[Intrusions] SSH brute forcers
C.J. Steele, CISSP
coreyjsteele at yahoo.com
Fri Jun 3 19:34:21 GMT 2005
Thanks! I'm just itching my own scratch here. ;-)
Kelly Hamlin pointed out one bug in which an e-mail address of "@" was
returned... I believe I've fixed that bug. The updated version is
available from http://sodaphish.com/files/tattle
If anyone finds this thing useful, I'd love to hear about it (off-list
unless you really want to inflate me.) Also, if anyone has any ideas
for enhancements or finds any bugs, let me know.
Ciao,
-C
--- "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> Thanks, but CJ did all the work. I just made a suggestion or two.
>
> CJ your perl script looks good to me but I am not a perl expert.
> I am passing it around to some friends.
> Some of them have much better perl abilities than I so you may receive a
> few comments from them.
> Thanks for the tool.
>
> donald.smith at qwest.com giac
>
> > -----Original Message-----
> > From: intrusions-bounces at lists.sans.org
> > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of
> > Michael Bernstein
> > Sent: Thursday, June 02, 2005 5:48 PM
> > To: Intrusions List (GCIA Practicals)
> > Subject: RE: [Intrusions] SSH brute forcers
> >
> >
> > Donald is the man!
> >
> > Mike Bernstein
> > GCIA 717 (GOLD)
> >
> > --- "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> >
> > > Thanks!
> > >
> > > donald.smith at qwest.com giac
> > >
> > > > -----Original Message-----
> > > > From: intrusions-bounces at lists.sans.org
> > > > [mailto:intrusions-bounces at lists.sans.org] On
> > > Behalf Of C.J. Steele
> > > > Sent: Wednesday, June 01, 2005 5:47 PM
> > > > To: Intrusions List (GCIA Practicals)
> > > > Subject: Re: [Intrusions] SSH brute forcers
> > > >
> > > >
> > > > I did make one small change to the script to include the offending IP
> > > > address in the subject of the e-mail whereupon in the sshbfmsg file I
> > > > direct the recipient of the e-mail to follow up based on the IP address
> > > > of the 'attacker'.
> > > >
> > > > Anywho, I'll probably make a few more additions to the script this
> > > > evening (incorporating Donald's suggestion(s)) and I'll re-post it to
> > > > the list.
> > > >
> > > > Ciao,
> > > > -C
> > > >
> > > > --- Joel Esler <eslerj at gmail.com> wrote:
> > > >
> > > > > > Also.. what's ur sshbfmsg say?
> > > > >
> > > > > J
> > > > >
> > > > >
> > > > > On Jun 1, 2005, at 3:26 PM, Smith, Donald wrote:
> > > > >
> > > > > > CJ good work.
> > > > > > I would add a specific PATH statement to prevent tainting and maybe
> > > > > > some vars for the log location.
> > > > > >
> > > > > >
> > > > > > donald.smith at qwest.com giac
> > > > > >
> > > > > >> -----Original Message-----
> > > > > >> From: intrusions-bounces at lists.sans.org
> > > > > >> [mailto:intrusions-bounces at lists.sans.org] On
> > > Behalf Of C.J.
> > > > > Steele
> > > > > >> Sent: Tuesday, May 31, 2005 8:24 PM
> > > > > >> To: Intrusions List (GCIA Practicals)
> > > > > >> Subject: RE: [Intrusions] SSH brute forcers
> > > > > >>
> > > > > >>
> > > > > >> Spot-on Donald! Inspired by your admonishment, I've hacked together a
> > > > > >> quick shell script to automatically do this for me... see below. If
> > > > > >> anyone has any questions, do feel free to e-mail me.
> > > > > >>
> > > > > >> Please bear in mind that this isn't going to be comprehensive, but it
> > > > > >> is a fair start. If anyone would like to collaborate on a more
> > > > > >> comprehensive solution, again, do feel free to e-mail me.
> > > > > >>
> > > > > >> Cheers!
> > > > > >> -C
> > > > > >>
> > > > > >>
> > > > > >> #!/bin/sh
> > > > > >> # rptbdgys by C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> > > > > >> #
> > > > > >> # this quick script goes through /var/log/messages and pulls out hosts
> > > > > >> # that have been trying to brute-force attack my box and automatically
> > > > > >> # e-mails the persons responsible for their whois zones.
> > > > > >> #
> > > > > >> # your mileage may vary, depending on your log configuration and
> > > > > >> # execution environment...make sure you have standard tools like grep,
> > > > > >> # awk, sed, whois, and mail in the $PATH of whatever is executing this.
> > > > > >> #
> > > > > >> # NOTE: populate /tmp/sshbfmsg with whatever nasty-gram you want to
> > > > > >> # send to the responsible parties...
> > > > > >> #
> > > > > > # I would add a path statement to address trojaned path/binaries local
> > > > > > # exploit issues
> > > > > > # perhaps a few variables for things like log directory
> > > > > > LOGDIR=/var/log
> > > > > > LOGNAME=messages
> > > > > > PATH=/sbin:/bin:/usr/sbin:/usr/bin
> > > > > >> # one rhost per line, de-duplicated; field 13 is where rhost= sits in my log
> > > > > >> offenders=`grep sshd $LOGDIR/$LOGNAME | grep rhost | awk '{print $13}' | sed -e 's/rhost=//' | sort | uniq`
> > > > > >>
> > > > > >> for host in $offenders; do
> > > > > >>
> > > > > >>     offip=`host $host | awk '{print $4}'`
> > > > > >>     if [ "$offip" != "" ]; then
> > > > > >>         for email in `whois $offip | grep "e-mail" | awk '{print $2}'`; do
> > > > > >>             if [ "$email" != "" ]; then
> > > > > >>                 mail -s "sshd brute-force attack" $email < /tmp/sshbfmsg
> > > > > >>             else
> > > > > >>                 echo "no e-mail available for $offip ($host)"
> > > > > >>             fi
> > > > > >>         done
> > > > > >>     else
> > > > > >>         echo "no dns for $host"
> > > > > >>     fi
> > > > > >>
> > > > > >> done
> > > > > >>
> > > > > >> --- "Smith, Donald" <Donald.Smith at qwest.com>
> > > wrote:
> > > > > >>> I must echo Scott's question and make a comment.
> > > > > >>> How many of the bruteforce ssh IPs do you report to the ISPs?
> > > > > >>>
> > > > > >>> My comment is we as a community are FAILING!
> > > > > >>> Every bruteforce password guessing sshd attempt I have tracked/seen
> > > > > >>> went to a host that was compromised via bruteforce password guessing.
> > > > > >>> I think this continues to grow because we don't report them soon
> > > > > >>> enough. If you get a host attempting brute force sshd you should
> > > > > >>> report it asap. It is not spoofed. If we report enough of them
> > > > > >>> eventually we should run into the first hop system. From that system
> > > > > >>> the actual hacker could be traced.
> > > > > >>>
> > > > > >>> We as a community should be able to quickly report and respond to
> > > > > >>> these; if we did we would be winning rather than losing this battle.
> > > > > >>>
> > > > > >>> I know there are lots of ways to automatically turn these away with
> > > > > >>> syslog to ipfilters and other similar "ips" like tools. Perhaps a
> > > > > >>> good autoreporting tool could assist us in this effort.
> > > > > >>>
> > > > > >>>
> > > > > >>> donald.smith at qwest.com giac
> > > > > >>>
> > >
> > === message truncated ===
> >
> >
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
> >
>
>
--
C.J. Steele, CISSP <coreyjsteele at yahoo.com>
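An added example, not the thread's rptbdgys script, showing the two extraction steps that script performs (finding repeat brute-force sources in the log, and pulling abuse contacts out of whois output) written so they neither depend on a fixed awk field position nor return junk such as the bare "@" mentioned above. It assumes the Linux PAM "authentication failure ... rhost=" log format and uses constructed log and whois samples so it runs offline.

```shell
#!/bin/sh
# Added example (not the thread's rptbdgys script): the same two steps,
# extraction of brute-force sources and of abuse contacts, done so they do
# not depend on a fixed awk field or return junk such as a bare "@".
PATH=/sbin:/bin:/usr/sbin:/usr/bin   # fixed PATH, per Donald's suggestion
export PATH

# Constructed sample syslog lines in the Linux PAM format (not real data).
# Field counts differ between lines, which is why "awk '{print $13}'" breaks.
SAMPLE_LOG='Jun  1 20:10:01 box sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Jun  1 20:10:03 box sshd[1202]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
Jun  1 20:10:04 box sshd[1203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Jun  1 20:11:30 box sshd[1210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=test
Jun  1 20:12:00 box cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
Jun  1 20:12:11 box sshd[1211]: Accepted publickey for cj from 192.0.2.5 port 50022 ssh2'

# Constructed whois output, including the "@"-only line Kelly Hamlin hit.
SAMPLE_WHOIS='inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.net
e-mail:         @
e-mail:         noc@example.net
person:         Example Admin'

# offenders THRESHOLD < log: prints "count source" for each rhost with at
# least THRESHOLD failed authentications. The rhost value is taken by its
# label, wherever it sits on the line; a single failed login is not reported.
offenders() {
    threshold=${1:-3}
    grep 'sshd\[' | grep 'authentication failure' |
        sed -n 's/.*rhost=\([^ ]*\).*/\1/p' |
        sort | uniq -c |
        awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# contacts < whois_output: prints the distinct e-mail addresses found on
# contact lines, dropping anything that is not a plausible address.
contacts() {
    grep -iE 'e-mail|abuse-mailbox|orgabuseemail' |
        awk '{ print $NF }' |
        grep -E '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$' |
        sort -u
}

# Demonstration on the embedded samples; no network access is needed.
printf '%s\n' "$SAMPLE_LOG" | offenders 3      # 3 203.0.113.7
printf '%s\n' "$SAMPLE_WHOIS" | contacts       # abuse@example.net, noc@example.net
```

Feed `offenders` with the real log and `contacts` with `whois` output for each source, and only then hand the addresses to `mail`; the threshold keeps one mistyped password from generating a complaint.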