Security

Journal damn_registrars's Journal: The distributed hack continues...

Ever since I posted my car for sale on Craigslist, with a link to a FAQ page on my webserver in the ad, my webserver has been under a deluge of hack attempts: generally on the order of 200-400 unique addresses attempting to get in via ssh every day, each trying 1-4 different login names before giving up.

I wrote a really basic Perl script to read /var/log/messages twice a day (run from my crontab, of course). Here's a snippet of the activity for the past week:

Mon Nov 24 09:34:00 2008 44 unique addresses 1.18181818181818 average attempts per address
Mon Nov 24 21:34:00 2008 216 unique addresses 2.11574074074074 average attempts per address
Tue Nov 25 09:34:00 2008 257 unique addresses 3.27237354085603 average attempts per address
Tue Nov 25 21:34:00 2008 166 unique addresses 1.98795180722892 average attempts per address
Wed Nov 26 09:34:01 2008 201 unique addresses 3.10945273631841 average attempts per address
Wed Nov 26 21:34:00 2008 45 unique addresses 1.15555555555556 average attempts per address
Thu Nov 27 09:34:00 2008 146 unique addresses 2.02054794520548 average attempts per address
Thu Nov 27 21:34:00 2008 174 unique addresses 3.09770114942529 average attempts per address
Fri Nov 28 09:34:00 2008 186 unique addresses 4.11827956989247 average attempts per address
Fri Nov 28 21:34:00 2008 80 unique addresses 1.65 average attempts per address
Sat Nov 29 09:34:00 2008 180 unique addresses 2.12777777777778 average attempts per address
Sat Nov 29 21:34:00 2008 299 unique addresses 2.52508361204013 average attempts per address
Sun Nov 30 09:34:00 2008 159 unique addresses 1.44654088050314 average attempts per address
Sun Nov 30 21:34:00 2008 227 unique addresses 2.33039647577093 average attempts per address
Mon Dec 1 09:34:00 2008 261 unique addresses 3.01532567049808 average attempts per address

Obviously my next step, if I want to continue using this as a programming exercise for my own sake, is to start putting this data into a MySQL database of some sort. For now, though, these numbers are interesting in their own right. It is also useful to see just how often my messages log files turn over:

> ls -ltd /var/log/me*
-rw-r--r-- 1 root wheel 101366 Dec 1 11:32 /var/log/messages
-rw-r--r-- 1 root wheel 12382 Nov 30 01:00 /var/log/messages.0.bz2
-rw-r--r-- 1 root wheel 11251 Nov 28 14:00 /var/log/messages.1.bz2
-rw-r--r-- 1 root wheel 11227 Nov 26 19:00 /var/log/messages.2.bz2
-rw-r--r-- 1 root wheel 11599 Nov 25 10:00 /var/log/messages.3.bz2
-rw-r--r-- 1 root wheel 12160 Nov 24 08:00 /var/log/messages.4.bz2
-rw-r--r-- 1 root wheel 12274 Nov 23 10:00 /var/log/messages.5.bz2

So lately the files have gone around 1.5 days before exceeding the size limit and being compressed. Earlier in this most recent attack the log files turned over at least twice as fast.

So for now, the take home message of this is as follows:
We already know that spammers love to hit Craigslist for addresses to spam. Now it appears that hackers are trolling Craigslist to look for systems to compromise as well. I do not at the moment know whether the systems trying to get into my webserver are part of any particular botnet, though their behavior seems to mirror that of botnet activity.

Furthermore, the systems in question are not attempting to log in as root. We've all seen script kiddies try their dictionary attacks on root, but this is not an instance of that. These systems instead seem to be trying dictionaries of login names.
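The Perl script that produced the "unique addresses / average attempts per address" lines above is not shown in the journal. What follows is an added example, not the journal author's code, of the same kind of summary written in Python rather than Perl. It also splits the failures into attempts against root versus attempts against login names that do not exist on the box, which is the distinction drawn in the last paragraph. It assumes the standard OpenSSH failure line formats ("Failed password for ..." and FreeBSD's "Failed keyboard-interactive/pam for ...") as they appear in /var/log/messages; the log sample is constructed for the example (addresses are from the RFC 5737 documentation ranges), and the function and variable names are my own.

```python
import re
from collections import Counter

# Constructed sample of syslog lines (not from the author's server). Two
# addresses walk a list of nonexistent usernames, one hammers root, one is a
# legitimate key-based login, and one line is unrelated cron noise.
SAMPLE_LOG = """\
Nov 24 09:12:01 www sshd[5120]: Invalid user admin from 192.0.2.10
Nov 24 09:12:01 www sshd[5120]: Failed password for invalid user admin from 192.0.2.10 port 4433 ssh2
Nov 24 09:12:05 www sshd[5122]: Invalid user oracle from 192.0.2.10
Nov 24 09:12:05 www sshd[5122]: Failed keyboard-interactive/pam for invalid user oracle from 192.0.2.10 port 4440 ssh2
Nov 24 09:13:40 www sshd[5130]: Invalid user test from 198.51.100.7
Nov 24 09:13:40 www sshd[5130]: Failed password for invalid user test from 198.51.100.7 port 2211 ssh2
Nov 24 09:15:02 www sshd[5140]: Failed password for root from 203.0.113.5 port 51022 ssh2
Nov 24 09:15:04 www sshd[5140]: Failed password for root from 203.0.113.5 port 51022 ssh2
Nov 24 09:20:00 www sshd[5150]: Accepted publickey for alice from 192.0.2.200 port 33000 ssh2
Nov 24 09:21:11 www cron[5160]: (root) CMD (/usr/libexec/atrun)
"""

# One authentication failure per "Failed ..." line. The "invalid user" form is
# what a dictionary of login names produces; the bare form means an account
# that exists (root, here) got a wrong password. Only the "Failed" line is
# counted so the preceding "Invalid user" line does not double-count an attempt.
# Line layout assumed from OpenSSH's sshd logging; adjust for other syslogs.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|keyboard-interactive/pam) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize_failures(lines):
    """Per-address and per-username counts of sshd login failures."""
    per_ip = Counter()
    per_user = Counter()
    root_attempts = 0
    unknown_user_attempts = 0
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins, cron, other daemons
        per_ip[m["ip"]] += 1
        per_user[m["user"]] += 1
        if m["user"] == "root":
            root_attempts += 1
        if m["invalid"]:
            unknown_user_attempts += 1
    total = sum(per_ip.values())
    return {
        "unique_addresses": len(per_ip),
        "total_attempts": total,
        "avg_attempts": total / len(per_ip) if per_ip else 0.0,
        "root_attempts": root_attempts,
        "unknown_user_attempts": unknown_user_attempts,
        "per_ip": per_ip,
        "per_user": per_user,
    }


def format_report(when, s):
    """One line in the same shape as the journal's output, plus the root/name split."""
    return (f"{when} {s['unique_addresses']} unique addresses "
            f"{s['avg_attempts']:.2f} average attempts per address "
            f"({s['root_attempts']} against root, "
            f"{s['unknown_user_attempts']} against nonexistent users)")


def top_sources(s, n=5):
    """Addresses with the most failures: the obvious candidates for a firewall table."""
    return s["per_ip"].most_common(n)


if __name__ == "__main__":
    # For the real thing, replace SAMPLE_LOG with open("/var/log/messages").
    summary = summarize_failures(SAMPLE_LOG.splitlines())
    print(format_report("Mon Nov 24 09:34:00 2008", summary))
    for ip, n in top_sources(summary):
        print(f"  {ip:16} {n}")
    print("usernames tried:", dict(summary["per_user"]))
```

On the constructed sample this reports 3 unique addresses and 1.67 attempts per address, with 2 failures against root and 3 against usernames that do not exist. The per-user counter is the piece worth keeping an eye on: a long tail of distinct usernames with one or two tries each is the "dictionary of login names" pattern the journal describes, whereas a tall spike on a single existing account is the classic root-password guessing it contrasts with.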
