Reporting an attack on a server
I thought I would make this a separate post from my previous one, which talked about my report of a recent attempt to get access to my server.
This is specific to attempts against sshd; if they attempted to gain access through other services or ‘doors’ you would need to look through other logs, but the procedure is pretty much the same. The first thing, of course, is to make sure that it actually was an attempt. Every morning I receive an email from logwatch telling me what has happened in the last 24 hours, and in my email I had the following information (edited, of course):
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
unknown (***.******.com): 256 Time(s)
root (***.******.com): 30 Time(s)
[.......]
Invalid Users:
Unknown Account: 256 Time(s)
---------------------- pam_unix End -------------------------
This outlines the user names that failed and the number of invalid users.
Failed logins from:
194.**.***.*** (***.*******.com): 80 times
***.**.***.*** (my.hostmask): 1 time
Illegal users from:
194.**.***.*** (***.*******.com): 256 times
Users logging in through sshd:
achilles:
***.**.***.*** (my.hostmask): 4 times
The second part details successful logins in addition to the failed attempts. It is best to check those against the list of failed addresses to see if the attacker was able to gain access. Not seeing one doesn’t mean they didn’t get in: they could have edited the logs and left a list of attempts from another IP to make you look under the wrong rock.
Once you have determined whether you should report it or not, try to find the owner of the address. In my case it traced back to a website, and from there I was able to get contact information. When you visit the website, if there is one, you may not find a contact page, which is what happened when I went to their site. The alternative is to view the terms of service, privacy policy, or corporate information pages. These pages will usually contain an address, phone number, or email address to contact them with any questions. I believe it may even be required to have a proper privacy policy. The other alternative is to use a WHOIS result with email addresses to see if you can get a technical contact, or a domain service that forwards email through to the owner.
When reporting it, I have a couple of thoughts on variations of this. When I reported the attack I sent the section of the email that states the number of failed attempts and invalid users. I then followed that with a sentence along the lines of “Please do not overlook these events; if they continue I will have to have someone look into the problem more thoroughly.” If they are serious about finding out about it they should ask for more information, since sending them a number of failed attempts gives them no time frame or address the attacker was attacking. The reply for this information is critical: it should show they have interest in fixing the problem, and it confirms they received the first email. I received an email a few hours after I originally sent mine asking for more information. In the follow-up I specified my hostname and domain for the server along with the possible IP addresses the attacker was targeting. I also made a copy of the /var/log/secure file and removed information for valid users that had been given access, along with any failed attempts that may have been coming from hostmasks I recognized. It is important to remove as much valid information as possible in case the attacker is working inside the corporation. If the attacker is on the inside, they may have left log entries or other information thinking you will report the incident, giving up information like valid ssh users and their hostmasks, which can be used to restrict/permit access.
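The two checks above, cross-referencing failed attempts against successful logins and scrubbing the log copy before sending it, as an added example that is not part of the original post. It parses a constructed sample of /var/log/secure lines; the IP addresses, hostname and user names in the sample are made up, and the source, trusted-host and valid-user values are assumptions passed in by the caller.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd entries in /var/log/secure format (not from the original post).
SAMPLE_LOG = """\
Mar  3 02:14:01 myhost sshd[4410]: Invalid user oracle from 194.0.2.10
Mar  3 02:14:01 myhost sshd[4410]: Failed password for invalid user oracle from 194.0.2.10 port 51122 ssh2
Mar  3 02:14:05 myhost sshd[4412]: Failed password for root from 194.0.2.10 port 51130 ssh2
Mar  3 02:14:09 myhost sshd[4414]: Failed password for root from 194.0.2.10 port 51140 ssh2
Mar  3 07:30:12 myhost sshd[4501]: Failed password for achilles from 203.0.113.5 port 40010 ssh2
Mar  3 07:30:20 myhost sshd[4501]: Accepted password for achilles from 203.0.113.5 port 40010 ssh2
Mar  3 09:01:44 myhost sshd[4602]: Accepted publickey for achilles from 194.0.2.10 port 52000 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
INVALID = re.compile(r"Invalid user (\S+) from (\S+)")


def summarize(log_text):
    """Per-source counts of failed and invalid-user attempts, plus users accepted per source."""
    failed, invalid, accepted = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failed[m.group(2)] += 1
        elif m := ACCEPTED.search(line):
            accepted[m.group(2)].add(m.group(1))
        elif m := INVALID.search(line):
            invalid[m.group(2)] += 1
    return failed, invalid, accepted


def suspicious_successes(log_text, min_failed=2):
    """Sources that failed at least min_failed times and then got in: check these first.
    The threshold skips a single mistyped password from your own hostmask."""
    failed, _, accepted = summarize(log_text)
    return {src: sorted(users) for src, users in accepted.items() if failed[src] >= min_failed}


def redact_for_report(log_text, attacker, trusted_sources, valid_users):
    """Keep only the attacker's lines, drop lines from hostmasks you recognise,
    and mask the names of real accounts so the report gives away no valid users."""
    mask = re.compile(r"\b(%s)\b" % "|".join(map(re.escape, valid_users)))
    kept = []
    for line in log_text.splitlines():
        if any(src in line for src in trusted_sources):
            continue  # a recognised hostmask: never hand that to a third party
        if attacker in line:
            kept.append(mask.sub("<valid-user>", line))
    return "\n".join(kept)
```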
The company may not let you know whether there was a problem or not, because obviously you may be the actual attacker testing their response, or running some other test to get information. The company I contacted let me know there was a problem and that I helped them fix it, which is nice to know.