Strange scanning on my server?
Humm... Has anybody else seen a pattern like this?
I am getting a flurry of root login attempts at my main server at the University since yesterday 7:30AM (GMT-5). Now, from the machines I run in the 132.248.0.0/16 network (UNAM), only two listen to the world with ssh at port 22 — And yes, it is a very large network, but I am only getting this pattern on one of them (they are on different subnets, quite far apart). They are all attempting to log in as root, with a frequency that varies wildly, but is consistently over three times a minute right now. This is a sample of what I get in my logs:
[update] Logs omitted from the blog post, as they are too wide and break the layout for most users. You can download the log file instead.
Anyway… This comes from all over the world, and all the attempts are made as root (no attempts for unprivileged users). Of course, I have PermitRootLogin set to no in /etc/ssh/sshd_config, but… I want to understand this as much as possible.
Initially it struck me that most of the attempts appeared to come from Europe (quite atypical for the usual botnet distribution), so I passed my logs through:
```perl
#!/usr/bin/perl
use strict;
use IO::File;
use Geo::IP;

my ($geoip, $fh, %by_ip, %by_ctry);
$fh    = IO::File->new('/tmp/sshd_log');
$geoip = Geo::IP->new(GEOIP_STANDARD);

# Count failed attempts per source host, keyed on the rhost= field
# that pam_unix writes for every rejected login.
while (my $lin = <$fh>) {
    next unless $lin =~ /rhost=(\S+)/;
    $by_ip{$1}++;
}

# Resolve each source to a country: dotted-quad addresses by IP,
# anything else (a hostname) by name. Unresolvable sources go under '??'.
for my $ip (keys %by_ip) {
    my $ctry = ($ip =~ /^[\d\.]+$/)
        ? $geoip->country_code_by_addr($ip)
        : $geoip->country_code_by_name($ip);
    $ctry = '??' unless defined $ctry;
    $by_ctry{$ctry}++;    # one tally per source host, as written
}

# Print countries, busiest first.
for my $ctry (sort { $by_ctry{$b} <=> $by_ctry{$a} } keys %by_ctry) {
    print "$by_ctry{$ctry} $ctry\n";
}
```
The top countries (where the number of attempts ≥ 5) are:
104 CN, 78 US, 58 BR, 49 DE, 43 PL, 20 ES, 20 IN, 19 RU, 17 CO, 17 UA, 16 IT, 13 AR, 12 ZA, 10 CA, 10 CH, 8 GB, 8 AT, 8 JP, 8 FR, 7 KR, 7 HK, 7 PE, 7 ID, 6 PT, 5 CZ, 5 AU, 5 BE, 5 SE, 5 RO, 5 MX
I am attaching to this post the relevant log (filtering out all the information I could regarding legitimate users) as well as the full output. In case somebody has seen this kind of wormish botnetish behaviour lately… please comment.
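As an added example (not part of the original post), the same rhost= extraction done in Python over a few constructed pam_unix lines of the kind sshd logs on a rejected login; besides the per-source tally, it records which account each attempt targeted and the busiest minute, the two things the post singles out. The sample lines, the hostname "host" and the year assumed for the syslog timestamps are all made up here.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of sshd/pam_unix authentication-failure lines (not real
# log data); the rhost= field is the same one the Perl script keys on.
SAMPLE_LOG = """\
Jan 14 07:31:02 host sshd[4110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Jan 14 07:31:20 host sshd[4112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Jan 14 07:31:41 host sshd[4115]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Jan 14 07:31:55 host sshd[4117]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.33 user=root
Jan 14 07:32:10 host sshd[4120]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.33 user=alice
Jan 14 07:33:05 host sshd[4125]: Accepted publickey for bob from 192.0.2.50 port 51122 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*?rhost=(?P<rhost>\S+) user=(?P<user>\S+)"
)


def summarize(log_text, year=2009):
    """Tally failed logins per source host and per target user, and find the
    peak number of failures in any one minute. Year is assumed: syslog
    timestamps do not carry one."""
    by_host, by_user, per_minute = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        by_host[m["rhost"]] += 1
        by_user[m["user"]] += 1
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        per_minute[ts.replace(second=0)] += 1
    peak_minute, peak_rate = max(per_minute.items(), key=lambda kv: kv[1], default=(None, 0))
    return {
        "by_host": dict(by_host),
        "by_user": dict(by_user),
        "root_only": set(by_user) == {"root"},  # True for the pattern in the post
        "peak_minute": peak_minute,
        "peak_per_minute": peak_rate,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Country attribution is left to the Perl script above (or any GeoIP lookup of the keys of by_host), since that needs a database the example cannot ship.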
[Update] I have tried getting some data regarding the attacking machines, running a simple nmap -O -vv against a random sample (five machines, I hope I am not being too aggressive in anybody's eyes). They all seem to be running some flavor of Linux (according to the OS fingerprinting), but the list of open ports varies wildly — I have seen the following:
```
Not shown: 979 closed ports
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
23/tcp    open     telnet
111/tcp   open     rpcbind
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
992/tcp   open     telnets
1025/tcp  filtered NFS-or-IIS
1080/tcp  filtered socks
1433/tcp  filtered ms-sql-s
1434/tcp  filtered ms-sql-m
2049/tcp  open     nfs
4242/tcp  filtered unknown
4444/tcp  filtered krb524
6346/tcp  filtered gnutella
6881/tcp  filtered bittorrent-tracker
8888/tcp  filtered sun-answerbook
10000/tcp open     snet-sensor-mgmt
45100/tcp filtered unknown
Device type: general purpose|WAP|PBX
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (96%), (…)

Not shown: 993 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   open   smtp
80/tcp   open   http
443/tcp  open   https
444/tcp  open   snpp
3389/tcp open   ms-term-serv
4125/tcp closed rww
Device type: general purpose|phone|WAP|router
Running (JUST GUESSING) : Linux 2.6.X (91%), (…)

Not shown: 994 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  closed domain
80/tcp  open   http
113/tcp closed auth
443/tcp closed https
Device type: general purpose
Running (JUST GUESSING) : Linux 2.6.X (90%)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Linux 2.6.15 - 2.6.26 (90%), Linux 2.6.23 (89%), (…)

Not shown: 982 closed ports
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
37/tcp    open     time
80/tcp    open     http
113/tcp   open     auth
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1025/tcp  filtered NFS-or-IIS
1080/tcp  filtered socks
1433/tcp  filtered ms-sql-s
1434/tcp  filtered ms-sql-m
4242/tcp  filtered unknown
4444/tcp  filtered krb524
6346/tcp  filtered gnutella
6881/tcp  filtered bittorrent-tracker
8888/tcp  filtered sun-answerbook
45100/tcp filtered unknown
Device type: general purpose|WAP|broadband router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (95%), (…)

Not shown: 994 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
3389/tcp open  ms-term-serv
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: firewall|general purpose
Running: Linux 2.6.X
OS details: Smoothwall firewall (Linux 2.6.16.53), Linux 2.6.13 - 2.6.24, Linux 2.6.16
```
Of course, it strikes me that several among said machines seem to be Linuxes, but (appear to) run Microsoft services. Oh, and they also have P2P clients.
| Attachment | Size |
|---|---|
| Results of parsing the logs | 21.58 KB |
| Relevant portion of the logs | 1.05 MB |
- gwolf's blog