SSH brute force attempts seem to be on the rise again; at the SANS Internet Storm Center we have received a number of reports of networks that are seeing them. The source IP address changes with each new username attempted from the wordlist, which indicates that the attempts are distributed through one or more botnets. It only takes a single user with a weak password for a breach to occur, and with that foothold, privilege escalation and further attacks are likely to follow. This is certainly not a new phenomenon, but I think it is a good time to raise awareness about it once again.
Reader xemaps wrote in with this log snippet:
All day my server has been targeted by a botnet; the attacker also changed IP for each new dictionary user.
Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 87.66.x.x
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x
Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 84.73.x.x
Reader Ingvar wrote in with a similar pattern:
On my home system I have seen these login attempts that start with user aaa and go on alphabetically from over 1000 different hosts around the world (judging from the DenyHosts reports). Normally I only see single-digit attempts per day.
Jun 17 02:14:56 MyHost sshd[808]: error: PAM: authentication error for illegal user aaa from 151.100.x.x
Jun 17 02:23:11 MyHost sshd[870]: error: PAM: authentication error for illegal user aabakken from 150.254.x.x
Jun 17 02:24:57 MyHost sshd[875]: error: PAM: authentication error for illegal user aapo from 173.33.x.x
Jun 17 02:35:23 MyHost sshd[885]: error: PAM: authentication error for illegal user abakus from 121.160.x.x
Jun 17 02:37:32 MyHost sshd[895]: error: PAM: authentication error for illegal user abas from 190.200.x.x
Jun 17 02:38:18 MyHost sshd[900]: error: PAM: authentication error for illegal user abc from 193.251.x.x
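Both readers' logs share one shape: many invalid usernames, walked in wordlist order, each from a different source address, so a per-IP threshold (the rule DenyHosts or fail2ban acts on) never trips. The following is an added example, not from the diary or either reader, that parses both sshd line formats quoted above and flags that shape; the sample log is constructed from xemaps' snippet with the octets masked as in the diary.

```python
import re
from collections import Counter
from datetime import datetime

# Both sshd formats quoted in the diary: plain "Invalid user" and the PAM variant.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:error: PAM: authentication error for illegal user|Invalid user) "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample (xemaps' lines plus one unrelated successful login to be ignored).
SAMPLE_LOG = """\
Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 87.66.x.x
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x
Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 84.73.x.x
Jun 17 23:17:30 pro sshd[17940]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""

def parse(lines):
    """Return (timestamp, username, source_ip) for each failed-login line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
            events.append((ts, m.group("user"), m.group("ip")))
    return events

def summarize(events):
    """Per-host view of the failures: how many, from how many sources, how fast."""
    users = [u for _, u, _ in events]
    per_ip = Counter(ip for _, _, ip in events)
    stamps = [t for t, _, _ in events]
    return {
        "attempts": len(events),
        "distinct_users": len(set(users)),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "span_seconds": int((max(stamps) - min(stamps)).total_seconds()) if stamps else 0,
        "alphabetical": users == sorted(users),  # a wordlist is walked in order
    }

def is_distributed_campaign(summary, min_attempts=5, per_ip_limit=3):
    """Many failures on the host, yet no single source reaches the per-IP limit:
    alert on the per-host total, because source-based blocking will stay silent."""
    return summary["attempts"] >= min_attempts and summary["max_per_ip"] < per_ip_limit
```

Feed it a day of auth.log and the "alphabetical" flag plus a high distinct_ips/attempts ratio separates a botnet wordlist walk from the usual single-host scanner.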
Last year ISC Handler Rick wrote up a diary for Cyber Security Awareness Month - Day 17 - Port 22/SSH about SSH brute force attempts and some safeguards that can be implemented. Here is a brief summary:
Deploy the SSH server on a port other than 22/TCP
Deploy one of the SSH brute force prevention tools
Disallow remote root logins
Set PasswordAuthentication to no and use keys
If you must use passwords, ensure that they are all complex
Use AllowGroups to limit access to a specific group of users
Use a chroot jail for SSH if possible
Limit the IP ranges that can connect to SSH
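Several of the items above map directly onto sshd_config keywords, and it is easy to believe a setting is in force when a commented-out line or a later duplicate means sshd never saw it. The following is an added example, not from the diary or the original Awareness Month post, that audits a configuration against those items the way sshd reads it (comments stripped, keywords case-insensitive, first occurrence wins, global parsing stops at the first Match block). Both configurations are constructed; the defaults assumed for absent keywords are those of the OpenSSH releases of the time, and the "Keyword=value" spelling is not handled.

```python
# Constructed "before" config: the commented-out Port line leaves sshd on 22/TCP.
WEAK_CONFIG = """\
# Port 2222
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed "after" config following the checklist above.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
"""

# Assumed defaults for absent keywords (OpenSSH of the era); adjust for your build.
DEFAULTS = {"port": "22", "permitrootlogin": "yes",
            "passwordauthentication": "yes", "allowgroups": ""}

def effective_settings(text):
    """Global settings as sshd applies them: first value of a keyword wins,
    keywords are case-insensitive, and a Match block ends the global section."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    settings = dict(DEFAULTS)
    settings.update(seen)
    return settings

def audit(text):
    """Return the checklist items the configuration fails (empty list if none)."""
    s = effective_settings(text)
    findings = []
    if s["port"] == "22":
        findings.append("listening on 22/TCP: move sshd to another port")
    if s["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is not 'no': remote root login allowed")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': use keys instead")
    if not s["allowgroups"]:
        findings.append("no AllowGroups: every local account may attempt to log in")
    return findings
```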
If you have any comments, additional examples of safeguards, or additional information please let us know here.
Cheers,
Adrien de Beaupré
EWA-Canada.com
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft and the National Cyber-Forensics and Training Alliance (NCFTA), with the support of Accuity, the American Bankers Association, Anti-Phishing Working Group, Citizens Bank, eBay Inc., Federal Trade Commission, National Consumers League and PayPal are introducing a new program to help identify potential fraudulent financial activity due to online fraud and to notify the institutions involved that their customers' personal identity may be at risk of abuse. This program:
Will offer a trusted and effective mechanism for participating researchers to report stolen credentials discovered online -
The program was unveiled today and will go into effect immediately. For more information see:
http://www.microsoft.com/Presspass/press/2010/jun10/06-17FraudAlertPR.mspx
http://ifraudalert.org/
Deb Hale Long Lines, LLC
Cisco announces the end-of-sale and end-of-life dates for the Cisco Security Agent. There is no replacement available for the Cisco Security Agent at this time.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps2330/end_of_life_c51-602579.html
(Sales end this December, Maintenance the following December, and it will no longer be supported after December 2013).
Thanks Brian!
Cheers,
Adrien de Beaupré
EWA-Canada.com
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Just a quick word of caution.... Be careful what you type. We have just received information from one of our
readers, thanks Aaron, that w w w . malware domain lists . com is masquerading as legitimate site
www.malwaredomainlist.com (without the s). A quick check finds articles referencing this bad
boy site as part of the Personal Antivirus infector group.
Deb Hale Long Lines, LLC
I just happened upon a CBS News video that gave me pause for thought. This was posted back in April; however, I missed it until now.
http://www.cbsnews.com/video/watch/?id=6412572n
The video talks about the fact that modern digital copy machines, those sold after 2002, contain a hard drive. These hard drives store the images copied. These machines are traded in for new models and then refurbished and resold. However, the hard drives more than likely are not getting scrubbed to remove the content. One of the copy machines in the video not only contained content on the hard drive but also still had documents left on the copy bed.
This brings up some interesting discussions. What is on your copy machine hard drive? When it is sent in for repair, what information may be gleaned from a quick glance at the drive? Is your copy machine another potential target to aid in identity theft?
Food for thought. Should there be processes and procedures in place for the disposal of these devices? Do you know what other devices in your organization contain a hard drive or other storage device? Is there a process for cleaning before disposal?
Let me know what you think. What does your company do, if anything, to ensure that no confidential data is leaked by the disposal of old equipment?
Deb Hale Long Lines, LLC
Please patch those flash players as soon as possible.
Last week Handler Deb Hale posted a diary speaking to some Adobe proof of concept malware in the wild.
http://isc.sans.edu/diary.html?storyid=8932
Here is the summary from the Adobe Security Bulletin.
http://www.adobe.com/support/security/bulletins/apsb10-14.html
Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions update to Adobe Flash Player 10.1.53.64. Adobe recommends users of Adobe AIR 1.5.3.9130 and earlier versions update to Adobe AIR 2.0.2.12610.
Flash Player 10.1 - Release Notes
http://kb2.adobe.com/cps/838/cpsid_83808.html
US-CERT Technical Cyber Security Alert
http://www.us-cert.gov/cas/techalerts/TA10-159A.html
Thanks go to Joe D. for supporting the Internet Storm Center and giving us a heads up on this security update.
Kevin Shortt
ISC Handler on Duty
UPDATE: Joe D. followed up with the following note:
Once installed, it is identified as version 10.1.53.64.
UPDATE 2: Thanks for the note Deapesh.
It is noteworthy that this Security Update was released by Adobe on June 10, 2010.
Paterva has released Maltego 3.
Thanks to Joe for giving us a heads up on this release.
http://www.paterva.com/web5/client/download.php#Community
Kevin Shortt
ISC Handler on Duty
Well, it seems that if you order an iPhone 4 you might get access to the private information of other AT&T customers. The exposed information includes private addresses, phone calls, and bills.
More information at http://gizmodo.com/5564262/apple-iphone-4-order-security-breach-exposes-private-information
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Apple released today an advisory for multiple vulnerabilities discovered in Mac OS X. Impacted programs include CUPS, Desktop Services, Folder Manager, Help Viewer, iChat, ImageIO, Kerberos, libcurl, Network Authorization, Open Directory, Printer Setup, Printing, Ruby, SMB File Server, SquirrelMail, and Wiki Server. Mac users: please download the Mac OS X Server v10.6.4 Update Mac mini (Mid 2010) at http://support.apple.com/downloads/DL1055/en_US/MacOSXSrvUp10.6.4MacminiMid2010.dmg. Better to patch quickly before an exploit appears in the wild.
More information for the advisory at http://support.apple.com/kb/HT4188.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Reader Jack showed us notifications that the vulnerability for Microsoft Windows Help and Support Center is being exploited in the wild. More information for this vulnerability at http://www.microsoft.com/technet/security/advisory/2219475.mspx.
To fix this problem, please visit http://support.microsoft.com/kb/2219475 and look for the "Enable this fix" image. It will download an MSI that unregisters the HCP protocol handler as a workaround, because there is currently no patch available.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
I live in a country where credit and debit card fraud is pretty high, and unfortunately banks have not provided secure means to avoid credit and debit card cloning. In the USA I have seen OTP devices to access online banking, but credit cards are pretty much the same. I learned that Mastercard will provide credit cards with OTP included. This is great news because it will decrease bank fraud a lot.
More information at http://www.slashgear.com/mastercard-trialling-smart-credit-cards-with-display-keypads-1089351/
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Judy Novak posted on her blog an excellent article on IDS/IPS evasions on TCP, showing a real example when Linux runs on the destination host. Check it out at http://www.packetstan.com.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Reader Freddie showed us a Sophos report of an application that has gone rogue by spamming your contacts once you add it to your profile. The application claims to give you access to a video named "Teacher nearly killed this boy".
Facebook users: please be careful about the links you visit and the applications you add to your profile, even if they claim to give you access to shocking content like this one. Always use applications that come from a trusted source, or you might unknowingly be helping future malware spread around the world.
More information at: http://www.sophos.com/blogs/gc/g/2010/06/14/teacher-killed-boy-rogue-spamming-facebook-app-large/
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Reader Edward pointed us to an interesting link showing that a small batch of Olympus Stylus Tough 6010 cameras shipped with malware inside their internal memory. More information at: http://www.sophos.com/blogs/gc/g/2010/06/08/olympus-stylus-tough-camera-carries-malware-infection/
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
I saw this interesting project that wants to create a Python virtual machine to run inside a microcontroller without an underlying OS. This could be the gateway to a Python hardware processor before long.
More information at: http://code.google.com/p/python-on-a-chip/
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Are you a security professional who needs to learn the basics of Metasploit but hasn't found a source? Darknet Consulting (http://darknet-consulting.com/) has done a nice video that shows how to use it.
Download the video here: http://darknet-consulting.com/video/vector2/meta101.wmv
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
I am a fan of ModSecurity (http://www.modsecurity.org/) as a fast and cheap way to get decent protection against application layer attacks. But, as you know, risks are increasing, and when the risk analysis performed for your organization shows that application disruptions have a big impact on the core business, it's time to strengthen controls and think about delivering protection from the code itself. I have found the PHPIDS library useful; it detects XSS, SQL injection, header injection, directory traversal, DoS and LDAP attacks. Since it works from within the code, you can take its output and send it to your favorite alert vault to correlate security events.
Version 0.6.4 was recently released. More information at http://php-ids.org/2010/06/06/phpids-0-6-4-is-ready/
Want to use the same functionality in Perl? Try http://search.cpan.org/dist/CGI-IDS/lib/CGI/IDS.pm. It is based on PHPIDS.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org