DaemonForums  

Go Back   DaemonForums > Miscellaneous > General software and network

General software and network General OS-independent software and network questions, X11, MTA, routing, etc.

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 31st December 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,193
Thanked 182 Times in 149 Posts
Default Discovering SSH versions of compromised hosts with nc(1)

On the
FreeBSD stable mailing list a posting about a compromised FreeBSD box, led to an interesting discussion about boxes being hammered with SSH probes.

One of the participants posted a list of about 40 hosts which probed his box for weak passwords using SSH.

Several years, when my wife was in another country, I enabled SSH access so she could use fetchmail and pine to read her mail.
Opening port 22 on my firewall of course triggered the same SSH probes. To some of these hosts I could telnet and some after displaying their RedHat login banner prompted me for a login name.

Reading the freebsd-stable discussion I wondered what kind of boxes are initiating these annoying login attempts.

The OpenBSD 'nc' man page shows a simple way to get a box to display the login banner.
Code:
PORT SCANNING
     It may be useful to know which ports are open and running services on a
     target machine.  The -z flag can be used to tell nc to report open ports,
     rather than initiate a connection.  For example:

           $ nc -z host.example.com 20-30
           Connection to host.example.com 22 port [tcp/ssh] succeeded!
           Connection to host.example.com 25 port [tcp/smtp] succeeded!

     The port range was specified to limit the search to ports 20 - 30.

     Alternatively, it might be useful to know which server software is run-
     ning, and which versions.  This information is often contained within the
     greeting banners.  In order to retrieve these, it is necessary to first
     make a connection, and then break the connection when the banner has been
     retrieved.  This can be accomplished by specifying a small timeout with
     the -w flag, or perhaps by issuing a "QUIT" command to the server:

           $ echo "QUIT" | nc host.example.com 20-30
           SSH-1.99-OpenSSH_3.6.1p2
           Protocol mismatch.
           220 host.example.com IMS SMTP Receiver Version 0.84 Ready
A simple shell script to probe these hosts
Code:
PORT=22

hosts='
  24.69.83.139
  24.106.149.2
  59.108.230.130
     [snip] 
  218.97.254.206
  218.206.233.43
  221.202.118.39
  222.221.2.210
'

for MACHINE in ${hosts} ; do
   printf "%s %s " $(date "+%Y-%m-%d %H:%M:%S") " host $MACHINE "
   result=$(echo QUIT | nc ${MACHINE} $PORT)
   printf "%s\n" "$result"
done
Because we will redirect the output to logfile we can use tail to follow the progress. In another xterm before running the script:
Code:
$ tail -f logfile
tail: logfile: No such file or directory
$ touch logfile
$ tail -f logfile 
2009-12-31 00:49:31  host 24.69.83.139   SSH-2.0-OpenSSH_5.1p1 Debian-5
Protocol mismatch.
2009-12-31 00:49:31  host 24.106.149.2   SSH-1.99-OpenSSH_4.3p2
Protocol mismatch.
2009-12-31 00:49:32  host 59.108.230.130   SSH-1.99-OpenSSH_3.9p1
After starting the script with sh scan-ssh-versions >logfile 2>&1 the 'tailed' logfile showed the first results.

Actually using tee is a simpler approach.
Code:
$ sh scan-ssh-versions 2>&1 | tee logfile
After seeing som progress for some time, a connection seemed to be stuck.
Code:
$ netstat -an -f inet
 
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.222.20.42645   211.144.32.185.22      FIN_WAIT_2
tcp        0      0  *.587                  *.*                    LISTEN
tcp        0      0  *.25                   *.*                    LISTEN
tcp        0      0  *.6000                 *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.515                  *.*                    LISTEN
A simple $ pkill -TERM nc took care of that

Filtering the SSH version answers
Code:
$ grep SSH logfile
2009-12-31 00:49:31  host 24.69.83.139   SSH-2.0-OpenSSH_5.1p1 Debian-5
2009-12-31 00:49:31  host 24.106.149.2   SSH-1.99-OpenSSH_4.3p2
2009-12-31 00:49:32  host 59.108.230.130   SSH-1.99-OpenSSH_3.9p1
2009-12-31 00:49:33  host 60.6.237.54   SSH-1.99-OpenSSH_3.9p1
2009-12-31 00:49:37  host 60.212.42.11   SSH-2.0-OpenSSH_4.0
2009-12-31 00:49:58  host 61.47.34.67   SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
2009-12-31 00:49:59  host 78.40.82.74   SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
2009-12-31 00:49:59  host 79.136.123.7   SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
2009-12-31 00:49:59  host 79.188.234.58   SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
2009-12-31 00:50:00  host 85.12.25.157   SSH-2.0-OpenSSH_5.1p1 Debian-5
2009-12-31 00:50:00  host 85.38.97.122   SSH-2.0-SSH-2.0-OpenSSH_4.3
2009-12-31 00:50:00  host 85.114.135.208   SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
2009-12-31 00:51:15  host 110.12.64.141   SSH-1.99-OpenSSH_4.3
2009-12-31 00:51:16  host 114.255.100.163   SSH-1.99-OpenSSH_4.7p1
2009-12-31 00:51:19  host 116.28.64.181   SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.5
2009-12-31 00:51:20  host 121.254.228.61   SSH-2.0-OpenSSH_4.3
2009-12-31 00:51:21  host 123.15.41.98   SSH-2.0-OpenSSH_4.3
2009-12-31 00:51:24  host 123.124.236.195   SSH-1.99-OpenSSH_3.9p1
2009-12-31 00:52:46  host 173.10.126.225   SSH-2.0-OpenSSH_4.3
2009-12-31 00:52:46  host 189.108.172.26   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
2009-12-31 00:54:02  host 195.219.57.189   SSH-2.0-OpenSSH_4.3
2009-12-31 00:54:02  host 202.103.25.246   SSH-2.0-OpenSSH_4.3
2009-12-31 00:55:18  host 203.94.231.11   SSH-2.0-OpenSSH_3.4p1
2009-12-31 00:57:48  host 211.92.149.147   SSH-2.0-OpenSSH_4.3
2009-12-31 02:10:29  host 216.36.150.58   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
2009-12-31 02:13:00  host 221.202.118.39   SSH-2.0-OpenSSH_4.3
We queried 39 hosts
Code:
$ grep -c host logfile
39
Out of these 39, 26 hosts displayed the SSH version.
Code:
$ grep SSH logfile | wc -l
      26
10 out of 26 were Debian based
Code:
$ grep -i Debian logfile | wc -l 
           10
Remember any box, Windows, Linux or BSD, exposed to the internet, only is as secure as the monkey who administrates it.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Red Hat servers compromised tanked Other BSD and UNIX/UNIX-like 10 25th August 2008 04:41 PM
Both versions installing in same location, & can't delete jaymax FreeBSD General 5 9th June 2008 06:25 PM


All times are GMT. The time now is 08:45 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick