[Intrusions] SSH brute forcers
Smith, Donald
Donald.Smith at qwest.com
Fri Jun 3 17:00:39 GMT 2005
Thanks, but CJ did all the work. I just made a suggestion or two.
CJ your perl script looks good to me but I am not a perl expert.
I am passing it around to some friends.
Some of them have much better perl abilities than I, so you may receive a
few comments from them.
Thanks for the tool.
donald.smith at qwest.com giac
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of
> Michael Bernstein
> Sent: Thursday, June 02, 2005 5:48 PM
> To: Intrusions List (GCIA Practicals)
> Subject: RE: [Intrusions] SSH brute forcers
>
>
> Donald is the man!
>
> Mike Bernstein
> GCIA 717 (GOLD)
>
> --- "Smith, Donald" <Donald.Smith at qwest.com> wrote:
>
> > Thanks!
> >
> > donald.smith at qwest.com giac
> >
> > > -----Original Message-----
> > > From: intrusions-bounces at lists.sans.org
> > > [mailto:intrusions-bounces at lists.sans.org] On
> > Behalf Of C.J. Steele
> > > Sent: Wednesday, June 01, 2005 5:47 PM
> > > To: Intrusions List (GCIA Practicals)
> > > Subject: Re: [Intrusions] SSH brute forcers
> > >
> > >
> > > I did make one small change to the script to include the offending IP
> > > address in the subject of the e-mail whereupon in the sshbfmsg file I
> > > direct the recipient of the e-mail to follow-up based on the ip address
> > > of the 'attacker'.
> > >
> > > Anywho, I'll probably make a few more additions to the script this
> > > evening (incorporating Donald's suggestion(s)) and I'll re-post it to
> > > the list.
> > >
> > > Ciao,
> > > -C
> > >
> > > --- Joel Esler <eslerj at gmail.com> wrote:
> > >
> > > > Also.. whats ur sshbfmsg say?
> > > >
> > > > J
> > > >
> > > >
> > > > On Jun 1, 2005, at 3:26 PM, Smith, Donald wrote:
> > > >
> > > > > CJ good work.
> > > > > I would add a specific PATH statement to prevent tainting and maybe
> > > > > some vars for the log location.
> > > > >
> > > > >
> > > > > donald.smith at qwest.com giac
> > > > >
> > > > >> -----Original Message-----
> > > > >> From: intrusions-bounces at lists.sans.org
> > > > >> [mailto:intrusions-bounces at lists.sans.org] On
> > Behalf Of C.J.
> > > > Steele
> > > > >> Sent: Tuesday, May 31, 2005 8:24 PM
> > > > >> To: Intrusions List (GCIA Practicals)
> > > > >> Subject: RE: [Intrusions] SSH brute forcers
> > > > >>
> > > > >>
> > > > >> Spot-on Donald! Inspired by your admonishment, I've hacked together a
> > > > >> quick shell script to automatically do this for me... see below. If
> > > > >> anyone has any questions, do feel free to e-mail me.
> > > > >>
> > > > >> Please bear in mind that this isn't going to be comprehensive, but it
> > > > >> is a fair start. If anyone would like to collaborate on a more
> > > > >> comprehensive solution, again, do feel free to e-mail me.
> > > > >>
> > > > >> Cheers!
> > > > >> -C
> > > > >>
> > > > >>
> > > > >> #!/bin/sh
> > > > >> # rptbdgys by C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> > > > >> #
> > > > >> # this quick script goes through /var/log/messages and pulls out hosts
> > > > >> # that have been trying to brute-force attack my box and automatically
> > > > >> # e-mails the persons responsible for their whois zones.
> > > > >> #
> > > > >> # your mileage may vary, depending on your log configuration and
> > > > >> # execution environment...make sure you have standard tools like grep,
> > > > >> # awk, sed, whois, and mail in the $PATH of whatever is executing this.
> > > > >> #
> > > > >> # NOTE: populate /tmp/sshbfmsg with whatever nasty-gram you want to
> > > > >> # send to the responsible parties...
> > > > >> #
> > > > > # I would add a path statement to address trojaned path/binaries local
> > > > > # exploit issues
> > > > > # perhaps a few variables for things like log directory
> > > > > LOGDIR=/var/log
> > > > > LOGNAME=messages
> > > > > PATH=/sbin:/bin:/usr/sbin:/usr/bin
> > > > >> # field 13 of the pam_unix "authentication failure" record is rhost=...
> > > > >> offenders=`grep sshd $LOGDIR/$LOGNAME | grep rhost | awk '{print $13}' | sed -e 's/rhost=//' | sort | uniq`
> > > > >>
> > > > >> for host in $offenders; do
> > > > >>
> > > > >>     # rhost is usually already an IP; only resolve it when it is a name,
> > > > >>     # otherwise `host` does a reverse lookup and $4 is not an address
> > > > >>     case $host in
> > > > >>         *[!0-9.]*) offip=`host $host | awk '{print $4}'` ;;
> > > > >>         *)         offip=$host ;;
> > > > >>     esac
> > > > >>     if [ "$offip" != "" ]; then
> > > > >>         for email in `whois $offip | grep "e-mail" | awk '{print $2}'`; do
> > > > >>             if [ "$email" != "" ]; then
> > > > >>                 mail -s "sshd brute-force attack" "$email" < /tmp/sshbfmsg
> > > > >>             else
> > > > >>                 echo "no e-mail available for $offip ($host)"
> > > > >>             fi
> > > > >>         done
> > > > >>     else
> > > > >>         echo "no dns for $host"
> > > > >>     fi
> > > > >>
> > > > >> done
> > > > >>
> > > > >>
> > > > >>
> > > > >> --- "Smith, Donald" <Donald.Smith at qwest.com>
> > wrote:
> > > > >>> I must echo Scott's question and make a comment.
> > > > >>> How many of the bruteforce ssh IPs do you report to the ISPs?
> > > > >>>
> > > > >>> My comment is we as a community are FAILING!
> > > > >>> Every bruteforce password guessing sshd attempt I have tracked/seen went
> > > > >>> to a host that was compromised via bruteforce password guessing. I think
> > > > >>> this continues to grow because we don't report them soon enough. If you
> > > > >>> get a host attempting brute force sshd you should report it asap. It is
> > > > >>> not spoofed. If we report enough of them eventually we should run into
> > > > >>> the first hop system. From that system the actual hacker could be traced.
> > > > >>>
> > > > >>> We as a community should be able to quickly report and respond to these;
> > > > >>> if we did we would be winning rather than losing this battle.
> > > > >>>
> > > > >>> I know there are lots of ways to automatically turn these away with
> > > > >>> syslog to ipfilters and other similar "ips" like tools. Perhaps a good
> > > > >>> autoreporting tool could assist us in this effort.
> > > > >>>
> > > > >>>
> > > > >>> donald.smith at qwest.com giac
> > > > >>>
> >
> === message truncated ===
>
>
>
>
> __________________________________
> Discover Yahoo!
> Find restaurants, movies, travel and more fun for the
> weekend. Check it out!
> http://discover.yahoo.com/weekend.html
>
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
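Editor's note on the script above: it takes the 13th whitespace field of every sshd line containing "rhost", which is correct for the pam_unix "authentication failure" record but breaks on OpenSSH's own "Failed password for ... from A.B.C.D port N" lines, and one stray typo from a colleague is enough to fire off an abuse report. The following is an added example (my code, not C.J.'s or Donald's) of the log-parsing and evidence-gathering half of such a tool, written so it runs offline: it pins PATH first as Donald suggests, pulls the source out of both record formats by pattern rather than field number, applies a per-source threshold, and assembles the verbatim log excerpts an abuse desk will ask for. The /var/log/messages lines are constructed, the hosts and addresses are hypothetical, and the whois and mail steps are left to the thread's script. The log variable is named LOGFILE rather than LOGNAME because LOGNAME is the POSIX login-name environment variable, which other tools consult.

```shell
#!/bin/sh
# Added example: report-ready parsing of sshd brute-force attempts.
# Not the script from the thread; the sample log lines below are constructed.

# Pin PATH before anything else runs, so a writable directory in the caller's
# environment cannot substitute a trojaned grep, awk, sed, sort or mail.
PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH

LOGDIR=${LOGDIR:-/var/log}
LOGFILE=${LOGFILE:-messages}      # not LOGNAME: that is the login-name variable
THRESHOLD=${THRESHOLD:-3}         # attempts from one source before we report it

# Constructed sample of /var/log/messages lines (hypothetical hosts and
# addresses): pam_unix "authentication failure ... rhost=" records, OpenSSH's
# own "Failed password ... from X port N" records, and noise to be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Jun  1 14:02:11 myhost sshd(pam_unix)[12345]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root
Jun  1 14:02:13 myhost sshd(pam_unix)[12346]: check pass; user unknown
Jun  1 14:02:13 myhost sshd(pam_unix)[12346]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10
Jun  1 14:02:15 myhost sshd[12347]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2
Jun  1 14:03:40 myhost sshd[12350]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jun  1 14:05:02 myhost sshd(pam_unix)[12360]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=badhost.example.net  user=test
Jun  1 14:06:00 myhost sshd[12370]: Accepted publickey for alice from 203.0.113.5 port 2222 ssh2
Jun  1 14:06:30 myhost cron[12380]: (root) CMD (run-parts /etc/cron.hourly)
EOF
)

# Read a log on stdin and emit "source<TAB>original line" for every failed
# sshd authentication. The source is cut out by pattern, not by field number,
# so both record formats work and lines without a remote source are dropped.
tag_sources() {
    awk '
        /sshd.*authentication failure;.*rhost=/ {
            if (match($0, /rhost=[^ ]+/))
                print substr($0, RSTART + 6, RLENGTH - 6) "\t" $0
            next
        }
        /sshd.*Failed password for .* from [^ ]+ port / {
            if (match($0, / from [^ ]+ port /))
                print substr($0, RSTART + 6, RLENGTH - 12) "\t" $0
        }
    '
}

# offenders LOGFILE [THRESHOLD]: "count source" per line, busiest first,
# keeping only sources at or above the threshold.
offenders() {
    tag_sources < "$1" | cut -f1 | sort | uniq -c | sort -rn |
        awk -v t="${2:-$THRESHOLD}" '$1 >= t + 0 { print $1, $2 }'
}

# evidence LOGFILE SOURCE: the verbatim log lines attributable to SOURCE.
evidence() {
    tag_sources < "$1" | awk -F'\t' -v s="$2" '$1 == s { print $2 }'
}

# report LOGFILE SOURCE: the text of an abuse report, written to stdout so it
# can be piped to whatever mailer the site uses, e.g.
#   report /var/log/messages 192.0.2.10 | mail -s "sshd brute force from 192.0.2.10" abuse@example.net
report() {
    n=$(evidence "$1" "$2" | wc -l | tr -d ' ')
    printf 'The host %s made %s failed SSH login attempts against this system\n' "$2" "$n"
    printf 'and is most likely itself compromised. Log excerpts (syslog, server\n'
    printf 'local time) follow.\n\n'
    evidence "$1" "$2"
}

# Demo on the constructed sample; against the real log use
#   offenders "$LOGDIR/$LOGFILE"
tmp=$(mktemp) || exit 1
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "== sources with >= 2 attempts =="
offenders "$tmp" 2
echo
echo "== report for the busiest source =="
report "$tmp" "$(offenders "$tmp" 2 | head -n 1 | cut -d' ' -f2)"
rm -f "$tmp"
```

On the sample, 192.0.2.10 is counted three times (two pam_unix records plus one OpenSSH record) while the "check pass; user unknown", "Accepted publickey" and cron lines contribute nothing, which is the behaviour a field-number grep cannot give you across both formats. The threshold is deliberately a variable: set it to whatever number of attempts your own users never reach, and let the report carry the excerpts so the remote admin can match them against their own logs.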