Author: GTO8C (鬼扯英吉 夜露死苦)
Board: NetSecurity
Subject: [Question] Getting hammered by password attacks lately, anyone else seeing the same thing?
Date: Wed Sep 29 01:49:44 2004
My Linux box sits on a fixed-IP ADSL connection.
Going through the logs recently, I found the host's SSH daemon is frequently hit by brute-force password attempts,
but oddly they do *not* all come from the same IP address.
I looked up the source IPs; some are even Korean sites. Could these be relay hosts (stepping stones)?
What's also odd is that my fixed ADSL bandwidth is tiny, so what would breaking into my host even achieve?
Since all the IPs are different, could these remote hosts have been infected with a virus without knowing it?
I think it's the same brute-force login program, just with small differences in the order.
If these brute-force login programs spread by virus, that would be extremely powerful:
in a very short time they could gain control of most hosts with simple passwords
and turn them into yet more attack relays.
Since July, its attacks have all been quite brief,
growing from three attempts at first to five.
Because the IPs are all different, most people would hardly notice anything unusual.
As for how I noticed: this Mid-Autumn Festival the other side went berserk and kept trying for over half an hour.
This surely isn't just a program or virus; after obtaining specific information, this jerk
launched a targeted attack on a specific host.
Below are the log records; these hosts have probably all been implanted with this program.
Does anyone else see the same situation?
Jul 20 14:01:41 daemon sshd[5732]: Illegal user test from 83.103.27.66
Jul 20 14:01:41 daemon sshd[5732]: error: Could not get shadow information for NOUSER
Jul 20 14:01:41 daemon sshd[5732]: Failed password for illegal user test from 83.103.27.66 port 35396 ssh2
Jul 20 14:01:45 daemon sshd[5734]: Illegal user guest from 83.103.27.66
Jul 20 14:01:45 daemon sshd[5734]: error: Could not get shadow information for NOUSER
Jul 20 14:01:45 daemon sshd[5734]: Failed password for illegal user guest from 83.103.27.66 port 35434 ssh2
Jul 20 21:06:40 daemon sshd[5736]: Illegal user test from 131.234.157.10
Jul 20 21:06:40 daemon sshd[5736]: error: Could not get shadow information for NOUSER
Jul 20 21:06:40 daemon sshd[5736]: Failed password for illegal user test from 131.234.157.10 port 48337 ssh2
Jul 20 21:06:45 daemon sshd[5738]: Illegal user guest from 131.234.157.10
Jul 20 21:06:45 daemon sshd[5738]: error: Could not get shadow information for NOUSER
Jul 20 21:06:45 daemon sshd[5738]: Failed password for illegal user guest from 131.234.157.10 port 48433 ssh2
Jul 20 21:06:50 daemon sshd[5740]: Illegal user admin from 131.234.157.10
Jul 20 21:06:50 daemon sshd[5740]: error: Could not get shadow information for NOUSER
Jul 20 21:06:50 daemon sshd[5740]: Failed password for illegal user admin from 131.234.157.10 port 48538 ssh2
Jul 20 21:06:55 daemon sshd[5742]: Illegal user admin from 131.234.157.10
Jul 20 21:06:55 daemon sshd[5742]: error: Could not get shadow information for NOUSER
Jul 20 21:06:55 daemon sshd[5742]: Failed password for illegal user admin from 131.234.157.10 port 48623 ssh2
Jul 20 21:07:00 daemon sshd[5744]: Illegal user user from 131.234.157.10
Jul 20 21:07:00 daemon sshd[5744]: error: Could not get shadow information for NOUSER
Jul 20 21:07:00 daemon sshd[5744]: Failed password for illegal user user from 131.234.157.10 port 48719 ssh2
Jul 20 21:07:00 daemon sshd[5744]: error: Could not get shadow information for NOUSER
Jul 20 21:07:00 daemon sshd[5744]: Failed password for illegal user user from 131.234.157.10 port 48719 ssh2
Jul 20 21:07:05 daemon sshd[5746]: Failed password for root from 131.234.157.10 port 48818 ssh2
Jul 20 21:07:09 daemon sshd[5748]: Failed password for root from 131.234.157.10 port 48918 ssh2
Jul 20 21:07:13 daemon sshd[5750]: Failed password for root from 131.234.157.10 port 49003 ssh2
Jul 20 21:07:17 daemon sshd[5752]: Illegal user test from 131.234.157.10
Jul 20 21:07:17 daemon sshd[5752]: error: Could not get shadow information for NOUSER
Jul 20 21:07:17 daemon sshd[5752]: Failed password for illegal user test from 131.234.157.10 port 49092 ssh2
Jul 24 04:27:27 daemon sshd[5834]: Failed password for root from 130.251.7.2 port 59483 ssh2
Jul 27 12:56:16 daemon sshd[5871]: Failed password for root from 66.63.160.36 port 38887 ssh2
Jul 27 12:56:16 daemon sshd[5872]: warning: /etc/hosts.allow, line 6: can't verify hostname: gethostbyname(36.oc3networks.com) failed
They all first probe those accounts as shown above; the records below are the attack points.
Aug 5 08:18:54 daemon sshd[6019]: Failed password for root from 163.32.151.3 port 40388 ssh2
Aug 7 15:55:51 daemon sshd[6094]: Failed password for root from 210.205.6.157 port 57248 ssh2
Aug 7 20:59:53 daemon sshd[6112]: Failed password for root from 218.15.207.40 port 54459 ssh2
Aug 7 22:18:23 daemon sshd[6130]: Failed password for root from 134.208.10.158 port 52941 ssh2
Aug 10 10:46:31 daemon sshd[6178]: Failed password for root from 202.78.172.20 port 2285 ssh2
Aug 11 02:20:20 daemon sshd[6206]: Failed password for root from 202.102.242.178 port 42193 ssh2
Aug 12 00:56:10 daemon sshd[6241]: Failed password for root from 210.204.129.11 port 46918 ssh2
Aug 12 10:40:26 daemon sshd[6259]: Failed password for root from 210.95.186.129 port 55288 ssh2
Aug 12 18:47:41 daemon sshd[6281]: Failed password for root from 61.40.11.45 port 37766 ssh2
Aug 12 18:48:37 daemon sshd[6299]: Failed password for root from 61.40.11.45 port 40366 ssh2
Aug 14 09:06:57 daemon sshd[6331]: Failed password for root from 212.152.171.102 port 49563 ssh2
Aug 15 06:21:43 daemon sshd[6471]: Failed password for root from 202.100.222.123 port 35632 ssh2
Aug 15 11:53:47 daemon sshd[6489]: Failed password for root from 212.71.131.226 port 4197 ssh2
Aug 15 11:54:16 daemon sshd[6503]: Failed password for root from 212.71.131.226 port 4904 ssh2
Aug 15 11:56:35 daemon sshd[6571]: Failed password for root from 212.71.131.226 port 4332 ssh2
11:54 is the attack start time, 11:56 the end time; continuous.
Aug 18 04:10:46 daemon sshd[6730]: Failed password for root from 203.196.231.2 port 54084 ssh2
Aug 20 13:51:02 daemon sshd[6802]: Failed password for root from 222.38.28.107 port 41406 ssh2
Aug 21 19:30:00 daemon sshd[6838]: Failed password for root from 220.70.7.225 port 47204 ssh2
Aug 23 12:56:16 daemon sshd[6888]: Failed password for root from 80.204.43.237 port 55792 ssh2
Aug 27 12:28:54 daemon sshd[551]: Failed password for root from 163.25.65.3 port 40217 ssh2
Aug 28 01:26:06 daemon sshd[590]: Failed password for root from 220.130.156.130 port 1395 ssh2
Aug 28 04:32:03 daemon sshd[608]: Failed password for root from 221.166.169.102 port 39723 ssh2
Aug 28 12:16:09 daemon sshd[626]: Failed password for root from 61.150.43.123 port 47214 ssh2
Aug 30 19:20:15 daemon sshd[646]: Failed password for root from 140.128.102.115 port 1830 ssh2
Sep 1 10:23:12 daemon sshd[796]: Failed password for root from 61.36.184.166 port 39995 ssh2
Sep 1 10:38:36 daemon sshd[814]: Failed password for root from 221.3.131.80 port 34775 ssh2
Sep 2 22:46:05 daemon sshd[840]: Failed password for root from 220.64.223.183 port 49850 ssh2
Sep 4 22:43:11 daemon sshd[879]: Failed password for root from 218.235.97.206 port 35705 ssh2
Sep 5 04:12:47 daemon sshd[897]: Failed password for root from 62.50.74.178 port 51847 ssh2
Sep 5 09:00:37 daemon sshd[929]: Failed password for root from 61.129.45.97 port 35165 ssh2
Sep 5 09:10:29 daemon sshd[1397]: Failed password for root from 61.129.45.97 port 51084 ssh2
09:00 is the attack start time, 09:10 the end time; continuous.
Sep 6 07:45:46 daemon sshd[1412]: Failed password for root from 61.38.92.160 port 51669 ssh2
Sep 7 23:38:08 daemon sshd[1432]: Failed password for root from 221.166.169.102 port 35369 ssh2
Sep 8 19:55:42 daemon sshd[1495]: Failed password for root from 221.207.59.129 port 58874 ssh2
Sep 12 03:00:11 daemon sshd[1534]: Failed password for root from 211.248.173.2 port 3195 ssh2
Sep 13 07:56:28 daemon sshd[1574]: Failed password for root from 218.84.126.17 port 41568 ssh2
Sep 13 09:27:02 daemon sshd[1592]: Failed password for root from 210.76.125.14 port 51846 ssh2
Sep 16 02:24:35 daemon sshd[1611]: Failed password for root from 195.16.96.218 port 56303 ssh2
Sep 16 02:31:38 daemon sshd[1815]: Failed password for root from 195.16.96.218 port 34595 ssh2
02:24 is the attack start time, 02:31 the end time; continuous.
Sep 17 17:20:59 daemon sshd[1834]: Failed password for root from 219.153.4.62 port 54853 ssh2
Sep 17 17:24:20 daemon sshd[1966]: Failed password for root from 219.153.4.62 port 59549 ssh2
17:20 is the attack start time, 17:24 the end time; continuous.
Sep 23 01:12:43 daemon sshd[1985]: Failed password for root from 218.6.145.91 port 51763 ssh2
Sep 25 06:40:34 daemon sshd[2009]: Failed password for root from 202.90.159.243 port 59794 ssh2
Sep 26 06:23:04 daemon sshd[2027]: Failed password for root from 221.5.251.160 port 36665 ssh2
Sep 28 14:50:20 daemon sshd[2047]: Failed password for root from 210.205.6.157 port 52187 ssh2
Sep 28 15:21:17 daemon sshd[3397]: Failed password for root from 210.205.6.157 port 55668 ssh2
14:50 is the attack start time, 15:21 the end time; continuous.
Only this time did I notice something was wrong; this was the longest attack.
--
※ Posted from: 批踢踢实业坊 (ptt.cc)
◆ From: 218.34.129.2
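The poster's difficulty is that each source only makes a handful of attempts, so no single IP looks alarming on its own. As an added example (not part of the original post or any tool it mentions), the Python script below parses sshd lines in the same syslog format, groups failed logins per source and per account, and flags "continuous" bursts the way the annotations above do (start time, end time, attempt count). The embedded sample log is a subset of lines copied from this post; the year, the burst thresholds, and the function names are assumptions of this example.

```python
"""Summarize SSH password-guessing activity from sshd syslog lines.

Added example, not code from the original post. Works on lines such as
'Jul 20 21:07:05 daemon sshd[5746]: Failed password for root from 131.234.157.10 port 48818 ssh2'.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the 'Failed password' lines (both 'illegal user X' and plain 'root').
# 'Illegal user', 'Could not get shadow information' and tcp_wrappers warnings
# are deliberately ignored: the failed-password line is the one we count.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[(?P<pid>\d+)\]: Failed password for (?:illegal user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)

YEAR = 2004  # syslog lines carry no year; assumed from the post's date

# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_LOG = """\
Jul 20 14:01:41 daemon sshd[5732]: Illegal user test from 83.103.27.66
Jul 20 14:01:41 daemon sshd[5732]: error: Could not get shadow information for NOUSER
Jul 20 14:01:41 daemon sshd[5732]: Failed password for illegal user test from 83.103.27.66 port 35396 ssh2
Jul 20 14:01:45 daemon sshd[5734]: Failed password for illegal user guest from 83.103.27.66 port 35434 ssh2
Jul 20 21:06:40 daemon sshd[5736]: Failed password for illegal user test from 131.234.157.10 port 48337 ssh2
Jul 20 21:06:45 daemon sshd[5738]: Failed password for illegal user guest from 131.234.157.10 port 48433 ssh2
Jul 20 21:06:50 daemon sshd[5740]: Failed password for illegal user admin from 131.234.157.10 port 48538 ssh2
Jul 20 21:07:05 daemon sshd[5746]: Failed password for root from 131.234.157.10 port 48818 ssh2
Jul 20 21:07:09 daemon sshd[5748]: Failed password for root from 131.234.157.10 port 48918 ssh2
Jul 24 04:27:27 daemon sshd[5834]: Failed password for root from 130.251.7.2 port 59483 ssh2
Aug 15 11:53:47 daemon sshd[6489]: Failed password for root from 212.71.131.226 port 4197 ssh2
Aug 15 11:54:16 daemon sshd[6503]: Failed password for root from 212.71.131.226 port 4904 ssh2
Aug 15 11:56:35 daemon sshd[6571]: Failed password for root from 212.71.131.226 port 4332 ssh2
Sep 28 14:50:20 daemon sshd[2047]: Failed password for root from 210.205.6.157 port 52187 ssh2
Sep 28 15:21:17 daemon sshd[3397]: Failed password for root from 210.205.6.157 port 55668 ssh2
"""


def parse_failed_logins(lines):
    """Return a list of (timestamp, username, source_ip) for each failed-password line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = f"{YEAR} {m['mon']} {int(m['day'])} {m['time']}"
        events.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["user"], m["ip"]))
    return events


def summarize_by_source(events):
    """Per source IP: attempt count, first/last seen, and the set of accounts tried."""
    summary = {}
    for ts, user, ip in sorted(events):
        s = summary.setdefault(ip, {"count": 0, "first": ts, "last": ts, "users": set()})
        s["count"] += 1
        s["last"] = ts  # events are sorted, so the last one seen is the latest
        s["users"].add(user)
    return summary


def sources_per_user(events):
    """Distinct source IPs per account: exposes a distributed campaign that a
    per-IP view (a few tries from each address) would never make stand out."""
    per_user = defaultdict(set)
    for _ts, user, ip in events:
        per_user[user].add(ip)
    return {user: len(ips) for user, ips in per_user.items()}


def find_bursts(events, min_attempts=3, max_gap_seconds=300):
    """Group one IP's attempts into runs where consecutive attempts are at most
    max_gap_seconds apart; report runs of at least min_attempts as
    (ip, start, end, count), sorted by start time. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    bursts = []
    for ip, times in by_ip.items():
        times.sort()
        start = prev = times[0]
        count = 1
        for t in times[1:]:
            if (t - prev).total_seconds() <= max_gap_seconds:
                count += 1
            else:
                if count >= min_attempts:
                    bursts.append((ip, start, prev, count))
                start, count = t, 1
            prev = t
        if count >= min_attempts:
            bursts.append((ip, start, prev, count))
    return sorted(bursts, key=lambda b: b[1])


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG.splitlines())
    for ip, s in summarize_by_source(evs).items():
        print(f"{ip:16} attempts={s['count']:2} accounts={sorted(s['users'])}")
    print("distinct sources per account:", sources_per_user(evs))
    for ip, start, end, n in find_bursts(evs):
        print(f"burst: {ip} {start:%b %d %H:%M}-{end:%H:%M} ({n} attempts)")
```

On the sample, the per-IP view shows the pattern the post describes (each address tries test/guest/admin/root a few times), `sources_per_user` shows root being tried from four different addresses, and `find_bursts` reproduces the post's "start 11:53, end 11:56, continuous" annotation for 212.71.131.226 while correctly leaving the two Sep 28 attempts half an hour apart out of any burst. Feed it a real file with `parse_failed_logins(open("/var/log/auth.log"))` and tune the thresholds to what is normal for the host.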