tnet.admin - Admin Room

Opinions, complaints, problems, questions and so on about T-Net are accepted here.

#160: Crack status
Date: 2002/01/01 23:20:32 Tue Author: 沢渡 みかげ (subop)
Child Articles: #161: Crack status #162: Crack status

I'm back from my parents' place, so I looked into it. It seems a hole in sshd was exploited.

Dec 30 21:37:51 ns sshd[13389]: log: Connection from 210.143.101.37 port 31847
Dec 30 21:37:51 ns sshd[13390]: log: Connection from 210.143.101.37 port 31849
Dec 30 21:37:51 ns sshd[13391]: log: Connection from 210.143.101.37 port 31850
Dec 30 21:37:52 ns sshd[13391]: fatal: Local: Corrupted check bytes on input.
Dec 30 21:37:52 ns sshd[13392]: log: Connection from 210.143.101.37 port 31851
Dec 30 21:37:52 ns sshd[13393]: log: Connection from 210.143.101.37 port 31852
Dec 30 21:37:53 ns sshd[13393]: fatal: Local: Corrupted check bytes on input.
Dec 30 21:37:53 ns sshd[13394]: log: Connection from 210.143.101.37 port 31905
Dec 30 21:37:53 ns sshd[13395]: log: Connection from 210.143.101.37 port 31908
Dec 30 21:37:53 ns sshd[13396]: log: Connection from 210.143.101.37 port 31961
Dec 30 21:37:53 ns sshd[13397]: log: Connection from 210.143.101.37 port 31962
Dec 30 21:37:54 ns sshd[13398]: log: Connection from 210.143.101.37 port 31963
Dec 30 21:37:54 ns sshd[13397]: fatal: Local: Corrupted check bytes on input.
Dec 30 21:37:54 ns sshd[13399]: log: Connection from 210.143.101.37 port 31964
Dec 30 21:37:55 ns sshd[13399]: fatal: Local: Corrupted check bytes on input.
Dec 30 21:37:55 ns sshd[13400]: log: Connection from 210.143.101.37 port 31965
Dec 30 21:37:55 ns sshd[13400]: fatal: Local: Corrupted check bytes on input.
Dec 30 21:37:55 ns sshd[13401]: log: Connection from 210.143.101.37 port 31966
Dec 30 21:37:56 ns sshd[13402]: log: Connection from 210.143.101.37 port 31967
Dec 30 21:37:56 ns sshd[13401]: fatal: Local: Corrupted check bytes on input.
Dec 30 21:37:56 ns sshd[13403]: log: Connection from 210.143.101.37 port 31971
Dec 30 21:37:56 ns sshd[13402]: fatal: Local: Corrupted check bytes on input.
Dec 30 21:37:57 ns sshd[13403]: fatal: Local: Corrupted check bytes on input.
Dec 30 21:37:57 ns sshd[13404]: log: Connection from 210.143.101.37 port 31972
Dec 30 21:37:57 ns sshd[13405]: log: Connection from 210.143.101.37 port 32039
Dec 30 21:37:58 ns sshd[13405]: fatal: Local: Corrupted check bytes on input.
Dec 30 21:37:58 ns sshd[13406]: log: Connection from 210.143.101.37 port 32040
Dec 30 21:37:58 ns sshd[13407]: log: Connection from 210.143.101.37 port 32041
Dec 30 21:37:58 ns sshd[13408]: log: Connection from 210.143.101.37 port 32043
Dec 30 21:37:59 ns sshd[13409]: log: Connection from 210.143.101.37 port 32098
Dec 30 21:37:59 ns sshd[13410]: log: Connection from 210.143.101.37 port 32161
Dec 30 21:37:59 ns sshd[13411]: log: Connection from 210.143.101.37 port 32166
Dec 30 21:38:00 ns sshd[13412]: log: Connection from 210.143.101.37 port 32219
Dec 30 21:38:00 ns sshd[13413]: log: Connection from 210.143.101.37 port 32220
Dec 30 21:38:00 ns sshd[13417]: log: Connection from 210.143.101.37 port 32221
Dec 30 21:38:01 ns sshd[13418]: log: Connection from 210.143.101.37 port 32222
Dec 30 21:38:01 ns sshd[13419]: log: Connection from 210.143.101.37 port 32223
Dec 30 21:38:01 ns sshd[13420]: log: Connection from 210.143.101.37 port 32230
Dec 30 21:38:02 ns sshd[13421]: log: Connection from 210.143.101.37 port 32284
Dec 30 21:38:02 ns sshd[13422]: log: Connection from 210.143.101.37 port 32285
Dec 30 21:38:02 ns sshd[13423]: log: Connection from 210.143.101.37 port 32286
Dec 30 21:38:03 ns sshd[13424]: log: Connection from 210.143.101.37 port 32287
Dec 30 21:38:03 ns sshd[13424]: fatal: Local: crc32 compensation attack: network attack detected
Dec 30 21:38:03 ns sshd[13425]: log: Connection from 210.143.101.37 port 32289
Dec 30 21:38:05 ns sshd[13426]: log: Connection from 210.143.101.37 port 32348
Dec 30 21:38:08 ns sshd[13427]: log: Connection from 210.143.101.37 port 32349
Dec 30 21:38:10 ns sshd[13428]: log: Connection from 210.143.101.37 port 32350
Dec 30 21:38:12 ns sshd[13429]: log: Connection from 210.143.101.37 port 32351
Dec 30 21:38:14 ns sshd[13429]: fatal: Local: crc32 compensation attack: network attack detected
Dec 30 21:38:14 ns sshd[13430]: log: Connection from 210.143.101.37 port 32353
Dec 30 21:38:17 ns sshd[13431]: log: Connection from 210.143.101.37 port 32413
Dec 30 21:38:19 ns sshd[13431]: fatal: Local: crc32 compensation attack: network attack detected
Dec 30 21:38:19 ns sshd[13432]: log: Connection from 210.143.101.37 port 32414
Dec 30 21:38:21 ns sshd[13433]: log: Connection from 210.143.101.37 port 32415
Dec 30 21:38:24 ns sshd[13434]: log: Connection from 210.143.101.37 port 32416
Dec 30 21:38:26 ns sshd[13435]: log: Connection from 210.143.101.37 port 32480
Dec 30 21:38:28 ns sshd[13435]: fatal: Local: crc32 compensation attack: network attack detected
Dec 30 21:38:28 ns sshd[13436]: log: Connection from 210.143.101.37 port 32547
Dec 30 21:38:30 ns sshd[13437]: log: Connection from 210.143.101.37 port 32548
Dec 30 21:38:33 ns sshd[13438]: log: Connection from 210.143.101.37 port 32611
Dec 30 21:38:35 ns sshd[13439]: log: Connection from 210.143.101.37 port 32612
Dec 30 21:38:37 ns sshd[13440]: log: Connection from 210.143.101.37 port 32674
Dec 30 21:38:38 ns sshd[13441]: log: Connection from 210.143.101.37 port 32735
Dec 30 21:38:38 ns sshd[13442]: log: Connection from 210.143.101.37 port 32801
Dec 30 21:38:53 ns PAM_pwdb[13446]: password for (www/15) changed by ((null)/0)

It looks like they first got in as the www user.
After that, they appear to have come in once more.

Dec 31 01:02:00 ns PAM_pwdb[15115]: (su) session opened for user nobody by (uid=99)
Dec 31 01:02:30 ns PAM_pwdb[15115]: (su) session closed for user nobody


Later still, there's FTP access...

Dec 31 07:08:36 ns ftpd[16383]: getpeername (in.ftpd): Transport endpoint is not connected
Dec 31 09:10:39 ns ftpd[16829]: FTP session closed

In the middle there's this... but this is probably tot-chan.

Dec 31 18:44:47 ns PAM_pwdb[19585]: 1 authentication failure; (uid=0) -> tnet for ftp service
Dec 31 18:44:47 ns syslog: failed login from tn-av98.ppp.ttcn.ne.jp [61.114.33.98], tnet

Next, they got in via sshd.

Dec 31 19:12:35 ns sshd[19772]: log: Connection from 210.143.101.37 port 1022
Dec 31 19:12:45 ns sshd[19772]: log: Password authentication for www accepted.

Posing as the ftpd user...

Dec 31 19:14:18 ns PAM_pwdb[19797]: (su) session opened for user ftpd by www(uid=0)
Dec 31 19:16:35 ns PAM_pwdb[19797]: (su) session closed for user ftpd
Dec 31 19:33:01 ns sshd[19772]: fatal: Connection closed by remote host.

Attacking telnetd as well?
Dec 31 23:28:30 ns telnetd[21272]: ttloop:  peer died: Unknown error

Intrusion again.
Jan  1 01:02:01 ns PAM_pwdb[21610]: (su) session opened for user nobody by (uid=99)
Jan  1 01:02:29 ns PAM_pwdb[21610]: (su) session closed for user nobody

Jan  1 09:44:23 ns PAM_pwdb[23318]: (login) session opened for user tnet by (uid=0)

What is this?
Jan  1 09:51:33 ns sshd[23443]: log: Connection from 64.159.78.2 port 2451
Jan  1 09:51:38 ns sshd[23443]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.


So, looking at the IPs near the beginning, they are the same PROX.
It seems quite likely they used that as a stepping stone to come here.

Anyway, I'm going to update sshd now (^^;
Hmm.
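The burst quoted in the post (dozens of connections from one address within seconds, each ending in "Corrupted check bytes on input" or "crc32 compensation attack: network attack detected", followed a minute later by a password change for www) is the classic signature of exploit attempts against the SSH1 CRC32 compensation-attack detector in sshd (CVE-2001-0144). The script below is an added example, not code from the T-Net post or its author: it parses sample syslog lines constructed from the patterns in the excerpt, maps each sshd PID to its source IP, counts those fatals per IP, and lists the account-changing events (password changes, su sessions, accepted password logins) that follow a detected burst. The year is assumed, since syslog omits it; the `min_hits` threshold and the 48-hour follow-up window are illustrative choices.

```python
"""Detect SSH1 CRC32-compensation exploit bursts in syslog and correlate
follow-on account activity.  Added example; sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the post's excerpt (not the original log file).
SAMPLE_LOG = """\
Dec 30 21:37:51 ns sshd[13389]: log: Connection from 210.143.101.37 port 31847
Dec 30 21:37:51 ns sshd[13391]: log: Connection from 210.143.101.37 port 31850
Dec 30 21:37:52 ns sshd[13391]: fatal: Local: Corrupted check bytes on input.
Dec 30 21:37:53 ns sshd[13397]: log: Connection from 210.143.101.37 port 31962
Dec 30 21:37:54 ns sshd[13397]: fatal: Local: Corrupted check bytes on input.
Dec 30 21:38:03 ns sshd[13424]: log: Connection from 210.143.101.37 port 32287
Dec 30 21:38:03 ns sshd[13424]: fatal: Local: crc32 compensation attack: network attack detected
Dec 30 21:38:53 ns PAM_pwdb[13446]: password for (www/15) changed by ((null)/0)
Dec 31 01:02:00 ns PAM_pwdb[15115]: (su) session opened for user nobody by (uid=99)
Dec 31 19:12:35 ns sshd[19772]: log: Connection from 210.143.101.37 port 1022
Dec 31 19:12:45 ns sshd[19772]: log: Password authentication for www accepted.
Dec 31 19:14:18 ns PAM_pwdb[19797]: (su) session opened for user ftpd by www(uid=0)
Jan  1 09:51:33 ns sshd[23443]: log: Connection from 64.159.78.2 port 2451
Jan  1 09:51:38 ns sshd[23443]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$")
CONN_RE = re.compile(r"Connection from (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)")
# The two fatals the SSH1 deattack code emits on crafted packets.
CRC_FATALS = ("Corrupted check bytes on input", "crc32 compensation attack")
# Events an analyst checks after a burst: account changes and successful logins.
FOLLOWUP_RE = re.compile(
    r"password for \(|\(su\) session opened|Password authentication for \S+ accepted")


def parse_log(text, base_year=2001):
    """Parse syslog lines into dicts.  base_year is an assumption (syslog has no
    year); it is bumped when the month goes backwards, i.e. the Dec -> Jan rollover."""
    events, year, last_month = [], base_year, 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        if ts.month < last_month:
            year += 1
        last_month = ts.month
        events.append({"ts": ts.replace(year=year), "host": m["host"], "prog": m["prog"],
                       "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]})
    return events


def find_crc32_attacks(events, min_hits=3):
    """Attribute each sshd fatal to the source IP of its PID's 'Connection from'
    line and count CRC32 failures per IP.  Returns {ip: summary} for IPs with
    at least min_hits such fatals."""
    pid_ip = {}
    stats = defaultdict(lambda: {"connections": 0, "corrupted": 0, "detector": 0,
                                 "first": None, "last": None})
    for ev in events:
        if ev["prog"] != "sshd":
            continue
        c = CONN_RE.search(ev["msg"])
        if c:
            pid_ip[ev["pid"]] = c["ip"]          # later fatals from this PID belong to this IP
            stats[c["ip"]]["connections"] += 1
            continue
        ip = pid_ip.get(ev["pid"])
        if ip is None or not ev["msg"].startswith("fatal:"):
            continue
        if CRC_FATALS[0] in ev["msg"]:
            key = "corrupted"                    # CRC check failed on a crafted packet
        elif CRC_FATALS[1] in ev["msg"]:
            key = "detector"                     # deattack.c flagged the attack pattern
        else:
            continue
        s = stats[ip]
        s[key] += 1
        s["first"] = s["first"] or ev["ts"]
        s["last"] = ev["ts"]
    return {ip: s for ip, s in stats.items() if s["corrupted"] + s["detector"] >= min_hits}


def followup_activity(events, attacks, hours=48):
    """Account-changing events within `hours` after each burst's last fatal,
    keyed by attacking IP (the window is an illustrative choice)."""
    out = {}
    for ip, s in attacks.items():
        end = s["last"] + timedelta(hours=hours)
        out[ip] = [(ev["ts"], ev["prog"], ev["msg"]) for ev in events
                   if s["last"] < ev["ts"] <= end and FOLLOWUP_RE.search(ev["msg"])]
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_crc32_attacks(evs)
    for ip, s in hits.items():
        print(f"{ip}: {s['connections']} connections, {s['corrupted']} corrupted-CRC fatals, "
              f"{s['detector']} detector hits between {s['first']} and {s['last']}")
        for ts, prog, msg in followup_activity(evs, hits)[ip]:
            print(f"  follow-up {ts} {prog}: {msg}")
```

On the sample, the only flagged source is 210.143.101.37, and the follow-up list is exactly the sequence the post walks through by hand: the www password change, the su to nobody, the accepted password login for www, and the su to ftpd. The 64.159.78.2 "ssh version is too old" fatal is not a CRC32 signature and is correctly not counted. In a real investigation, run this over the complete log rather than an excerpt, and treat any "password for ... changed by ((null)/0)" that follows such a burst as the point after which the host can no longer be trusted.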
