Gettin’ hacked
I had an email this morning only five days after my billing cycle started saying that I was close to using my 15GB of data. Normally we spend about 5-10GB, but 15GB in five days is exceptional.
I started digging and, after ruling out intentional upload/download from inside my network (using wireshark on my LAN segment), I turned to the wireless side of things. I have a server on my LAN that is connected via wireless, and this is also a public-facing server with sshd running on it.
I had a quick page through the /var/log/auth.log file and, to my surprise, I found repeated attempts to log in with various usernames (491 different ones so far) from various locations. These were coming in at the rate of one every four seconds. I can’t see how this would account for 15GB (or 1.5GB, for that matter), but when I called Orcon they said they saw a definite increase in traffic over the last two days, which also corresponds to the first entry in the auth.log file.
Here’s what the log entries look like:
Sep 27 13:29:59 pandora sshd[17366]: Failed password for invalid user oracle from 60.190.133.228 port 45662 ssh2
Sep 27 13:30:03 pandora sshd[17368]: Failed password for invalid user michael from 60.190.133.228 port 45857 ssh2
Sep 27 13:30:07 pandora sshd[17374]: Failed password for invalid user ftp from 60.190.133.228 port 46079 ssh2
Sep 27 13:30:12 pandora sshd[17376]: Failed password for invalid user test from 60.190.133.228 port 46301 ssh2
Sep 27 13:30:15 pandora sshd[17379]: Failed password for invalid user webmaster from 60.190.133.228 port 46553 ssh2
and so on …
The requests have come from a range of IP addresses in China, Europe, Canada and Bangladesh. It’s likely to be a distributed and targeted attack.
Interesting. I did install fail2ban some time ago which I was told was supposed to prevent this kind of thing, but it was an install-and-forget exercise. I’ll have to research it a bit to find out how it actually works.
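For anyone wanting to do the same auth.log digging, and to see what fail2ban actually does with these lines, here is an added example (not code from the original post). It parses sshd “Failed password” entries in the format quoted above, reports distinct usernames, attempts per source IP and the mean gap between attempts, and then replays fail2ban's core rule: ban an IP once it has `maxretry` failures inside a sliding `findtime` window (the stock jail.conf values are 5 failures in 600 seconds). The log sample is constructed: the first five lines are the ones quoted in the post, the rest are invented to add a second source address, a failure against an existing account and one successful login the parser must ignore. It assumes syslog's year-less timestamps do not cross a year boundary.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format the post quotes. The first five
# lines are from the post; the remaining lines are invented here to add a
# second source address, a failure for a real account ("root", which sshd
# logs without "invalid user"), and one successful login to be ignored.
SAMPLE_AUTH_LOG = """\
Sep 27 13:29:59 pandora sshd[17366]: Failed password for invalid user oracle from 60.190.133.228 port 45662 ssh2
Sep 27 13:30:03 pandora sshd[17368]: Failed password for invalid user michael from 60.190.133.228 port 45857 ssh2
Sep 27 13:30:07 pandora sshd[17374]: Failed password for invalid user ftp from 60.190.133.228 port 46079 ssh2
Sep 27 13:30:12 pandora sshd[17376]: Failed password for invalid user test from 60.190.133.228 port 46301 ssh2
Sep 27 13:30:15 pandora sshd[17379]: Failed password for invalid user webmaster from 60.190.133.228 port 46553 ssh2
Sep 27 13:30:19 pandora sshd[17381]: Failed password for invalid user admin from 60.190.133.228 port 46801 ssh2
Sep 27 13:31:02 pandora sshd[17390]: Failed password for root from 203.0.113.45 port 51002 ssh2
Sep 27 13:31:05 pandora sshd[17392]: Failed password for invalid user test from 203.0.113.45 port 51010 ssh2
Sep 27 13:45:00 pandora sshd[17400]: Accepted publickey for bob from 192.0.2.10 port 40000 ssh2
"""

# Matches both "Failed password for invalid user NAME from IP ..." and
# "Failed password for NAME from IP ..." (the form used for existing accounts).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text):
    """Return [(timestamp, user, ip), ...] for every failed-password line.

    Syslog timestamps carry no year, so strptime defaults to 1900. That is
    harmless for the time deltas used below as long as the log does not
    cross a year boundary (an assumption of this example).
    """
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins, disconnects, etc.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        out.append((ts, m.group("user"), m.group("ip")))
    return out


def summarize(failures):
    """Distinct usernames tried, attempts per source IP, and the mean gap in
    seconds between consecutive attempts from each IP."""
    per_ip = Counter(ip for _, _, ip in failures)
    times_by_ip = defaultdict(list)
    for ts, _, ip in sorted(failures):
        times_by_ip[ip].append(ts)
    mean_gap = {}
    for ip, times in times_by_ip.items():
        if len(times) > 1:
            mean_gap[ip] = (times[-1] - times[0]).total_seconds() / (len(times) - 1)
    return {
        "distinct_users": len({user for _, user, _ in failures}),
        "per_ip": per_ip,
        "mean_interval_by_ip": mean_gap,
    }


def ban_decisions(failures, maxretry=5, findtime=600):
    """Replay fail2ban's core rule: ban an IP once it has maxretry failures
    inside a sliding window of findtime seconds. Returns {ip: time_of_ban}
    for the first ban of each IP; later failures from a banned IP are skipped,
    as the firewall rule fail2ban inserts would drop them."""
    window = defaultdict(deque)
    banned = {}
    for ts, _, ip in sorted(failures):  # sorted so out-of-order lines still work
        if ip in banned:
            continue
        dq = window[ip]
        dq.append(ts)
        while (ts - dq[0]).total_seconds() > findtime:
            dq.popleft()  # drop attempts that have aged out of the window
        if len(dq) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_AUTH_LOG)
    s = summarize(fails)
    print("distinct usernames tried:", s["distinct_users"])
    for ip, n in s["per_ip"].most_common():
        gap = s["mean_interval_by_ip"].get(ip, float("nan"))
        print(f"{ip}: {n} failures, one every {gap:.1f}s")
    for ip, when in ban_decisions(fails).items():
        print(f"fail2ban (maxretry=5, findtime=600) would ban {ip} at {when:%H:%M:%S}")
```

On the sample above, the first source reaches five failures at 13:30:15, sixteen seconds after its first attempt, so the stock settings would already have banned it; the second source stops at two and is never banned. That is the catch the post hints at: fail2ban only helps if the sshd jail is actually enabled and pointed at this auth.log, and it bans per IP, so a slow, widely distributed scan like the one described can stay under `maxretry` from each address and never trip it. Checking `fail2ban-client status sshd` is the quickest way to see whether the jail is live and what it has banned.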