
OVH Hacking attempts


dansgalaxy
07-12-2009, 01:40
Hmm interesting, cool to know though

Myatu
07-12-2009, 00:28
You don't have to. Just add a "&" to it, so it'll run in the background (called "forking"; i.e., "./echoserver.py 22 &"). It's a handy little thing to know, since it works with anything. And it'll be safe to log out or do other things in the meantime.

You can use the "kill" command to stop it. To find the process ID (used for "kill") use "ps aux | grep echoserver".

Now, I'd say that this crude script really is for "educational purposes" only though, and here's why:

If someone constantly hammers your script and you keep sending data back, imagine what will happen after an hour with 1000 requests per second. You're DoSsed and eating up all the bandwidth better served for sending HTTP responses -- the website(s) on your server.

At the same time, you're acknowledging to a rogue person that "something" is there, and thus worth his/her while to continue. For these reasons most firewalls are set to "ignore" traffic to unauthorized ports, in that they will not send anything back at all.

Furthermore, you shouldn't really have any ports accessible if it's not really necessary. What if there's an unknown (to you) flaw in Python and a buffer-overrun is possible? This will open your server for all kinds of exploits. Sure, SSH may have a similar issue, but that's needed for you to access it, so you need to take a required risk. But something that says "Uh-uh! Nice try!" for no real reason begs to be exploited.

dansgalaxy
07-12-2009, 00:03
Ah but will I need to have a shell open constantly for this to work?

I was thinking of having something on the SSH port (with real SSH on another port) so when people try and connect.

Apologies, I'm a bit noobish in anything outside of PHP :P

Myatu
06-12-2009, 23:13
Quote Originally Posted by dansgalaxy
How might you set up a dummy program on port 22? Just for funzies?
Save this:
Code:
#!/usr/bin/env python
"""USAGE: echoserver.py <port>"""
from __future__ import print_function   # so the prints below work on Python 2 and 3
import sys
try:                                     # Python 2 module name ...
    from SocketServer import BaseRequestHandler, TCPServer
except ImportError:                      # ... and the Python 3 one
    from socketserver import BaseRequestHandler, TCPServer

class EchoHandler(BaseRequestHandler):
    def handle(self):
        # Log the peer, send back whatever it sent (up to 64 KiB), then hang up.
        print("Client connected:", self.client_address)
        self.request.sendall(self.request.recv(2**16))
        self.request.close()

if len(sys.argv) != 2:
    print(__doc__)
else:
    TCPServer(('', int(sys.argv[1])), EchoHandler).serve_forever()
into a file called "echoserver.py" and do a "chmod +x echoserver.py". Then simply start it with "./echoserver.py 22" and kill it with Ctrl+C. It'll send back whatever is typed, but you can change this to simply send the "Sorry dude" message.

Not my code by the way, I'm not that into Python (though I forgot where I got it from. Google will tell, I'm sure).

PS: forgot. Ports <= 1024 require root priv. So "sudo" if needed.

dansgalaxy
06-12-2009, 22:30
Random thing to throw out here, apologies for thread jackin'

How might you set up a dummy program on port 22? Just for funzies?

E.g., so when someone tries to connect on port 22 they just get a message back to the terminal? E.g. "Ah. Sorry, not hacking this server by port 22! Try again!"



IainK
02-12-2009, 07:51
I really don't like this idea of changing ports. As monkey56657 has stated, some services don't like random ports, and some people decide to configure their routers to allow port 22 higher priority than other traffic.

I seriously recommend disabling password based authentication, that way when all these hack attempts come in they simply will not have the option of entering a password.

freshwire
02-12-2009, 01:48
Quote Originally Posted by Andy
To all of those being hit on port 22... change it. Simple as that. Use a non standard port and bots won't hit you anywhere near as often. Also make sure your password is secure (e.g. over 12 characters and including symbols and numbers). Make sure it does not use dictionary words and substitute letters for numbers, e.g. a 1 for an L, etc. Even the simplest of measures can prevent your server being compromised.
Some wifi services will allow outgoing connections to port 22 but not another random port... So I will stick with 22. But not allowing access via the root account is a good idea. Make some other account that can sudo to root (even if automatically).

Andy
02-12-2009, 01:11
To all of those being hit on port 22... change it. Simple as that. Use a non standard port and bots won't hit you anywhere near as often. Also make sure your password is secure (e.g. over 12 characters and including symbols and numbers). Make sure it does not use dictionary words and substitute letters for numbers, e.g. a 1 for an L, etc. Even the simplest of measures can prevent your server being compromised.

Myatu
01-12-2009, 19:59
LOL. I know, shame on me!

freshwire
01-12-2009, 19:32
Quote Originally Posted by Myatu
In the last few days I'm seeing 3 particular servers at OVH running a bot on my SSH port, but other than that, this isn't something out of the ordinary. Like DigitalDaz said, I'd actually be a little worried if this didn't happen -- it's good for checking internet reachability, for free (Yes, China can reach my server)
I think I can reach your server .. but maybe it's not right.. no new blog posts for AGES

Myatu
01-12-2009, 19:11
In the last few days I'm seeing 3 particular servers at OVH running a bot on my SSH port, but other than that, this isn't something out of the ordinary. Like DigitalDaz said, I'd actually be a little worried if this didn't happen -- it's good for checking internet reachability, for free (Yes, China can reach my server)

DigitalDaz
01-12-2009, 18:46
If my port 22 wasn't being hit on my boxes I would start to wonder if there was something wrong with them; it's kinda comforting to know everything is still working.

fozl
01-12-2009, 18:11
As said already, to prevent "background brute force", it's best to change your ssh port and disable root login.

IainK
01-12-2009, 12:23
I used to get requests like these. Even though I know no one could possibly hack my password, I still disable password-based authentication and use public/private keys. This way, I know that no one can get into my server without my private key, and even if the device becomes compromised, the key's passphrase is still required.

Neil
01-12-2009, 11:33
Right, let's clear this up: it's not an OVH employee, since we have the SSH key if it has been left; also, why would we want to 'hack' the server?

In your case it was another server, which has been disabled and is now waiting on reinstallation by the customer.

This also goes for all of you: if you have any SSH attempts that come from OVH servers, then send them to abuse@ovh.net.

jonlewi5
30-11-2009, 22:52
Quote Originally Posted by Paw-Fox
best one i've seen so far is: "emoboy : knives" as a login attempt.
hahaha

you know I'm going through my logs tonight to try and beat that

Paw-Fox
30-11-2009, 21:36
As your IP is public, aka easyabc-hosting.com - Anybody with a computer can run a "robot" which locates an IP in seconds, so in this case it found yours.

Using a dictionary file, it then tries every word in the list to see if it can gain access. Which is why, as a server admin, you never have a password like "bumblebee" or even "Antidisestablishmentarianism"; it's still crackable.

Possibly many machines have been exploited and are running these programs without the user's knowledge. Yes, you'll get an OVH one because it's easy to trace: doing a simple network scan of the IP range 87.98.155. would show me the servers that are online and offline. It then runs down the list of IPs in its collection and tries to crack each one using a dictionary attack.

Happens to me all the time on my FTP server, I see random logins - best one I've seen so far is: "emoboy : knives" as a login attempt.

jonlewi5
30-11-2009, 20:41
Quote Originally Posted by easyhost
I am no *****, done this and OVH won't do anything
no offence meant,

But throwing those kinds of allegations (spelling?) around kinda makes you look a bit daft.

Euan
30-11-2009, 20:17
Quote Originally Posted by easyhost
I am no *****, done this and OVH won't do anything
You blatantly are if you think OVH is the one hacking you and for some reason posted this in the new section just to confirm that you are indeed retarded.

Andy
30-11-2009, 20:12
Probably because they have real hacking to deal with. This was a hacking attempt, meanwhile there are hacks that have succeeded. I think they get priority over "attempts".

easyhost
30-11-2009, 20:11
Quote Originally Posted by jonlewi5
Those are OVH servers, not OVH themselves. Possibly worth forwarding your logs to the abuse address

~EDIT

Did the search for you

abuse@ovh.net
I am no *****, done this and OVH won't do anything

Andy
30-11-2009, 20:09
It makes me laugh when people accuse OVH of these sorts of things just because it's an OVH IP. OVH own hundreds of thousands of IPs, so it's always them? Nah...

MicroChip123
30-11-2009, 19:38
Can you change your SSH port to something else and disable root login? That will give you a fair degree of protection against SSH brute forcing.
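An added example, not code from any poster in this thread: a small audit of an sshd_config against the advice IainK, fozl and MicroChip123 give (root login off, password authentication off in favour of keys). It assumes OpenSSH's keyword/value file format and runs on two constructed config fragments, one weak and one hardened.

```python
import re

# Two sshd_config fragments constructed for this example: "before" and "after".
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
# sshd keeps the FIRST value of a keyword, so this later line changes nothing:
PasswordAuthentication no
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Global settings as {lowercased keyword: value}, following sshd's rules: keywords are
    case-insensitive, the first occurrence wins, and a Match line starts conditional settings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+|$)(.*)", line)  # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit(text):
    """(keyword, observed value, advice) for each global setting that departs
    from the thread's advice; an empty list means the config passes."""
    s = parse_sshd_config(text)
    get = lambda k: s.get(k.lower(), "<unset>").lower()
    checks = [
        ("PermitRootLogin", get("PermitRootLogin") == "no",
         "set to no; log in as an ordinary user and sudo"),
        ("PasswordAuthentication", get("PasswordAuthentication") == "no",
         "set to no; authenticate with a passphrase-protected key pair"),
        ("ChallengeResponseAuthentication", get("ChallengeResponseAuthentication") == "no",
         "set to no, otherwise PAM keyboard-interactive still accepts passwords"),
        ("PubkeyAuthentication", get("PubkeyAuthentication") in ("yes", "<unset>"),
         "must stay yes once passwords are off, or you lock yourself out"),
    ]
    return [(k, get(k), advice) for k, ok, advice in checks if not ok]
```

Run `audit()` on `/etc/ssh/sshd_config` before restarting sshd with passwords disabled, and keep an existing session open until a key login has been confirmed from a second one.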

jonlewi5
30-11-2009, 19:25
Those are OVH servers, not OVH themselves. Possibly worth forwarding your logs to the abuse address

~EDIT

Did the search for you

abuse@ovh.net

gigabit
30-11-2009, 19:24
"OVH are hackers"? I think not. People using OVH's servers might be running SSH bots, but that's nothing new. That happens on any network, and almost any public IP will get bot attempts on port 22.

easyhost
30-11-2009, 19:05
Just to warn all OVH users that OVH are HACKERS, as all the evidence below proves: all IPs used belong to OVH, and OVH refuse to do anything about these attempts.

----- Original Message -----
From:
To:
Sent: Friday, November 27, 2009 9:07 PM
Subject: Large Number of Failed Login Attempts from IP 87-98-155-67.ovh.net
>3 failed login attempts to account root (system) -- Large number of attempts from this IP: 87-98-155-67.ovh.net
>
server log
Nov 27 21:07:55 monroe lfd[29017]: 5 (sshd) login failures from 87.98.155.67 in the last 300 secs - *Blocked in csf*
Nov 27 21:08:30 monroe lfd[29156]: 5 (sshd) login failures from 87.98.155.67 in the last 300 secs - *Blocked in csf*
------------------------------------------------
----- Original Message -----
From:
To:
Sent: Friday, November 27, 2009 11:26 PM
Subject: Large Number of Failed Login Attempts from IP 188-165-114-104.reverse.sundedicated.net
>3 failed login attempts to account guest (system) -- Large number of attempts from this IP: 188-165-114-104.reverse.sundedicated.net
>
server logs
Nov 27 23:26:56 monroe lfd[27755]: 5 (sshd) login failures from 188.165.114.104 in the last 300 secs - *Blocked in csf*
Nov 27 23:27:26 monroe lfd[27856]: 5 (sshd) login failures from 188.165.114.104 in the last 300 secs - *Blocked in csf*
--------------------------------------------------
----- Original Message -----
From:
To:
Sent: Sunday, November 29, 2009 3:29 AM
Subject: Large Number of Failed Login Attempts from IP ns208569.ovh.net
>3 failed login attempts to account webmaster (system) -- Large number of attempts from this IP: ns208569.ovh.net
>
Server Log
Nov 29 03:29:52 monroe lfd[11109]: 5 (sshd) login failures from 94.23.224.211 in the last 300 secs - *Blocked in csf*
Nov 29 03:30:12 monroe lfd[11219]: 5 (sshd) login failures from 94.23.224.211 in the last 300 secs - *Blocked in csf*
Nov 29 03:30:33 monroe lfd[11268]: 5 (sshd) login failures from 94.23.224.211 in the last 300 secs - *Blocked in csf*
Nov 29 03:30:52 monroe lfd[11341]: 5 (sshd) login failures from 94.23.224.211 in the last 300 secs - *Blocked in csf*
Nov 29 03:31:17 monroe lfd[11448]: 5 (sshd) login failures from 94.23.224.211 in the last 300 secs - *Blocked in csf*
--------------------------------------------
----- Original Message -----
From:
To:
Sent: Sunday, November 29, 2009 2:55 PM
Subject: Large Number of Failed Login Attempts from IP ks23721.kimsufi.com
>3 failed login attempts to account admin (system) -- Large number of attempts from this IP: ks23721.kimsufi.com
>
server log
Nov 29 14:56:10 monroe lfd[23088]: 5 (sshd) login failures from 91.121.15.151 in the last 300 secs - *Blocked in csf*
Nov 29 17:34:51 monroe lfd[24337]: 5 (sshd) login failures from 91.121.15.151 in the last 300 secs - *Blocked in csf*
----------------------------------------------
----- Original Message -----
From:
To:
Sent: Monday, November 30, 2009 1:51 AM
Subject: Large Number of Failed Login Attempts from IP 87-98-155-67.ovh.net
>3 failed login attempts to account webmaster (system) -- Large number of attempts from this IP: 87-98-155-67.ovh.net
>
server log
Nov 30 01:51:50 monroe lfd[1744]: 5 (sshd) login failures from 87.98.155.67 in the last 300 secs - *Blocked in csf*
--------------------------------------------------------
----- Original Message -----
From:
To:
Sent: Monday, November 30, 2009 9:58 AM
Subject: Large Number of Failed Login Attempts from IP mail.skynet.fr
>3 failed login attempts to account root (system) -- Large number of attempts from this IP: mail.skynet.fr
>
server log
Nov 30 09:58:47 monroe lfd[5947]: 5 (sshd) login failures from 213.251.177.21 in the last 300 secs - *Blocked in csf*
Nov 30 09:59:32 monroe lfd[6095]: 5 (sshd) login failures from 213.251.177.21 in the last 300 secs - *Blocked in csf*
-------------------------------------------------------------
----- Original Message -----
From:
To:
Sent: Monday, November 30, 2009 3:19 PM
Subject: Large Number of Failed Login Attempts from IP ns208569.ovh.net
>3 failed login attempts to account guest (system) -- Large number of attempts from this IP: ns208569.ovh.net
>
server log
Nov 30 15:19:33 monroe lfd[7859]: 5 (sshd) login failures from 94.23.224.211 in the last 300 secs - *Blocked in csf*
Nov 30 15:25:08 monroe lfd[8957]: 5 (mod_security) login failures from 86.11.184.151 in the last 300 secs - *Blocked in csf*
Nov 30 15:28:23 monroe lfd[9650]: 5 (mod_security) login failures from 86.11.184.151 in the last 300 secs - *Blocked in csf*
Nov 30 15:29:33 monroe lfd[9840]: 5 (mod_security) login failures from 86.11.184.151 in the last 300 secs - *Blocked in csf*
Nov 30 15:30:13 monroe lfd[10013]: 5 (mod_security) login failures from 86.11.184.151 in the last 300 secs - *Blocked in csf*
----------------------------------------------------------
----- Original Message -----
From:
To:
Sent: Monday, November 30, 2009 3:56 PM
Subject: Large Number of Failed Login Attempts from IP 188-165-114-104.reverse.sundedicated.net
>3 failed login attempts to account root (system) -- Large number of attempts from this IP: 188-165-114-104.reverse.sundedicated.net
>
server log
Nov 30 15:56:25 monroe lfd[15399]: 5 (sshd) login failures from 188.165.114.104 in the last 300 secs - *Blocked in csf*
--------------------------------------------------
----- Original Message -----
From:
To:
Sent: Monday, November 30, 2009 5:17 PM
Subject: Large Number of Failed Login Attempts from IP ns305050.ovh.net
>4 failed login attempts to account payala (system) -- Large number of attempts from this IP: ns305050.ovh.net
>
server log
Nov 30 17:18:10 monroe lfd[323]: 5 (sshd) login failures from 94.23.216.72 in the last 300 secs - *Blocked in csf*
Nov 30 17:18:45 monroe lfd[460]: 5 (sshd) login failures from 94.23.216.72 in the last 300 secs - *Blocked in csf*
Nov 30 17:19:05 monroe lfd[548]: 5 (sshd) login failures from 94.23.216.72 in the last 300 secs - *Blocked in csf*
Nov 30 17:19:25 monroe lfd[614]: 5 (sshd) login failures from 94.23.216.72 in the last 300 secs - *Blocked in csf*
---------------------------------------------------
----- Original Message -----
From:
To:
Sent: Monday, November 30, 2009 5:50 PM
Subject: Large Number of Failed Login Attempts from IP ns305050.ovh.net
>3 failed login attempts to account root (system) -- Large number of attempts from this IP: ns305050.ovh.net
>
server log
Nov 30 17:50:22 monroe lfd[6943]: 5 (sshd) login failures from 94.23.216.72 in the last 300 secs - *Blocked in csf*
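Added example, not part of easyhost's post: a parser for the lfd block lines quoted above that groups them by source IP, so the addresses to send to abuse@ovh.net (as Neil asks) and the ones that come straight back after a block fall out automatically. The sample input reuses log lines from the post plus one constructed non-lfd line; the year is assumed from the post dates.

```python
import re
from collections import defaultdict
from datetime import datetime

# Block lines as lfd writes them, in the shape quoted in the post above.
LFD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ lfd\[\d+\]: (?P<count>\d+) "
    r"\((?P<svc>[^)]+)\) login failures from (?P<ip>\S+) in the last \d+ secs"
    r" - \*Blocked in csf\*$")

# Sample input: lines copied from the post above, plus one constructed sshd line
# that the parser must ignore.
SAMPLE_LOG = """\
Nov 27 21:07:55 monroe lfd[29017]: 5 (sshd) login failures from 87.98.155.67 in the last 300 secs - *Blocked in csf*
Nov 27 21:08:30 monroe lfd[29156]: 5 (sshd) login failures from 87.98.155.67 in the last 300 secs - *Blocked in csf*
Nov 30 01:51:50 monroe lfd[1744]: 5 (sshd) login failures from 87.98.155.67 in the last 300 secs - *Blocked in csf*
Nov 30 15:25:08 monroe lfd[8957]: 5 (mod_security) login failures from 86.11.184.151 in the last 300 secs - *Blocked in csf*
Nov 30 17:50:22 monroe lfd[6943]: 5 (sshd) login failures from 94.23.216.72 in the last 300 secs - *Blocked in csf*
Nov 30 17:50:23 monroe sshd[7000]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
"""

def parse_lfd_blocks(text, year=2009):
    """Yield one event per lfd block line; syslog omits the year, so it is passed in."""
    for line in text.splitlines():
        m = LFD_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            yield {"ts": ts, "ip": m.group("ip"), "svc": m.group("svc"), "failures": int(m.group("count"))}

def summarise(text, year=2009):
    """Per source IP: total failures, services hit and the sorted block times."""
    agg = defaultdict(lambda: {"failures": 0, "services": set(), "times": []})
    for ev in parse_lfd_blocks(text, year):
        agg[ev["ip"]]["failures"] += ev["failures"]
        agg[ev["ip"]]["services"].add(ev["svc"])
        agg[ev["ip"]]["times"].append(ev["ts"])
    return {ip: dict(a, times=sorted(a["times"])) for ip, a in agg.items()}

def repeat_offenders(summary, min_blocks=2):
    """IPs blocked at least min_blocks times: the ones worth a permanent deny
    and a report to the owning network's abuse address."""
    return sorted(ip for ip, a in summary.items() if len(a["times"]) >= min_blocks)

def reblocked_within(summary, seconds=60):
    """IPs blocked again within `seconds` of the previous block. Either the bot
    had connections open before the block (sshd allows several tries per
    connection) or the rule is not being enforced; check the firewall first."""
    return sorted(ip for ip, a in summary.items()
                  if any((t2 - t1).total_seconds() <= seconds
                         for t1, t2 in zip(a["times"], a["times"][1:])))
```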