[Tecnica] brute-force attack

Freeze NorthPole freeze a siena.linux.it
Thu 11 Oct 2012 09:45:38 BST


Erm, how to put it: I've just discovered that the IP (78.46.229.107) is MINE.
I'm shutting it down now, before half the world hammers me,
and then, with your help, I'll clean everything up.


On Thu, Oct 11, 2012 at 10:38 AM, Freeze NorthPole
<freeze a siena.linux.it> wrote:
> Well, for the moment they've blacklisted it, so for a few hours I have some "peace".
> I'm changing the root password right away so as to make it "stronger",
> but for the other operational steps I'm relying on you and on good old Google :)
>
> On Thu, Oct 11, 2012 at 10:35 AM, Marcello Semboli <dinogen a gmail.com> wrote:
>> Someone is trying to guess the root password, and those of other users, via ssh.
>> They make one attempt every three seconds; the time that passes
>> between one failed login attempt and the next can be increased.
>>
>> However (I admit my ignorance), I don't understand all those ports.
>> Doesn't a service listen on a single port?
>> Here it seems to answer on every port they try...
>>
>>
>> 2012/10/11 Freeze NorthPole <freeze782 a gmail.com>:
>>> Sorry, you're right.
>>> I hadn't noticed anything; I only received this email:
>>>
>>>
>>> ---mail ---
>>> You are receiving this email as our automated intrusion detection has
>>> picked up information below that leads us to believe an IP address in
>>> your netblock is attempting to infiltrate our server. Its IP is:
>>> 86.109.160.33.
>>>
>>>  Due to this behaviour we have automatically put an IP block in place
>>> prohibiting all traffic from that address. If you feel this is in
>>> error then please reply to this email and we will look into it in due
>>> course.
>>>
>>> Regards,
>>>
>>> TusProfesionales Support
>>>
>>> The current machine timezone is recorded as CET +1
>>>
>>>
>>> Oct 10 20:55:10 correo sshd[1520]: Failed password for root from
>>> 78.46.229.107 port 59234 ssh2
>>> Oct 10 20:55:13 correo sshd[1817]: Failed password for root from
>>> 78.46.229.107 port 59581 ssh2
>>> Oct 10 20:55:15 correo sshd[2179]: Failed password for root from
>>> 78.46.229.107 port 59921 ssh2
>>> Oct 10 20:55:18 correo sshd[2362]: Failed password for root from
>>> 78.46.229.107 port 60266 ssh2
>>> Oct 10 20:55:21 correo sshd[2422]: Failed password for root from
>>> 78.46.229.107 port 60588 ssh2
>>> Oct 10 20:55:23 correo sshd[2480]: Failed password for root from
>>> 78.46.229.107 port 60902 ssh2
>>> Oct 10 20:55:26 correo sshd[2562]: Failed password for root from
>>> 78.46.229.107 port 32975 ssh2
>>> Oct 10 20:55:29 correo sshd[2608]: Failed password for root from
>>> 78.46.229.107 port 33281 ssh2
>>> Oct 10 20:55:32 correo sshd[2632]: Failed password for root from
>>> 78.46.229.107 port 33605 ssh2
>>> Oct 10 20:55:35 correo sshd[2636]: Failed password for root from
>>> 78.46.229.107 port 33913 ssh2
>>> Oct 10 20:55:38 correo sshd[2638]: Failed password for root from
>>> 78.46.229.107 port 34369 ssh2
>>> Oct 10 20:55:41 correo sshd[2640]: Failed password for root from
>>> 78.46.229.107 port 34670 ssh2
>>> Oct 10 20:55:44 correo sshd[2644]: Failed password for root from
>>> 78.46.229.107 port 34984 ssh2
>>> Oct 10 20:55:44 correo sshd[2651]: Invalid user oracle from 78.46.229.107
>>> Oct 10 20:55:46 correo sshd[2651]: Failed password for invalid user
>>> oracle from 78.46.229.107 port 35305 ssh2
>>> Oct 10 20:55:47 correo sshd[2659]: Invalid user test from 78.46.229.107
>>> Oct 10 20:55:49 correo sshd[2659]: Failed password for invalid user
>>> test from 78.46.229.107 port 35637 ssh2
>>> Oct 10 20:55:52 correo sshd[2668]: Failed password for root from
>>> 78.46.229.107 port 35943 ssh2
>>> Oct 10 20:55:54 correo sshd[2689]: Failed password for root from
>>> 78.46.229.107 port 36265 ssh2
>>> Oct 10 20:55:57 correo sshd[2697]: Failed password for root from
>>> 78.46.229.107 port 36583 ssh2
>>> Oct 10 20:56:00 correo sshd[2700]: Failed password for root from
>>> 78.46.229.107 port 36892 ssh2
>>> Oct 10 20:56:03 correo sshd[2702]: Failed password for root from
>>> 78.46.229.107 port 37204 ssh2
>>> Oct 10 20:56:05 correo sshd[2704]: Failed password for root from
>>> 78.46.229.107 port 37500 ssh2
>>> Oct 10 20:56:06 correo sshd[2706]: Invalid user teamspeak from 78.46.229.107
>>> Oct 10 20:56:08 correo sshd[2706]: Failed password for invalid user
>>> teamspeak from 78.46.229.107 port 37800 ssh2
>>> Oct 10 20:56:08 correo sshd[2709]: Invalid user teamspeak from 78.46.229.107
>>> Oct 10 20:56:11 correo sshd[2709]: Failed password for invalid user
>>> teamspeak from 78.46.229.107 port 38113 ssh2
>>> Oct 10 20:56:11 correo sshd[2712]: Invalid user nagios from 78.46.229.107
>>> Oct 10 20:56:13 correo sshd[2712]: Failed password for invalid user
>>> nagios from 78.46.229.107 port 38414 ssh2
>>> Oct 10 20:56:14 correo sshd[2715]: Invalid user postgres from 78.46.229.107
>>> Oct 10 20:56:16 correo sshd[2715]: Failed password for invalid user
>>> postgres from 78.46.229.107 port 38713 ssh2
>>> Oct 10 20:56:19 correo sshd[2717]: Failed password for root from
>>> 78.46.229.107 port 39030 ssh2
>>> Oct 10 20:56:22 correo sshd[2719]: Failed password for root from
>>> 78.46.229.107 port 39342 ssh2
>>> Oct 10 20:56:24 correo sshd[2721]: Failed password for root from
>>> 78.46.229.107 port 39647 ssh2
>>> Oct 10 20:56:27 correo sshd[2723]: Failed password for root from
>>> 78.46.229.107 port 39962 ssh2
>>> Oct 10 20:56:30 correo sshd[2727]: Failed password for root from
>>> 78.46.229.107 port 40261 ssh2
>>> Oct 10 20:56:32 correo sshd[2729]: Failed password for root from
>>> 78.46.229.107 port 40567 ssh2
>>> Oct 10 20:56:35 correo sshd[2731]: Failed password for root from
>>> 78.46.229.107 port 40868 ssh2
>>> Oct 10 20:56:39 correo sshd[2734]: Failed password for root from
>>> 78.46.229.107 port 41180 ssh2
>>> Oct 10 20:56:42 correo sshd[2736]: Failed password for root from
>>> 78.46.229.107 port 41596 ssh2
>>> Oct 10 20:56:44 correo sshd[2740]: Failed password for root from
>>> 78.46.229.107 port 41902 ssh2
>>> Oct 10 20:56:47 correo sshd[2742]: Failed password for root from
>>> 78.46.229.107 port 42205 ssh2
>>> Oct 10 20:56:50 correo sshd[2744]: Failed password for root from
>>> 78.46.229.107 port 42523 ssh2
>>> Oct 10 20:56:52 correo sshd[2746]: Failed password for root from
>>> 78.46.229.107 port 42840 ssh2
>>> Oct 10 20:56:55 correo sshd[2748]: Failed password for root from
>>> 78.46.229.107 port 43137 ssh2
>>> Oct 10 20:56:58 correo sshd[2750]: Failed password for root from
>>> 78.46.229.107 port 43454 ssh2
>>> Oct 10 20:57:01 correo sshd[2753]: Failed password for root from
>>> 78.46.229.107 port 43762 ssh2
>>> Oct 10 20:57:03 correo sshd[2755]: Failed password for root from
>>> 78.46.229.107 port 44064 ssh2
>>> Oct 10 20:57:06 correo sshd[2757]: Failed password for root from
>>> 78.46.229.107 port 44363 ssh2
>>> Oct 10 20:57:09 correo sshd[2759]: Failed password for root from
>>> 78.46.229.107 port 44684 ssh2
>>> Oct 10 20:57:11 correo sshd[2761]: Failed password for root from
>>> 78.46.229.107 port 45015 ssh2
>>> Oct 10 20:57:16 correo sshd[2763]: Failed password for root from
>>> 78.46.229.107 port 45345 ssh2
>>> Oct 10 20:57:19 correo sshd[2766]: Failed password for root from
>>> 78.46.229.107 port 45932 ssh2
>>> Oct 10 20:57:22 correo sshd[2768]: Failed password for root from
>>> 78.46.229.107 port 46258 ssh2
>>> Oct 10 20:57:25 correo sshd[2770]: Failed password for root from
>>> 78.46.229.107 port 46581 ssh2
>>> Oct 10 20:57:27 correo sshd[2772]: Failed password for root from
>>> 78.46.229.107 port 46907 ssh2
>>> Oct 10 20:57:30 correo sshd[2776]: Failed password for root from
>>> 78.46.229.107 port 47253 ssh2
>>> Oct 10 20:57:33 correo sshd[2779]: Failed password for root from
>>> 78.46.229.107 port 47587 ssh2
>>> Oct 10 20:57:36 correo sshd[2781]: Failed password for root from
>>> 78.46.229.107 port 47946 ssh2
>>> Oct 10 20:57:38 correo sshd[2783]: Failed password for root from
>>> 78.46.229.107 port 48260 ssh2
>>> Oct 10 20:57:41 correo sshd[2785]: Failed password for root from
>>> 78.46.229.107 port 48587 ssh2
>>> Oct 10 20:57:44 correo sshd[2787]: Failed password for root from
>>> 78.46.229.107 port 48928 ssh2
>>> Oct 10 20:57:47 correo sshd[2791]: Failed password for root from
>>> 78.46.229.107 port 49270 ssh2
>>> Oct 10 20:57:49 correo sshd[2793]: Failed password for root from
>>> 78.46.229.107 port 49600 ssh2
>>>
>>> 2012/10/11 Paolo Sammicheli <xdatap1 a siena.linux.it>:
>>>> On 11/10/2012 09:58, Freeze NorthPole wrote:
>>>>
>>>>> Hi everyone,
>>>>> just a few days ago I was asking you how to protect the server, and today
>>>>> I've been notified of an attempted brute-force attack, and the provider is asking me:
>>>>> - how it could have happened
>>>>> - what measures to adopt to prevent it from happening again,
>>>>
>>>>
>>>> Some more information, perhaps. On which port/protocol? What
>>>> happened, did they get in? What problems did you run into? Was there a DoS?
>>>>
>>>> Cheers
>>>> --
>>>> Paolo Sammicheli
>>>> Email: xdatap1(at)siena.linux.it
>>>> Slug - Siena Linux User Group | http://www.siena.linux.it
>>>> - Do what you like. Like what you do -
>>>> _______________________________________________
>>>> Tecnica mailing list
>>>> Tecnica a liste.siena.linux.it
>>>> http://liste.siena.linux.it/cgi-bin/mailman/listinfo/tecnica
>>
>>
>>
>> --
>> ____________________________
>> Marcello Semboli
>> http://dinogen.hacknight.org/
>>
>> "I don't double-click." (Davide Bianchi)
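As an added example, not part of the thread or of any tool it mentions: a small parser that does mechanically what Marcello's reply describes by eye, counting failed sshd logins per source address and measuring the interval between attempts, with fail2ban's maxretry/findtime rule as the threshold. It also answers the question about the ports: the port in each line is the client's ephemeral source port, not a port the server listens on. The sample lines are constructed in the same format as the quoted log, with documentation addresses in place of the incident's.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches both line shapes in the quoted log ("for root" and "for invalid user
# oracle"). "port" is the client's source port; sshd listens only on its own.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2$")

def parse_failures(lines, year=2012):
    """Yield (timestamp, user, ip, port) per 'Failed password' line; syslog
    lines carry no year, so the caller supplies one."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"], int(m["port"])

def summarize(lines, maxretry=5, findtime=600):
    """Per source IP: failures, users tried, distinct source ports, mean gap in
    seconds, and whether maxretry failures fall within findtime seconds."""
    by_ip = defaultdict(list)
    for ts, user, ip, port in parse_failures(lines):
        by_ip[ip].append((ts, user, port))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [ts for ts, _, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        burst = any((times[i + maxretry - 1] - times[i]).total_seconds() <= findtime
                    for i in range(len(times) - maxretry + 1))
        report[ip] = {"failures": len(events), "brute_force": burst,
                      "users": sorted({u for _, u, _ in events}),
                      "ports": len({p for _, _, p in events}),
                      "mean_gap_s": round(sum(gaps) / len(gaps), 1) if gaps else None}
    return report

# Constructed sample in the thread's log format (RFC 5737 documentation
# addresses); the last two lines are a benign typo followed by a login.
SAMPLE_LOG = """\
Oct 10 20:55:10 correo sshd[1520]: Failed password for root from 192.0.2.10 port 59234 ssh2
Oct 10 20:55:13 correo sshd[1817]: Failed password for root from 192.0.2.10 port 59581 ssh2
Oct 10 20:55:16 correo sshd[2179]: Failed password for root from 192.0.2.10 port 59921 ssh2
Oct 10 20:55:19 correo sshd[2651]: Failed password for invalid user oracle from 192.0.2.10 port 35305 ssh2
Oct 10 20:55:22 correo sshd[2659]: Failed password for invalid user test from 192.0.2.10 port 35637 ssh2
Oct 10 21:30:00 correo sshd[3001]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct 10 21:30:09 correo sshd[3002]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
""".splitlines()
```

Run it over a real auth log by passing `open("/var/log/auth.log")` instead of `SAMPLE_LOG`; entries flagged `brute_force` are the ones a fail2ban jail with the same maxretry/findtime would ban.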

