Gentoo Archives: gentoo-security

From: Chris Ripp <chris@××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] new ssh worm?
Date: Wed, 28 Jul 2004 03:39:14
Message-Id: 1090985933.31787.39.camel@vulcan.ripp.lan
In Reply to: Re: [gentoo-security] new ssh worm? by Brian Downey
Check your mail servers' logs too... not sure if it's related, but there
were entries (not included) from an attempt at user 'guest'. The 'asdf'
seems to be new, suppose they're somehow connected? (The ssh attacks
lead to a compromised mail relay?) Or is this just a common attempt at
finding an already open/compromised relay?

From auth.log

Jul 27 09:27:18 <machine> saslauthd[13176]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 27 09:27:23 <machine> saslauthd[13177]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 27 09:27:28 <machine> saslauthd[13173]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
.
.
.
Jul 27 09:28:44 <machine> smtp(pam_unix)[13174]: check pass; user unknown
Jul 27 09:28:44 <machine> smtp(pam_unix)[13174]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jul 27 09:28:47 <machine> saslauthd[13174]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jul 27 09:28:47 <machine> saslauthd[13174]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 27 09:28:52 <machine> smtp(pam_unix)[13176]: check pass; user unknown
.
.
.

The corresponding entries in mail.log:

Jul 27 09:27:23 <machine> postfix/smtpd[7547]: warning: unknown[222.183.141.122]: SASL LOGIN authentication failed
Jul 27 09:27:28 <machine> postfix/smtpd[7547]: warning: unknown[222.183.141.122]: SASL LOGIN authentication failed
.
.
.
Jul 27 09:27:30 <machine> postfix/smtpd[7547]: warning: unknown[222.183.141.122]: SASL LOGIN authentication failed
Jul 27 09:28:55 <machine> postfix/smtpd[7547]: warning: unknown[222.183.141.122]: SASL LOGIN authentication failed

From a whois on the IP: (surprise, surprise)

inetnum: 222.176.0.0 - 222.183.255.255
netname: CHINANET-CQ
descr: CHINANET Chongqing province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CQ235-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-CQ
mnt-routes: MAINT-CHINANET-CQ
changed: hm-changed@×××××.net 20040203
remarks: This object can only be changed by APNIC Hostmaster
status: ALLOCATED PORTABLE
source: APNIC

role: CHINANET CQ
address: The mainstreet 3 daping ,chongqing data communication bureau
country: CN
phone: +862368614888
fax-no: +862368602314
e-mail: abuse@××××××.cn
trouble: send spam reports to abuse@××××××.cn
trouble: and abuse reports to abuse@××××××.cn
admin-c: ZL235-AP
tech-c: ZL235-AP
nic-hdl: CQ235-AP
remarks: http://www.cta.cq.cn
notify: abuse@××××××.cn
mnt-by: MAINT-CHINANET-CQ
changed: abuse@××××××.cn 20030917
source: APNIC

person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-58501144
e-mail: hostmaster@××××××××××××××.net
e-mail: anti-spam@××××××××××××××.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster@××××××××××××××.net 20021016
remarks: hostmaster is not for spam complaint,please send spam complaint to anti-spam@××××××××××××××.net
source: APNIC

106
--
===================================
Chris Ripp <chris@××××××××.com>
Ripp Technical Services
Web Design and Hosting
http://ripptech.com/



--
gentoo-security@g.o mailing list
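An added example, not part of the post or the gentoo-security list, that does the join the two quoted logs leave to the reader: saslauthd records the attempted user name but no client address, postfix/smtpd records the client address but no user name, so the only link between them is the timestamp. The sample lines are constructed in the formats shown above; the host name `mx`, the `192.0.2.10` client and the `guest` attempt at 09:28:47 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the saslauthd / postfix formats quoted in the post.
AUTH_LOG = """\
Jul 27 09:27:18 mx saslauthd[13176]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 27 09:27:23 mx saslauthd[13177]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 27 09:27:28 mx saslauthd[13173]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 27 09:28:47 mx saslauthd[13174]: do_auth : auth failure: [user=guest] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""
MAIL_LOG = """\
Jul 27 09:27:23 mx postfix/smtpd[7547]: warning: unknown[222.183.141.122]: SASL LOGIN authentication failed
Jul 27 09:27:28 mx postfix/smtpd[7547]: warning: unknown[222.183.141.122]: SASL LOGIN authentication failed
Jul 27 09:28:47 mx postfix/smtpd[7547]: warning: unknown[222.183.141.122]: SASL LOGIN authentication failed
Jul 27 09:31:02 mx postfix/smtpd[7601]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
# saslauthd knows the attempted user name but not the client; smtpd knows the client but not the user.
SASL_RE = re.compile(TS + r" \S+ saslauthd\[\d+\]: do_auth : auth failure: \[user=(?P<user>[^\]]*)\]")
SMTPD_RE = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")


def parse_ts(text):
    # syslog timestamps carry no year; the default year 1900 is fine for same-day differences
    return datetime.strptime(text, "%b %d %H:%M:%S")


def summarize(auth_log, mail_log, window=2):
    """Per client IP: number of SASL failures and the user names saslauthd rejected
    within `window` seconds of each failure (the join neither log gives on its own)."""
    sasl = [(parse_ts(m["ts"]), m["user"]) for m in map(SASL_RE.match, auth_log.splitlines()) if m]
    report = defaultdict(lambda: {"failures": 0, "users": set()})
    for m in filter(None, map(SMTPD_RE.match, mail_log.splitlines())):
        ts = parse_ts(m["ts"])
        entry = report[m["ip"]]
        entry["failures"] += 1
        entry["users"].update(u for sts, u in sasl if abs((sts - ts).total_seconds()) <= window)
    return {ip: {"failures": e["failures"], "users": sorted(e["users"])} for ip, e in report.items()}


def flagged(summary, threshold=3):
    """Client IPs whose failure count reaches the threshold: candidates for a block or an abuse report."""
    return sorted(ip for ip, e in summary.items() if e["failures"] >= threshold)


if __name__ == "__main__":
    result = summarize(AUTH_LOG, MAIL_LOG)
    for ip, e in result.items():
        print(ip, e)
    print("flagged:", flagged(result))
```

The window has to stay small: saslauthd and smtpd log the same failure within a second or two, and a wider window starts attributing one client's user names to another.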