Been getting hammered by password attacks lately, anyone else seeing the same thing? - 資安

By Emily
at 2004-09-29T01:49

My Linux box sits on a fixed-IP ADSL line.
Checking the logs recently I found that the host's SSH daemon keeps getting brute-force password attempts.
The odd thing is that they do "NOT" all come from the same IP address.
I looked up the source IPs and some are even Korean sites; are these stepping stones?
But the strange part is that my fixed ADSL line has very little bandwidth, so what use would breaking into my host be?

Since all the IPs are different, could these remote hosts have been infected with a virus without knowing it?
I think it's the same brute-force login program, just with slight differences in the order.
If these brute-force login programs are spreading by virus, the capability would be enormous:
in a very short time they could gain control of most hosts with simple passwords,
which then become further attack stepping stones.

Starting in July, each of their attack runs was quite short,
going from three attempts at first up to five.
Because the IPs are all different, most people would have a hard time noticing anything unusual.
The reason I noticed is that this Mid-Autumn Festival the other side went crazy and tried for over half an hour.
Surely this isn't just a virus program; this damn guy, after getting specific information,
launches specific attacks against specific hosts.


Below are the log entries; these hosts have probably all been implanted with this program.
Has anyone seen the same thing?


Jul 20 14:01:41 daemon sshd[5732]: Illegal user test from 83.103.27.66
Jul 20 14:01:41 daemon sshd[5732]: error: Could not get shadow information for NOUSER
Jul 20 14:01:41 daemon sshd[5732]: Failed password for illegal user test from 83.103.27.66 port 35396 ssh2
Jul 20 14:01:45 daemon sshd[5734]: Illegal user guest from 83.103.27.66
Jul 20 14:01:45 daemon sshd[5734]: error: Could not get shadow information for NOUSER
Jul 20 14:01:45 daemon sshd[5734]: Failed password for illegal user guest from 83.103.27.66 port 35434 ssh2
Jul 20 21:06:40 daemon sshd[5736]: Illegal user test from 131.234.157.10
Jul 20 21:06:40 daemon sshd[5736]: error: Could not get shadow information for NOUSER
Jul 20 21:06:40 daemon sshd[5736]: Failed password for illegal user test from 131.234.157.10 port 48337 ssh2
Jul 20 21:06:45 daemon sshd[5738]: Illegal user guest from 131.234.157.10
Jul 20 21:06:45 daemon sshd[5738]: error: Could not get shadow information for NOUSER
Jul 20 21:06:45 daemon sshd[5738]: Failed password for illegal user guest from 131.234.157.10 port 48433 ssh2
Jul 20 21:06:50 daemon sshd[5740]: Illegal user admin from 131.234.157.10
Jul 20 21:06:50 daemon sshd[5740]: error: Could not get shadow information for NOUSER
Jul 20 21:06:50 daemon sshd[5740]: Failed password for illegal user admin from 131.234.157.10 port 48538 ssh2
Jul 20 21:06:55 daemon sshd[5742]: Illegal user admin from 131.234.157.10
Jul 20 21:06:55 daemon sshd[5742]: error: Could not get shadow information for NOUSER
Jul 20 21:06:55 daemon sshd[5742]: Failed password for illegal user admin from 131.234.157.10 port 48623 ssh2
Jul 20 21:07:00 daemon sshd[5744]: Illegal user user from 131.234.157.10
Jul 20 21:07:00 daemon sshd[5744]: error: Could not get shadow information for NOUSER
Jul 20 21:07:00 daemon sshd[5744]: Failed password for illegal user user from 131.234.157.10 port 48719 ssh2
Jul 20 21:07:00 daemon sshd[5744]: error: Could not get shadow information for NOUSER
Jul 20 21:07:00 daemon sshd[5744]: Failed password for illegal user user from 131.234.157.10 port 48719 ssh2
Jul 20 21:07:05 daemon sshd[5746]: Failed password for root from 131.234.157.10 port 48818 ssh2
Jul 20 21:07:09 daemon sshd[5748]: Failed password for root from 131.234.157.10 port 48918 ssh2
Jul 20 21:07:13 daemon sshd[5750]: Failed password for root from 131.234.157.10 port 49003 ssh2
Jul 20 21:07:17 daemon sshd[5752]: Illegal user test from 131.234.157.10
Jul 20 21:07:17 daemon sshd[5752]: error: Could not get shadow information for NOUSER
Jul 20 21:07:17 daemon sshd[5752]: Failed password for illegal user test from 131.234.157.10 port 49092 ssh2

Jul 24 04:27:27 daemon sshd[5834]: Failed password for root from 130.251.7.2 port 59483 ssh2

Jul 27 12:56:16 daemon sshd[5871]: Failed password for root from 66.63.160.36 port 38887 ssh2
Jul 27 12:56:16 daemon sshd[5872]: warning: /etc/hosts.allow, line 6: can't verify hostname: gethostbyname(36.oc3networks.com) failed
They all first probe these accounts in the way shown above; the records below are the attack points.

Aug 5 08:18:54 daemon sshd[6019]: Failed password for root from 163.32.151.3 port 40388 ssh2

Aug 7 15:55:51 daemon sshd[6094]: Failed password for root from 210.205.6.157 port 57248 ssh2

Aug 7 20:59:53 daemon sshd[6112]: Failed password for root from 218.15.207.40 port 54459 ssh2

Aug 7 22:18:23 daemon sshd[6130]: Failed password for root from 134.208.10.158 port 52941 ssh2

Aug 10 10:46:31 daemon sshd[6178]: Failed password for root from 202.78.172.20 port 2285 ssh2

Aug 11 02:20:20 daemon sshd[6206]: Failed password for root from 202.102.242.178 port 42193 ssh2

Aug 12 00:56:10 daemon sshd[6241]: Failed password for root from 210.204.129.11 port 46918 ssh2

Aug 12 10:40:26 daemon sshd[6259]: Failed password for root from 210.95.186.129 port 55288 ssh2

Aug 12 18:47:41 daemon sshd[6281]: Failed password for root from 61.40.11.45 port 37766 ssh2

Aug 12 18:48:37 daemon sshd[6299]: Failed password for root from 61.40.11.45 port 40366 ssh2

Aug 14 09:06:57 daemon sshd[6331]: Failed password for root from 212.152.171.102 port 49563 ssh2

Aug 15 06:21:43 daemon sshd[6471]: Failed password for root from 202.100.222.123 port 35632 ssh2

Aug 15 11:53:47 daemon sshd[6489]: Failed password for root from 212.71.131.226 port 4197 ssh2

Aug 15 11:54:16 daemon sshd[6503]: Failed password for root from 212.71.131.226 port 4904 ssh2
Aug 15 11:56:35 daemon sshd[6571]: Failed password for root from 212.71.131.226 port 4332 ssh2
11:54 was the attack start time, 11:56 the end time; continuous

Aug 18 04:10:46 daemon sshd[6730]: Failed password for root from 203.196.231.2 port 54084 ssh2

Aug 20 13:51:02 daemon sshd[6802]: Failed password for root from 222.38.28.107 port 41406 ssh2

Aug 21 19:30:00 daemon sshd[6838]: Failed password for root from 220.70.7.225 port 47204 ssh2

Aug 23 12:56:16 daemon sshd[6888]: Failed password for root from 80.204.43.237 port 55792 ssh2

Aug 27 12:28:54 daemon sshd[551]: Failed password for root from 163.25.65.3 port 40217 ssh2

Aug 28 01:26:06 daemon sshd[590]: Failed password for root from 220.130.156.130 port 1395 ssh2

Aug 28 04:32:03 daemon sshd[608]: Failed password for root from 221.166.169.102 port 39723 ssh2

Aug 28 12:16:09 daemon sshd[626]: Failed password for root from 61.150.43.123 port 47214 ssh2

Aug 30 19:20:15 daemon sshd[646]: Failed password for root from 140.128.102.115 port 1830 ssh2

Sep 1 10:23:12 daemon sshd[796]: Failed password for root from 61.36.184.166 port 39995 ssh2

Sep 1 10:38:36 daemon sshd[814]: Failed password for root from 221.3.131.80 port 34775 ssh2

Sep 2 22:46:05 daemon sshd[840]: Failed password for root from 220.64.223.183 port 49850 ssh2

Sep 4 22:43:11 daemon sshd[879]: Failed password for root from 218.235.97.206 port 35705 ssh2

Sep 5 04:12:47 daemon sshd[897]: Failed password for root from 62.50.74.178 port 51847 ssh2

Sep 5 09:00:37 daemon sshd[929]: Failed password for root from 61.129.45.97 port 35165 ssh2
Sep 5 09:10:29 daemon sshd[1397]: Failed password for root from 61.129.45.97 port 51084 ssh2
09:00 was the attack start time, 09:10 the end time; continuous

Sep 6 07:45:46 daemon sshd[1412]: Failed password for root from 61.38.92.160 port 51669 ssh2

Sep 7 23:38:08 daemon sshd[1432]: Failed password for root from 221.166.169.102 port 35369 ssh2

Sep 8 19:55:42 daemon sshd[1495]: Failed password for root from 221.207.59.129 port 58874 ssh2

Sep 12 03:00:11 daemon sshd[1534]: Failed password for root from 211.248.173.2 port 3195 ssh2

Sep 13 07:56:28 daemon sshd[1574]: Failed password for root from 218.84.126.17 port 41568 ssh2

Sep 13 09:27:02 daemon sshd[1592]: Failed password for root from 210.76.125.14 port 51846 ssh2

Sep 16 02:24:35 daemon sshd[1611]: Failed password for root from 195.16.96.218 port 56303 ssh2
Sep 16 02:31:38 daemon sshd[1815]: Failed password for root from 195.16.96.218 port 34595 ssh2
02:24 was the attack start time, 02:31 the end time; continuous

Sep 17 17:20:59 daemon sshd[1834]: Failed password for root from 219.153.4.62 port 54853 ssh2
Sep 17 17:24:20 daemon sshd[1966]: Failed password for root from 219.153.4.62 port 59549 ssh2
17:20 was the attack start time, 17:24 the end time; continuous

Sep 23 01:12:43 daemon sshd[1985]: Failed password for root from 218.6.145.91 port 51763 ssh2

Sep 25 06:40:34 daemon sshd[2009]: Failed password for root from 202.90.159.243 port 59794 ssh2

Sep 26 06:23:04 daemon sshd[2027]: Failed password for root from 221.5.251.160 port 36665 ssh2

Sep 28 14:50:20 daemon sshd[2047]: Failed password for root from 210.205.6.157 port 52187 ssh2
Sep 28 15:21:17 daemon sshd[3397]: Failed password for root from 210.205.6.157 port 55668 ssh2
14:50 was the attack start time, 15:21 the end time; continuous
Only this time did I notice something was wrong; this was the longest attack.

--
Tags: 資安
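Added example, not part of the original post: a small Python script that does what the poster did by hand, grouping the sshd "Failed password" lines by source IP and computing each source's attempt count, the order of accounts tried, and the burst duration between first and last attempt. The sample lines are constructed in the same syslog format as the post (with documentation-range addresses, not the post's); the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's sshd syslog format (documentation addresses, not the post's).
SAMPLE_LOG = """\
Jul 20 21:06:40 daemon sshd[5736]: Illegal user test from 192.0.2.10
Jul 20 21:06:40 daemon sshd[5736]: Failed password for illegal user test from 192.0.2.10 port 48337 ssh2
Jul 20 21:06:45 daemon sshd[5738]: Failed password for illegal user guest from 192.0.2.10 port 48433 ssh2
Jul 20 21:06:50 daemon sshd[5740]: Failed password for illegal user admin from 192.0.2.10 port 48538 ssh2
Jul 20 21:07:05 daemon sshd[5746]: Failed password for root from 192.0.2.10 port 48818 ssh2
Jul 20 21:07:09 daemon sshd[5748]: Failed password for root from 192.0.2.10 port 48918 ssh2
Jul 24 04:27:27 daemon sshd[5834]: Failed password for root from 198.51.100.7 port 59483 ssh2
Sep 28 14:50:20 daemon sshd[2047]: Failed password for root from 203.0.113.5 port 52187 ssh2
Sep 28 15:21:17 daemon sshd[3397]: Failed password for root from 203.0.113.5 port 55668 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for illegal user X ...".
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(text, year=2004):
    """Return (timestamp, username, source_ip) for every failed-password line."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # syslog has no year; 2004 is assumed to match the post's logs
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out

def summarize_by_ip(failures):
    """Per source IP: attempt count, usernames in order, first/last time, duration in seconds."""
    by_ip = defaultdict(list)
    for ts, user, ip in failures:
        by_ip[ip].append((ts, user))
    summary = {}
    for ip, events in by_ip.items():
        events.sort()
        start, end = events[0][0], events[-1][0]
        summary[ip] = {"attempts": len(events), "users": [u for _, u in events],
                       "start": start, "end": end,
                       "duration_s": int((end - start).total_seconds())}
    return summary

def flag_sweeps(summary, min_attempts=3):
    """IPs that tried several accounts in one burst, the pattern the post describes."""
    return sorted(ip for ip, s in summary.items() if s["attempts"] >= min_attempts)
```

Run against a real auth log, `flag_sweeps` lists the sources worth a closer look, and the per-IP start/end times reproduce the "start time / end time" annotations above without reading the file by eye.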
