Re: Have I been hacked?
On Thursday, 8 January 2015, 14:20:27, Jerry Stuckle wrote:
> As for the attacks - I've seen a big uptake in the attacks over the last
> couple of weeks. The worst I've seen is > 100 IPs locked out in one 24
> hour period. They are coming from all over the world, although since
> there are a lot of proxies (many of them from trojans/viruses installed
> on unsuspecting machines), there's no easy way to tell what the real
> origins are.
I don't see much going on, but this one from auth.log is amusing:
Jan 8 04:44:17 mondschein sshd[28806]: Bad protocol version identification
'GET http://s1.bdstatic.com/r/www/cache[…; no spam on this list …] HTTP/1.1'
from 125.64.35.67
Jan 8 04:44:48 mondschein sshd[28808]: Set /proc/self/oom_score_adj to 0
Jan 8 04:44:48 mondschein sshd[28808]: Connection from 125.64.35.67 port 40044
Jan 8 04:44:48 mondschein sshd[28808]: Bad protocol version identification
This one is coming from China:
martin@merkaba:~> geoiplookup 125.64.35.67
GeoIP Country Edition: CN, China
And of course not in DNS properly:
martin@merkaba:~> host 125.64.35.67
Host 67.35.64.125.in-addr.arpa. not found: 3(NXDOMAIN)
From the network of a Chinese telecommunication company:
martin@merkaba:~#1> whois 125.64.35.67
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '125.64.0.0 - 125.71.255.255'
inetnum: 125.64.0.0 - 125.71.255.255
netname: CHINANET-SC
descr: CHINANET Sichuan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CS408-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-SC
mnt-routes: MAINT-CHINANET-SC
status: ALLOCATED PORTABLE
[…]
Ah, nice:
remarks: send abuse reports to scip[…]
But whether it's worth the time? I am not sure whether this is really an
attack; it could be some quite confused software application. They are doing
this repeatedly.
Just as an example of how you can try to have someone go after the attacker.
I have SSH running on a different port, and it still seems that most attackers
do not bother with port scans. And no, I don't rely on it for security. But
for now, it still keeps my logs clean.
Ah, and I have some attempts to login into Dovecot:
mondschein:~> egrep -v "(postfix|lda|martin|some|more|known|usernames)" /var/log/mail.log
[…]
Jan 7 10:18:29 mondschein dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=[…]
Jan 7 22:06:49 mondschein dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=[…]
Jan 8 09:56:19 mondschein dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=[…]
Jan 8 21:43:45 mondschein dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=[…]
Okay, this one is from Poland.
martin@merkaba:~> host 185.49.12.120
120.12.49.185.in-addr.arpa domain name pointer 185a49b12c120.greendata.pl.
martin@merkaba:~> geoiplookup 185.49.12.120
GeoIP Country Edition: PL, Poland
martin@merkaba:~> whois 185.49.12.120
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '185.49.12.0 - 185.49.12.255'
% Abuse contact for '185.49.12.0 - 185.49.12.255' is '[…]
inetnum: 185.49.12.0 - 185.49.12.255
netname: WITRYNA-PL-NET-1
descr: Hosting services
remarks: INFRA-AW
geoloc: 52.40831540563876 16.934303481487177
country: PL
admin-c: WRAD1-RIPE
[…]
abuse-mailbox: abuse@[…]
Now I would also need to check the Apache logs for a complete picture, and
that one is the one with the highest likelihood of a successful attack, as
I have some PHP stuff installed.
> Just ensure you're using good security practices - don't allow root
> login, use long, random passwords, etc. I also use random character
> strings for the login ids, as well as passwords - just one more thing
> for the hackers to have to figure out how to get around.
Only allow SSH key based logins. Of course, only after you copied a public key
onto the machine with ssh-copy-id.
And have SSH keys with *strong* passphrases, to protect against someone
stealing your key. Use ssh-agent wisely only on trusted machines.
Ciao,
--
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA B82F 991B EAAC A599 84C7
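One way to pull a per-source picture out of sshd and Dovecot log lines like the ones quoted above, as an added example that is not part of the original mail. The log lines are constructed to mirror the page's formats (with illustrative hostnames and documentation-range IPs), and the two extra patterns for sshd "Invalid user" and Dovecot "Aborted login (auth failed" lines are assumed formats that go beyond the two message types shown in the mail.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the auth.log / mail.log excerpts in the
# mail; hostnames, IPs and times are illustrative, not the original data.
SAMPLE_LOG = """\
Jan 8 04:44:17 host sshd[28806]: Bad protocol version identification 'GET http://example.invalid/ HTTP/1.1' from 198.51.100.7
Jan 8 04:44:48 host sshd[28808]: Connection from 198.51.100.7 port 40044
Jan 8 04:44:48 host sshd[28808]: Bad protocol version identification '\\x16\\x03\\x01' from 198.51.100.7
Jan 8 05:01:02 host sshd[28900]: Invalid user admin from 203.0.113.9
Jan 7 10:18:29 host dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=192.0.2.44, lip=10.0.0.1
Jan 8 09:56:19 host dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=192.0.2.44, lip=10.0.0.1
Jan 8 21:43:45 host dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob>, rip=192.0.2.44, lip=10.0.0.1
"""

# Each pattern yields (event label, source IP). The first two sshd and the
# first Dovecot pattern match the message types quoted in the mail; the
# "Invalid user" and "Aborted login" ones are assumed additional formats.
PATTERNS = [
    ("ssh-bad-proto", re.compile(r"sshd\[\d+\]: Bad protocol version identification .* from (\S+)$")),
    ("ssh-invalid-user", re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)$")),
    ("dovecot-plaintext", re.compile(r"dovecot: \S+-login: Disconnected \(tried to use disallowed plaintext auth\).*rip=([^,\s]+)")),
    ("dovecot-auth-failed", re.compile(r"dovecot: \S+-login: Aborted login \(auth failed.*rip=([^,\s]+)")),
]

def summarize(log_text):
    """Return {source_ip: Counter({event_label: count})} over matching lines."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        for label, rx in PATTERNS:
            m = rx.search(line)
            if m:
                per_ip[m.group(1)][label] += 1
                break  # one event per line
    return per_ip

def noisy_sources(per_ip, threshold=2):
    """Source IPs with at least `threshold` matching events, busiest first;
    these are the ones worth a whois/abuse-contact lookup."""
    totals = {ip: sum(c.values()) for ip, c in per_ip.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in noisy_sources(summary):
        print(ip, dict(summary[ip]))
```

Feed it the real files with `summarize(open("/var/log/auth.log").read())`; the "Connection from" lines are deliberately ignored, since only the failed or malformed attempts say anything about the source.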