Level 6
zinep
Posts: 1,493
Registered: ‎23-12-2008
Message 1 of 62 (390 Views)

Revenge of the botnet administrator?

Those of you with public servers know that intrusion attempts are a daily occurrence. I can get hundreds of futile ssh login attempts each day on one server alone. "They" typically try the usual "root", "oracle", "mysql", "sql", "admin", etc. logins.

Throughout the years, I've had the philosophy that one shouldn't block any addresses, because letting them attempt attacks keeps one on one's toes.

However, recently I wanted to use regex(3) for something, and I decided to write a fail2ban:ish tool (but with a twist), so I started blocking addresses which appeared in authlog under the wrong circumstances.

I was slightly bemused to find that as I started blocking addresses, certain .. four-letter words started appearing in authlog, and grepping for such entries in the archived logs revealed no such entries. :smileyhappy:

...and just for the record, I think it was just a coincidence -- but the timing did make me laugh.

Anyone else seen these four-letter words used during intrusion attempts?


Re: Revenge of the botnet administrator?

All the time.
PatC_PSN
Posts: 14,069
Registered: ‎29-11-2008
Message 3 of 62 (354 Views)

Re: Revenge of the botnet administrator?

Thank God it isn't just me.

Re: Revenge of the botnet administrator?

even when I close my eyes.


Level 3
dannyjt
Posts: 13,359
Registered: ‎04-07-2005
Message 5 of 62 (296 Views)

Re: Revenge of the botnet administrator?

Can you please explain what some of these things are.

Re: Revenge of the botnet administrator?

:smileyvery-happy: I haven't seen any profanity in our logs! We used to get thousands of attacks every week, very annoying. It helped when we disabled password auth, did you try that?

A few years ago on another job, our admin one morning sent out a mail which said "lol! We're getting attacked by some loser who couldn't begin to guess how lucky he's been with the user names so far!". Around lunch came a new mail from him, "I think something is wrong", and late in the afternoon came a panic mail where he said our network may have been compromised! It was funny seeing him going from ridicule to suspicion to panic. :smileyvery-happy:

PatC_PSN
Posts: 14,069
Registered: ‎29-11-2008
Message 7 of 62 (252 Views)

Re: Revenge of the botnet administrator?

Globoux wrote:

A few years ago on another job, our admin one morning sent out a mail which said "lol! We're getting attacked by some loser who couldn't begin to guess how lucky he's been with the user names so far!". Around lunch came a new mail from him, "I think something is wrong", and late in the afternoon came a panic mail where he said our network may have been compromised! It was funny seeing him going from ridicule to suspicion to panic. :smileyvery-happy:

It certainly does sound a riot in the world of IT system administration.


Re: Revenge of the botnet administrator?

Aren't people in IT required to at least be able to spell and use grammar correctly?

I know chimney sweeps who can write better.
PatC_PSN
Posts: 14,069
Registered: ‎29-11-2008
Message 9 of 62 (238 Views)

Re: Revenge of the botnet administrator?

Warren_Jeeves wrote:
Aren't people in IT required to at least be able to spell and use grammar correctly?

I know chimney sweeps who can write better.

I believe it's optional for most jobs these days, including English teacher.


Level 6
zinep
Posts: 1,493
Registered: ‎23-12-2008
Message 10 of 62 (228 Views)

Re: Revenge of the botnet administrator?

dannyjt wrote:
Can you please explain what some of these things are.

I could if I knew what is unclear to you. Could you be more specific?

In essence, I'm going to need to use regular expressions in the programming language C not long from now, so I was looking for a small project just to get started with them (I've used plenty of regular expressions before, just not in C). There's a tool called fail2ban which automatically configures the firewall to block IP addresses of hosts which fail to do remote logins via ssh (Secure SHell). I wrote a tool which works sort of like fail2ban using the regex library.

Previously when logins failed, I simply let them keep trying, but now they get blocked after three failed attempts. And that's when they started using four-letter words as user names.

It got me wondering if botnet administrators actually monitor failures. If one has a botnet, it's pretty trivial to detect if someone starts banning login bots, and it would be trivial to instruct other bots to start logging in using more .. creative user names.
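As an added illustration of the kind of tool zinep describes (this is not zinep's program, nor fail2ban's code), here is a minimal authlog scanner in C built on POSIX regex(3). It assumes the OpenSSH "Failed password for ... from ... port" log wording, keeps a per-address failure count, and reports an address the moment it reaches the three-attempt threshold; the sample log lines are constructed, and the firewall call that a real blocker would make is intentionally left out so the block stays at the detection half.

```c
/* Added example, not the poster's tool: a fail2ban-style authlog scanner on
 * POSIX regex(3).  It extracts user name and source address from OpenSSH
 * "Failed password" lines, counts failures per address and reports each
 * address once, when it reaches THRESHOLD.  Firewall action is left out. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS 64
#define ADDR_LEN  46   /* enough for a textual IPv6 address */
#define USER_LEN  64
#define THRESHOLD 3    /* failures before an address is reported */

/* Assumed OpenSSH wording; group 2 is the user name, group 3 the address. */
static const char *FAIL_RE =
    "Failed password for (invalid user )?([^ ]+) from ([0-9a-fA-F.:]+) port";

struct tally { char addr[ADDR_LEN]; int failures; };
static struct tally table[MAX_ADDRS];
static int ntable;

/* Find the counter for addr, creating it when create != 0; NULL if absent or full. */
static struct tally *lookup(const char *addr, int create)
{
    for (int i = 0; i < ntable; i++)
        if (strcmp(table[i].addr, addr) == 0)
            return &table[i];
    if (!create || ntable == MAX_ADDRS)
        return NULL;
    strncpy(table[ntable].addr, addr, ADDR_LEN - 1);
    table[ntable].addr[ADDR_LEN - 1] = '\0';
    table[ntable].failures = 0;
    return &table[ntable++];
}

/* Copy submatch m of line into buf, truncating to fit. */
static void submatch(const char *line, const regmatch_t *m, char *buf, size_t buflen)
{
    size_t n = (size_t)(m->rm_eo - m->rm_so);
    if (n >= buflen)
        n = buflen - 1;
    memcpy(buf, line + m->rm_so, n);
    buf[n] = '\0';
}

/* Failures recorded so far for addr (0 if never seen). */
int failures_for(const char *addr)
{
    struct tally *t = lookup(addr, 0);
    return t ? t->failures : 0;
}

/* Forget all counters, e.g. before scanning a different log. */
void reset_tally(void) { ntable = 0; }

/* Scan a newline-separated log buffer.  Returns how many distinct addresses
 * reached THRESHOLD during this scan, or -1 if the pattern does not compile. */
int scan_authlog(const char *log)
{
    regex_t re;
    regmatch_t m[4];
    char line[512], user[USER_LEN], addr[ADDR_LEN];
    int flagged = 0;
    if (regcomp(&re, FAIL_RE, REG_EXTENDED) != 0)
        return -1;
    for (const char *p = log; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (nl ? 1 : 0);
        /* Lines that do not match (accepted logins, other daemons) are skipped. */
        if (regexec(&re, line, 4, m, 0) != 0)
            continue;
        submatch(line, &m[2], user, sizeof user);
        submatch(line, &m[3], addr, sizeof addr);
        struct tally *t = lookup(addr, 1);
        if (t && ++t->failures == THRESHOLD) {
            flagged++;
            printf("block %s (failure %d, last user tried: %s)\n", addr, THRESHOLD, user);
        }
    }
    regfree(&re);
    return flagged;
}

/* Constructed sample; addresses are from the RFC 5737 documentation ranges. */
const char *SAMPLE_LOG =
    "Dec 23 10:15:01 host sshd[1234]: Failed password for invalid user oracle from 203.0.113.7 port 4242 ssh2\n"
    "Dec 23 10:15:03 host sshd[1234]: Failed password for root from 203.0.113.7 port 4243 ssh2\n"
    "Dec 23 10:15:04 host sshd[1235]: Accepted publickey for alice from 198.51.100.9 port 5000 ssh2\n"
    "Dec 23 10:15:05 host sshd[1236]: Failed password for invalid user admin from 203.0.113.7 port 4244 ssh2\n"
    "Dec 23 10:15:06 host sshd[1237]: Failed password for invalid user mysql from 198.51.100.22 port 6000 ssh2\n"
    "Dec 23 10:15:07 host sshd[1238]: Failed password for invalid user sql from 203.0.113.7 port 4245 ssh2\n";

int main(void)
{
    printf("%d address(es) reached the threshold\n", scan_authlog(SAMPLE_LOG));
    return 0;
}
```

Running it prints a single "block 203.0.113.7 ..." line: that address fails four times but is reported only on its third failure, the one-failure address stays below the threshold, and the accepted public-key login is ignored because it never matches the pattern. The "invalid user" group is optional so that both log variants (unknown accounts and real accounts with a wrong password) are counted against the same source.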