Vladimir Kolesnikov. My name is Vladimir, I am a freelance programmer (PHP, Node.js, C/C++, Qt). I also do server administration and technical translation. I can't cross-stitch.
Aug 05 2011

This bodes ill…

Since this morning there has been noticeably increased hacker activity from Korean IP addresses.

Password-guessing attempts were observed from the following IP addresses:


Aug  5 02:33:49 sjinks sshd[14588]: Did not receive identification string from 220.73.5.10
Aug  5 02:33:49 sjinks sshd[14587]: Did not receive identification string from 220.73.5.10
Aug  5 02:33:49 sjinks sshd[14589]: Did not receive identification string from 220.73.5.10
Aug  5 02:33:49 sjinks sshd[14590]: Did not receive identification string from 220.73.5.10
Aug  5 02:33:49 sjinks sshd[14591]: Did not receive identification string from 220.73.5.10
Aug  5 02:33:57 sjinks sshd[14592]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.5.10  user=root
Aug  5 02:33:57 sjinks sshd[14597]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.5.10  user=root

Aug  5 03:18:40 sjinks sshd[25082]: Did not receive identification string from 59.29.157.41
Aug  5 03:18:40 sjinks sshd[25083]: Did not receive identification string from 59.29.157.41
Aug  5 03:18:41 sjinks sshd[25084]: Did not receive identification string from 59.29.157.41
Aug  5 03:18:41 sjinks sshd[25085]: Did not receive identification string from 59.29.157.41
Aug  5 03:18:41 sjinks sshd[25086]: Did not receive identification string from 59.29.157.41
Aug  5 03:18:49 sjinks sshd[25094]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.29.157.41  user=root
Aug  5 03:18:49 sjinks sshd[25091]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.29.157.41  user=root

Aug  5 03:18:56 sjinks sshd[25111]: Did not receive identification string from 221.153.60.141
Aug  5 03:18:56 sjinks sshd[25112]: Did not receive identification string from 221.153.60.141
Aug  5 03:18:56 sjinks sshd[25113]: Did not receive identification string from 221.153.60.141
Aug  5 03:18:56 sjinks sshd[25114]: Did not receive identification string from 221.153.60.141
Aug  5 03:18:56 sjinks sshd[25115]: Did not receive identification string from 221.153.60.141
Aug  5 03:19:04 sjinks sshd[25145]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.153.60.141  user=root
Aug  5 03:19:04 sjinks sshd[25147]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.153.60.141  user=root

Aug  5 03:19:49 sjinks sshd[25248]: Did not receive identification string from 121.169.48.28
Aug  5 03:19:49 sjinks sshd[25249]: Did not receive identification string from 121.169.48.28
Aug  5 03:19:49 sjinks sshd[25250]: Did not receive identification string from 121.169.48.28
Aug  5 03:19:49 sjinks sshd[25251]: Did not receive identification string from 121.169.48.28
Aug  5 03:19:49 sjinks sshd[25252]: Did not receive identification string from 121.169.48.28
Aug  5 03:19:57 sjinks sshd[25266]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.169.48.28  user=root
Aug  5 03:19:57 sjinks sshd[25271]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.169.48.28  user=root

Aug  5 03:21:58 sjinks sshd[26375]: Did not receive identification string from 61.76.108.200
Aug  5 03:21:58 sjinks sshd[26377]: Did not receive identification string from 61.76.108.200
Aug  5 03:21:58 sjinks sshd[26378]: Did not receive identification string from 61.76.108.200
Aug  5 03:21:58 sjinks sshd[26379]: Did not receive identification string from 61.76.108.200
Aug  5 03:22:06 sjinks sshd[26390]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.76.108.200  user=root
Aug  5 03:22:06 sjinks sshd[26393]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.76.108.200  user=root

Aug  5 03:22:01 sjinks sshd[26380]: Did not receive identification string from 220.82.171.129
Aug  5 03:22:01 sjinks sshd[26381]: Did not receive identification string from 220.82.171.129
Aug  5 03:22:01 sjinks sshd[26382]: Did not receive identification string from 220.82.171.129
Aug  5 03:22:01 sjinks sshd[26383]: Did not receive identification string from 220.82.171.129
Aug  5 03:22:01 sjinks sshd[26384]: Did not receive identification string from 220.82.171.129
Aug  5 03:22:09 sjinks sshd[26408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.82.171.129  user=root
Aug  5 03:22:09 sjinks sshd[26425]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.82.171.129  user=root

Aug  5 03:32:59 sjinks sshd[28817]: Did not receive identification string from 59.17.15.76
Aug  5 03:32:59 sjinks sshd[28818]: Did not receive identification string from 59.17.15.76
Aug  5 03:32:59 sjinks sshd[28819]: Did not receive identification string from 59.17.15.76
Aug  5 03:32:59 sjinks sshd[28820]: Did not receive identification string from 59.17.15.76
Aug  5 03:32:59 sjinks sshd[28821]: Did not receive identification string from 59.17.15.76
Aug  5 03:33:07 sjinks sshd[28826]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.17.15.76  user=root
Aug  5 03:33:07 sjinks sshd[28828]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.17.15.76  user=root

Everyone who is not using tools like Fail2Ban or the like: it is high time to think about it. No protection plus weak passwords is a short road to becoming part of a botnet.

If you are not expecting guests from Korea, I strongly recommend blocking these addresses, either with a firewall or via /etc/hosts.deny.

Blocking with iptables:

# Drop all incoming packets from each of the offending hosts
for i in 14.36.36.243 14.42.239.118 59.2.171.221 59.2.184.48 59.17.15.76 \
         59.29.157.41 61.76.108.200 119.195.195.78 119.199.168.176 121.131.45.67 \
         121.146.29.82 121.159.193.229 121.165.92.190 121.169.48.28 121.187.210.87 \
         175.209.131.3 220.73.5.10 220.82.171.129 221.153.60.141 222.97.10.66; do
    iptables -A INPUT -s "$i" -j DROP
done
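
As an added example (not code from the original post), the following POSIX shell snippet derives such rules from the log instead of typing the addresses by hand: it picks out the `pam_unix(sshd:auth): authentication failure` lines in the format shown above, counts them per `rhost`, also counts the `Did not receive identification string` probes that precede each burst, and prints an iptables DROP rule in the same form as the block above for every host past a threshold. The sample log lines are constructed in the post's format, and the threshold value and the address 192.0.2.7 are assumptions.

```sh
#!/bin/sh
# Added example: derive iptables DROP rules from sshd auth failures.
# Constructed sample log in the same format as the excerpt in the post;
# 192.0.2.7 is a made-up documentation address, not one from the post.
SAMPLE_LOG='Aug  5 02:33:49 sjinks sshd[14588]: Did not receive identification string from 220.73.5.10
Aug  5 02:33:57 sjinks sshd[14592]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.5.10  user=root
Aug  5 02:33:57 sjinks sshd[14597]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.5.10  user=root
Aug  5 03:18:49 sjinks sshd[25094]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.29.157.41  user=root
Aug  5 03:40:12 sjinks sshd[25300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7  user=admin'

# failed_auth_counts: read an sshd log on stdin, print "<count> <rhost>"
# for every host with PAM authentication failures, highest count first.
failed_auth_counts() {
    grep 'sshd\[[0-9]*\]: pam_unix(sshd:auth): authentication failure' \
    | sed -n 's/.*rhost=\([0-9.]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# probe_counts: count the "Did not receive identification string"
# connections per host, the banner-grab pattern that precedes each
# password burst in the excerpt above.
probe_counts() {
    sed -n 's/.*Did not receive identification string from \([0-9.]*\).*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offenders THRESHOLD: print hosts with at least THRESHOLD failures.
# THRESHOLD is an assumed tuning knob; pick it for your own server.
offenders() {
    failed_auth_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# drop_rules THRESHOLD: print one iptables rule per offender.
# This is a dry run: review the output, then pipe it to sh to apply.
drop_rules() {
    offenders "$1" | while read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Real use: drop_rules 5 < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | drop_rules 2
```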

Aggressive blocking:

# Drop the entire netblocks the offending hosts belong to
for i in 14.32.0.0/11 59.0.0.0/11 61.72.0.0/14 119.192.0.0/11 121.128.0.0/11 \
         121.160.0.0/11 175.192.0.0/12 220.72.0.0/12 221.144.0.0/12 222.96.0.0/12; do
    iptables -A INPUT -s "$i" -j DROP
done

If your iptables supports the TARPIT target, you can use it instead of DROP.

Blocking with TCP Wrappers: add the following lines to /etc/hosts.deny:

sshd: 14.36.36.243 14.42.239.118 59.2.171.221 59.2.184.48 59.17.15.76
sshd: 59.29.157.41 61.76.108.200 119.195.195.78 119.199.168.176 121.131.45.67
sshd: 121.146.29.82 121.159.193.229 121.165.92.190 121.169.48.28 121.187.210.87
sshd: 175.209.131.3 220.73.5.10 220.82.171.129 221.153.60.141 222.97.10.66

Colleagues, stay vigilant!

5 Responses to “The Koreans are on a rampage…”

  1. Updated the list of IP addresses

  2. The list has been updated once again

  3. Is KIS 2011 sufficient protection in a case like this?

    • I don't know, I run Linux. But I think Kaspersky doesn't earn its bread for nothing :-)

      And the Koreans are really getting on my nerves, they've been hammering away all day :-(

  4. By the looks of it, the cyber exercises are over, we can sleep soundly.
