Saturday, October 20, 2012

looks like someone's tool is a little broken

So got a bunch of emails today, via deny hosts. Lots of traffic at my ssh server. Running failed (there is an old version on the blog, I'll add the latest version below), I saw the typical automated attack mess. But one thing caught my eye. In the invalid user section.

Oct 20 18:56:52 from root
Oct 20 19:23:57 from root

Hmm... those don't conform to my normal search for that section.

Now all failed does, is goes through and parses my auth / secure log for matched failed instances. And here is what was in the log file.

Oct 20 18:56:52 $SERVER_NAME sshd[11347]: Failed password for invalid user root b0#pdl!PP from $ATTACK_IP port 55778 ssh2

Oct 20 19:23:57 $SERVER_NAME sshd[31205]: Failed password for invalid user root c from $ATTACK_IP port 42388 ssh2

From the lines in the logs. It looks like they sent the password as part of the user name. that or my system was being slow and their's faster.

The shell script "failed"

#! /bin/sh
# checks for /var/log/auth.log for login failures.
# version 0.2

# prints failed invalid users
echo "Failed Invalid User Attempts"
grep "Failed" /var/log/auth.log | grep -i 'invalid' | awk '{print $1,$2,$3,$13,$11}' | sort -u

echo ' '
#prints failed vailid users, except for me.
echo "Failed Valid User Attempts"
grep "Failed" /var/log/auth.log | grep -vi 'invalid' |  awk '{print $1,$2,$3,$11,$9}' | sort -u
echo ' '