
A Slovenian hacker + a strange log on the router.


Karlos ::

First, could someone explain the following entries in my router's security log for me:

00:30:33 **Smurf** 200.226.100.0, 47071->> 193.77.xxx.xx, 4672 (from PPPoE Inbound)
00:24:23 NTP Date/Time updated
23:54:24 **Smurf** 200.226.100.0, 47071->> 193.77.xxx.xx, 4672 (from PPPoE Inbound)
18:24:19 NTP Date/Time updated
15:04:36 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 33008 (from PPPoE Inbound)
15:04:35 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 32998 (from PPPoE Inbound)
15:04:35 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 32997 (from PPPoE Inbound)
15:04:33 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 32993 (from PPPoE Inbound)
15:04:31 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 32985 (from PPPoE Inbound)
15:04:29 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 32977 (from PPPoE Inbound)
14:54:09 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 52138 (from PPPoE Inbound)
14:54:05 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 52133 (from PPPoE Inbound)
14:54:04 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 52132 (from PPPoE Inbound)
14:52:49 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 52077 (from PPPoE Inbound)
14:52:48 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 52069 (from PPPoE Inbound)
14:52:45 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 52054 (from PPPoE Inbound)
14:52:44 **LAND** 193.77.xxx.xx, 80->> 193.77.xxx.xx, 52051 (from PPPoE Inbound)


I'm also worried about this output:
cat /var/log/messages | grep "user"


May 29 16:51:16 localhost sshd[9328]: Invalid user julija from 159.226.169.222
May 29 16:51:16 localhost sshd[9328]: Failed password for invalid user julija from 159.226.169.222 port 37371 ssh2
May 29 16:51:19 localhost sshd[9330]: Invalid user neja from 159.226.169.222
May 29 16:51:19 localhost sshd[9330]: Failed password for invalid user neja from 159.226.169.222 port 37529 ssh2
May 29 16:51:23 localhost sshd[9332]: Invalid user tia from 159.226.169.222
May 29 16:51:23 localhost sshd[9332]: Failed password for invalid user tia from 159.226.169.222 port 37718 ssh2
May 29 16:51:26 localhost sshd[9334]: Invalid user lucija from 159.226.169.222
May 29 16:51:26 localhost sshd[9334]: Failed password for invalid user lucija from 159.226.169.222 port 37889 ssh2
May 29 16:51:30 localhost sshd[9336]: Invalid user ajda from 159.226.169.222
May 29 16:51:30 localhost sshd[9336]: Failed password for invalid user ajda from 159.226.169.222 port 38072 ssh2
May 29 16:51:33 localhost sshd[9338]: Invalid user alja from 159.226.169.222
May 29 16:51:33 localhost sshd[9338]: Failed password for invalid user alja from 159.226.169.222 port 38235 ssh2
May 29 16:51:37 localhost sshd[9340]: Invalid user katja from 159.226.169.222
May 29 16:51:37 localhost sshd[9340]: Failed password for invalid user katja from 159.226.169.222 port 38420 ssh2
May 29 16:51:40 localhost sshd[9342]: Invalid user taja from 159.226.169.222
May 29 16:51:40 localhost sshd[9342]: Failed password for invalid user taja from 159.226.169.222 port 38603 ssh2
May 29 16:51:44 localhost sshd[9344]: Invalid user karin from 159.226.169.222
May 29 16:51:44 localhost sshd[9344]: Failed password for invalid user karin from 159.226.169.222 port 38752 ssh2
May 29 16:51:48 localhost sshd[9346]: Invalid user larisa from 159.226.169.222
May 29 16:51:48 localhost sshd[9346]: Failed password for invalid user larisa from 159.226.169.222 port 38979 ssh2
May 29 16:51:51 localhost sshd[9348]: Invalid user tina from 159.226.169.222
May 29 16:51:51 localhost sshd[9348]: Failed password for invalid user tina from 159.226.169.222 port 39158 ssh2
May 29 16:51:55 localhost sshd[9350]: Invalid user gaja from 159.226.169.222
May 29 16:51:55 localhost sshd[9350]: Failed password for invalid user gaja from 159.226.169.222 port 39307 ssh2
May 29 16:51:59 localhost sshd[9352]: Invalid user laura from 159.226.169.222
May 29 16:51:59 localhost sshd[9352]: Failed password for invalid user laura from 159.226.169.222 port 39480 ssh2
May 29 16:52:03 localhost sshd[9354]: Invalid user brina from 159.226.169.222
May 29 16:52:03 localhost sshd[9354]: Failed password for invalid user brina from 159.226.169.222 port 39720 ssh2
May 29 16:52:07 localhost sshd[9356]: Invalid user katarina from 159.226.169.222
May 29 16:52:07 localhost sshd[9356]: Failed password for invalid user katarina from 159.226.169.222 port 39903 ssh2
May 29 16:52:11 localhost sshd[9358]: Invalid user tinkara from 159.226.169.222
May 29 16:52:11 localhost sshd[9358]: Failed password for invalid user tinkara from 159.226.169.222 port 40120 ssh2
May 29 16:52:14 localhost sshd[9360]: Invalid user teja from 159.226.169.222
May 29 16:52:14 localhost sshd[9360]: Failed password for invalid user teja from 159.226.169.222 port 40271 ssh2
May 29 16:52:18 localhost sshd[9362]: Invalid user ela from 159.226.169.222
May 29 16:52:18 localhost sshd[9362]: Failed password for invalid user ela from 159.226.169.222 port 40461 ssh2
May 29 16:52:21 localhost sshd[9364]: Invalid user marusa from 159.226.169.222
May 29 16:52:21 localhost sshd[9364]: Failed password for invalid user marusa from 159.226.169.222 port 40641 ssh2
May 29 16:52:24 localhost sshd[9366]: Invalid user nusa from 159.226.169.222
May 29 16:52:24 localhost sshd[9366]: Failed password for invalid user nusa from 159.226.169.222 port 40795 ssh2
...



I have ssh set up on port 22,
but in the logs there is, for example, this:
May 22 00:17:57 localhost sshd[14460]: Accepted password for karlos from 192.168.2.105 port 35153 ssh2

I started looking at the logs because my Linux started crashing abnormally: just launching Firefox froze the computer, and the same happens when I want to save something in OOo.

Any advice from a Linux expert would be welcome.
Sai Baba: "I give you what you want, so that you will want what I wish to give you."

amigo_no1 ::

I wouldn't know about the first part.

For the second part:
a Chinese guy with too much time on his hands did port scanning and guessing of usernames & passwords (dictionary attack) (all requests from the same IP and from different ports...)

http://www.dnsstuff.com/tools/ipall.ch?...



Does the username "karlos" actually exist on your system?
192.168.2.105 is an IP from your private LAN.



I recommend that you set your ssh server up on some non-standard port, limit the number of consecutive failed logins to 3 (in the OS and on the ssh server), limit the IPs from which a user can log in to the ssh server (hosts.allow, hosts.deny), and use long random passwords.

http://www.itefix.no/phpws/index.php?mo...

Unplug the network cable, back up your important data and reinstall the system.


JamesBond ::

He doesn't need to change the SSH port. He should simply restrict the IPs from which connections can be made.

krneki0001 ::

Set up a honeypot and watch what's going on live. In Slovenia there are quite a few kids who dabble in break-ins, because there hasn't been any good, severe punishment yet.

'FireSTORM' ::

Brute-force attack.
Look on the net for sshguard.

edit:
May 22 00:17:57 localhost sshd[14460]: Accepted password for karlos from 192.168.2.105 port 35153 ssh2

That is the local port, not the port sshd listens on. It's the port of the machine the connection is coming from. Nothing is wrong here.
Limiting failed connections won't solve anything, because brute force always tries with a different username. Changing the port won't either (if it's below 1000-and-something), because brute force scans a few ports for where sshd is listening.
Install Rootkit Hunter and check for rootkits; if one is found, it'll be easier to reinstall the system.
Those penguins.... They sure aint normal....
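A small detector over sshd lines like the ones quoted in the thread, added here as an example (not code from the thread or any poster). It follows FireSTORM's two points: failures are counted per source IP rather than per account, because each guess uses a fresh username, and the "port N" of the accepted login is reported as the client's source port. The sample lines are constructed after the ones above, and the 60-second window and threshold of 3 are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the sshd lines quoted in the thread (not the poster's real file)
SAMPLE_LOG = """\
May 29 16:51:16 localhost sshd[9328]: Invalid user julija from 159.226.169.222
May 29 16:51:16 localhost sshd[9328]: Failed password for invalid user julija from 159.226.169.222 port 37371 ssh2
May 29 16:51:19 localhost sshd[9330]: Failed password for invalid user neja from 159.226.169.222 port 37529 ssh2
May 29 16:51:23 localhost sshd[9332]: Failed password for invalid user tia from 159.226.169.222 port 37718 ssh2
May 29 16:51:26 localhost sshd[9334]: Failed password for invalid user lucija from 159.226.169.222 port 37889 ssh2
May 22 00:17:57 localhost sshd[14460]: Accepted password for karlos from 192.168.2.105 port 35153 ssh2
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED = re.compile(TS + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<sport>\d+)")
ACCEPTED = re.compile(TS + r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<sport>\d+)")

def parse_ts(ts, year=2000):
    # syslog stamps carry no year; any fixed year works for measuring gaps
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def summarize(log, window_s=60, threshold=3):
    """Aggregate failures per source IP, never per username: each guess in the thread
    uses a fresh username, so a per-account lockout would never trigger."""
    failures = defaultdict(list)  # ip -> [(timestamp, username)]
    accepted = []                 # (user, ip, client_source_port)
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED.match(line)
        if m:
            # 'port N' is the client's ephemeral source port, not where sshd listens
            accepted.append((m["user"], m["ip"], int(m["sport"])))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # failures within window_s of this one, counting forward in time
            burst = sum(1 for t, _ in events[i:] if (t - start).total_seconds() <= window_s)
            if burst >= threshold:
                alerts[ip] = {"attempts": len(events),
                              "distinct_users": len({u for _, u in events})}
                break
    return alerts, accepted
```

Lines that match neither pattern (such as the "Invalid user" line) are skipped, so the same function can be pointed at a whole /var/log/messages.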

