Attack from above

12.05.2011 21:00

Recently I've seen what looked like a scan of the secure shell service on one of my servers. That in itself wouldn't be interesting enough to deserve a blog post - automated scans and brute force attacks on SSH originating from compromised hosts are common these days - except my SSH is listening on a random high port, not the default 22.

That made me curious. How did the attacker get the port right? It might be that I was seen connecting to this port on some network. I do SSH from all sorts of weird connections and I wouldn't be surprised if one of them was through a compromised router.

A slightly less paranoid option is that the service was found through a port scan. My firewall logging setup would alert me to any straightforward attempt to run Nmap against my host. However, a low intensity scan from different IPs would probably be indistinguishable from the internet's background radiation of lost packets. I did check the logs, and less than 0.5 % of the TCP port space ever received a packet in the last month. So if scans are happening, they are seriously low profile.

There is a third option, and that is that someone just guessed the port. I didn't use a random generator, so it stands to reason that I'm not the first one to pick that particular number.

By the way, the attack wasn't very exhaustive. Altogether 55 user name and password combinations were tried. After that nothing was heard from that IP ever since. Here is the list of accounts that were tried and the number of passwords tried for each. Interestingly, the IP maps to a Russian provider, the server is in Slovenia, while laboratorio and seguridad sound Spanish to me.

      1 adm
      1 admin2
      1 adrian
      1 apache
      1 clamav
      1 cyrus
      1 fax
      2 info
      1 info1
      1 ivan
      1 java
      2 jboss
      2 laboratorio
      2 linux
      2 media
      1 mysql
      1 nagios
      1 oracle
      1 personal
      1 postfix
      1 seguridad
      1 software
      1 sysadmin
      1 temp
      2 tempuser
      2 test
      2 test1
      1 test2
      1 test3
      1 test4
      1 testuser
      1 tomcat
      1 unix
      3 user
      3 user1
      1 user2
      1 user3
      2 webmaster
      4 www
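A tally like the one above can be produced directly from sshd's log. The script below is an added example, not part of the original post; the log lines are constructed, and it assumes the standard OpenSSH "Failed password for ... from ... port ... ssh2" message format. It also counts attempts per source address, which is what makes a single persistent source stand out from background noise.

```python
import re
from collections import Counter

# Matches the failure line sshd writes for both unknown and known accounts, e.g.
#   Failed password for invalid user oracle from 203.0.113.7 port 51022 ssh2
#   Failed password for www from 203.0.113.7 port 51040 ssh2
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample log lines standing in for /var/log/auth.log (not the post's data).
SAMPLE_LOG = """\
May 12 20:41:03 host sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 51022 ssh2
May 12 20:41:05 host sshd[1203]: Failed password for invalid user www from 203.0.113.7 port 51031 ssh2
May 12 20:41:06 host sshd[1203]: Failed password for invalid user www from 203.0.113.7 port 51031 ssh2
May 12 20:41:09 host sshd[1205]: Failed password for invalid user user from 203.0.113.7 port 51040 ssh2
May 12 20:41:10 host sshd[1207]: Accepted publickey for tomaz from 198.51.100.2 port 40012 ssh2
May 12 20:41:12 host sshd[1209]: Failed password for invalid user www from 203.0.113.7 port 51044 ssh2
May 12 20:41:13 host sshd[1209]: Failed password for invalid user www from 203.0.113.7 port 51044 ssh2
May 12 20:41:15 host sshd[1211]: Failed password for invalid user user from 198.51.100.9 port 40990 ssh2
"""

def tally_failures(log_text):
    """Return ({user: failed attempts}, {ip: failed attempts}); other lines are ignored."""
    per_user = Counter()
    per_ip = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m is None:
            continue
        per_user[m.group("user")] += 1
        per_ip[m.group("ip")] += 1
    return per_user, per_ip

def format_tally(per_user):
    """Render the per-account counts in the `sort | uniq -c` layout used above."""
    return "\n".join(f"{n:7d} {user}" for user, n in sorted(per_user.items()))

if __name__ == "__main__":
    users, ips = tally_failures(SAMPLE_LOG)
    print(format_tally(users))
    print("attempts per source:", dict(ips))
```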

Needless to say, I don't even have password authentication enabled on this public-facing service, so these simple attacks failed to do any damage. However, it can serve as a reminder that security through obscurity doesn't work.

Posted by Tomaž | Categories: Code
