
f@#k shit attempts

slak told me someone was brute-forcing his sshd. I told him that's 'natural', it happens every day. So I checked my own logs, expecting plenty of that. I'm posting them here:

Apr 29 12:22:58 spooky sshd[1871]: Failed password for root from 202.157.128.130 port 2921 ssh2
Apr 29 12:22:59 spooky sshd[1876]: Invalid user admin from 202.157.128.130
Apr 29 12:22:59 spooky sshd[1876]: (pam_unix) check pass; user unknown
Apr 29 12:22:59 spooky sshd[1876]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.157.128.130
Apr 29 12:23:01 spooky sshd[1876]: Failed password for invalid user admin from 202.157.128.130 port 3634 ssh2
Apr 29 12:23:02 spooky sshd[1884]: Invalid user test from 202.157.128.130
Apr 29 12:23:02 spooky sshd[1884]: (pam_unix) check pass; user unknown
Apr 29 12:23:02 spooky sshd[1884]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.157.128.130

From that alone it's obvious he's doing a brute force. It would be too much to post all of the attempts from '202.157.128.130', and that's not the only one, there are many others. Here's '221.204.247.38' as well:

Apr 29 13:18:49 spooky sshd[4426]: Invalid user active from 221.204.247.38
Apr 29 13:18:49 spooky sshd[4426]: (pam_unix) check pass; user unknown
Apr 29 13:18:49 spooky sshd[4426]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.204.247.38
Apr 29 13:18:51 spooky sshd[4426]: Failed password for invalid user active from 221.204.247.38 port 56780 ssh2
Apr 29 13:18:53 spooky sshd[4431]: Invalid user ada10 from 221.204.247.38
Apr 29 13:18:53 spooky sshd[4431]: (pam_unix) check pass; user unknown
Apr 29 13:18:53 spooky sshd[4431]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.204.247.38
Apr 29 13:18:55 spooky sshd[4431]: Failed password for invalid user ada10 from 221.204.247.38 port 57363 ssh2
Apr 29 13:18:56 spooky sshd[4436]: Invalid user adachigofukuten from 221.204.247.38
Apr 29 13:18:56 spooky sshd[4436]: (pam_unix) check pass; user unknown
Apr 29 13:18:56 spooky sshd[4436]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.204.247.38
Apr 29 13:18:59 spooky sshd[4436]: Failed password for invalid user adachigofukuten from 221.204.247.38 port 57925 ssh2

SSH bots are pretty cool these days. I'm just too lazy to set up 'denyhosts', but they're also fun to watch. You know why? Because you can go into 'revenge mode'. What's revenge mode? Hehe, simple: nmap whoever is making the attempts. Obviously that's a compromised machine. Here's a sample for '221.204.247.38':

Starting Nmap 4.20 ( http://insecure.org ) at 2007-05-04 04:28 PH
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
4891/tcp open unknown
5000/tcp open UPnP
5001/tcp open commplex-link
5004/tcp open unknown
5555/tcp open freeciv
5600/tcp open unknown
6015/tcp open unknown
8000/tcp open http-alt
8011/tcp open unknown
8012/tcp open unknown
8020/tcp open unknown
8022/tcp open unknown
9001/tcp open unknown
32775/tcp open sometimes-rpc13

One of those ports has ssh1, apart from port 22 (ssh2), and port 5004 is rtsp (video streaming). I tried running mplayer against it but no video came out, hehe, just in case there was a porn video. Anyway, that machine really is compromised. I used to do this too: when I found out about a compromised machine, I'd try to get in and put a sniffer on it. From there, people 'like me' would also connect to their other machines, so I'd learn what their machines were and get their usernames and passwords. Then put a sniffer on the second machine again, over and over, until your machines pile up. It's simple, no hassle. Just patience, and pray that they keep connecting to other machines, hehe.

To find out who owns those IPs, whois is all it takes. '221.204.247.38' is from China and '202.157.128.130' is from Singapore.
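
The failed-login lines quoted above can be tallied per source address, the kind of per-source bookkeeping that log-watching blockers such as the 'denyhosts' tool mentioned in the post rely on. This is an added example, not code from the original post; the names `summarize` and `suspects` and the `min_users` threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Lines copied from the log excerpts in the post (pam_unix lines left out).
SAMPLE_LOG = """\
Apr 29 12:22:58 spooky sshd[1871]: Failed password for root from 202.157.128.130 port 2921 ssh2
Apr 29 12:22:59 spooky sshd[1876]: Invalid user admin from 202.157.128.130
Apr 29 12:23:01 spooky sshd[1876]: Failed password for invalid user admin from 202.157.128.130 port 3634 ssh2
Apr 29 12:23:02 spooky sshd[1884]: Invalid user test from 202.157.128.130
Apr 29 13:18:51 spooky sshd[4426]: Failed password for invalid user active from 221.204.247.38 port 56780 ssh2
Apr 29 13:18:55 spooky sshd[4431]: Failed password for invalid user ada10 from 221.204.247.38 port 57363 ssh2
Apr 29 13:18:59 spooky sshd[4436]: Failed password for invalid user adachigofukuten from 221.204.247.38 port 57925 ssh2
"""

# The username is chosen by the client and may itself contain " from <ip>".
# Anchoring at end of line with a greedy name takes the address sshd wrote last.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(.*) from (\S+) port \d+ ssh2$")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (.*) from (\S+)$")

def summarize(log_text):
    """Return {ip: {"failed": n, "users": set, "invalid_users": set}}."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "invalid_users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            invalid, user, ip = m.groups()
            stats[ip]["failed"] += 1
        else:
            m = INVALID.search(line)
            if not m:
                continue  # pam_unix and unrelated lines carry no new information
            (user, ip), invalid = m.groups(), True
        stats[ip]["users"].add(user)
        if invalid:
            stats[ip]["invalid_users"].add(user)
    return dict(stats)

def suspects(stats, min_users=3):
    """Flag sources that tried at least min_users distinct names (assumed threshold)."""
    return sorted(ip for ip, s in stats.items() if len(s["users"]) >= min_users)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in suspects(stats):
        s = stats[ip]
        print(ip, s["failed"], "failed passwords; names tried:", ", ".join(sorted(s["users"])))
```

Counting distinct account names rather than raw failures separates a dictionary run like the ones in the excerpts from a single user mistyping a password.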

  • Fri May 4 2007 16:04:47 GMT
  •     Geek
 

Copyright © 2001-2007 k0n?
webmaster [at] uruha.org