Shell Person Help me keep the shell people alive.

10 Apr 10 (42 comments)

Hacked – SSH Bruteforce

This isn't much of a surprise, as the box had an incredibly simple root password. Here's some info:

This was a brute-force ssh attack. ssh root login was not disabled. Here are some of the early attempts before success:

cat /var/log/auth.log.1 | grep "Invalid user" | cut -d ':' -f 4 | sort | uniq | tail -n 25
Invalid user wilson from 64.124.102.44
Invalid user windows from 64.124.102.44
Invalid user worthy from 122.201.70.12
Invalid user www123 from 64.124.102.44
Invalid user www from 64.124.102.44
Invalid user www from 66.235.201.39
Invalid user www from 75.126.69.5
Invalid user wwwrun from 64.124.102.44
Invalid user xam from 64.124.102.44
Invalid user xbitchx from 64.124.102.44
Invalid user xchat from 64.124.102.44
Invalid user xfs123 from 64.124.102.44
Invalid user xfs from 64.124.102.44
Invalid user ydnah from 64.124.102.44
Invalid user yoshida123 from 64.124.102.44
Invalid user yoshida321 from 64.124.102.44
Invalid user yoshida from 64.124.102.44
Invalid user yssor from 64.124.102.44
Invalid user z1x2c3 from 64.124.102.44
Invalid user zabbix from 75.126.69.5
Invalid user zachary from 64.124.102.44
Invalid user zoe from 64.124.102.44
Invalid user zuperman from 64.124.102.44
Invalid user zxcvb from 64.124.102.44
Invalid user zxcvbn from 64.124.102.44

The full list is at the bottom of the post.
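
The grep pipeline above lists only the guessed account names. As an added example (not part of the original post), the sketch below groups failed attempts by source address and flags a password login that succeeds from a source that was just failing, which is the pattern this incident left in auth.log. The function names and the sample log lines are constructed for illustration, and the traditional syslog line layout is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the traditional syslog
# layout "Mon DD HH:MM:SS host sshd[pid]: message", so sshd is field 5.

# Constructed sample lines (documentation IP ranges; host "box" is made up).
sample_log() {
cat <<'EOF'
Apr  9 03:12:01 box sshd[2101]: Invalid user wilson from 203.0.113.7
Apr  9 03:12:03 box sshd[2101]: Failed password for invalid user wilson from 203.0.113.7 port 4121 ssh2
Apr  9 03:12:05 box sshd[2104]: Invalid user www from 203.0.113.7
Apr  9 03:12:07 box sshd[2104]: Failed password for invalid user www from 203.0.113.7 port 4125 ssh2
Apr  9 03:12:09 box sshd[2110]: Failed password for root from 203.0.113.7 port 4130 ssh2
Apr  9 03:12:11 box sshd[2112]: Invalid user zabbix from 198.51.100.9
Apr  9 03:14:40 box sshd[2150]: Accepted password for root from 203.0.113.7 port 4188 ssh2
Apr  9 08:00:02 box sshd[3001]: Accepted password for alice from 192.0.2.20 port 50122 ssh2
EOF
}

# ssh_bruteforce_report [MIN]  (hypothetical helper; reads log lines on stdin)
#   FAIL <ip> failed=<n> invalid_users=<m>  source with >= MIN failed passwords
#   ALERT <user> <ip> after=<n>             password login accepted from a source
#                                           that already had >= MIN failures
ssh_bruteforce_report() {
    awk -v min="${1:-3}" '
    # Use the LAST "from": user names are attacker-controlled and may contain
    # " from <address>" themselves, which would otherwise spoof the source.
    function from_idx(   i) {
        for (i = NF - 1; i > 5; i--) if ($i == "from") return i
        return 0
    }
    $5 !~ /^sshd\[[0-9]+\]:$/ { next }
    $6 == "Invalid" && $7 == "user" { if ((f = from_idx())) invalid[$(f + 1)]++ }
    $6 == "Failed" && $7 == "password" { if ((f = from_idx())) failed[$(f + 1)]++ }
    $6 == "Accepted" && $7 == "password" {
        if (!(f = from_idx())) next
        ip = $(f + 1)
        if ((ip in failed) && failed[ip] >= min + 0)
            print "ALERT " $(f - 1) " " ip " after=" failed[ip]
    }
    END {
        for (ip in failed)
            if (failed[ip] >= min + 0)
                print "FAIL " ip " failed=" failed[ip] " invalid_users=" (invalid[ip] + 0)
    }' | sort
}

sample_log | ssh_bruteforce_report 3
```

On a real host the same function can be fed a rotated log, for example `ssh_bruteforce_report 10 < /var/log/auth.log.1`.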

29 Apr 09 (1 comment)

ssh Shortcuts in Bash

(The above photo is "Good and Evil", by Abbie F (C) via Flickr).

This is the bash script I use to ssh into my fileserver (without having to type the whole IP address, etc). It works for simply logging in with ssh, or for sending a command only. If you want to send a series of commands, you'll need to separate each command with \; because a lone semicolon will be interpreted by the local shell as the end of the ssh command, and whatever follows it will run on the local machine. By escaping the semicolon, you send it through ssh as a regular character, so it keeps its typical role of separating commands only on the remote side. This method works for me, but I'd love to learn a better way if there is one.

I name the script something short and put it in my path.  I also use it in conjunction with password-less login.  I know it's not such a big deal to write out:
ssh user@ipaddress "command -arguments"
but it saves time if you're constantly ssh'ing to that machine.

Here it is in a more-legible format, that shouldn't be copied and pasted (because of the way WordPress changes quotation marks):

#!/bin/bash
SSH_ARGUMENTS=`while (($#)) ; do echo -n "$1 " ; shift ; done ; echo`
ssh administrator@192.168.0.202 "$SSH_ARGUMENTS"

And here it is in a way that's easier to copy and paste (but harder to read, in my opinion):

#!/bin/bash
SSH_ARGUMENTS=`while (($#)) ; do echo -n "$1 " ; shift ; done ; echo`
ssh administrator@192.168.0.202 "$SSH_ARGUMENTS"

Also, here's a slight variation that's useful if you have multiple machines with a sequential naming scheme, where you can specify the machine number:

#!/bin/bash
## for example:  comp 4 shutdown -r now
## note: in my setup, the username correlates with the computer's number
WORKSTATION_NUMBER=$1
shift
SSH_ARGUMENTS=`while (($#)) ; do echo -n "$1 " ; shift ; done ; echo`
## quote the target so the machine number always reaches ssh as a single word
ssh "$WORKSTATION_NUMBER@192.168.0.10$WORKSTATION_NUMBER" "$SSH_ARGUMENTS"

Edit:  I suppose anyone who knows anything about BASH would know that the entire SSH_ARGUMENTS line could be removed and the variable $SSH_ARGUMENTS replaced with $*

...every day learning a little bit more.
