Stepping-Stone Hosts @ Phishing Scams
Published by M-naka on 2005/2/27 (2358 reads)
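Honestly, this is annoying.

 Lately there have been a lot of attacks against SSH (TCP 22).
 The access log looks like this. It ticks me off, so I'm exposing the IP.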

Feb 27 11:28:42 Casper sshd[27936]: Did not receive identification string from 218.95.228.150
Feb 27 11:33:58 Casper sshd[27939]: Invalid user jordan from 218.95.228.150
Feb 27 11:33:59 Casper sshd[27942]: Invalid user michael from 218.95.228.150
Feb 27 11:34:00 Casper sshd[27945]: Invalid user nicole from 218.95.228.150
Feb 27 11:34:01 Casper sshd[27948]: Invalid user daniel from 218.95.228.150
Feb 27 11:34:02 Casper sshd[27951]: Invalid user andrew from 218.95.228.150
Feb 27 11:34:03 Casper sshd[27954]: Invalid user magic from 218.95.228.150
Feb 27 11:34:04 Casper sshd[27957]: Invalid user lion from 218.95.228.150
Feb 27 11:34:05 Casper sshd[27960]: Invalid user david from 218.95.228.150
Feb 27 11:34:06 Casper sshd[27963]: Invalid user jason from 218.95.228.150
Feb 27 11:34:07 Casper sshd[27966]: Invalid user carmen from 218.95.228.150
Feb 27 11:34:08 Casper sshd[27969]: Invalid user justin from 218.95.228.150
Feb 27 11:34:09 Casper sshd[27972]: Invalid user charlie from 218.95.228.150
Feb 27 11:34:10 Casper sshd[27975]: Invalid user steven from 218.95.228.150
Feb 27 11:34:12 Casper sshd[27978]: Invalid user brandon from 218.95.228.150
Feb 27 11:34:13 Casper sshd[27981]: Invalid user brian from 218.95.228.150
Feb 27 11:34:14 Casper sshd[27984]: Invalid user stephen from 218.95.228.150
Feb 27 11:34:15 Casper sshd[27987]: Invalid user william from 218.95.228.150
Feb 27 11:34:16 Casper sshd[27990]: Invalid user angel from 218.95.228.150
Feb 27 11:34:17 Casper sshd[27993]: Invalid user emily from 218.95.228.150
Feb 27 11:34:18 Casper sshd[27996]: Invalid user eric from 218.95.228.150
Feb 27 11:34:19 Casper sshd[27999]: Invalid user joe from 218.95.228.150
Feb 27 11:34:20 Casper sshd[28002]: Invalid user tom from 218.95.228.150
Feb 27 11:34:21 Casper sshd[28005]: Invalid user billy from 218.95.228.150
Feb 27 11:34:23 Casper sshd[28008]: Invalid user buddy from 218.95.228.150
Feb 27 11:34:24 Casper sshd[28011]: Invalid user jeremy from 218.95.228.150
Feb 27 11:34:25 Casper sshd[28014]: Invalid user vampire from 218.95.228.150
Feb 27 11:34:26 Casper sshd[28017]: Invalid user betty from 218.95.228.150
Feb 27 11:34:27 Casper sshd[28020]: Invalid user max from 218.95.228.150
Feb 27 11:34:28 Casper sshd[28023]: Invalid user nicholas from 218.95.228.150
Feb 27 11:34:29 Casper sshd[28026]: Invalid user robin from 218.95.228.150
Feb 27 11:34:30 Casper sshd[28029]: Invalid user johnny from 218.95.228.150
Feb 27 11:34:32 Casper sshd[28032]: Invalid user lucy from 218.95.228.150
Feb 27 11:34:33 Casper sshd[28035]: Invalid user maria from 218.95.228.150
Feb 27 11:34:34 Casper sshd[28038]: Invalid user rose from 218.95.228.150
Feb 27 11:34:36 Casper sshd[28044]: Invalid user god from 218.95.228.150
Feb 27 11:34:37 Casper sshd[28047]: Invalid user barbara from 218.95.228.150
Feb 27 11:34:38 Casper sshd[28050]: Invalid user larisa from 218.95.228.150
Feb 27 11:34:39 Casper sshd[28053]: Invalid user jane from 218.95.228.150
Feb 27 11:34:40 Casper sshd[28056]: Invalid user dog from 218.95.228.150
Feb 27 11:34:41 Casper sshd[28059]: Invalid user sparc from 218.95.228.150
Feb 27 11:34:43 Casper sshd[28062]: Invalid user credit from 218.95.228.150
Feb 27 11:34:44 Casper sshd[28065]: Invalid user info from 218.95.228.150
Feb 27 11:34:45 Casper sshd[28068]: Invalid user manager from 218.95.228.150
Feb 27 11:34:46 Casper sshd[28071]: Invalid user horse from 218.95.228.150
Feb 27 11:34:47 Casper sshd[28074]: Invalid user nokia from 218.95.228.150
Feb 27 11:34:48 Casper sshd[28077]: Invalid user tv from 218.95.228.150
Feb 27 11:34:49 Casper sshd[28080]: Invalid user connect from 218.95.228.150
Feb 27 11:34:50 Casper sshd[28083]: Invalid user fire from 218.95.228.150
Feb 27 11:34:51 Casper sshd[28086]: Invalid user local from 218.95.228.150
Feb 27 11:34:52 Casper sshd[28089]: Invalid user host from 218.95.228.150
Feb 27 11:34:53 Casper sshd[28092]: Invalid user billy from 218.95.228.150
Feb 27 11:34:54 Casper sshd[28095]: Invalid user yoyo from 218.95.228.150
Feb 27 11:34:55 Casper sshd[28098]: Invalid user victor from 218.95.228.150
Feb 27 11:34:56 Casper sshd[28101]: Invalid user fbi from 218.95.228.150
Feb 27 11:34:57 Casper sshd[28104]: Invalid user mark from 218.95.228.150
Feb 27 11:34:58 Casper sshd[28107]: Invalid user william from 218.95.228.150
Feb 27 11:34:59 Casper sshd[28110]: Invalid user patrick from 218.95.228.150
Feb 27 11:35:00 Casper sshd[28113]: Invalid user shin from 218.95.228.150
Feb 27 11:35:01 Casper sshd[28116]: Invalid user veronica from 218.95.228.150
Feb 27 11:35:02 Casper sshd[28119]: Invalid user justin from 218.95.228.150
Feb 27 11:35:04 Casper sshd[28122]: Invalid user ana from 218.95.228.150
Feb 27 11:35:05 Casper sshd[28125]: Invalid user daniel from 218.95.228.150
Feb 27 11:35:06 Casper sshd[28128]: Invalid user alex from 218.95.228.150
Feb 27 11:35:07 Casper sshd[28131]: Invalid user laser from 218.95.228.150
Feb 27 11:35:08 Casper sshd[28134]: Invalid user tcp from 218.95.228.150
Feb 27 11:35:09 Casper sshd[28137]: Invalid user andrea from 218.95.228.150
Feb 27 11:35:10 Casper sshd[28140]: Invalid user bob from 218.95.228.150
Feb 27 11:35:11 Casper sshd[28143]: Invalid user gai from 218.95.228.150
Feb 27 11:35:12 Casper sshd[28146]: Invalid user gay from 218.95.228.150
Feb 27 11:35:13 Casper sshd[28149]: User rpc not allowed because account is locked
Feb 27 11:35:14 Casper sshd[28152]: Invalid user george from 218.95.228.150
Feb 27 11:35:15 Casper sshd[28155]: Invalid user smile from 218.95.228.150
Feb 27 11:35:16 Casper sshd[28158]: Invalid user smith from 218.95.228.150
Feb 27 11:35:17 Casper sshd[28161]: Invalid user christopher from 218.95.228.150
Feb 27 11:35:18 Casper sshd[28164]: Invalid user robert from 218.95.228.150
Feb 27 11:35:20 Casper sshd[28167]: Invalid user coolboy from 218.95.228.150
Feb 27 11:35:21 Casper sshd[28170]: Invalid user derek from 218.95.228.150
Feb 27 11:35:22 Casper sshd[28173]: Invalid user james from 218.95.228.150
Feb 27 11:35:23 Casper sshd[28176]: Invalid user james from 218.95.228.150
Feb 27 11:35:24 Casper sshd[28179]: Invalid user james from 218.95.228.150
Feb 27 11:35:25 Casper sshd[28182]: Invalid user lisa from 218.95.228.150
Feb 27 11:35:26 Casper sshd[28185]: Invalid user mario from 218.95.228.150
Feb 27 11:35:27 Casper sshd[28188]: Invalid user martin from 218.95.228.150
Feb 27 11:35:28 Casper sshd[28191]: Invalid user sonya from 218.95.228.150
Feb 27 11:35:29 Casper sshd[28194]: Invalid user tony from 218.95.228.150
Feb 27 11:35:30 Casper sshd[28197]: Invalid user just from 218.95.228.150
Feb 27 11:35:32 Casper sshd[28200]: Invalid user justice from 218.95.228.150
Feb 27 11:35:33 Casper sshd[28203]: Invalid user bank from 218.95.228.150
Feb 27 11:35:34 Casper sshd[28206]: Invalid user vip from 218.95.228.150

 
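 I suspect a random attack using an automated script. It presumably connects to TCP 22 (SSH) on random IP addresses and then launches a brute-force attack against any address where the target gave some kind of response, as in "Did not receive identification string from 218.95.228.150". After that it just keeps trying to log in, once per second, on and on. Well, in my case logging in is not possible with an ID and password alone (an RSA key is required), so I'm more or less fine. www.mythril.mydns.jp, which sits at my parents' house, also took more than 1,000 SSH attacks in one hour the other day. Its normal traffic is tiny, so when odd traffic shows up in MRTG it is pretty much obvious that it is an attack.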
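
The pattern described above (a probe, then username guesses about once per second from one address) can be picked out of an sshd log mechanically. The following Python is an added example, not part of the original post; the sample log is constructed with documentation addresses, and the function names, thresholds and assumed year are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# End-anchored address: a username containing " from " cannot spoof the source.
STAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$", re.M)
PROBE = re.compile(r"Did not receive identification string from (\S+)")
INVALID = re.compile(r"Invalid user (.*) from (\S+)")
# Constructed sample (documentation addresses), same format as the log above.
SAMPLE_LOG = """\
Feb 27 09:00:00 host sshd[90]: Invalid user test from 198.51.100.7
Feb 27 11:28:42 host sshd[100]: Did not receive identification string from 192.0.2.10
Feb 27 11:33:58 host sshd[101]: Invalid user jordan from 192.0.2.10
Feb 27 11:33:59 host sshd[102]: Invalid user michael from 192.0.2.10
Feb 27 11:34:00 host sshd[103]: Invalid user nicole from 192.0.2.10
Feb 27 11:34:01 host sshd[104]: User rpc not allowed because account is locked
Feb 27 11:34:02 host sshd[105]: Invalid user daniel from 192.0.2.10
Feb 27 11:34:03 host sshd[106]: Invalid user daniel from 192.0.2.10
"""

def parse(log_text, year=2005):
    """Group sshd events by source; syslog omits the year, so one is assumed."""
    by_ip = defaultdict(lambda: {"users": [], "times": []})
    unattributed = 0
    for stamp, msg in STAMP.findall(log_text):
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if p := PROBE.fullmatch(msg):
            by_ip[p[1]].setdefault("probe", when)  # keep the earliest probe
        elif i := INVALID.fullmatch(msg):
            by_ip[i[2]]["users"].append(i[1])
            by_ip[i[2]]["times"].append(when)
        else:
            unattributed += 1  # e.g. "User rpc not allowed ...": no address given
    return by_ip, unattributed

def flag_bruteforce(log_text, min_attempts=5, min_rate=0.5):
    """Return sources whose username guessing is sustained and machine-paced."""
    flagged = {}
    for ip, s in parse(log_text)[0].items():
        n = len(s["times"])
        if n < min_attempts:
            continue
        span = (max(s["times"]) - min(s["times"])).total_seconds()
        rate = (n - 1) / span if span else float(n)  # guesses per second
        if rate >= min_rate:
            probed = "probe" in s and s["probe"] < min(s["times"])
            flagged[ip] = {"attempts": n, "distinct_users": len(set(s["users"])),
                           "per_second": round(rate, 2), "probed_first": probed}
    return flagged
```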
 
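 Just as I was thinking that, an alert came over the JPCERT mailing list about servers being turned into stepping stones for phishing scams. Ah, I see. So the SSH attacks may be the groundwork for this. The path is probably: log in via SSH, seize root privileges, then turn the server into a stepping stone for phishing.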

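 It's basic stuff, but close unneeded ports, stop unneeded services, and keep the open ports and the services offered to the bare minimum. On Linux, truly critical security holes are not found all that often, but updating packages as appropriate is of course also necessary.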

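 Incidentally, almost all of the unauthorized access comes from China and South Korea. Call it national character or whatever you like... Well, it's also quite possible that the source hosts are themselves being used as stepping stones.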
