Overclock.net › Forums › Software, Programming and Coding › Networking & Security › To Pursue, Or Not To Pursue?
To Pursue, Or Not To Pursue?

post #1 of 12
Thread Starter 
I've been running through my server logs a lot more recently, and I've found something interesting. Every day, at 5:05AM and 6:41AM there is a flood of traffic to my server - specifically people trying to ssh into it. By the looks of the logs, they're running some tool that runs through common username and password combinations trying to connect to port 22. I use a different port to ssh into my server, so on that end I'm fine. However, I've also noticed a number of attempts through the port I use to ssh into my server. Again, some home-brew script that is running through common username/password combinations.


So, today, I ran a whois lookup against the two offending IP addresses (which have been the same for the last couple of days) and I find that one is commercially owned by a company based in Washington state and is a static lease. Similarly, the other is commercially owned by some place in Dallas, Texas on a static lease.


So, my question to you OCN: do I pursue this with my/their ISP (or possibly further) or do I ignore it and change my SSH port and continually change my passwords as I have been doing?
    
CPUMotherboardGraphicsRAM
Core i7 970 @ 4.0 GHz 1.22 Vcore Asus Rampage II Gene GTX 260 216SP G.SKILL PI 3x2gb DDR3 1600 @ 7-8-7-24 
Hard DriveOSMonitorPower
2x 500gb Seagates RAID 0, 1x 500gb non-RAID Windows 7 Professional x64 ASUS 24'' VH242H / Spectre 24'' WS Corsair 750TX 
Case
Corsair 300R 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Core i7 970 @ 4.0 GHz 1.22 Vcore Asus Rampage II Gene GTX 260 216SP G.SKILL PI 3x2gb DDR3 1600 @ 7-8-7-24 
Hard DriveOSMonitorPower
2x 500gb Seagates RAID 0, 1x 500gb non-RAID Windows 7 Professional x64 ASUS 24'' VH242H / Spectre 24'' WS Corsair 750TX 
Case
Corsair 300R 
  hide details  
Reply
post #2 of 12
Call your ISP. I'm sure they would be happy to blacklist those little ***'s for you.
post #3 of 12
Wow, interesting...

The inquisitive person in me would say to keep looking into it.

Do you think the chances of someone finding a way in are good? Also, you don't want to have to be changing your login info that frequently--might get tiring.

Or if you know anyone in either of those two cities, you could ask them to grab a baseball bat, go to the addresses, and smash a couple of kneecaps for good measure.
    
CPUMotherboardGraphicsRAM
i5-2500K Biostar TP67B+ XFX HD5750 1GB 2x4GB DDR3 Corsair 1600 
Hard DriveOSMonitorPower
60GB OCZ SSD, 2x160GB HDD RAID0, 500GB+500GB+1.5TB Windows 7 Ultimate 64-bit Samsung SyncMaster 930B Antec SmartPower 450w 
Case
Antec 900 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
i5-2500K Biostar TP67B+ XFX HD5750 1GB 2x4GB DDR3 Corsair 1600 
Hard DriveOSMonitorPower
60GB OCZ SSD, 2x160GB HDD RAID0, 500GB+500GB+1.5TB Windows 7 Ultimate 64-bit Samsung SyncMaster 930B Antec SmartPower 450w 
Case
Antec 900 
  hide details  
Reply
post #4 of 12
Thread Starter 
Quote:
Originally Posted by guyladouche;12757480 
Wow, interesting...

The inquisitive person in me would say to keep looking into it.

Do you think the chances of someone finding a way in are good? Also, you don't want to have to be changing your login info that frequently--might get tiring.

Or if you know anyone in either of those two cities, you could ask them to grab a baseball bat, go to the addresses, and smash a couple of kneecaps for good measure.

Would love the bolded personally, but the thing is I doubt the person running the script is actually at those locations. Most likely a compromised machine is running them either from a remote host or acting as a zombie.

The passwords I use for any kind of remote access are typically classified as "strong" (i.e. minimum of 8 characters, with symbols, letters and numbers) so I doubt a brute force attack would yield anything in any reasonable amount of time. Beyond that, assuming they did get in, all that's on the server is backups of my music and anime (legally obtained!!) and a couple of OS .iso's I use for work.

Granted, nothing tremendously personal or anything like that, but it's the principle of the matter more than anything.

So, would it be more prudent to contact my ISP or theirs?
    
CPUMotherboardGraphicsRAM
Core i7 970 @ 4.0 GHz 1.22 Vcore Asus Rampage II Gene GTX 260 216SP G.SKILL PI 3x2gb DDR3 1600 @ 7-8-7-24 
Hard DriveOSMonitorPower
2x 500gb Seagates RAID 0, 1x 500gb non-RAID Windows 7 Professional x64 ASUS 24'' VH242H / Spectre 24'' WS Corsair 750TX 
Case
Corsair 300R 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Core i7 970 @ 4.0 GHz 1.22 Vcore Asus Rampage II Gene GTX 260 216SP G.SKILL PI 3x2gb DDR3 1600 @ 7-8-7-24 
Hard DriveOSMonitorPower
2x 500gb Seagates RAID 0, 1x 500gb non-RAID Windows 7 Professional x64 ASUS 24'' VH242H / Spectre 24'' WS Corsair 750TX 
Case
Corsair 300R 
  hide details  
Reply
post #5 of 12
Quote:
Originally Posted by TurboTurtle;12757321 
Everything you wrote in your original post for brevity

That's exciting!

Depending on the conditions of your logs and the frequency of the brute force attempts I'd consider writing a letter to the owner of the company. I'd do a little recon work myself, call some phone numbers and attempt to get some general information about the business. What they do, how many offices they have, administrative names to their respective positions. On more than one occasion I've done some social engineering and reconnaissance by imitating a local university business major. Companies love local PR, especially business owners. You pretty much bypass any security implementations that exist for threat management (only works in person).

Get your story straight, give the numbers a call, get some names and extensions and go to town. It's 7-8 minutes well worth the investment.

A business that has a local IP block that is registered by ICANN or any internet authority with dedicated IPs is going to have terms of use for their employees. Business owners also happen to be federally liable for any damages their employees procure illegally. That's going to the extreme, and it depends a lot on how much time you have on your hands, but if I were you I'd scare the **** out of them. Treat it as a security audit.. I could babble all day. My point is, check it out first, get some basic info about who does what, if they have in-house tech support, etc. It's entirely possible (though not probable) they have infected machines that are being used as zombies. Do it for the experience..

pardon the grammar, wife's pushing me out the door to get dinner..
post #6 of 12
When my server had SSH on port 22 I'd get at least 3-5 brute force attempts per day from China/Russia. A few of them were one-offs from various stateside machines; usually an e-mail to the contact that you can pull from ICANN information will get you a 'thanks' or 'hey our crap is infected' e-mail. Might be BS but amusing nonetheless.
post #7 of 12
Quote:
Originally Posted by beers;12760804 
When my server had SSH on port 22 I'd get at least 3-5 brute force attempts per day from China/Russia. A few of them were one offs from various stateside machines, usually an e-mail to the contact that you can pull from ICANN information will get you a 'thanks' or 'hey our crap is infected' e-mail. Might be BS but amusing nonetheless.

Yeah, that's common. What's not is when you change your SSH service port and the same entity adapts. That insinuates active port scanning.

My question to you Mr. Turtle: Are the only two ports being actively brute force attacked with a SSH script the default ssh port and your new statically assigned port? Or does it look like every open port is being affected like a monkey banging a wrench on a tank?
post #8 of 12
Thread Starter 
Quote:
Originally Posted by beers;12760804 
When my server had SSH on port 22 I'd get at least 3-5 brute force attempts per day from China/Russia. A few of them were one offs from various stateside machines, usually an e-mail to the contact that you can pull from ICANN information will get you a 'thanks' or 'hey our crap is infected' e-mail. Might be BS but amusing nonetheless.

We're talking about 1000 ssh attempts per day from these two.

Had 5 attempts from somewhere in...Uruguay I think it was?

Side note: is there a way with either grep or diff to compare two text files that can report back any lines that match identically in both text files?

i.e. if file A has 110.110.110.100 and 111.111.111.100, and file B has 200.200.200.200 and 111.111.111.100, is there a way to report (and thus > to a new text file) the matching 111.111.111.100 lines?
    
CPUMotherboardGraphicsRAM
Core i7 970 @ 4.0 GHz 1.22 Vcore Asus Rampage II Gene GTX 260 216SP G.SKILL PI 3x2gb DDR3 1600 @ 7-8-7-24 
Hard DriveOSMonitorPower
2x 500gb Seagates RAID 0, 1x 500gb non-RAID Windows 7 Professional x64 ASUS 24'' VH242H / Spectre 24'' WS Corsair 750TX 
Case
Corsair 300R 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Core i7 970 @ 4.0 GHz 1.22 Vcore Asus Rampage II Gene GTX 260 216SP G.SKILL PI 3x2gb DDR3 1600 @ 7-8-7-24 
Hard DriveOSMonitorPower
2x 500gb Seagates RAID 0, 1x 500gb non-RAID Windows 7 Professional x64 ASUS 24'' VH242H / Spectre 24'' WS Corsair 750TX 
Case
Corsair 300R 
  hide details  
Reply
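The line-intersection question in the post above, answered as an added example that is not part of the thread: comm(1) is the tool built for this (grep can do it too, shown as the second function). The two sample files are constructed here from the values in the post; the file names and the working directory are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Report lines that appear identically in two text files, one IP address per line.

# Write the two sample lists from the post into a scratch directory (constructed input).
make_samples() {
    printf '110.110.110.100\n111.111.111.100\n' > file_a.txt
    printf '200.200.200.200\n111.111.111.100\n' > file_b.txt
}

# comm(1) needs sorted input. -12 suppresses column 1 (lines only in A) and
# column 2 (lines only in B), leaving column 3: lines present in both.
# sort -u also collapses duplicates so a repeated offender is listed once.
common_lines() {
    sort -u "$1" > "$1.sorted"
    sort -u "$2" > "$2.sorted"
    comm -12 "$1.sorted" "$2.sorted"
    rm -f "$1.sorted" "$2.sorted"
}

# grep alternative: -F treats the patterns as fixed strings (so the dots in an
# IP address are not regex wildcards), -x requires a whole-line match (so
# 10.0.0.1 does not match 10.0.0.10), -f reads the patterns from file A.
common_lines_grep() {
    grep -Fxf "$1" "$2" | sort -u
}

make_samples
# Redirect the result to a third file, as the post asked.
common_lines file_a.txt file_b.txt > matches.txt
cat matches.txt
```

Without -F and -x, `grep -f file_a.txt file_b.txt` would treat each line of file A as a regular expression and accept prefix matches, so a list containing 10.0.0.1 would also flag 10.0.0.10 through 10.0.0.19; that is the usual mistake when intersecting IP lists. diff(1) is the wrong tool here: it reports differences, and extracting the common lines from its output is more work than comm.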
post #9 of 12
Thread Starter 
Update: Looking into one of the two aforementioned IP addresses, it is currently held by a domain registered by E-Insites. However, upon visiting the site in a sandbox environment with Firefox running NoScript, all it is is a redirect to another domain hosting website, Metafusion.

Hrm.

EDIT:
Quote:
Originally Posted by scottsee;12761041 
Yeah, that's common. What's not is when you change your SSH service port and the same entity adapts. That insinuates active port scanning.

My question to you Mr. Turtle: Are the only two ports being actively brute force attacked with a SSH script the default ssh port and your new statically assigned port? Or does it look like every open port is being affected like a monkey banging a wrench on a tank?

Both, actually. One day it was just the script running the username/password combinations against all possible ports. The next day, it was targeted towards port 22, the day after that it was all possible again (still the same IP) but with a high number of attempts on my static port and the default of port 22.
Edited by TurboTurtle - 3/16/11 at 7:39pm
    
CPUMotherboardGraphicsRAM
Core i7 970 @ 4.0 GHz 1.22 Vcore Asus Rampage II Gene GTX 260 216SP G.SKILL PI 3x2gb DDR3 1600 @ 7-8-7-24 
Hard DriveOSMonitorPower
2x 500gb Seagates RAID 0, 1x 500gb non-RAID Windows 7 Professional x64 ASUS 24'' VH242H / Spectre 24'' WS Corsair 750TX 
Case
Corsair 300R 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Core i7 970 @ 4.0 GHz 1.22 Vcore Asus Rampage II Gene GTX 260 216SP G.SKILL PI 3x2gb DDR3 1600 @ 7-8-7-24 
Hard DriveOSMonitorPower
2x 500gb Seagates RAID 0, 1x 500gb non-RAID Windows 7 Professional x64 ASUS 24'' VH242H / Spectre 24'' WS Corsair 750TX 
Case
Corsair 300R 
  hide details  
Reply
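A way to answer the "only 22 and the custom port, or every port" question from the logs themselves, added here as an example and not something from the thread: the script below tallies, per source address, how many connection attempts were logged and how many distinct destination ports they touched, then labels each source as an SSH-only guesser or a port scanner. It assumes the attempts are visible in iptables LOG lines on the server (sshd's own log does not record the destination port); the log lines, the custom SSH port 2222 and the scan threshold are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Classify sources in iptables LOG output: SSH-only brute forcing vs. port scanning.

SSH_PORT=2222   # assumed custom sshd port; the thread does not say which one is used

# Constructed sample log lines in iptables LOG format (SRC= and DPT= fields).
# Addresses are from documentation ranges and are not the thread's offenders.
sample_log() {
cat <<'EOF'
Mar 16 05:05:01 srv kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=44121 DPT=22 SYN
Mar 16 05:05:02 srv kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=44122 DPT=22 SYN
Mar 16 05:05:03 srv kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=44123 DPT=2222 SYN
Mar 16 06:41:00 srv kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=50001 DPT=21 SYN
Mar 16 06:41:00 srv kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=50002 DPT=22 SYN
Mar 16 06:41:01 srv kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=50003 DPT=23 SYN
Mar 16 06:41:01 srv kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=50004 DPT=80 SYN
Mar 16 06:41:02 srv kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=50005 DPT=2222 SYN
Mar 16 07:10:00 srv kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.5 PROTO=TCP SPT=51000 DPT=80 SYN
EOF
}

# Read log lines on stdin. Output one line per source:
#   <src> <total hits> <distinct destination ports> <label>
# label: "scan" if more than two distinct ports were probed (assumed threshold),
#        "ssh-only" if every hit went to port 22 or the custom SSH port,
#        "other" for anything else.
classify() {
  awk -v ssh="$1" '
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "" || dpt == "") next        # not a LOG line we understand
      hits[src]++
      if (!((src, dpt) in seen)) { seen[src, dpt] = 1; nports[src]++ }
      if (dpt == "22" || dpt == ssh) sshhits[src]++
    }
    END {
      for (s in hits) {
        if (nports[s] > 2) label = "scan"
        else if (sshhits[s] == hits[s]) label = "ssh-only"
        else label = "other"
        printf "%s %d %d %s\n", s, hits[s], nports[s], label
      }
    }' | sort
}

# On a real box: grep 'DPT=' /var/log/kern.log | classify "$SSH_PORT"
sample_log | classify "$SSH_PORT"
```

A source labelled ssh-only that hits both 22 and the custom port is the pattern scottsee describes: it found the moved service without walking the whole port range, so the new port was learned from an earlier scan rather than guessed. The "scan" threshold of two distinct ports is deliberately low for the sample; raise it if legitimate clients on your network touch several services.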
post #10 of 12
Doesn't sound sophisticated - Basic smash and grab.. Do you have a router that supports access control lists?