2008-05-30

SSH入侵嘗試所使用的密碼蒐集記錄

經過上次 記錄到的一次SSH暴力式嘗試入侵紀錄 之後,
我簡單修改了openssh的CODE,讓他能記錄所有CLIENT端輸進的密碼寫入LOG,同時不允許任何帳號登入.把這個fake sshd 當作一個餌來看能釣到多少ssh worm.
在經過一個禮拜(5/24~5/30)紀錄後的統計結果如下:

發動入侵嘗試IP / 嘗試次數 地理位置(利用www.ip138.com查詢)
117.129.0.111 -- 116
中国移动
123.129.247.32 -- 734 中国山东省 网通
140.134.140.22 -- 16 台灣 逢甲大學
203.198.69.66 -- 392 香港
210.57.230.22 -- 24 韩国
217.167.130.37 -- 69 法国
219.139.190.249 -- 22 中国湖北省襄樊市 电信
222.122.161.12 -- 62 韩国
222.190.109.118 -- 1202 中国江苏省南京市 电信
222.35.136.30 -- 291 中国北京市 铁通
58.211.78.204 -- 6 中国江苏省苏州市 电信
58.61.149.180 -- 424 中国广东省深圳市 电信
59.125.163.62 -- 248 台灣 中華电信
59.180.240.3 -- 16 印度
60.191.123.40 -- 16 中国浙江省杭州市 电信
60.220.248.57 -- 833 中国山西省晋城市 网通
60.250.62.47 -- 9 台灣 中華电信

由目前搜集到的資料可以分析出幾個比較危險的狀態:

1.SSH未改port&不限制root登入.
2.帳號為常見英文名,且密碼相同(必死)
3.密碼過於簡單,以下是簡單歸納出的幾個已知規則
a.一般常見單辭
b.重複數字 (ex: 11111111 , 33333333)
c
.順序數字 (ex: 123 , 1234 , 987654321)
d.順序符號 (ex: !@#$% , !@#$%^&*() , )(*&^%$#@! )
e.鍵盤順序字母(ex: qwerty , asdfgh , 1qaz2wsx3edc4rfv , 3edc4rfv5tgb)
f.簡單文字符號代換(ex: r@@t , p@ssw0rd )

針對sshd的幾點安全建議:

1.可能的話把port改掉,不要用default的TCP/22
2.不要允許root登入(
PermitRootLogin no)
3.若情況允許,使用AllowUsers來設定允許SSH登入帳號的正面表列
4.直接關掉PasswordAuthentication,改用authentication key驗證

以下是由log中整理出來的詳細帳號/密碼資料,
可以嘗試搜看看自己SSH在用的密碼是不是在這份清單裡面..如果是的話..阿彌陀佛囉..

所有嘗試入侵使用的account 共有825個
1 a aaliyah aaron abby abigail absurdir_deadphp adam adi adine adm admin administrator admins admissions adrian aecpro agent ahmed aidan ajith akihisa akino akira alan albert alberto alex alexa alexander alexandra alexandru alexis alfred ali alias alice alin alka allan allen alliance allison almacen alumni alyssa amanda amavisd amber amelia ana andi andrea andreea andrei andres andrew andy angel angela angie anita ann anna anonymous anthony anton apache apple apple1 apples appowner appserver arbaiah arbgirl_phpbb1 areyes arianna armen aron arthur ashley ashlyn asia asterisk atria atsumi audio audrey austin autumn ava avery azuma baba backuppc bailey balykin bandit bane barbara bart basic bauer bear beavis beginner ben benjamin beny bernard bernd bert bessel bill billy bind bird bisson black blog bnc bob bobby bogdan boon boss brandon bret brett brian brianna brooke brooklyn bruce bryan build buster caleb cameron cap carl carlos carly carol caroline carshowguide cassie cesar cgi ch chad chandimal charlott chicago Chicago china chipmast chloe chorist chris Christ christopher cindy cjohnson claire clamav clark client clinic clinton clock closas coco cocolino connor control copier core corinna courier courtney craig cristi cvs cvsuser cyp cyrus cyrusimap dakota Dakota dan dana daniel daniela danielle dank danny dark data dave david db de dean debbie default delta demo denis der design destiny dev devilsins dexter diane dick dima dino director displays doming doodz dovecot download duckie dujoey dust dylan dyndns earl economist ed eddie edgar edward elena elisa eliza elizabeth ella ellen emil emily emma enzo eppc eric erin ernie etc ethan ethereal eugen eva export fabio fabrice factoria faith falcon faridah farrell fauzi fedora felix fester festival file files filip filippid_admin finder first flower fly france francis francois frank franklin fred freeze frei friends ftp ftp123 ftphome ftpuser gabi gabriella gabrielle gary gast gemma generalmanager genoveva george gerry gigi ginger girl godzilla grace gracie gt05 guest guest1 guest10 guest2 guest3 guest4 guest5 guest6 guest7 guest8 guest9 guinness guset gwen hack hacker hailey hallo halt hammer hannah hans harley harris harry harvey hatton hera hermes hiperg http httpd huang huercal hugues ian ident iesse im image india info informix install instrume internet invite ioana ionut iraf iresha isabella isabelle ismail it its jabber jack jackson jacob jacuna jada james japan jasmine jason jatema javi jayden jboss je jean jeff jeffrey jenna jennan jerry jesse jessica jillian jim jimmy jking jnanchito joanna joeflores joerg john johny jonathan jordan Jordan joseph josh joshua Joshua juan judith julia jun junior jupiter justin Justin kaitlyn karika karl kate katherine katie kay kayla kaylee kelly ken kendall kennedy kevin kim kjayroe klog knoppix kor kristen kristin kylie lab lahiru larry lauren laurent laurentiu ldap leah lebedev lee lemancaf_leman library lillian lily linda lindsey linux linuxtest linuxtester linuxtester2 lisa listen liz lloyd logan louise louise1 luc ludovic lyn mackenzie madeline madhuri madison magazine maggie magic mailman makayla malika mama manchester marcus maria mario marissa mark martin martinez marvin mary maryse master math matilda matt matthew maurice max may maya mckenna megan mia michael michaels michal michel michey mickey miguel mihai mike miller mirc molly mom mona monica monique moon morgan mortimer moshutzu mouse movie movies mri murray mustang myra myrhodesiaiscom mysql nadia nagios named natalie nathan neetha netadmin new newsletter newsroom nicholas nick nickelan nicole Nicole noah nokia notused nuucp o2 office oliver olivia operator oracle orange oscar paige paintball paintball1 party pascal pass password patrick paul peewee penelope pete peter petru peyton pgsql phil philip photo physics pico plant plasma poczta pop porno postgres postmaster princess production project pub public purple qtss quincy raider randi ranjith rasika reagan rebecca reboot recruit remote research resin restart retsu rexmen rfmngr richard riley rob robert Robert rock roland rolo ronald root rosa rpm rtorres russ ryan safetp sakura sales samantha samba samir sammy samuel sandra sangley_xmb1 sara sarah sasha savannah save sbear scan scorpion sean search securityagent semenov senaka seoulselection serge server service sgi sham sharon shaun shelby shell shelton shop shuri shutdown sid sierra signalhill simon sirsi skkb sky skylar sll sm sme smmsp snoopy sonny sophia sophie soporte spam spamd spider spike sponsor squid ssh staff stats stella stephanie stephen steve steven stud student students sunny superman support support123 susan sven svn swsoft sya sybase sydney sylvia system tachel tads takada tara taylor ted telnet telnetd temp temporal terry test test1 test10 test11 test12 test123 test2 test3 test4 test5 test6 test7 test8 test9 teste tester testing testuser thaiset theo thomas tigger tim tino tip tmp tokend tom tomas tomcat tomcat5 tone tony toto tracker transfer trash travel_phpb1 trinity ts tweety tyler ubuntu ueda ultra unix unknown updates user user1 user123 username users valas valentin valerie vanesa vanessa vdi venom ventas vermont vic vicky victoria video vincent viorel viper virginia virus visitor vivek vmware vnc vwalker walker wallimo_phpbb1 walter wang wanker web webadmin webcam webmaster webpop wei white wilkins will wille william williamson willie win windowserver wolfgang workshop wrestling www www1 wwwdata wwwrun xbox xgridagent xgridcontroller xtra xxx zachary zena zimbra zoe

所有登入嘗試使用過的密碼有2038組

! !@ !@# !@#$ !@#$% !@#$%^ !@#$%^" !@#$%^& !@#$%^&* !@#$%^&*( !@#$%^&*()))()(*)(*&)(*&^)(*&^%)(*&^%$)(*&^%$#)(*&^%$#@)(*&^%$#@! @#$%^& * 0 0000 00000 000000 0000000 00000000 000000000 0007 007 007007 0246 0249 030876 0727 09 098 0987 09876 098765 0987654 09876543 098765432 0987654321 0o9i8u7y 0ok9ij 0plmnko9 1 10101010 1022 10sne1 11 111 1111 11111 111111 1111111 11111111 111111111 111111111111 112233 12 121212 1225 123 123123 12321 123321 1234 12345 123456 1234567 12345678 123456789 1234567890 12345678910 123456789\303 12345x 1234qwer 123abc 123go 123listen123 123listen321 123nuucp123 123nuucp321 123qwe 123root123 123www 1313 131313 13579 14430 1701d 1928 1951 19850828 1985this1is2not3my4real5password61985 1a2b3c 1a2b3c4d 1a2s3d4f 1p2o3i 1q2w3e 1q2w3e4r 1q2w3e4r5t 1qa2ws 1qa2ws3ed 1qaz2wsx 1qaz2wsx3edc 1qaz2wsx3edc4rfv 1qw23e 1qwe23 1sanjose 1tset 1z2x3c4v 2007 2008 21 2112 21122112 2222 22222 222222 2222222 22222222 222222222222 24021988 2514953 2borNOT2b 2welcome 2wsx3edc 31337 31338 321 321tset 33 333 3333 33333 333333 3333333 33333333 369 3edc4rfv5tgb 4321 4444 444444 4444444 44444444 4runner 5252 54321 5555 555555 5555555 55555555 5683 5tgb6yhn 5tgb6yhn#P 654321 654321tset 666666 6666666 66666666 666s1czfarginn 6969 7654321 777 7777 777777 7777777 77777777 7yhn 80486 8675309; 87654321 888888 8888888 88888888 90210 911 92072 987654321 999999 9999999 99999999 a a1s2d3 aaa aaaa aaaaaa aaliyah aaron123 abby abc abc123 abcd1234 abcde abcdef abcdefg abcdefgh abcdefghi abigail abys action ad adam adam123 adept adi adi123 adidas adine adine123 adm admi admin admin01 admin02 admin1 admin123 admin12345 admin2 adminadmin administrator administrator1 administrator123 adminlinux adminroot admins admissions adrian adrian123 aecpro aecpro123 agent ahmed ahmed123 aidan airhead ajith akihisa akino akira alan alaska albert albert123 alberto alex alex123 alexa alexander alexandra alexandru alexandru123 alexis alfred alfred1 alfred123 ali ali123 alias alice alice123 alin alin123 alka alka123 allan allan123 allen alliance allison almacen almacen123 alumni alumni1 alyssa amanda amanda1 amanda123 amavisd amber amelia america america1 americaonline ana andi andi123 andrea andreea andreea123 andrei andrei123 andres andres123 andrew andrew123 andy andy123 angel angel123 angela angela123 angie angie123 anita anita123 ann ann123 anna anna123 anonymous anonymous123 anthony anthony123 antivirus anton anton123 apache apache123 apple apple1 apple123 apples apples123 appowner appserver aqswde arbaiah arbaiah123 areyes areyes123 arianna armen aron aron123 arthur arthur123 asd asdf asdfdsggsg asdfgh asdfghjkl ashley ashley1 ashley123 ashlyn asia aslpls aslpls123 atena athena atria atsumi attack audio audrey austin austin123 autumn ava avery away axgt14ie azsxdcfv azuma b baba back backdoor backup backup123 backuppc bailey balykin bandit bandit1 bandit123 bandwitch bane banner barbara barbara123 bart bart123 base bash basic basket basketball bastard bathory bauer beach bear bear123 beast beavis beavis123 beginner beginner123 beliver bella ben ben123 benjamin beny beny123 bernard bernard123 bernd bert bert123 bessel best bhunjimkolp bill bill123 billy billy123 bin bind bind123 bird bird123 birth bisson bitch black black123 blast blink2112 blog blue bnc bob bob123 bobby bobby123 bogdan bogdan123 book boon boon123 boss bosto bostoaca bostocel bounce brandon break bret bret123 brett brian brian123 brianna britney brooke brooklyn bruce bruce123 bryan bryan123 bucharest build buster buster123 buton byte c caleb cameron canada cap carl carl123 carlos carly carmen carol carol123 caroline carshowguide carshowguide123 cassie cassie123 cause cdrom cecile cesar cesar123 cesar1234 cgi ch chad chandimal changeme charlott charlott123 chicago chicago123 chick china chipmast chipmast123 chloe chorist chris chris123 christmas christopher cicciabuatta1 cindy city cjohnson claire clamav clan clark clark123 classic claudia client client1 clinic clinton clinton123 clock clock123 closas coco cocolino code coder colin collins com commander compact company compas compile computer confussion connect connection connor control control123 cool copier core corinna corinna123 counter courier courtney cover cradle craig craig123 cream cristi cristi123 crying cstrike cuba cvs cvs123 cvsuser cvsuser1 cycle cyp cyp123 cyrus cyrus123 cyrusimap d daemon dakota dakota123 dan dan123 dana dana123 dance daniel daniel123 daniela daniela123 danielle dank danny danny123 dark darwin data date dave dave123 david david123 db db123 de dean deathfromromaniansecurityteamneversleepba debbie debian debug default delta demo denis der design desire desktop destiny dev dev123 devilsins dexter dexter123 diablo diane dick dick123 dima dimension dino dino1 dinosaur dinozaur director displays document doming doming123 domino doodz door dovecot down download dream dreamer dreamfish007 dreamweaver drink drunk duckie duckie123 dujoey dujoey123 dust dust123 dylan dylan123 dyndns e E5efEHW65 eadmin earl earl123 economist ed ed123 eddie eddie123 edgar edgar123 educational edward edward123 elena elena123 elisa elise eliza elizabeth elizabeth1 ella ellen ellen123 email emil emil123 emily eminem emma england english enterprise enzo enzo123 eppc eric eric123 erin ernie etc ethan ethereal ethereal123 eugen eugen123 europe eva eva123 ever execute exotic expert exploit export f fabio fabrice factoria fagaras faith falcon faridah faridah123 farrell father fauzi fauzi123 FD6d95oE fedora feel felix felix123 fester festival fff fft_dbkbb_020103 fifa file files filip filip123 finder finish firebird firefox first fish flood floppy flower flower123 fly flyer football formula found four foxythekid france francis francis123 francois francois123 frank frank123 franklin franklin123 freak fred fred123 free freeze frei friday friends friends123 ftp ftphome ftphome123 ftpuser future fv11r01rc3@l g gabi gabi123 gabriella gabrielle game gamer games gary gary123 gast gast1 gast123 gemma gemma123 generalmanager genoveva gentelman george george123 germany gerry gforce ghost gigi ginger ginger123 girl girl123 girlfriend gjrhjd global gnats gnitset godlike godzilla godzilla123 Goethe6750 gold gotit governemnt grace gracie gt05 guest guest1 guest10 guest123 guest1234 guest2 guest2123 guest3 guest4 guest5 guest6 guest7 guest8 guest9 guestaccount guinness guinness123 gwen gwen123 h hack hack123 hackbox hacker hacker123 hacking hackteam hailey halflife half-life halflife2 hallo halloween halt hammer hammer123 hamster hankkim hannah hans hard hardcore harddisk hardrock harley harley123 harris harris123 harry harry123 harvey hatton hatton123 hell hello help helpme hera hera123 hermes hidden hill2700 hiperg hiperg123 hiphop hole home homework hood host hostname hotmail http HTTP http123 httpd httpd123 huang huercal hugues hyper i I7IVCOivaV ian ian123 id ident identd iesse123 ifeelgood iloveyou im image india infinit info info123 informix install instrume instrume123 inter internet internet123 inuxrulz invite ioana ioana123 ionut ionut123 iraf irc ircop iresha isabella isabelle isabelle123 ismail ismail123 it its iwantyou j jabber jack jack123 jackass jackson jacob jada JagGolUie-720 james james123 japan jasmine jason jatema javi jayden jboss jdhk je jean jeff jeff123 jeffrey jeffrey123 jenna jennan jerry jerry123 jesse jessica jillian jim jim123 jimmy jimmy123 jking jking123 jnanchito joanna joanna123 joeflores joeflores123 joerg joerg123 john john123 johny johny123 jonathan jordan Jordan jordan1 jordan123 joseph josh joshua joshua123 jrimla5225 juan judith julia jun junior junior1 jupiter jupiter123 justin justin123 k kaitlyn kaptain karika karika123 karl karl123 kate katherine katie kay kay123 kayla kayla123 kaylee kelly ken ken123 kendall kennedy kermit kevin kevin123 kiddie kill killer kim kim123 kitty kjayroe kjayroe123 klog knoppix koala kor kristen kristen123 kristin kristin123 kx028897chebeuname+a kyle kylie l L0f4sz l7q1smpp lab lady lahiru language larry larry123 last laura1981 lauren laurent laurentiu laurentiu123 lazarus ldap leah lebedev lee lee123 letmein level library lick lillian lily linda lindows lindsey linkinpark linrex413 linux linux123 linuxtest linuxtester linuxtester2 lisa lisa123 list listen listen0 listen01 listen02 listen1 listen10 listen12 listen123 listen1234 listen12345 listen123456 listen2 listen21 listen3 listen321 listen4 listen4321 listen5 listen54321 listen654321 listen9 listenistrator listenlisten listens liz liz1 liz123 lkjhgfdsa lloyd lloyd123 local localhost logan login logon longman lost louise louise1 lover loveyou lp lsdfjafaf luc ludovic lyn m mackenzie macos madeline madhuri madison madison123 mafutincur magazine maggie magic magic123 magician mail mail123 mailman makayla malika mama manager manchester mandrake manifest marcus maria maria123 marie mario mario123 marissa mark mark123 markus martin martin1 martin123 martinez martinez123 marvin marvin123 mary maryse maryse1 master master123 math matilda matilda123 matt matt123 matt2006 matt2007 matthew matthew123 maurice maurice123 max max123 maxim may maya mckenna media megabyte megan metal mia mia123 mice michael michael12 michael123 michaels michal michel michele michey123 mickey miguel mihai mihai123 mike mike123 mike20 miller miller123 mirc mirc123 mnbvcxz molly molly123 mom mom123 mona monica monica123 monique monique123 monitor month moon moon123 morgan mortimer mortimer123 mother mouse mouse123 movie movies mozilla mri mri123 muffin muhahaha muiemare murphy murray mustang mustang123 myra myra123 mysql mysql123 n nadia nagios nagios1 name named namenuucp nasa NASA natalie nathan nathan123 nba2005 neetha negotino negotino1 negotino2 neptune net netadmin netadmin123 netware network nevada neverland new news news123 newsletter newsroom newyork next nicholas nick nick1 nickelan nicole nicole123 nigga night nighwish nimda noah nobody nobody123 noise nokia nologin notepad notused notused123 novice nowone nuke nuklear numb nuucp nuucp0 nuucp01 nuucp02 nuucp1 nuucp10 nuucp12 nuucp123 nuucp1234 nuucp12345 nuucp123456 nuucp2 nuucp21 nuucp3 nuucp321 nuucp4 nuucp4321 nuucp5 nuucp54321 nuucp654321 nuucp9 nuucpistrator nuucpnuucp nuucps nuucpx o o2 o2123 o9q1w2e3i8u7 office olga1234 oliver olivia openssh opera operator oracle oracle1 oracle123 oracle1234 oracle9i oracleoracle orange orange123 oscar owner ozzy p pa55w0rd pa55word paige paintball paintball1 paintball123 pamela paradise park parola parolanoua party pascal pascal123 pass pass1 pass12 pass123 pass1234 passw0rd passwd password password1 password12 password123 password1234 passwordx past patricia patrick patrick123 paul paul123 pa$$word paypal peewee peewee123 penelopa penelope penelope123 people perfect personal pete pete123 peter peter123 petru petru123 peyton pgsql pgsql123 pheonix phil phil123 philip philip123 photo physics pico pink place plant plasma player playstation plutonium pm7khapd poczta poiuytrewq polamea poor pop porno porno123 postfix postgres postgres1234 postmaster power present princess princess123 production program project project1 protocol p@ssw0rd p@ssword psycho pub public pulamea punish9899 purple purple123 putty Pwnh6SJCFxn1 q q1w2e3 q1w2e3r4 q1w2e3r4t5y6 q2w3e4r5 qawsed qaz qazwsxedc qazwsxedcrfvtgbyhnum qpoeiruty qpwoeiruty qsxesz qtss quincy quincy123 qwe qwe123 qwer1234 qwert qwerty qwerty123 qwertyuiop r r00t r0ot rabbit rachel radiation radio raider randi ranjith rase rasika raul reagan rebecca reboot reborn recruit redalert reddog redhat redlight register rehash relay release reload remember remote replace replay research resin restart restore resu retea retset revenge revenger revision rexmen $rfmngr$ rich richard richard123 riley ro0t rob rob123 robby robert robert123 roberta rock rock123 roland roland123 rolo rolo123 romania ron123 ronald ronald123 rooot root root! root!@# root!@#$ root# rOOt root1 root12 root123 root1234 root12345 root123456 root1234567 root12345678 root123456789 root2000 rootabc rootadmin rootlisten rootnuucp rootpass rootroot rootrootroot rootuser rosa rosa123 rose rosemarie router rpm r@@t rtorres russ russ123 russia rustic rusty ryan s sadness safetp sakura sales samantha samba samba123 same samir samir123 sammy sammy123 samuel samuel123 sandra sandra123 sara sarah sarah123 sasha satan saturday saturn savafr3kingat savannah save save123 sbear scan scan123 scanner scar scary school scipter scorpion scorpion123 scricideea script sean sean123 search secret secure security securityagent semenov semenov123 senaka send sending seoulselection seoulselection123 serge server server1 service sexy sgi shadow sham sham123 shark sharon shaun shaun123 shelby shell shell123 shelton shop shop123 shuri shutdown sid sierra signalhill signalhill123 silver simion simon simon123 sirsi sixsixsix skkb skkb123 sky skylar slackware slayer sll sll123 slow sm sm123 sme sme123 smmsp Snake sniper snoopy snoopy1 snoopy123 sobysoricelu soft soigan soleil soniq sonny sonny123 sophia sophie soporte sorry sound spam spam123 spamd spider spider123 spiderman SpiderMan spike spike123 sponsor squid srlre+pbgf ssh ssh22 sshd sshd123 staff stage start startup starwars state states States stats status stella stephanie stephanie123 stephen stephen123 steve steve123 stevem steven steven123 stevie stop strange strech stud student students style summer summer2 sun123 sunday sunny sunos super superguy superman superman123 superroot support123 susan sven sven123 svn swdefr swsoft sya sya123 sybase sybase123 sydney sylvia sylvia123 sync sysadmin sysguest syslisten sysmail sysnuucp sysroot system system123 systest sysuser t tads tads123 tads123456 taiwan takada tara tara123 taskbar taylor team ted telnet telnetd temp temp1 temp123 temporal terminator terry test test1 test10 test11 test12 test123 test1234 test12345 test123456 test2 test3 test321 test4 test5 test6 test654321 test7 test8 test9 teste tester tester1 tester12 tester123 tester1234 testing testing1 testing12 testing123 testing1234 tests testtest testuser thaiset thaiset123 the1 thebest theo theo123 therion thomas thomas123 tigger tigger123 tim tim123 tino tino123 tip tip123 tmp tmp123 tneduts tokend tom tom123 tomas tomcat tomcat123 tomcat123456 tomcat5 tone tony tony123 toor toto tracker trambuline transfer trapper trash trash123 trinity trojan ts tset tseug tweety tweety123 tyler u ubuntu ueda ukJ33W_QoO ultra ultra123 united unix unixbitch unknown update updates uptime user user123 username userroot users uucp v valentin valentin123 valerie valerie123 vanesa123 Vanessa vdi vdi123 ven0m venom venom123 ventas ventas123 vermont vermont123 vic vicky vicky123 victoria video video1 vincent viorel viorel123 viper viper123 virginia virginia123 virus visitor vivek vmware vnc vwalker w3lc0m3 waine walker walking walter walter123 wang wang123 wanker wanker123 web web123 webadmin webcam webmaster webmaster123 webpop webpop123 wei welcome welcome1 white white123 wick wicked wilkins will will123 william williamsburg williamson willie willie123 win win123 winamp windows windowserver winrar wish witch wolfgang work workshop wrestling write wsx wsxedcrfvtgb www www1 www123 wwwdata www-data wwwdata123 wwwrun x x12345 x1x2x3 xbox xgridagent xgridcontroller xqks lej xsw xtra xtra123 xxx xxx1 xxx123 xxxx xxxxx xxxxxx xxxxxxx y yahoo yankees year yellow YgqxUVOkly you yPWM5LHGAh z zachary zaq zdxfcgvh zena zena123 zero zidane zimbra zoe zoro zsexdrcft zxcvbnm

2008-05-23

記錄到的一次SSH暴力式嘗試入侵紀錄

在2008-5-23下午突然想做個試驗,把一台虛擬機(VM)掛上public IP,然後把ssh-server的port TCP/22對外開起來,看看經過多久會有人來TRY.
(個人習慣系統裝完我會把SSH的 TCP/22改掉,改成很後面的PORT,如果有人要掃port就讓他慢慢掃)
結果不到6小時就逮到一個嘗試入侵的IP了
記錄到的LOG如下
May 23 19:52:06 __ sshd[3515]: Did not receive identification string from 59.125.163.62
19:52:06第一個封包來測試TCP/22是否開啟
May 23 20:12:36 __ sshd[3521]: User root from 59-125-163-62.hinet-ip.hinet.net not allowed because not listed in AllowUsers
May 23 20:12:36 __ sshd[3521]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59-125-163-62.hinet-ip.hinet.net user=root
May 23 20:12:38 __ sshd[3521]: Failed password for invalid user root from 59.125.163.62 port 33779 ssh2
接下來 20:12:36開始用root帳號try密碼,try了120次.
之後又用其他帳號來try了244次,一直到20:38:52才結束整個嘗試密碼的行為
整個嘗試帳號的統計如下
root 120次 lady 4次 anca 2次 dana 2次 personal 2次 radu 2次
剩下都是一次的帳號
abc ace adela adi adrian adv alex alexandru alias alina amar ambulator ancutza andrew annuaire anonymous antica arthur atb aurelia avenues awstats axente beleaua bogdan bremar bula calcul calin callhome cdvonline cerasela chimi chuck cimpeanu ciprian claudia claudiu claudius cncp contabil contat contempo corbus cosinus courier cris crisan cristi cristina cs dan daniel daniela danutza darkman dascalu david diabet dispecer dnp doina doomi dorin dorina drweb duane echopedi eddie emuleon eric erin ernest eugen eva exim fabrice farmacia felix filter fish florin fluffy folkert foobar fotograf garda gold gratiela greg guma haitac healer horia hostmaster httpd ina ionita ionut ionutz Ionutz ircd isabel iuli iulian iuly java jeffrey jeni jubar jurca juridic kent klaus laura lauren lead leu liana lili lorant loredana loverd lucia lucky mada mari maria marius mark master mckey medie medina Melk mia miha mihai moderna moised monika monique mysql nelu nick nico nicoara nicu norby notorius nucleara numis officeinn oprea oracle ovidiu palex passwd paul preist promo public quake raducu raul razvan revista richer robert rodica rodney romeo roxi ryan saito samba sanda sanderson sarolta sasha sauv save seba sebestyen secretar seongjin shadow simina sin skid slayer sly sorin spik sport squirrelmail staff statistica stefan styx sun support susan taz tehnolog telegest temp teo testguy tina tomcat toor tordai toto town trash trigger tuningar vasi victor water webadmin webmasters webrun webster whitecanyon wolf x xman yarul zako zemba

(可惜沒去修改sshd來記錄他嚐試過的密碼,哪天再來改sshd的code來玩玩好了)

用NMAP來掃了一下 59.125.163.62這台機器,
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
554/tcp open rtsp
904/tcp open unknown =>VMware Authentication Daemon
5901/tcp open vnc-1
10000/tcp open snet-sensor-mgmt =>WEBMIN =_=
看來沒作啥特別防護....=_=

# telnet 59.125.163.62 904
Trying 59.125.163.62...
Connected to 59.125.163.62.
Escape character is '^]'.
220 VMware Authentication Daemon Version 1.10: SSL Required, MKSDisplayProtocol:VNC

TELNET他的TCP/80看到

Apache/2.2.3 (Fedora) Server at www.m■■■■e.net Port 80
站點馬賽克處裡..

嘿..原來是架在Fedora上面的機器,還有提供服務啊,GOOGLE了一下看起來像是提供WAP/PDA的一些資訊服務吧.

原則上比較傾向認定那台機器也是受害者吧..

後記:剛KEY完這篇不到半小時,結果又有另兩台機器來TRY了,分別是 83.145.82.134 & 90.183.8.146,行為模式也與上面寫的相同,
看來這種亂槍打鳥掃SSH PORT的機器不少,頻率也頗高....剛開半天就來3次

結論: 機器架起來該做的防護還是要做,不該對外開的服務就盡量關掉或擋掉,ssh port能改就改..三不五時還得要關心一下機器有沒異狀..