Security

damn_registrars's Journal: The end of the distributed hack attempt?

In an earlier journal entry I mentioned a distributed hack attempt that was directed at my home web server. I also mentioned its continuation later. This attack involves anywhere from 100-300 or more unique IP addresses that are trying to access my system using a very long list of names (excluding root).

Well, I think I have finally seen the end of this hack attempt. It has now been over 24 hours and not a single attempt. These attempts were all (attempting to) come in through ssh, and I can still ssh in myself from anywhere in the world. And being as I have not changed any rules on my system, I would say it seems that somehow the plug was pulled from the other end.

The final attempts, for those who are interested:

Dec 30 04:11:49 nfsbox sshd[30952]: error: PAM: authentication error for illegal user sonja from 201.161.28.9
Dec 30 04:19:45 nfsbox sshd[30961]: error: PAM: authentication error for illegal user sonnagh from coloc82-044.singnet.com.sg
Dec 30 04:23:59 nfsbox sshd[30980]: error: PAM: authentication error for illegal user sonnagh from 221.8.255.134
Dec 30 04:27:44 nfsbox sshd[30988]: error: PAM: authentication error for illegal user sonnagh from 217.96.70.66
Dec 30 04:32:00 nfsbox sshd[30997]: error: PAM: authentication error for illegal user sonny from 89-96-172-100.ip13.fastwebnet.it
Dec 30 04:35:52 nfsbox sshd[31018]: error: PAM: authentication error for illegal user sonny from 200.118.119.48
Dec 30 04:39:47 nfsbox sshd[31021]: error: PAM: authentication error for illegal user sonny from coloc82-044.singnet.com.sg
Dec 30 04:43:52 nfsbox sshd[31028]: error: PAM: authentication error for illegal user sonora from 201.249.112.138
Dec 30 04:51:56 nfsbox sshd[31052]: error: PAM: authentication error for illegal user sonora from customer-200-79-25-39.uninet.net.mx
Dec 30 04:55:59 nfsbox sshd[31073]: error: PAM: authentication error for illegal user sonya from 62.61.141.93.generic-hostname.arrownet.dk

Interesting that the last attempted name (sonya) was attempted only once. The general MO of this attempt was to try every name 2 or 3 times.

Also interesting is that when they went through the ro* part of the alphabet, root was excluded entirely this time. I see the entries going directly from ronnie to rory.
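The pattern described in this entry (many sources, each trying a name only two or three times, names walked in alphabetical order, root skipped) is exactly the shape that per-source lockout thresholds miss, because no single address ever crosses them. The following Python script is an added example, not part of the journal or written by its author: it parses the ten sshd/PAM lines quoted above, aggregates attempts per username and per source, and reports whether the batch matches that distributed-sweep fingerprint. The regular expression, the `min_sources` and `max_per_source` thresholds, and the field names are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Pattern for the sshd/PAM failure lines quoted in the journal. The source field
# may be a bare IP or a reverse-resolved hostname, so it is matched as a non-space run.
# (Regex is an assumption for this example; it accepts both "illegal user" and the
# newer "invalid user" wording.)
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: error: PAM: authentication error for "
    r"(?:illegal|invalid) user (?P<user>\S+) from (?P<src>\S+)$"
)

# Sample input: the ten lines quoted in the journal entry above.
SAMPLE_LOG = """\
Dec 30 04:11:49 nfsbox sshd[30952]: error: PAM: authentication error for illegal user sonja from 201.161.28.9
Dec 30 04:19:45 nfsbox sshd[30961]: error: PAM: authentication error for illegal user sonnagh from coloc82-044.singnet.com.sg
Dec 30 04:23:59 nfsbox sshd[30980]: error: PAM: authentication error for illegal user sonnagh from 221.8.255.134
Dec 30 04:27:44 nfsbox sshd[30988]: error: PAM: authentication error for illegal user sonnagh from 217.96.70.66
Dec 30 04:32:00 nfsbox sshd[30997]: error: PAM: authentication error for illegal user sonny from 89-96-172-100.ip13.fastwebnet.it
Dec 30 04:35:52 nfsbox sshd[31018]: error: PAM: authentication error for illegal user sonny from 200.118.119.48
Dec 30 04:39:47 nfsbox sshd[31021]: error: PAM: authentication error for illegal user sonny from coloc82-044.singnet.com.sg
Dec 30 04:43:52 nfsbox sshd[31028]: error: PAM: authentication error for illegal user sonora from 201.249.112.138
Dec 30 04:51:56 nfsbox sshd[31052]: error: PAM: authentication error for illegal user sonora from customer-200-79-25-39.uninet.net.mx
Dec 30 04:55:59 nfsbox sshd[31073]: error: PAM: authentication error for illegal user sonya from 62.61.141.93.generic-hostname.arrownet.dk
"""


def parse_failures(lines):
    """Return one dict per matching sshd failure line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def fingerprint(events, min_sources=3, max_per_source=3):
    """Summarise a batch of failures and decide whether it looks like the
    distributed dictionary sweep described in the journal: many distinct
    sources, each contributing only a handful of attempts, usernames tried
    in alphabetical order. Thresholds are assumptions for this example."""
    users = [e["user"] for e in events]
    per_user = Counter(users)
    per_source = Counter(e["src"] for e in events)
    sources_per_user = defaultdict(set)
    for e in events:
        sources_per_user[e["user"]].add(e["src"])
    # A wordlist walked in order shows up as a non-decreasing username sequence.
    alphabetical = all(a <= b for a, b in zip(users, users[1:]))
    max_from_one_source = max(per_source.values(), default=0)
    distributed = (
        len(per_source) >= min_sources
        and max_from_one_source <= max_per_source
        and alphabetical
    )
    return {
        "attempts": len(events),
        "unique_users": len(per_user),
        "unique_sources": len(per_source),
        "max_attempts_from_one_source": max_from_one_source,
        "attempts_per_user": dict(per_user),
        "sources_per_user": {u: len(s) for u, s in sources_per_user.items()},
        "alphabetical": alphabetical,
        "root_tried": "root" in per_user,
        "distributed_sweep": distributed,
    }


if __name__ == "__main__":
    for key, value in fingerprint(parse_failures(SAMPLE_LOG.splitlines())).items():
        print(f"{key}: {value}")
```

On the quoted lines the script sees nine distinct sources, no source with more than two attempts, five usernames in alphabetical order and no root attempt, so it flags the batch as a distributed sweep. The useful defender's takeaway is the pivot: counting per username (or per username-run) across all sources surfaces the campaign that a per-address counter never will, and the absence of root is a signal in itself rather than a reassurance.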

Comments:
  • Thanks for your continuing details on this attempt.

    Have you written anything about this for the Full Disclosure or Pen Test lists?

    • Have you written anything about this for the Full Disclosure or Pen Test lists?

      I'm not familiar with those lists myself. Years ago I was more involved with computer security as a profession, but I have moved into other fields since and I just deal with this on small scale as needed.

      I can't seem to find it, but there was an article here on slashdot regarding someone else who was subjected to the same type of distributed attack.

  • You said in a post above you used to work in computer security - any old enemies? Sometimes you can't be too paranoid.

    The reason it may have stopped is they succeeded - perhaps another door in?

    Checked the machine for root kits, monitored network traffic and whatever now they have stopped?

    • Well, I won't be arrogant enough to claim that my box is hacker-proof, as I know that no box on the internet truly is.

      However, I can tell you that this technique did not work on my box. The names that were attempted were varied but none existed on this system. They skipped root attempts in this method which was actually a wise choice as I of course have root access disabled with regards to remote ssh.

      There is no current sign of any nefarious traffic originating from my box. I will keep an eye out for
