Archive for the ‘ISC’ Category

Distributed SSH Brute Force Attempts on the rise again, (Fri, Jun 18th)

SSH brute force attempts seem to be on the rise again; at the SANS Internet Storm Center we have received several reports of networks seeing them. The source IP address changes with each new username tried from the wordlist, which indicates that the attempts are distributed across one or more botnets. It only takes a single user with a weak password for a breach to occur, and with that foothold, privilege escalation and further attacks are the likely next step. This is certainly not a new phenomenon, but I think it is a good time to raise awareness about it once again.



Reader xemaps wrote in with this log snippet:



The whole day my server has been targeted by a botnet; the attacker also changed IP with each new dictionary user.



Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 87.66.x.x
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x
Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 84.73.x.x



Reader Ingvar wrote in with a similar pattern:



On my home system I have seen these login attempts that start with user aaa and go on alphabetically, from over 1000 different hosts around the world (judging from the DenyHosts reports). Normally I only see single-digit attempts per day.



Jun 17 02:14:56 MyHost sshd[808]: error: PAM: authentication error for illegal user aaa from 151.100.x.x
Jun 17 02:23:11 MyHost sshd[870]: error: PAM: authentication error for illegal user aabakken from 150.254.x.x
Jun 17 02:24:57 MyHost sshd[875]: error: PAM: authentication error for illegal user aapo from 173.33.x.x
Jun 17 02:35:23 MyHost sshd[885]: error: PAM: authentication error for illegal user abakus from 121.160.x.x
Jun 17 02:37:32 MyHost sshd[895]: error: PAM: authentication error for illegal user abas from 190.200.x.x
Jun 17 02:38:18 MyHost sshd[900]: error: PAM: authentication error for illegal user abc from 193.251.x.x
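The two reader excerpts above share the shape the diary describes: a different source address on nearly every attempt, and usernames walking a wordlist in alphabetical order. The following added example (not code from the diary or from the readers) parses both sshd message formats and flags that shape per host; the sample log lines, the placeholder addresses and the two thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two reader reports above; addresses are RFC 5737 placeholders.
SAMPLE_LOG = """\
Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 203.0.113.10
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 198.51.100.7
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 192.0.2.33
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 203.0.113.77
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 198.51.100.200
Jun 17 02:14:56 MyHost sshd[808]: error: PAM: authentication error for illegal user aaa from 198.51.100.9
Jun 17 02:23:11 MyHost sshd[870]: error: PAM: authentication error for illegal user aabakken from 192.0.2.8
Jun 17 02:24:57 MyHost sshd[875]: error: PAM: authentication error for illegal user aapo from 203.0.113.5
Jun 17 02:35:23 MyHost sshd[885]: error: PAM: authentication error for illegal user abakus from 192.0.2.250
Jun 17 02:37:32 MyHost sshd[895]: error: PAM: authentication error for illegal user abas from 198.51.100.44
"""

# Matches both message formats above: "Invalid user X from IP" and "... illegal user X from IP".
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: .*?"
    r"(?:Invalid|illegal) user (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse_failures(log_text):
    """Group (username, source IP) pairs per host, preserving log order."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_host[m["host"]].append((m["user"], m["ip"]))
    return dict(by_host)

def assess(pairs, min_attempts=5, min_ip_ratio=0.8):
    """Flag the diary's pattern: the source IP changes with almost every attempt and the
    usernames walk a wordlist alphabetically. Thresholds are assumptions for this example."""
    users = [u for u, _ in pairs]
    ips = [ip for _, ip in pairs]
    ip_ratio = len(set(ips)) / len(pairs) if pairs else 0.0
    alphabetical = users == sorted(users)
    return {
        "attempts": len(pairs),
        "distinct_ips": len(set(ips)),
        "alphabetical": alphabetical,
        "distributed_dictionary": len(pairs) >= min_attempts
        and ip_ratio >= min_ip_ratio and alphabetical,
    }

def report(log_text):
    return {host: assess(pairs) for host, pairs in parse_failures(log_text).items()}
```

A single-source brute force (many attempts from one address) fails the IP-ratio test, which is what separates this pattern from the ordinary noise a tool like DenyHosts already blocks.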



Last year ISC Handler Rick wrote up a diary for Cyber Security Awareness Month - Day 17 - Port 22/SSH about SSH brute force attempts and some safeguards that can be implemented. Here is a brief summary:

Deploy the SSH server on a port other than 22/TCP
Deploy one of the SSH brute force prevention tools
Disallow remote root logins
Set PasswordAuthentication to no and use keys
If you must use passwords, ensure that they are all complex
Use AllowGroups to limit access to a specific group of users
Use a chroot jail for SSH if possible
Limit the IP ranges that can connect to SSH
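As an added example (not from the diary), the following script checks an sshd_config against four of the safeguards listed above, resolving keywords the way sshd does: the first value read wins, so a hardened line appended below a weak one is ignored. The two sample configs and the assumed defaults are constructed for the example.

```python
# sshd keeps the FIRST value it reads for a keyword, so a hardened line appended
# below a weak one changes nothing. Both configs below are constructed samples.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# AllowGroups sshusers
PasswordAuthentication no
"""
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
"""

# Value sshd uses when the keyword is absent (2010-era OpenSSH defaults; an assumption
# for this example) and a predicate for the matching safeguard from the list above.
DEFAULTS = {"port": "22", "permitrootlogin": "yes",
            "passwordauthentication": "yes", "allowgroups": ""}
CHECKS = {
    "port": ("Deploy the SSH server on a port other than 22/TCP", lambda v: v != "22"),
    "permitrootlogin": ("Disallow remote root logins", lambda v: v == "no"),
    "passwordauthentication": ("Set PasswordAuthentication to no and use keys", lambda v: v == "no"),
    "allowgroups": ("Use AllowGroups to limit access to a specific group", lambda v: v != ""),
}

def effective_settings(config_text):
    """Return {keyword: value} as sshd resolves the global section: first occurrence
    wins, '#' lines are comments, and parsing stops at the first Match block because
    lines after it are conditional rather than global."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(config_text):
    """Return the descriptions of the safeguards the config fails (empty list = all pass)."""
    settings = effective_settings(config_text)
    return [desc for key, (desc, ok) in CHECKS.items()
            if not ok(settings.get(key, DEFAULTS[key]).lower())]
```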

If you have any comments, additional examples of safeguards, or additional information please let us know here.
Cheers,

Adrien de Beaupré

EWA-Canada.com

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Internet Fraud Alert Kicks Off Today, (Thu, Jun 17th)

Microsoft and the National Cyber-Forensics and Training Alliance (NCFTA), with the support of Accuity, the American Bankers Association, Anti-Phishing Working Group, Citizens Bank, eBay Inc., Federal Trade Commission, National Consumers League and PayPal, are introducing a new program to help identify potentially fraudulent financial activity due to online fraud and to notify the institutions involved that their customers' personal identity may be at risk of abuse. This program:

Will offer a trusted and effective mechanism for participating researchers to report stolen credentials discovered online -
The program was unveiled today and will go into effect immediately. For more information see:
http://www.microsoft.com/Presspass/press/2010/jun10/06-17FraudAlertPR.mspx
http://ifraudalert.org/
Deb Hale, Long Lines, LLC

Thunderbird 3.05 released, (Fri, Jun 18th)


End of the road for Cisco CSA, (Fri, Jun 18th)

Cisco has announced the end-of-sale and end-of-life dates for the Cisco Security Agent. There is no replacement available for the Cisco Security Agent at this time.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps2330/end_of_life_c51-602579.html

(Sales end this December, Maintenance the following December, and it will no longer be supported after December 2013).

Thanks Brian!
Cheers,

Adrien de Beaupré

EWA-Canada.com

Please take a second and rate the daily podcast (Stormcast): http://www.surveymonkey.com/s/stormcast , (Fri, Jun 18th)

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter

FYI – Another bogus site, (Thu, Jun 17th)

Just a quick word of caution.... Be careful what you type. We have just received information from one of our readers, thanks Aaron, that w w w . malware domain lists . com is masquerading as the legitimate site www.malwaredomainlist.com (without the s). A quick check finds articles referencing this bad boy site as part of the Personal Antivirus infector group.
Deb Hale, Long Lines, LLC

Digital Copy Machines – Security Risk?, (Thu, Jun 17th)

I just happened upon a CBS News video that gave me pause for thought. It was posted back in April; however, I missed it until now.

http://www.cbsnews.com/video/watch/?id=6412572n

The video talks about the fact that modern digital copy machines, those sold after 2002, contain a hard drive. These hard drives store the images copied. These machines are traded in for new models and then refurbished and resold. However, the hard drives more than likely are not getting scrubbed to remove the content. One of the copy machines in the video not only contained content on the hard drive but also still had documents left on the copy bed.

This brings up some interesting discussions. What is on your copy machine's hard drive? When it is sent in for repair, what information may be gleaned from a quick glance at the drive? Is your copy machine another potential target to aid in identity theft?

Food for thought. Should there be processes and procedures in place for the disposal of these devices? Do you know what other devices in your organization contain a hard drive or other storage device? Is there a process for cleaning them before disposal?

Let me know what you think. What does your company do, if anything, to ensure that no confidential data is leaked by the disposal of old equipment?

Deb Hale, Long Lines, LLC

Adobe Flash Player 10.1 – Security Update Available, (Wed, Jun 16th)

Please patch those flash players as soon as possible.



Last week Handler Deb Hale posted a diary speaking to some Adobe proof of concept malware in the wild.

http://isc.sans.edu/diary.html?storyid=8932
Here is the summary from the Adobe Security Bulletin.

http://www.adobe.com/support/security/bulletins/apsb10-14.html

Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions update to Adobe Flash Player 10.1.53.64. Adobe recommends users of Adobe AIR 1.5.3.9130 and earlier versions update to Adobe AIR 2.0.2.12610.
Flash Player 10.1 - Release Notes

http://kb2.adobe.com/cps/838/cpsid_83808.html
US-CERT Technical Cyber Security Alert

http://www.us-cert.gov/cas/techalerts/TA10-159A.html


Thanks goes to Joe D. for supporting the Internet Storm Center and giving us a heads up on this security update.
Kevin Shortt
ISC Handler on Duty

UPDATE: Joe D. followed up with the following note: once installed, it is identified as version 10.1.53.64.

UPDATE 2: Thanks for the note, Deapesh. It is noteworthy that this Security Update was released by Adobe on June 10, 2010.

Maltego 3, (Wed, Jun 16th)

Paterva has released Maltego 3.
Thanks to Joe for giving us a heads up on this release.
http://www.paterva.com/web5/client/download.php#Community

Kevin Shortt
ISC Handler on Duty

iPhone 4 Order Security Breach Exposes Private Information, (Tue, Jun 15th)

Well, it seems that if you order an iPhone 4 you might get access to the private information of other AT&T customers. The exposed information includes private addresses, phone calls, and bills.
More information at http://gizmodo.com/5564262/apple-iphone-4-order-security-breach-exposes-private-information
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org