damn_registrars's Journal: End of another distributed hack attempt...

I've mentioned a few times before that my system has been subjected to distributed attempts to hack into it. Why on earth someone would find my system to be worthwhile is beyond me; it has little data of any value that isn't shared through its web server. Getting into it wouldn't even get you to the systems on our network that do have worthwhile data as they aren't left on anyways. And on top of all that, it runs FreeBSD, so most "hackers" are too pathetic to know what to do with it even if they did manage to get in.

With that said, the two most recent attempts seem to have both subsided. I haven't gone back far enough through my logs yet to figure out exactly when each one ended.

• The first one that started was the "James" attempt. Hundreds of systems per day trying to log in to my system under the name James. Too bad no such user exists on my system. In one 24 hour period I logged over 800 attempts from over 200 unique addresses. This attempt seems to have ended sooner, as well; though I'm not sure exactly when.
• The usual "phone book" attempt. I've mentioned this before, where a botnet (or something similar to it) will go through a long list of common login names, from a to z. As usual the attempt gave up well before it made it all the way through the alphabet; this time the last user I saw attempted was "chanton". Again over 100 systems involved in rapid succession; I will have to go back through old log files to figure out the rate.

One of these days I'll work on my security scripts (especially now that I finally got around to setting up a database backend to store the data) and mine this data. Each line in my messages file looks something like this:

Apr 19 18:22:16 our-freebsd-box sshd[40810]: error: PAM: authentication error for illegal user chanton from 202.64.189.170

And from that there are of course several useful bits of information:

• Date
• Time
• Attempted username
• IP address

Which could be thought of as the "raw data".

I figure once I parse through a large number of lines I could derive some additional information on the nature of the attempt(s):

• Attempts per hour (or minute or day)
• Attempts per name
• Attempts per IP address
• Attempts per IP range or network

Which would reasonably be called the "meta-data".

From this I could mine a little further and get some additional bits of useful information:

• Frequency per name
• Frequency per address
• Frequency per network

Which could presumably be the "meta-meta-data".

And here I thought I almost managed to escape having to learn SQL.

Obviously a useful output from all this (aside from the data described) would be to automatically write an email to the administrators of the relevant networks, with the information on what systems from their network attempted to access my system, when, and how often. This would be slightly more difficult to mine for, thanks to the arbitrary hogde-podge that we call WHOIS data.

Of course one thing that none of this will clearly tell me is why this is happening to my poor little web server. I had previously proposed that it could have been related to craigslist, as one round of attempts came shortly after I posted an ad to craigslist that included a link to my web server. However I have no such ads there currently so it seems unlikely that it is connected to someone trolling craigslist for web servers (unless they retain their lists). I suppose it may also be likely that someone is trolling address ranges for ssh servers and trying to get into them any way they can. I should check my sshd syntax to see if it is possible to get ssh to log the name of the system they tried to access (not sure how possible that would be); as I could get quite a bit of information out of knowing whether they tried to access my system by its name versus its IP address.

wish I could remember the details...

[zogger]

..forgive me if I don't get this exactly right, it is something I remember reading here perhaps as long as three years ago or so. Some guy had a way where he would direct such attempts to a honeypot machine that would let them in, then slow them down to a crawl. It's like the bot could get in just one place, then once there, never exit. IIRC it would let them access data at like one byte per second or something, just enough to keep them there but not enough to get anywhere and what they were accessing was r

Re:

[damn_registrars]

That is a fantastic idea. I wonder if I could come up with a clever way to do that on my existing machine (I'm not particularly inclined to setup another computer at home, and my wife would probably rather I not anyways). Although I may need to figure out what exactly they want to access as a user... I guess my first guess would be not that they actually wanted to access any data on there anyways, but rather to try to find a mail relay to push spam through.

I'll have to look around for that and see if I

Re:

[cmacb]

I remember reading about it too. Doing some Google searches to try and refresh my memory I found this (not what I originally read I don't think, but it fills the bill):

http://www.securityfocus.com/infocus/1723 [securityfocus.com]

Also this:

http://www.citi.umich.edu/u/provos/honeyd/ [umich.edu]

Re:

[damn_registrars]

Thanks for the links. The second link

http://www.citi.umich.edu/u/provos/honeyd/

Has an interesting little factoid (admittedly I haven't looked at the basis of it) claiming that 43% of spam is sent by Linux machines.

If that is true, then that could indicate that my earlier speculation that the bots are looking for the mail command could be reasonable. Though it sounds like the "tarpit" method should well be able to capture them anyways.

Thanks to both of you!

Teergrube

[wowbagger]

http://www.google.com/search?hl=en&ei=0AP2SZL0BJWqMqL43KkP&sa=X&oi=spell&resnum=1&ct=result&cd=1&q=teergrube&spell=1 [google.com]

Teergrube - "tar baby": A honeypot that allows an attacker to gain access to a controlled server, then slows the connection to a crawl, in order to tie up the attacker.

----------

Likely your server is being attacked because it can be found. It doesn't matter if you have any good data on your server (though that is a bonus) - your server could be doing something u

Re:

[damn_registrars]

Likely your server is being attacked because it can be found

I have been generally gravitating towards that hypothesis.

Although it leaves open the question whether it was first found as a web server, or an ssh server.

your server could be doing something useful, like serving Spamvertised web pages

That would be a bit of a feat; my webserver configuration is pretty bare-bones (and its not Linux or windows) so they'd likely have to compile from source any additional apache modules in order to launch their fancy spamvertised web pages.

Unless, of course, they just used it as a redirect; they could put the address of my poor little web server in

Two Ideas

[OctaneZ]

I personally swear by DenyHosts [sourceforge.net] but there is also Fail2Ban [fail2ban.org]. It is at least a place to start.

A Reason

[fm6]

They want to hack into your system so they can delete all your content and replace it with a page that says "You've been pwned", possibly supplemented by scatalogical graphics and/or gay porn. Not exactly a compelling activity, but some people find it passes the time.

Re:

[damn_registrars]

They want to hack into your system so they can delete all your content and replace it with a page that says "You've been pwned", possibly supplemented by scatalogical graphics and/or gay porn. Not exactly a compelling activity, but some people find it passes the time.

That is always a possible explanation. Though these are truly desperate hackers if they are trying that hard to get into my system. And even if they did pull it off, almost nobody would ever see it, anyways. My poor little webserver sees a couple dozen hits tops on a really busy day.

Re:

[fm6]

It's not desperation. It's love of a challenge!

And you would see it. And be pissed off. Pissing off even one person is adequate reward for a prank.