Ticket #434 (closed task: fixed)

Opened 4 years ago

Last modified 4 years ago

UCD Aug 2-12, 2015

Reported by: ibaldin Owned by: ibaldin
Priority: major Milestone:
Component: External: Security Incidents Version: baseline
Keywords: Cc:

Description

From Ken Gribble:

We were also informed that we received two more complaints (one from Japan, one from Canada) regarding (SSH) brute force/dictionary attacks on August 9th:

<snip>
Date: Wed, 12 Aug 2015 10:11:46 +0800
From: Kelvin <kelvin@…>
To: abuse@…
Subject: Multiple repeated ssh login attempts

Snippet from log

Aug 9 10:27:24 penguin sshd[17003]: Did not receive identification string from 128.120.83.31
Aug 9 10:30:10 penguin sshd[17006]: Invalid user a from 128.120.83.31
Aug 9 10:30:10 penguin sshd[17006]: input_userauth_request: invalid user a [preauth]
</snip>

<snip>
Date: Tue, 11 Aug 2015 20:30:25 -0500
From: Gilles Detillieux <grdetil@…>
To: abuse@…
Cc: postmaster@…
Subject: suspicious activity from IP address 128.120.83.31

Our systems logged the following suspicious activity from IP address
128.120.83.31 on your network. Log times are all in CDT (UTC -0500).
Please investigate, as someone on your network seems to be trying to
break into 8 of our systems, using a dictionary-based attack against TCP
port 22 (SSH). It is likely that this activity is coming from a system
that has itself been compromised.

Log entries from cliff.scrc.umanitoba.ca [140.193.42.125]:
Aug 9 18:35:25 cliff sshd[20955]: Did not receive identification string from 128.120.83.31
Aug 9 18:35:25 cliff sshd[20956]: Did not receive identification string from 128.120.83.31
Aug 9 18:36:27 cliff sshd[20973]: Invalid user a from 128.120.83.31
Aug 9 18:36:27 cliff sshd[20973]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=128.120.83.31
Aug 9 18:36:27 cliff sshd[20974]: Invalid user a from 128.120.83.31
Aug 9 18:36:27 cliff sshd[20974]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=128.120.83.31
Aug 9 18:36:29 cliff sshd[20973]: Failed password for invalid user a from 128.120.83.31 port 13878 ssh2
Aug 9 18:36:29 cliff sshd[20974]: Failed password for invalid user a from 128.120.83.31 port 13878 ssh2
Aug 9 18:36:29 cliff sshd[20975]: Connection closed by 128.120.83.31
Aug 9 18:36:29 cliff sshd[20976]: Connection closed by 128.120.83.31
Aug 9 18:36:29 cliff sshd[20977]: Invalid user applmgr from 128.120.83.31
Aug 9 18:36:29 cliff sshd[20977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=128.120.83.31
Aug 9 18:36:29 cliff sshd[20979]: Invalid user applmgr from 128.120.83.31
Aug 9 18:36:29 cliff sshd[20979]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=128.120.83.31
Aug 9 18:36:32 cliff sshd[20977]: Failed password for invalid user applmgr from 128.120.83.31 port 53646 ssh2
Aug 9 18:36:32 cliff sshd[20978]: Connection closed by 128.120.83.31
Aug 9 18:36:32 cliff sshd[20979]: Failed password for invalid user applmgr from 128.120.83.31 port 34646 ssh2
Aug 9 18:36:32 cliff sshd[20980]: Connection closed by 128.120.83.31
Aug 9 18:36:32 cliff sshd[20981]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=128.120.83.31 user=apache
Aug 9 18:36:32 cliff sshd[20983]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=128.120.83.31 user=apache
Aug 9 18:36:33 cliff sshd[20981]: Failed password for apache from 128.120.83.31 port 42181 ssh2
...
</snip>
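
Both reports above show the same shape: one source address opening many connections in a few seconds, each trying a different username ("a", "applmgr", "apache", ...) and failing, preceded by connections that send no SSH identification string at all. The detector below is an added example, not code from this ticket or from ExoGENI; it parses sshd syslog lines of the kind quoted, aggregates them per source IP, and flags a source as a dictionary attacker when it has tried several distinct usernames and produced a burst of password failures inside a short window. The sample log is constructed to match the quoted lines, the year is assumed (syslog timestamps carry none), and the thresholds are assumptions to be tuned per fleet.

```python
"""Flag SSH dictionary attacks in sshd syslog output.

Added example, not part of the original ticket or of ExoGENI. It scores
source IPs by the number of distinct usernames tried and by the peak
number of password failures inside a sliding window, which is the
pattern both abuse reports describe.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the lines quoted in the abuse reports.
# The benign lines for 140.193.42.10 are invented to show a non-match.
SAMPLE_LOG = """\
Aug  9 18:35:25 cliff sshd[20955]: Did not receive identification string from 128.120.83.31
Aug  9 18:36:27 cliff sshd[20973]: Invalid user a from 128.120.83.31
Aug  9 18:36:29 cliff sshd[20973]: Failed password for invalid user a from 128.120.83.31 port 13878 ssh2
Aug  9 18:36:29 cliff sshd[20977]: Invalid user applmgr from 128.120.83.31
Aug  9 18:36:32 cliff sshd[20977]: Failed password for invalid user applmgr from 128.120.83.31 port 53646 ssh2
Aug  9 18:36:33 cliff sshd[20981]: Failed password for apache from 128.120.83.31 port 42181 ssh2
Aug  9 18:36:35 cliff sshd[20990]: Failed password for root from 128.120.83.31 port 42190 ssh2
Aug  9 18:36:36 cliff sshd[20991]: Failed password for oracle from 128.120.83.31 port 42191 ssh2
Aug  9 18:40:01 cliff sshd[21010]: Accepted publickey for grdetil from 140.193.42.10 port 50011 ssh2
Aug  9 18:41:07 cliff sshd[21022]: Failed password for grdetil from 140.193.42.10 port 50020 ssh2
Aug  9 18:41:12 cliff sshd[21022]: Accepted password for grdetil from 140.193.42.10 port 50020 ssh2
"""

ASSUMED_YEAR = 2015  # syslog omits the year; taken from the dates of the reports

# Outer syslog envelope: "Mon  D HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)

# sshd message forms seen in the reports, plus the success form for contrast.
EVENT_RES = [
    ("probe", re.compile(r"^Did not receive identification string from (?P<ip>\S+)")),
    ("invalid", re.compile(r"^Invalid user (?P<user>\S*) from (?P<ip>\S+)")),
    ("failed", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("accepted", re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
]


def parse_line(line):
    """Return a dict {ts, host, kind, ip, user} for a recognised sshd line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    for kind, rx in EVENT_RES:
        e = rx.match(m["msg"])
        if e:
            d = e.groupdict()
            return {"ts": ts, "host": m["host"], "kind": kind, "ip": d["ip"], "user": d.get("user")}
    return None


def max_in_window(times, window_s):
    """Largest count of sorted timestamps that fit inside any window_s-second span."""
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def summarize(log_text):
    """Aggregate parsed events per source IP."""
    per_ip = defaultdict(lambda: {"probes": 0, "failures": [], "users": set(), "accepted": 0, "hosts": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_ip[ev["ip"]]
        s["hosts"].add(ev["host"])
        if ev["kind"] == "probe":
            s["probes"] += 1          # banner-less connect: a scan, not a login attempt
        elif ev["kind"] == "invalid":
            s["users"].add(ev["user"])
        elif ev["kind"] == "failed":
            s["failures"].append(ev["ts"])
            s["users"].add(ev["user"])
        elif ev["kind"] == "accepted":
            s["accepted"] += 1
    return per_ip


def dictionary_attackers(log_text, min_users=3, min_failures=5, window_s=600):
    """Return {ip: summary} for sources that look like dictionary attacks.

    A source is flagged when it tried at least min_users distinct usernames and
    at least min_failures password failures fall inside one window_s-second span.
    The defaults are assumptions for this example, not values from the ticket.
    """
    flagged = {}
    for ip, s in summarize(log_text).items():
        times = sorted(s["failures"])
        burst = max_in_window(times, window_s)
        if len(s["users"]) >= min_users and burst >= min_failures:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "failures": len(times),
                "peak_failures_per_window": burst,
                "probes": s["probes"],
                "targets": sorted(s["hosts"]),
                "first_seen": times[0].isoformat(),
                "last_seen": times[-1].isoformat(),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in dictionary_attackers(SAMPLE_LOG).items():
        print(ip, info)
```

On a real host run it over the full auth log, for example `dictionary_attackers(open("/var/log/auth.log").read())`; each abuse report quoted above would correspond to one flagged entry on the reporting host. The "Did not receive identification string" lines are counted separately on purpose: they are pre-auth connects with no banner (a port scan or banner grab) rather than failed logins, so on their own they do not trip the rule, but a non-zero probe count next to a burst of failures is a good sign that the source is an automated scanner rather than a user with a forgotten password.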

Change History

Changed 4 years ago by ibaldin

128.120.83.31 fc87692e-faa3-474c-ab1f-b836f9dc0848 (exo-sm)

fc87692e-faa3-474c-ab1f-b836f9dc0848 exo-sm

1 ucdvmsite.vm [ active, nascent]
Notices: Reservation fc87692e-faa3-474c-ab1f-b836f9dc0848 (Slice urn:publicid:IDN+ch.geni.net:witestlab+slice+mapReduceInPython3) is in state [Active,None]
Start: Mon Jul 27 15:27:38 EDT 2015 End: Mon Aug 17 12:39:02 EDT 2015 Requested end: Mon Aug 17 12:39:02 EDT 2015

Owner: urn:publicid:IDN+ch.geni.net+user+km1851
Slice URN: urn:publicid:IDN+ch.geni.net:witestlab+slice+mapReduceInPython3

config.ssh.user1.urn = urn:publicid:IDN+ch.geni.net+user+ffund01

config.ssh.user2.urn = urn:publicid:IDN+ch.geni.net+user+km1851
unit.url = http://geni-orca.renci.org/owl/1c4758f0-524e-4a07-8ff4-5f60b3d1dd8e#hadoop-worker-1
config.ssh.user3.sudo = yes
config.ssh.user2.login = km1851
config.ssh.user4.login = korakis
config.ssh.user1.login = ffund01
config.ssh.user3.login = vasileio

config.image.url = http://geni-images.renci.org/images/standard/hadoop/hadoop_debian6.v1.0/hadoop_debian6.v1.0.xml

xmlrpc.user.dn = [km1851@…, urn:publicid:IDN+ch.geni.net+user+km1851, urn:uuid:fa9e84ba-3d08-43e4-a6d0-0e1427ac18de]

Changed 4 years ago by ibaldin

  • status changed from new to closed
  • resolution set to fixed

Slice terminated Aug. 12, 2015

Changed 4 years ago by ibaldin

  • summary changed from UCD Aug 9, 2015 to UCD Aug 2-12, 2015

Changed 4 years ago by ibaldin
