.109.33.37 port 52081 ssh2
Jun 19 14:30:55 buster sshd[1160]: Failed password for www-data from 140.109.33.37 port 52222 ssh2
Jun 19 14:30:58 buster sshd[1162]: Failed password for www-data from 140.109.33.37 port 52362 ssh2
Jun 19 14:31:02 buster sshd[1164]: Failed password for games from 140.109.33.37 port 52480 ssh2
Jun 19 14:31:05 buster sshd[1166]: Failed password for games from 140.109.33.37 port 52626 ssh2
Jun 19 14:31:08 buster sshd[1168]: Failed password for games from 140.109.33.37 port 52761 ssh2
Jun 19 14:31:45 buster sshd[1218]: Failed password for operator from 140.109.33.37 port 54322 ssh2
Jun 19 14:31:48 buster sshd[1220]: Failed password for operator from 140.109.33.37 port 54476 ssh2
Jun 19 14:31:52 buster sshd[1222]: Failed password for operator from 140.109.33.37 port 54608 ssh2
Jun 19 14:32:45 buster sshd[1296]: Failed password for irc from 140.109.33.37 port 56857 ssh2
Jun 19 14:32:48 buster sshd[1298]: Failed password for irc from 140.109.33.37 port 57033 ssh2
Jun 19 14:32:53 buster sshd[1300]: Failed password for irc from 140.109.33.37 port 57159 ssh2
Jun 19 14:36:02 buster sshd[1594]: Failed password for lp from 140.109.33.37 port 37138 ssh2
Jun 19 14:36:05 buster sshd[1596]: Failed password for lp from 140.109.33.37 port 37269 ssh2
Jun 19 14:36:08 buster sshd[1598]: Failed password for lp from 140.109.33.37 port 37392 ssh2
Jun 19 14:36:16 buster sshd[1606]: Failed password for bin from 140.109.33.37 port 37699 ssh2
Jun 19 14:36:19 buster sshd[1608]: Failed password for bin from 140.109.33.37 port 37849 ssh2
Jun 19 14:36:23 buster sshd[1610]: Failed password for bin from 140.109.33.37 port 38005 ssh2
Jun 19 14:36:26 buster sshd[1612]: Failed password for postfix from 140.109.33.37 port 38177 ssh2
Jun 19 14:36:30 buster sshd[1614]: Failed password for postfix from 140.109.33.37 port 38314 ssh2
Jun 19 14:36:33 buster sshd[1616]: Failed password for postfix from 140.109.33.37 port 38459 ssh2
Jun 19 14:40:47 buster sshd[2007]: Failed password for uucp from 140.109.33.37 port 49391 ssh2
Jun 19 14:40:51 buster sshd[2009]: Failed password for uucp from 140.109.33.37 port 49522 ssh2
Jun 19 14:40:54 buster sshd[2011]: Failed password for uucp from 140.109.33.37 port 49670 ssh2
Jun 19 14:43:32 buster sshd[2239]: Failed password for greg from 140.109.33.37 port 56496 ssh2
Jun 19 14:43:35 buster sshd[2241]: Failed password for greg from 140.109.33.37 port 56642 ssh2
Jun 19 14:43:39 buster sshd[2243]: Failed password for greg from 140.109.33.37 port 56786 ssh2
Jun 19 14:49:12 buster sshd[2746]: Failed password for sys from 140.109.33.37 port 42917 ssh2
Jun 19 14:49:15 buster sshd[2748]: Failed password for sys from 140.109.33.37 port 43076 ssh2
Jun 19 14:49:18 buster sshd[2750]: Failed password for sys from 140.109.33.37 port 43209 ssh2

On Sun, 2005-06-19 at 13:58 -0400, Justin Pryzby wrote:
> On Fri, Jun 17, 2005 at 01:13:14PM -0400, pryzbyj wrote:
> > On Fri, Jun 17, 2005 at 09:59:45AM -0700, Greg Webster wrote:
> > > On Fri, 2005-06-17 at 12:51 -0400, Justin Pryzby wrote:
> > > > On Fri, Jun 17, 2005 at 09:14:04AM -0700, Greg Webster wrote:
> > > > > Package: ssh
> > > > > Version: 1:3.8.1p1-8.sarge.4
> > > > > Severity: critical
> > > > > File: /usr/sbin/sshd
> > > > > Tags: security
> > > > > Justification: root security hole
> > > > >
> > > > > This attack is already in the wild, as shown in logs:
> > > > This doesn't seem to indicate any particular attack. I don't know if
> > > > there's any evidence that it's doing anything other than sshing to
> > > > $user:[EMAIL PROTECTED] (Though there is no evidence to support my
> > > > claim, either. It would be interesting to force the use of password
> > > > authentication, rather than challenge-response, to see what password
> > > > is being used. Takers?).
> > >
> > > Definitely would be a good test...I'd like to see someone validate what
> > > I've been seeing.
> > I see lots of the same logfile entries; but I have doubts that it is
> > looking for a valid account, and not just looking for an *opened*
> > account.
> The included patch records any "cleartext" passwords (which are
> normally only cleartext in the sense that they can be recorded by the
> remote machine, and are normally sent encrypted over the network).
>
> You probably shouldn't use it on a multiuser machine. But, if you do,
> then you should ensure that the created file is root:root 0700. (And
> tell all your users what you're up to).
>
> Some mods to /etc/ssh/sshd_config are necessary to force clients to
> use password authentication.
>
> (NOTE: this is deliberately discouraged by the authors of SSH.
> Normally, a challenge-response authentication is used, and the
> effective "password" [call it what you like] is never transmitted.
> "Password" authentication is usually the last resort. I always
> recommend using RSA authentication; it can even be left enabled while
> doing this test.)
>
> Anyway,
>
> ChallengeResponseAuthentication no
> kbdinteractiveauthentication no
>
> (The latter one isn't highlighted by vim, and doesn't seem to have any
> effect. The first one was necessary, though. I suspect that keyboard
> interactive, in practice, uses a challenge/response authentication.)
>
> When that's changed, you must /etc/init.d/ssh reload. Then test the
> configuration with ssh -v [EMAIL PROTECTED], which should end with:
>
> debug1: Next authentication method: password
> [EMAIL PROTECTED]'s password:
>
> demonstrating that password authentication is the only one used.
> (Well, not really, since I still have public-key enabled; but, it is
> the first interactive one.)
>
> I'll leave this up for a little while and see what happens. Please
> let me know of your own results, should you decide to do similar
> investigations.
>
> Justin

-- 
Greg Webster - System Administrator
-------------------------------------
intouch.ca gastips.com epredictor.net
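As an added example (not code from the bug report, from Greg or Justin, or from OpenSSH): a small Python script that parses sshd "Failed password" syslog lines and pulls out the three things Greg points at in the excerpt above, namely one source address walking a list of accounts, exactly three guesses per account a few seconds apart, and no "illegal user" marker on any of them (every account tried actually exists on the host). The twelve log lines are copied from the excerpt; the two lines from 10.0.0.5 are constructed to show a source that should not be flagged. The list of Debian base-system accounts and the 60-second / 3-account thresholds are assumptions chosen to match this excerpt.

```python
"""Find the per-account SSH password-guessing pattern seen in the thread.

Added example, not code from the bug report or from OpenSSH. Twelve
sample lines are copied from the thread; the two 10.0.0.5 lines are
constructed. SYSTEM_ACCOUNTS and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Debian sarge base-system accounts (assumed list). Anything else the
# bot tries is presumably a guess at a person's login.
SYSTEM_ACCOUNTS = {
    "root", "daemon", "bin", "sys", "sync", "games", "man", "lp", "mail",
    "news", "uucp", "proxy", "www-data", "backup", "list", "irc", "gnats",
    "nobody", "operator", "sshd", "postfix",
}

# Syslog line as written by sshd. "illegal user" (3.8-era) or "invalid
# user" (later releases) marks an account that does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:(?P<missing>illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)

SAMPLE_LOG = """\
Jun 19 13:56:24 buster sshd[30500]: Failed password for mail from 140.109.33.37 port 47339 ssh2
Jun 19 13:56:27 buster sshd[30502]: Failed password for mail from 140.109.33.37 port 47531 ssh2
Jun 19 13:56:30 buster sshd[30504]: Failed password for mail from 140.109.33.37 port 47687 ssh2
Jun 19 14:28:37 buster sshd[947]: Failed password for cheryl from 140.109.33.37 port 46263 ssh2
Jun 19 14:28:40 buster sshd[949]: Failed password for cheryl from 140.109.33.37 port 46386 ssh2
Jun 19 14:28:43 buster sshd[951]: Failed password for cheryl from 140.109.33.37 port 46529 ssh2
Jun 19 14:43:32 buster sshd[2239]: Failed password for greg from 140.109.33.37 port 56496 ssh2
Jun 19 14:43:35 buster sshd[2241]: Failed password for greg from 140.109.33.37 port 56642 ssh2
Jun 19 14:43:39 buster sshd[2243]: Failed password for greg from 140.109.33.37 port 56786 ssh2
Jun 19 14:49:12 buster sshd[2746]: Failed password for sys from 140.109.33.37 port 42917 ssh2
Jun 19 14:49:15 buster sshd[2748]: Failed password for sys from 140.109.33.37 port 43076 ssh2
Jun 19 14:49:18 buster sshd[2750]: Failed password for sys from 140.109.33.37 port 43209 ssh2
Jun 19 14:50:01 buster sshd[2801]: Failed password for illegal user admin from 10.0.0.5 port 40000 ssh2
Jun 19 14:50:09 buster sshd[2803]: Failed password for greg from 10.0.0.5 port 40012 ssh2
"""


def parse_line(line, year=2005):
    """Return a dict for one failed-password line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; 2005 matches the thread.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"],
            "exists": m["missing"] is None}


def parse_log(text, year=2005):
    events = [e for e in (parse_line(l, year) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def _record(user, run):
    return {"user": user, "count": len(run), "start": run[0]["ts"],
            "span": (run[-1]["ts"] - run[0]["ts"]).total_seconds(),
            "exists": run[0]["exists"]}


def bursts(events, window=60):
    """Split each (ip, user) stream into bursts of consecutive failures no
    more than `window` seconds apart. Returns {ip: [burst, ...]}, each
    list ordered by burst start time."""
    streams = defaultdict(list)
    for e in events:
        streams[(e["ip"], e["user"])].append(e)
    out = defaultdict(list)
    for (ip, user), evs in streams.items():
        run = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if (cur["ts"] - prev["ts"]).total_seconds() > window:
                out[ip].append(_record(user, run))
                run = []
            run.append(cur)
        out[ip].append(_record(user, run))
    for ip in out:
        out[ip].sort(key=lambda r: r["start"])
    return dict(out)


def walk_report(events, window=60, min_accounts=3):
    """Flag sources that ran bursts against at least `min_accounts` distinct
    accounts, and describe what they tried."""
    report = {}
    for ip, runs in bursts(events, window).items():
        accounts = sorted({r["user"] for r in runs})
        if len(accounts) < min_accounts:
            continue
        report[ip] = {
            "attempts": sum(r["count"] for r in runs),
            "accounts": accounts,
            "personal": [u for u in accounts if u not in SYSTEM_ACCOUNTS],
            "guesses_per_burst": sorted({r["count"] for r in runs}),
            # True when no tried account was rejected as nonexistent, i.e.
            # the list was not random, which is the point Greg makes.
            "all_exist": all(r["exists"] for r in runs),
        }
    return report


if __name__ == "__main__":
    for ip, r in walk_report(parse_log(SAMPLE_LOG)).items():
        print(ip, r)
```

Run it on a full auth.log and the "personal" list is the set of real logins the bot already knows about, which is the signal worth alerting on; a sweep that only hits stock system accounts, or one that trips "illegal user" on most names, is the untargeted kind.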