Friday, April 4, 2008

Daily Lab / POC Activities

Extramural:

  • Configured a SimpleCA on lab 1001 to test the OGSA-DAI installation. We are testing OGSA-DAI on an internal grid before we do a rollout on PHGRID.
  • Analyzed hack attacks on lab servers and plugged security holes:
It is recommended that strong security measures be put in place to fend off hacker attacks like the examples listed below. The first two attacks were conducted before the server was protected by hardened security measures; the third was conducted after the server was hardened. I traced the source of each attack and included the attacker information and method of attack below.

Hacker Info:
IP address: 203.144.221.26
Host server: 203-144-221-26.static.asianet.co.th
Network: TRUENET-TH
ISP/organization: True Internet Co., Ltd.
ISP/organization address: Internet Service Provider, Bangkok, Thailand.
Geographical location: Thailand
Email: abuse@trueinternet.co.th
Phone: +662 6411800
Fax: +662 6421557

Attack Method:
Attempted to compromise the server using a dictionary attack on common system accounts and common user names. This attack was attempted hundreds of times by this hacker. The hacker was clearly using an automated tool to generate so many attempts in such a short amount of time. Below is an excerpt of the attack.

Feb 28 15:53:29 gump sshd[5368]: Invalid user admin from 203.144.221.26
Feb 28 15:53:32 gump sshd[5370]: Invalid user guest from 203.144.221.26
Feb 28 15:53:35 gump sshd[5373]: Invalid user master from 203.144.221.26
Feb 28 15:53:56 gump sshd[5385]: Invalid user admin from 203.144.221.26
Feb 28 15:53:58 gump sshd[5387]: Invalid user admin from 203.144.221.26
Feb 28 15:54:01 gump sshd[5389]: Invalid user admin from 203.144.221.26
Feb 28 15:54:04 gump sshd[5392]: Invalid user admin from 203.144.221.26
Feb 28 15:54:19 gump sshd[5402]: Invalid user webmaster from 203.144.221.26
Feb 28 15:54:22 gump sshd[5404]: Invalid user username from 203.144.221.26
Feb 28 15:54:25 gump sshd[5406]: Invalid user user from 203.144.221.26
Feb 28 15:54:30 gump sshd[5410]: Invalid user admin from 203.144.221.26
Feb 28 15:54:44 gump sshd[5424]: Invalid user danny from 203.144.221.26
Feb 28 15:54:47 gump sshd[5426]: Invalid user alex from 203.144.221.26
Feb 28 15:54:50 gump sshd[5428]: Invalid user brett from 203.144.221.26

Hacker Info:
IP address: 202.63.185.230
Host server: 202-63-185-230.static.exatt.net
Network: EXATT
ISP/organization: Exatt Technologies Pvt. Ltd.
ISP/organization address: 510 Akruti Arcade, Opp. Wadia School, J. P. Road, Andheri (W), Mumbai, Maharashtra, India. Internet Service Provider
Geographical location: India (IN)
Name: IP-Admin NOC
Email: noc_mum@exatt.com
Phone: +91-022-5645-0200
Fax: +91-022-5691-9342

Attack Method:
Spoofing while attempting to compromise the server using a dictionary attack on common system accounts and common user names. The source address resolved to a hostname that did not map back to the same address, which sshd flags as a possible break-in attempt on every connection.

Apr 2 11:02:43 gump sshd[4986]: Invalid user sara from 202.63.185.230
Apr 2 11:02:43 gump sshd[4986]: Address 202.63.185.230 maps to 202-63-185-230.static.exatt.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Apr 2 11:02:53 gump sshd[4990]: Address 202.63.185.230 maps to 202-63-185-230.static.exatt.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Apr 2 11:02:55 gump sshd[4992]: Address 202.63.185.230 maps to 202-63-185-230.static.exatt.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Apr 2 11:02:57 gump sshd[4994]: Address 202.63.185.230 maps to 202-63-185-230.static.exatt.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Apr 2 11:03:00 gump sshd[4996]: Invalid user ftpuser from 202.63.185.230
Apr 2 11:03:00 gump sshd[4996]: Address 202.63.185.230 maps to 202-63-185-230.static.exatt.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Apr 2 11:03:02 gump sshd[4998]: Invalid user uid from 202.63.185.230
Apr 2 11:03:02 gump sshd[4998]: Address 202.63.185.230 maps to 202-63-185-230.static.exatt.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Apr 2 11:03:04 gump sshd[5000]: Invalid user gid from 202.63.185.230
Apr 2 11:03:04 gump sshd[5000]: Address 202.63.185.230 maps to 202-63-185-230.static.exatt.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Apr 2 11:03:06 gump sshd[5002]: Invalid user shell from 202.63.185.230
Apr 2 11:03:06 gump sshd[5002]: Address 202.63.185.230 maps to 202-63-185-230.static.exatt.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!

Hacker Info:
IP address: 218.207.69.139
Host server: 218.207.69.139
Network: CMNET
ISP/organization: China Mobile Communications Corporation
ISP/organization address: Mobile Communications Network Operator in China, Internet Service Provider in China
Geographical location: China (CN)
Name: Jinxia Sun
Email: abuse@chinamobile.com
Phone: +86-10-66006688-1755
Fax: +86-10-66006012

Attack Method:
Attempted to breach the server via SSH, but the server had been modified to reject unauthorized users. The hacker tried to breach the server twice and moved on.

Apr 4 06:26:41 gump sshd[12345]: refused connect from ::ffff:218.207.69.139 (::ffff:218.207.69.139)
Apr 4 06:32:33 gump sshd[12390]: refused connect from ::ffff:218.207.69.139 (::ffff:218.207.69.139)
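An added example, not part of the original post, that turns the three kinds of sshd messages shown in the excerpts above (dictionary-attack "Invalid user" lines, reverse-DNS mismatch warnings, and refused connections) into per-source counts and flags any source that hammers the server in a short burst. The sample lines are copied from the excerpts in this post; the log year and the burst window/threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample lines copied from the sshd excerpts in this post
SAMPLE_LOG = """\
Feb 28 15:53:29 gump sshd[5368]: Invalid user admin from 203.144.221.26
Feb 28 15:53:32 gump sshd[5370]: Invalid user guest from 203.144.221.26
Feb 28 15:53:35 gump sshd[5373]: Invalid user master from 203.144.221.26
Apr 2 11:02:43 gump sshd[4986]: Invalid user sara from 202.63.185.230
Apr 2 11:02:43 gump sshd[4986]: Address 202.63.185.230 maps to 202-63-185-230.static.exatt.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Apr 4 06:26:41 gump sshd[12345]: refused connect from ::ffff:218.207.69.139 (::ffff:218.207.69.139)
"""

INVALID_USER = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)$")
DNS_MISMATCH = re.compile(r"sshd\[\d+\]: Address (\S+) maps to \S+, but this does not map back")
REFUSED = re.compile(r"sshd\[\d+\]: refused connect from (\S+)")

def parse_ts(ts, year=2008):
    # syslog timestamps carry no year; the year is an assumption
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def is_burst(timestamps, window, threshold):
    """True if at least `threshold` events fall inside any `window`-second span."""
    ts = sorted(timestamps)
    for i in range(len(ts)):
        j = i
        while j < len(ts) and (ts[j] - ts[i]).total_seconds() <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False

def summarize(log_text, window=60, threshold=3):
    """Per-source counts of each message type plus the sources that burst."""
    invalid, mismatch, refused = Counter(), Counter(), Counter()
    users, times = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        if m := INVALID_USER.search(line):
            ts, user, src = m.groups()
            invalid[src] += 1
            users[src].add(user)
            times[src].append(parse_ts(ts))
        elif m := DNS_MISMATCH.search(line):
            mismatch[m.group(1)] += 1
        elif m := REFUSED.search(line):
            # sshd logs IPv4 sources as IPv4-mapped IPv6 (::ffff:a.b.c.d); normalize
            refused[m.group(1).replace("::ffff:", "")] += 1
    bursting = {src for src, t in times.items() if is_burst(t, window, threshold)}
    return {"invalid": dict(invalid), "users": {s: sorted(u) for s, u in users.items()},
            "mismatch": dict(mismatch), "refused": dict(refused), "bursting": bursting}
```

Sources that appear in `bursting` are the ones worth blocking or rate-limiting; a source that shows up only under `refused` confirms the hardening already held.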
