[Intrusions] SSH brute forcers
Michael Bernstein
mb_jobs at yahoo.com
Thu Jun 2 23:48:09 GMT 2005
Donald is the man!
Mike Bernstein
GCIA 717 (GOLD)
--- "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> Thanks!
>
> donald.smith at qwest.com giac
>
> > -----Original Message-----
> > From: intrusions-bounces at lists.sans.org
> > [mailto:intrusions-bounces at lists.sans.org] On
> Behalf Of C.J. Steele
> > Sent: Wednesday, June 01, 2005 5:47 PM
> > To: Intrusions List (GCIA Practicals)
> > Subject: Re: [Intrusions] SSH brute forcers
> >
> >
> > I did make one small change to the script to include the offending IP
> > address in the subject of the e-mail, whereupon in the sshbfmsg file I
> > direct the recipient of the e-mail to follow up based on the IP address
> > of the 'attacker'.
> >
> > Anywho, I'll probably make a few more additions to the script this
> > evening (incorporating Donald's suggestion(s)) and I'll re-post it to
> > the list.
> >
> > Ciao,
> > -C
> >
> > --- Joel Esler <eslerj at gmail.com> wrote:
> >
> > > Also.. what's your sshbfmsg say?
> > >
> > > J
> > >
> > >
> > > On Jun 1, 2005, at 3:26 PM, Smith, Donald wrote:
> > >
> > > > CJ good work.
> > > > I would add a specific PATH statement to prevent tainting and maybe
> > > > some vars for the log location.
> > > >
> > > >
> > > > donald.smith at qwest.com giac
> > > >
> > > >> -----Original Message-----
> > > >> From: intrusions-bounces at lists.sans.org
> > > >> [mailto:intrusions-bounces at lists.sans.org] On
> Behalf Of C.J.
> > > Steele
> > > >> Sent: Tuesday, May 31, 2005 8:24 PM
> > > >> To: Intrusions List (GCIA Practicals)
> > > >> Subject: RE: [Intrusions] SSH brute forcers
> > > >>
> > > >>
> > > >> Spot-on Donald! Inspired by your admonishment, I've hacked together a
> > > >> quick shell script to automatically do this for me... see below. If
> > > >> anyone has any questions, do feel free to e-mail me.
> > > >>
> > > >> Please bear in mind that this isn't going to be comprehensive, but it
> > > >> is a fair start. If anyone would like to collaborate on a more
> > > >> comprehensive solution, again, do feel free to e-mail me.
> > > >>
> > > >> Cheers!
> > > >> -C
> > > >>
> > > >>
> > > >> #!/bin/sh
> > > >> # rptbdgys by C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> > > >> #
> > > >> # this quick script goes through /var/log/messages and pulls out hosts
> > > >> # that have been trying to brute-force attack my box and automatically
> > > >> # e-mails the persons responsible for their whois zones.
> > > >> #
> > > >> # your mileage may vary, depending on your log configuration and
> > > >> # execution environment...make sure you have standard tools like grep,
> > > >> # awk, sed, whois, and mail in the $PATH of whatever is executing this.
> > > >> #
> > > >> # NOTE: populate /tmp/sshbfmsg with whatever nasty-gram you want to
> > > >> # send to the responsible parties...
> > > >> #
> > > > # I would add a path statement to address trojaned path/binaries local
> > > > # exploit issues
> > > > # perhaps a few variables for things like log directory
> > > > # (LOGFILE rather than LOGNAME: LOGNAME is the login-name variable that
> > > > # mail and other tools read from the environment, so it must not be reused)
> > > > LOGDIR=/var/log
> > > > LOGFILE=messages
> > > > PATH=/sbin:/bin:/usr/sbin:/usr/bin
> > > > export PATH
> > > >> # pull the rhost= value out of every sshd line that carries one
> > > >> offenders=`grep sshd "$LOGDIR/$LOGFILE" | grep rhost | awk '{print $13}' \
> > > >>     | sed -e 's/rhost=//' | sort | uniq`
> > > >>
> > > >> for host in $offenders; do
> > > >>
> > > >>     # rhost may already be an address; only resolve it when it is a name,
> > > >>     # and only accept a "has address" answer (not an NXDOMAIN message)
> > > >>     case "$host" in
> > > >>         *[!0-9.]*) offip=`host "$host" | awk '/has address/ {print $4; exit}'` ;;
> > > >>         *)         offip="$host" ;;
> > > >>     esac
> > > >>     if [ "$offip" != "" ]; then
> > > >>         emails=`whois "$offip" | grep "e-mail" | awk '{print $2}'`
> > > >>         if [ "$emails" != "" ]; then
> > > >>             for email in $emails; do
> > > >>                 mail -s "sshd brute-force attack" "$email" < /tmp/sshbfmsg
> > > >>             done
> > > >>         else
> > > >>             # the else branch used to sit inside the for loop, which never
> > > >>             # runs on an empty list; test the list itself instead
> > > >>             echo "no e-mail available for $offip ($host)"
> > > >>         fi
> > > >>     else
> > > >>         echo "no dns for $host"
> > > >>     fi
> > > >>
> > > >> done
> > > >>
> > > >>
> > > >>
> > > >> --- "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> > > >>> I must echo Scott's question and make a comment.
> > > >>> How many of the bruteforce ssh IPs do you report to the ISPs?
> > > >>>
> > > >>> My comment is we as a community are FAILING!
> > > >>> Every bruteforce password guessing sshd attempt I have tracked/seen
> > > >>> went to a host that was compromised via bruteforce password guessing.
> > > >>> I think this continues to grow because we don't report them soon
> > > >>> enough. If you get a host attempting brute force sshd you should
> > > >>> report it asap. It is not spoofed. If we report enough of them
> > > >>> eventually we should run into the first hop system. From that system
> > > >>> the actual hacker could be traced.
> > > >>>
> > > >>> We as a community should be able to quickly report and respond to
> > > >>> these; if we did we would be winning rather than losing this battle.
> > > >>>
> > > >>> I know there are lots of ways to automatically turn these away with
> > > >>> syslog to ipfilters and other similar "ips" like tools. Perhaps a
> > > >>> good autoreporting tool could assist us in this effort.
> > > >>>
> > > >>>
> > > >>> donald.smith at qwest.com giac
> > > >>>
>
=== message truncated ===
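Editor's added example, not C.J. Steele's script and not anything posted to the list: the log-parsing half of the procedure discussed in the thread (find the rhost= values on sshd failure lines, count them per source, decide which ones are worth a report) written so that it does not depend on rhost= being the 13th field of the line, with Donald's explicit PATH applied. The log lines are constructed for this example using documentation address ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and are not from a real system; the function names offenders, report_sources and is_ipv4 are this example's own. The whois and mail steps are left out because they need network access; the check at the end only says whether each source still needs a forward lookup before whois.

```shell
#!/bin/sh
# Added example, not the script posted on the list: pull brute-force sources
# out of sshd log lines and rank them by failure count, with the two hardening
# points raised in the thread applied (explicit PATH, no fixed field numbers).
# The log lines below are constructed for this example, using documentation
# address ranges; they are not from a real system.

PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

# Constructed sample of /var/log/messages: two failures from one address, one
# from a name, one sshd line without rhost=, one success and one unrelated line.
SAMPLE_LOG="$(cat <<'EOF'
Jun  1 15:20:01 box sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Jun  1 15:20:02 box sshd[1234]: Failed password for root from 203.0.113.7 port 4455 ssh2
Jun  1 15:20:05 box sshd[1235]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=admin
Jun  1 15:21:10 box sshd[1240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net user=test
Jun  1 15:21:11 box sshd[1240]: Invalid user test from 198.51.100.9
Jun  1 15:22:00 box sshd[1241]: Accepted publickey for mike from 192.0.2.10 port 5000 ssh2
Jun  1 15:22:30 box cron[99]: (root) CMD (run-parts /etc/cron.hourly)
EOF
)"

# offenders: read syslog lines on stdin, print "count rhost" for every rhost=
# value found on an sshd line, most frequent first.  Matching "rhost=" with
# sed instead of awk '{print $13}' keeps working when the number of fields in
# the line changes (different syslog daemon, tty= present or not, and so on).
# An empty "rhost= " (a local PAM failure) is skipped by requiring at least
# one non-space character after the equals sign.
offenders() {
    grep 'sshd\[' \
    | sed -n 's/.*rhost=\([^ ][^ ]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# report_sources N: print only the sources with at least N failures, so a
# single mistyped password does not turn into an abuse report.
report_sources() {
    offenders | awk -v t="$1" '$1 >= t {print $2}'
}

# is_ipv4: succeed when $1 is a dotted-quad literal.  PAM usually records
# rhost as an address, and "host <address>" prints a PTR line rather than a
# "has address" line, so only names should be sent through a forward lookup.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Stand-alone run: list every source with two or more failures and say
# whether it still needs a forward lookup before the whois step.
printf '%s\n' "$SAMPLE_LOG" | report_sources 2 | while read -r src; do
    if is_ipv4 "$src"; then
        echo "$src: address, ready for whois"
    else
        echo "$src: name, resolve before whois"
    fi
done
```

Two practical notes. The threshold matters because a list of every rhost= value, as in the original script, also e-mails the ISP of anyone who fat-fingered a password once. And whatever replaces /tmp/sshbfmsg as the message body should live in a directory only the account running the script can write to: a fixed file name in a world-writable /tmp can be replaced by any other local user, and the script then mails their text under your name to every abuse contact it finds.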