Subject: Re: sshd password guessing attacks on the rise
To: None <tech-security@netbsd.org>
From: Wolfgang S. Rupprecht <wolfgang+gnus20041007T084355@dailyplanet.dontspam.wsrcc.com>
List: tech-security
Date: 10/07/2004 10:38:21
mcr@sandelman.ottawa.on.ca (Michael Richardson) writes:

> Do you have a script which parses log files and warns of the attack?

Here is a quick hack I cobbled up.

        http://www.wsrcc.com/wolfgang/ftp/sshsum.txt

"sshsum -a" looks at all the authlog files.  Without the "-a" it only
looks at the most recent one.  The output of the program is a set of
pfctl lines with annotations.

Here is what the output looks like when run here.

    # Run at Thu Oct  7 10:35:34 2004
    # timespan 4.4 days
    # cuttoff 1 hits

    # users attacked/botched:
    #     9005 root
    #       42 test
    #       18 admin
    #       15 user
    #        9 guest
    #        6 patrick
    #        4 adm
    #        4 irc
    #        4 web
    #        3 cyrus
    #        3 horde
    #        3 iceuser
    #        3 nobody
    #        3 rolo
    #        2 account
    #        2 adam
    #        2 alan
    #        2 apache
    #        2 backup
    #        2 cip51
    #        2 cip52
    #        2 cosmin
    #        2 data
    #        2 frank
    #        2 george
    #        2 henry
    #        2 jane
    #        2 john
    #        2 master
    #        2 matt
    #        2 mysql
    #        2 noc
    #        2 operator
    #        2 oracle
    #        2 pamela
    #        2 server
    #        2 sybase
    #        2 webmaster
    #        2 www
    #        2 www-data
    #        2 wwwrun


    # first users attacked/botched:
    # test 195.85.182.10
    # test 203.250.133.238
    # test 218.18.107.38
    # nobody 66.203.163.250


    # count first users attacked/botched:
    #        3 test
    #        1 nobody

    pfctl -t spam -T add 218.18.107.38 # 8469
    pfctl -t spam -T add 195.85.182.10 # 454
    pfctl -t spam -T add 66.203.163.250 # 226
    pfctl -t spam -T add 203.250.133.238 # 27

The count after the pfctl is the number of hits from that machine.

One interesting thing is that most of the attacks seem to be coming
from the same program which tries user "test" first before switching
to a fairly intensive beating for the root account.  The load average
on this amd64 box noticeably shoots up when root is being flogged.

-wolfgang
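An added example, not sshsum itself (whose source is at the URL above) and not part of the original post, showing the kind of tally the post describes: it parses a few constructed OpenSSH authlog lines (the "Failed password for ... from ... port ..." format is an assumption here), counts failed logins per account and per source, records the first account each source tried, and emits annotated lines for the pf table named "spam" in the post, busiest source first.

```python
import re
from collections import Counter

# Constructed sample authlog lines (not taken from the original post). The
# message format is assumed to be OpenSSH's "Failed password" syslog line.
SAMPLE_AUTHLOG = """\
Oct  7 09:01:02 host sshd[1001]: Failed password for invalid user test from 218.18.107.38 port 40001 ssh2
Oct  7 09:01:03 host sshd[1002]: Failed password for root from 218.18.107.38 port 40002 ssh2
Oct  7 09:01:04 host sshd[1003]: Failed password for root from 218.18.107.38 port 40003 ssh2
Oct  7 09:02:00 host sshd[1004]: Failed password for invalid user nobody from 66.203.163.250 port 50001 ssh2
Oct  7 09:02:01 host sshd[1005]: Failed password for root from 66.203.163.250 port 50002 ssh2
Oct  7 09:03:00 host sshd[1006]: Failed password for wolfgang from 10.0.0.5 port 60001 ssh2
"""

# Account name (with or without the "invalid user" prefix) and source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def summarize(log_text, cutoff=1):
    """Return (hits per account, first account tried per source, hits per source).

    Sources with fewer than `cutoff` failed attempts are dropped from the
    per-source tally so a single typo by a legitimate user is not blocked.
    """
    users = Counter()        # account -> failed attempts against it
    first_user = {}          # source IP -> first account that source tried
    hits = Counter()         # source IP -> failed attempts from it
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        user, src = m.groups()
        users[user] += 1
        hits[src] += 1
        first_user.setdefault(src, user)
    hits = Counter({src: n for src, n in hits.items() if n >= cutoff})
    return users, first_user, hits


def pfctl_lines(hits, table="spam"):
    """One annotated pfctl line per offending source, busiest first."""
    return [f"pfctl -t {table} -T add {src} # {n}" for src, n in hits.most_common()]


if __name__ == "__main__":
    users, first_user, hits = summarize(SAMPLE_AUTHLOG, cutoff=2)
    print("# users attacked/botched:")
    for user, n in users.most_common():
        print(f"# {n:8d} {user}")
    print("# count first users attacked/botched:")
    for user, n in Counter(first_user.values()).most_common():
        print(f"# {n:8d} {user}")
    print("\n".join(pfctl_lines(hits)))
```

Review the emitted lines before feeding them to pfctl; the cutoff and the table name are the only knobs, and a low cutoff will also block legitimate users who mistype a password.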