Full Version: Brute Force Detection
The Planet Forums > General > The Lounge
nsusa
I am so glad I decided to install BFD right from the start. It kicked in for the first time just a few days ago and apparently did a great job.

Chris

QUOTE
The remote system test was found to have exceeded acceptable login failures on myservername.com. As such the attacking host has been banned from further accessing this system; for the integrity of your host you should investigate this event as soon as possible.

The following are event logs for exceeded login failures from test (all time stamps are GMT -0500):
----
- Executed actions:
test was found inside a defined exclude file, or host has already been banned.

- Log events from /var/log/secure:
Jul 18 13:22:59 myservername sshd[18827]: Illegal user test from 130.120.81.14
Jul 18 13:23:02 myservername sshd[18827]: Failed password for illegal user test from 130.120.81.14 port 54450 ssh2
Jul 18 13:23:27 myservername sshd[18858]: Illegal user test from 130.120.81.14
Jul 18 13:23:29 myservername sshd[18858]: Failed password for illegal user test from 130.120.81.14 port 55264 ssh2
Jul 22 19:32:04 myservername sshd[24205]: Illegal user test from 203.255.254.206
Jul 22 19:32:04 myservername sshd[24206]: Illegal user test from 203.255.254.206
Jul 22 19:32:06 myservername sshd[24205]: Failed password for illegal user test from 203.255.254.206 port 1437 ssh2
Jul 22 19:32:07 myservername sshd[24206]: Failed password for illegal user test from 203.255.254.206 port 1438 ssh2
Jul 24 06:20:44 myservername sshd[22976]: Illegal user test from 64.8.171.6
Jul 24 06:20:44 myservername sshd[22977]: Illegal user test from 64.8.171.6
Jul 24 06:20:44 myservername sshd[22980]: Illegal user test from 64.8.171.6
Jul 24 06:20:46 myservername sshd[22976]: Failed password for illegal user test from 64.8.171.6 port 33544 ssh2
Jul 24 06:20:46 myservername sshd[22977]: Failed password for illegal user test from 64.8.171.6 port 33551 ssh2
Jul 24 06:20:46 myservername sshd[22980]: Failed password for illegal user test from 64.8.171.6 port 33583 ssh2
Jul 24 06:20:49 myservername sshd[22988]: Illegal user test from 64.8.171.6
Jul 24 06:20:51 myservername sshd[22988]: Failed password for illegal user test from 64.8.171.6 port 33727 ssh2
Jul 24 06:21:08 myservername sshd[23040]: Illegal user test from 64.8.171.6
Jul 24 06:21:08 myservername sshd[23044]: Illegal user test from 64.8.171.6
Jul 24 06:21:10 myservername sshd[23040]: Failed password for illegal user test from 64.8.171.6 port 34435 ssh2
Jul 24 06:21:11 myservername sshd[23044]: Failed password for illegal user test from 64.8.171.6 port 34446 ssh2
Jul 24 06:21:11 myservername sshd[23050]: Illegal user test from 64.8.171.6
Jul 24 06:21:14 myservername sshd[23050]: Failed password for illegal user test from 64.8.171.6 port 34548 ssh2
Jul 24 06:21:17 myservername sshd[23054]: Illegal user test from 64.8.171.6
Jul 24 06:21:19 myservername sshd[23054]: Failed password for illegal user test from 64.8.171.6 port 34685 ssh2
gordonrp
Yeah, I get them daily, mostly from Asian areas.

gp
DeadEye686
I've gotten a couple of them in the last few days, and promptly sent off reports to their ISPs (one from the US, one from Germany).
gordonrp
Yeah, not much use sending reports to ISPs, I don't think; these are usually hacked boxes and/or just a worm/virus going around.

gp
alex042
I've noticed that some I'm getting are the same IPs as a few days ago.
gordonrp
Those are mine for this week, but like I said, I'm pretty sure they're just worms/hacked boxes.

gp
nsusa
I've had a new guy for the last 3 days. Strange, BFD blocked him today, not the other days.

QUOTE
The remote system test was found to have exceeded acceptable login failures on Domain.MyServerName.com. As such the attacking host has been banned from further accessing this system; for the integrity of your host you should investigate this event as soon as possible.

The following are event logs for exceeded login failures from test (all time stamps are GMT -0500):
----
- Executed actions:
test was found inside a defined exclude file, or host has already been banned.

- Log events from /var/log/secure:
Aug  8 13:08:11 MyServerName sshd[20676]: Illegal user test from 219.153.4.62
Aug  8 13:08:12 MyServerName sshd[20680]: Illegal user test from 219.153.4.62
Aug  8 13:08:12 MyServerName sshd[20675]: Illegal user test from 219.153.4.62
Aug  8 13:08:13 MyServerName sshd[20676]: Failed password for illegal user test from 219.153.4.62 port 41531 ssh2
Aug  8 13:08:14 MyServerName sshd[20674]: Illegal user test from 219.153.4.62
Aug  8 13:08:14 MyServerName sshd[20680]: Failed password for illegal user test from 219.153.4.62 port 41562 ssh2
Aug  8 13:08:15 MyServerName sshd[20675]: Failed password for illegal user test from 219.153.4.62 port 41533 ssh2
Aug  8 13:08:16 MyServerName sshd[20674]: Failed password for illegal user test from 219.153.4.62 port 41516 ssh2
Aug  8 13:08:54 MyServerName sshd[20735]: Illegal user test from 219.153.4.62
Aug  8 13:08:55 MyServerName sshd[20738]: Illegal user test from 219.153.4.62
Aug  8 13:08:56 MyServerName sshd[20735]: Failed password for illegal user test from 219.153.4.62 port 42304 ssh2
Aug  8 13:08:58 MyServerName sshd[20738]: Failed password for illegal user test from 219.153.4.62 port 42280 ssh2
Aug  8 13:09:03 MyServerName sshd[20764]: Illegal user test from 219.153.4.62
Aug  8 13:09:05 MyServerName sshd[20764]: Failed password for illegal user test from 219.153.4.62 port 42391 ssh2
Aug  9 14:49:28 MyServerName sshd[26357]: Illegal user test from 218.21.129.105
Aug  9 14:49:28 MyServerName sshd[26358]: Illegal user test from 218.21.129.105
Aug  9 14:49:29 MyServerName sshd[26359]: Illegal user test from 218.21.129.105
Aug  9 14:49:29 MyServerName sshd[26355]: Illegal user test from 218.21.129.105
Aug  9 14:49:31 MyServerName sshd[26357]: Failed password for illegal user test from 218.21.129.105 port 47068 ssh2
Aug  9 14:49:31 MyServerName sshd[26358]: Failed password for illegal user test from 218.21.129.105 port 47069 ssh2
Aug  9 14:49:31 MyServerName sshd[26359]: Failed password for illegal user test from 218.21.129.105 port 47070 ssh2
Aug  9 14:49:32 MyServerName sshd[26355]: Failed password for illegal user test from 218.21.129.105 port 47067 ssh2
Aug 10 15:20:38 MyServerName sshd[20279]: Illegal user test from 219.153.4.62
Aug 10 15:20:38 MyServerName sshd[20281]: Illegal user test from 219.153.4.62
Aug 10 15:20:41 MyServerName sshd[20279]: Failed password for illegal user test from 219.153.4.62 port 33446 ssh2
Aug 10 15:20:41 MyServerName sshd[20284]: Illegal user test from 219.153.4.62
Aug 10 15:20:41 MyServerName sshd[20281]: Failed password for illegal user test from 219.153.4.62 port 33452 ssh2
Aug 10 15:20:41 MyServerName sshd[20278]: Illegal user test from 219.153.4.62
Aug 10 15:20:43 MyServerName sshd[20284]: Failed password for illegal user test from 219.153.4.62 port 33421 ssh2
Aug 10 15:20:43 MyServerName sshd[20278]: Failed password for illegal user test from 219.153.4.62 port 33419 ssh2
Aug 10 15:21:17 MyServerName sshd[20380]: Illegal user test from 219.153.4.62
Aug 10 15:21:19 MyServerName sshd[20380]: Failed password for illegal user test from 219.153.4.62 port 34188 ssh2
Aug 10 15:21:21 MyServerName sshd[20386]: Illegal user test from 219.153.4.62
Aug 10 15:21:23 MyServerName sshd[20386]: Failed password for illegal user test from 219.153.4.62 port 34247 ssh2
Aug 10 15:21:23 MyServerName sshd[20390]: Illegal user test from 219.153.4.62
Aug 10 15:21:26 MyServerName sshd[20390]: Failed password for illegal user test from 219.153.4.62 port 34299 ssh2
Aug 10 15:21:53 MyServerName sshd[20451]: Illegal user test from 219.153.4.62
Aug 10 15:21:55 MyServerName sshd[20451]: Failed password for illegal user test from 219.153.4.62 port 34734 ssh2
GoltharNL
Trust me, get used to it.
I find it hilarious to see so many logins for "test, admin, guest" on my system.
bsykes
Yes, this is just one of the things that happens to servers on the Internet. As long as they don't get in, then it should be nothing to worry about.
Hogie
On one of the dev boxes at my office that is actually on the public network, I have test and guest accounts turned on, but they look like they are FBI honeypot logins. I never see the same IPs reconnect after they get to those logins...
wva-usa
One theory on this is that it's an automated script attempting to find other systems on which to exploit the (rather old) OpenSSH CRC32 remote integer overflow vulnerability.

See, for example:
http://archives.neohapsis.com/archives/ful...04-07/1152.html

and...

http://dev.gentoo.org/~krispykringle/sshnotes.txt

Dunno... using such an old exploit is rather weird in itself, since this problem was fixed in OpenSSH 2-3 years ago. But this same "guest/test" thing seems to be showing up in lots and lots of logs across the Net lately, esp. since mid-July.

Apparently one of The Planet's customers' Linux dedicated servers was boarded and the script installed on that machine (since I see an IP# belonging to The Planet's net-block showing up in my log, using the guest/user log-in attempts).

This server's IP# was reported in another thread, so I won't post it here. But I'm wondering if the SM admins have gained any insight into this script (from viewing that system which had been "boarded") in terms of whether this is an old kiddie-script or something new (and darker in nature).
nsusa
QUOTE (bsykes)
Yes, this is just one of the things that happens to servers on the Internet. As long as they don't get in, then it should be nothing to worry about.


I have firewalling and BFD turned on and my box is patched all the way through + all the other little things to make the box secure (no Telnet, no direct root login, etc.). RKHunter is running every day and I check all the necessary logs. I hope that will do the trick. ;-)

Christoph
gordonrp
lol no firewall or bfd.... holey moley!

gp
codehawk
Most of my troubles are from Asia. Everything works really well; I have no problems with hackers. Sure, they come around and visit my server almost every day, not a problem. Mostly schools and university servers. Been running very smooth for well over 8 months.

This is one thing I do when I see what looks like an attack, not a worm attack but a real "I want to break your server" attack.

I've been around for over a decade in networking and learned it pays to publish IP addresses on forum boards, and I know some real dirty ones. Sure, I know it may not be right, and I know that you can change your MAC address on your router and get another IP address, but do they?

It seems like when I spread the IP address around it makes me feel good to know that I've given something back to the guy that wanted to break my box. Dropping IP numbers in a hackers' forum is like feeding the hungry.

Peace..............

Thanks ServerMatrix, real great service.
Blue|Fusion
QUOTE (codehawk)
Dropping IP numbers in a hackers' forum is like feeding the hungry.


I thought the same thing ...but I've only been around in this for a few months.
gordonrp
I have no idea where one would find a real hacker forum... I always seem to find the ones where...

they have to go now because it's dinner time...
they have to reconnect because AOL is acting up...
they just got this Sw33t H@x0R pR0Gz c@113d SUB 7 ph3@r m3!!!

Would be interesting if you know of any greater forums...

gp
bman
Real hackers'/crackers' forums are mostly hidden from the public.
OCX
If ya know how to use the internet, you can find anything you want.
jval
Here is a recent list for the last 7 days.

They just keep on trying.

Altec
Good ol' BFD, gotta love it.
Blue|Fusion
Last 4 days:

codehawk
We should all get together and set up a time to take these lamers out. Using the force of 10 CPUs is always better than 1 or 2. Looks like a lot of them are from overseas. We should draw 5 IP #s and from 6-9pm nail 'em hard.

Open up a can of worms and deploy them right up there. Thanks, I'm having real fun with a few of these. Well, I have quite an arsenal of gifts to flood, take admin rights and kill routers, IPs, firewalls with that I'll gladly share.

As if you can't tell, I'm just a little pissed at some of these error logs. Why mess with someone's server? Oh, because there's nothing the law or IP block owner will do about it.

Well, I will then. I spend 3 hours a week educating myself on IPs like these posted. Great learning experience.

These and all other IP addresses posted here are for educational use only.
nsusa
It seems like my server is getting hit often lately by IPs from Australia. Are Australians that hostile toward the US?

Christoph
carlaron
I have also gotten a lot of BFD warnings about attempted logins by "guest", "test" and "admin". The problem is that when BFD tries to shut them out with APF, for some reason the username test/guest/admin gets put into the APF command instead of their IP address...

So instead of running
apf -d xxx.xxx.xxx.xxx

it runs
apf -d test

So they don't get shut out until I manually add the IP later, and my APF deny file has lines in it about hosts named test, guest, admin, which cause warnings when restarting APF.

Is there something about these attacks that is spoofing the address in a way that is confusing BFD?

I don't mind getting one BFD email about a break-in attempt, but getting 10 or 20, because the IP was not really blocked when the first warning went off is annoying.
GoltharNL
QUOTE (codehawk)
We should all get together and set up a time to take these lamers out. Using the force of 10 CPUs is always better than 1 or 2. Looks like a lot of them are from overseas. We should draw 5 IP #s and from 6-9pm nail 'em hard.

Open up a can of worms and deploy them right up there. Thanks, I'm having real fun with a few of these. Well, I have quite an arsenal of gifts to flood, take admin rights and kill routers, IPs, firewalls with that I'll gladly share.


Which puts us on the same level as them if we did.
I think it is more useful if we could set something up to quickly report these IPs to ServerMatrix and have them send out piles of cease-and-desist letters.
A lot of traffic comes from infected Windows systems controlled by people who need the re-education that updating/virus scanning is good.

The scanning and random DoSing of servers continues because nothing is really done against it.
speedcore
QUOTE (carlaron)
I have also gotten a lot of BFD warnings about attempted logins by "guest", "test" and "admin". The problem is that when BFD tries to shut them out with APF, for some reason the username test/guest/admin gets put into the APF command instead of their IP address...

So instead of running
apf -d xxx.xxx.xxx.xxx

it runs
apf -d test

So they don't get shut out until I manually add the IP later, and my APF deny file has lines in it about hosts named test, guest, admin, which cause warnings when restarting APF.

Is there something about these attacks that is spoofing the address in a way that is confusing BFD?

I don't mind getting one BFD email about a break-in attempt, but getting 10 or 20, because the IP was not really blocked when the first warning went off is annoying.


Which version of BFD are you using? The newest version, BFD 0.4, was supposed to address this problem that occasionally occurred in 0.3.
carlaron
QUOTE (speedcore)
Which version of BFD are you using?  The newest version, BFD 0.4, was supposed to address this problem that occasionally occurred in 0.3.


Well, I was on 0.3, and this morning I upgraded to 0.4, and all h*ll broke loose. It started giving me a couple hundred BFD warnings a minute, and blocking IPs for people hitting web pages or accessing email...

I had to uninstall BFD completely and install 0.3 to get it back to normal. Then I had to manually remove all those IPs from APF's deny file.

I'd love to upgrade to 0.4, if I had any idea what had happened and how to avoid it happening again...
speedcore
Weird... do you know which log it was hitting and how far back it was going in time?
carlaron
QUOTE (speedcore)
Weird...  do you know which log it was hitting and how far back it was going in time?


In at least some cases it was quoting bits of the apache logs:

- Log events from /usr/local/apache/logs/error_log:
[Fri Dec 19 09:52:39 2003] [error] [client xxx.xxx.xxx] File does not exist: /usr/local/apache/htdocs/404.shtml
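The two failure modes carlaron describes above (a username such as "test" landing in `apf -d` instead of the source address, and 0.4 banning everyone after reading Apache's error_log) both come down to what a log parser accepts before it hands a token to the firewall. The following is an added example written for this thread, not BFD's or APF's own code: it counts sshd password failures per source host from constructed sample lines in the format of the reports quoted above, refuses to ban anything that is not a well-formed IPv4 address, and ignores lines that are not sshd authentication failures. The apf path and the sample IPs are assumptions.

```python
"""Added example (not BFD's own code): count sshd login failures per source
host and emit 'apf -d' only for validated IPv4 addresses."""
import ipaddress
import re
from collections import Counter

# Matches the "Failed password" event shape shown in the BFD reports on this
# page (old sshd says "illegal user", newer sshd says "invalid user"). The
# "Illegal user test from ..." pre-auth notice is deliberately NOT matched,
# since counting it too would double-count every attempt.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<host>\S+) port \d+ ssh2"
)

# Constructed sample of /var/log/secure plus one Apache error_log line.
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = [
    "Aug  8 13:08:11 MyServerName sshd[20676]: Illegal user test from 192.0.2.10",
    "Aug  8 13:08:13 MyServerName sshd[20676]: Failed password for illegal user test from 192.0.2.10 port 41531 ssh2",
    "Aug  8 13:08:14 MyServerName sshd[20680]: Failed password for illegal user test from 192.0.2.10 port 41562 ssh2",
    "Aug  8 13:08:16 MyServerName sshd[20674]: Failed password for illegal user test from 192.0.2.10 port 41516 ssh2",
    "Aug  9 14:49:31 MyServerName sshd[26357]: Failed password for illegal user guest from 198.51.100.7 port 47068 ssh2",
    # Constructed: the host field holds a username, the 0.3 symptom from the thread.
    "Aug  9 14:49:32 MyServerName sshd[26355]: Failed password for illegal user test from test port 47067 ssh2",
    # Constructed Apache error_log line; a web 404 is not a login failure.
    "[Fri Dec 19 09:52:39 2003] [error] [client 203.0.113.5] File does not exist: /usr/local/apache/htdocs/404.shtml",
]


def source_ip(token):
    """Return the token as a canonical IPv4 string, or None if it is not an
    address (e.g. a username that slipped into the host field)."""
    try:
        return str(ipaddress.IPv4Address(token))
    except ipaddress.AddressValueError:
        return None


def count_failures(lines):
    """Count sshd password failures per validated source IP.
    Lines from other logs (such as Apache's error_log) never match."""
    failures = Counter()
    for line in lines:
        m = SSHD_FAIL.search(line)
        if not m:
            continue
        ip = source_ip(m.group("host"))
        if ip is None:
            continue  # never pass a non-address token to the firewall
        failures[ip] += 1
    return failures


def ban_commands(lines, threshold=3, apf="/usr/local/sbin/apf"):
    """Return the 'apf -d <ip>' commands for hosts at or above threshold.
    The apf path is an assumption; adjust to your install."""
    counts = count_failures(lines)
    return [f"{apf} -d {ip}" for ip, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    for ip, n in sorted(count_failures(SAMPLE_LOG).items()):
        print(f"{ip}: {n} failure(s)")
    for cmd in ban_commands(SAMPLE_LOG):
        print(cmd)
```

With the sample above, only 192.0.2.10 reaches the threshold, the line whose host field reads "test" contributes nothing, and the Apache line is ignored entirely.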
nsusa
Any update on version 0.4? Has this been fixed? Does anyone know?

Christoph
carlaron
QUOTE (nsusa)
Any update on version 0.4? Has this been fixed? Does anyone know?
Christoph


I have posted questions about this on this forum and on the BFD forum, and no one has replied. I wonder if maybe no one else has this problem?
zaitsev
I have had a BFD warning, and when I did a search on the IP it came to:

Host name: 213.67-19-***.reverse.theplanet.com

Should I submit a ticket in Orbit with the report that was emailed to me?
mkdi
I'm on the latest BFD and it is adding the IP correctly to the deny list and not the username, maybe try reinstalling the new version and hopefully that will fix it.

Matt
bman
QUOTE (zaitsev)
I have had a BFD warning, and when I did a search on the IP it came to:

Host name: 213.67-19-***.reverse.theplanet.com

Should I submit a ticket in Orbit with the report that was emailed to me?


Yes, always report IPs to Orbit if they're from TP.
The last one I reported was an infected Windows server, and they disconnected it until it could be fixed.
zaitsev
Reported it, and it was an infected machine that they had already taken offline, as they had a few complaints about it.

I don't think the Koreans like me, especially their students; I seem to be getting attacked from universities over there, and a girls' college also.
nsusa
QUOTE (carlaron)
QUOTE (nsusa)
Any update on version 0.4? Has this been fixed? Does anyone know?
Christoph


I have posted questions about this on this forum and on the BFD forum, and no one has replied. I wonder if maybe no one else has this problem?


I saw your posting and that there was still no response. I wonder if it is an isolated problem?!

Christoph
speedcore
QUOTE (zaitsev)
...and a girls' college also


Well, that's not so bad.
John D.
Please forgive the utter newbie-ness of these questions:

1. Is APF installed by default or do you need to install manually?
2. How do you check to see if APF is running?
3. Ditto for BFD?

Thanks. We're also seeing lots of these authentication failures, and would like to know how to better protect ourselves.
Paul
1. You need to install it
2. /path/to/apf/apf --status
3. You need to install it
John D.
Thanks.
GoltharNL
By the way, if the abuse staff ever get bored, I can redirect log digests to them.
adamuk
Luckily I added my IP address to the exceptions list!!!

Got a problem with SSH and failed to log in loads of times, and BFD said it banned me, but I put my IP on the exceptions.

Good piece of kit, glad I installed it :)
nsusa
So, anyone jumped the gun and installed it yet?

Chris
carlaron
QUOTE (nsusa)
So, anyone jumped the gun and installed it yet?
Chris


Nope... sounds like most other people are not having this trouble, but I have not dared upgrade it again.
speedcore
I've had it (0.4) running since it came out on one of my servers. No problems as of yet, RHEL 3. Going to update it on another one now to see what happens...
GoltharNL
QUOTE (nsusa)
So, anyone jumped the gun and installed it yet?

Chris


I have BFD and APF, works like a charm
patrick24601
This may be in another thread someplace...

But has anybody considered sharing what BFD bans in a common place, so then all of our systems could connect to it on an hourly basis and update the ban lists? Very much the way the DShield one works. So if you get banned from one you get banned from all? One list to rule them all (at SM), one list to BIND them. (Unintentional Linux funny.)
carlaron
QUOTE (GoltharNL)
I have BFD and APF, works like a charm


Yeah, I have them installed, and they work like a charm, except for the problem that comes up with IP6 addresses being improperly processed, so that instead of banning the IP, it tries to ban the username (i.e. "test", or "admin").

I tried upgrading to BFD 0.4, which is supposed to address that bug, but when I did, it pretty much banned every IP of everyone that accessed my server in any way, and would not stop until I uninstalled 0.4 and reinstalled 0.3 and manually removed about 400 banned IPs from the deny file...

So the question is what the heck is different on my server (standard ServerMatrix setup with RH9 and cpanel) that causes this, and is there a version of BFD that doesn't do it...
GoltharNL
Ah well, I have those usernames set to deny always (even though the accounts don't exist)
carlaron
QUOTE (GoltharNL)
Ah well, I have those usernames set to deny always (even though the accounts don't exist)


I didn't see where I could deny by username. That would be great, if it would stop BFD from trying to ban them. As you say, there are no accounts, so they always fail, but I get a few dozen BFD emails a day telling me about BF attempts and how it blocked "test", but then the next time some jerk tries that trick, BFD goes off again.

Plus, I'd like it if BFD really would block their IP, because even though this attempt didn't get in, who knows what they'll try next.