クラック | ～下町物語～

中国からのアタック！監視されているのも知らずに！

rurineko — Thu, 05 Apr 2018 23:18:15 +0000

この記事を読むおよそ時間 3 分

監視されているのも知らずに！

かれこれもう数ヶ月になろうか？私が管理しているとあるserverに、ポートスキャンをして、応答があるサービスに向かってアタックを開始した。それは、server乗っ取り系のアタックであるが、古典的な手法でのアタックである。こちらも知ってはいながら、どんなことをしてくるか？詳細にログを取りながら手口を伺っていたのですが、そろそろ手を打とうかという事で対応を行った。

どんなアタックを仕掛けてきたか？

まずは、私が契約しているグローバルIPに対してポートスキャンを確認した。次に、あるサイトの開発serverで、複数人で使用しているので、お分かりであろうかと思うのだが、SSHをあけているのだが、もちろん標準ポートではないですよ。先ほどのポートスキャンでＳＳＨサービスが応答してしまったので、それに向かってアタックを仕掛けてきた。

下記がそのアタックの一部抜粋したログである。スクリプトによる辞書アタックな典型的なアタック手法ですね。いろんな文言・言葉・名前などを送ってＩＤがあるかないか？を調べて居る模様が手に取るように分かりますね。このserverですよ、パスワード認証許可しておらず、公開鍵だけの認証にしているので、鍵を持ってこないとまず入れる事はないのです。また、前段にIPSがいてパケット単位で監視しているサーバになります。

Apr 1 03:48:01 stg sshd[32096]: input_userauth_request: invalid user beppie
Apr 1 03:54:12 stg sshd[32196]: input_userauth_request: invalid user berangere
Apr 1 04:00:22 stg sshd[32292]: input_userauth_request: invalid user berd
Apr 1 04:06:32 stg sshd[32395]: input_userauth_request: invalid user berenice
Apr 1 04:12:39 stg sshd[32487]: input_userauth_request: invalid user berenice
Apr 1 04:18:48 stg sshd[32582]: input_userauth_request: invalid user berenice
Apr 1 04:24:54 stg sshd[32677]: input_userauth_request: invalid user beret
Apr 1 04:31:01 stg sshd[302]: input_userauth_request: invalid user berg
Apr 1 04:37:07 stg sshd[400]: input_userauth_request: invalid user berger
Apr 1 04:43:14 stg sshd[499]: input_userauth_request: invalid user berget
Apr 1 04:49:18 stg sshd[595]: input_userauth_request: invalid user berk
Apr 1 04:55:22 stg sshd[688]: input_userauth_request: invalid user berna
Apr 1 05:01:25 stg sshd[791]: input_userauth_request: invalid user bernabe
Apr 1 05:07:29 stg sshd[889]: input_userauth_request: invalid user bernabeu
Apr 1 05:13:31 stg sshd[983]: input_userauth_request: invalid user bernadene
Apr 1 05:19:32 stg sshd[1078]: input_userauth_request: invalid user bernadette
Apr 1 05:25:34 stg sshd[1170]: input_userauth_request: invalid user bernadette
Apr 1 05:31:36 stg sshd[1262]: input_userauth_request: invalid user bernadette
Apr 1 05:37:37 stg sshd[1361]: input_userauth_request: invalid user bernadina
Apr 1 05:43:37 stg sshd[1453]: input_userauth_request: invalid user bernadine
Apr 1 05:49:37 stg sshd[1548]: input_userauth_request: invalid user bernadine
Apr 1 05:55:37 stg sshd[1640]: input_userauth_request: invalid user bernadine
Apr 1 06:01:38 stg sshd[1765]: input_userauth_request: invalid user bernard
Apr 1 06:07:39 stg sshd[1861]: input_userauth_request: invalid user bernard
Apr 1 06:13:39 stg sshd[1971]: input_userauth_request: invalid user bernarda
Apr 1 06:19:38 stg sshd[2066]: input_userauth_request: invalid user bernardina
Apr 1 06:25:39 stg sshd[2158]: input_userauth_request: invalid user bernardo
Apr 1 06:31:40 stg sshd[2250]: input_userauth_request: invalid user bernd
Apr 1 06:37:39 stg sshd[2342]: input_userauth_request: invalid user bernhard
Apr 1 06:43:40 stg sshd[2434]: input_userauth_request: invalid user berni
Apr 1 06:49:41 stg sshd[2526]: input_userauth_request: invalid user bernice
Apr 1 06:55:42 stg sshd[2618]: input_userauth_request: invalid user bernice
Apr 1 07:01:43 stg sshd[2721]: input_userauth_request: invalid user bernice
Apr 1 07:07:44 stg sshd[2813]: input_userauth_request: invalid user berri
Apr 1 07:13:45 stg sshd[2905]: input_userauth_request: invalid user berrie
Apr 1 07:19:48 stg sshd[3000]: input_userauth_request: invalid user bert
Apr 1 07:25:49 stg sshd[3092]: input_userauth_request: invalid user bertha
Apr 1 07:31:54 stg sshd[3187]: input_userauth_request: invalid user bertha
Apr 1 07:37:56 stg sshd[3279]: input_userauth_request: invalid user bertha
Apr 1 07:43:58 stg sshd[3371]: input_userauth_request: invalid user bertille
Apr 1 07:50:01 stg sshd[3463]: input_userauth_request: invalid user bertille
Apr 1 07:56:04 stg sshd[3556]: input_userauth_request: invalid user bertille
Apr 1 08:02:06 stg sshd[3661]: input_userauth_request: invalid user bertram
Apr 1 08:08:09 stg sshd[3756]: input_userauth_request: invalid user bertrand
Apr 1 08:14:12 stg sshd[3852]: input_userauth_request: invalid user bery
Apr 1 08:20:18 stg sshd[3949]: input_userauth_request: invalid user beryl
Apr 1 08:26:23 stg sshd[4042]: input_userauth_request: invalid user beryl
Apr 1 08:32:27 stg sshd[4134]: input_userauth_request: invalid user beryl
Apr 1 08:38:33 stg sshd[4226]: input_userauth_request: invalid user beryle
Apr 1 08:44:41 stg sshd[4318]: input_userauth_request: invalid user beshi
Apr 1 08:50:47 stg sshd[4410]: input_userauth_request: invalid user bess
Apr 1 08:56:54 stg sshd[4505]: input_userauth_request: invalid user bess
Apr 1 09:03:02 stg sshd[4608]: input_userauth_request: invalid user bess
Apr 1 09:09:12 stg sshd[4708]: input_userauth_request: invalid user bessie
Apr 1 09:15:25 stg sshd[4804]: input_userauth_request: invalid user bessie
Apr 1 09:21:38 stg sshd[4899]: input_userauth_request: invalid user bessie
Apr 1 09:27:50 stg sshd[4991]: input_userauth_request: invalid user bessy
Apr 1 09:34:04 stg sshd[5088]: input_userauth_request: invalid user best
Apr 1 09:40:18 stg sshd[5191]: input_userauth_request: invalid user bestman

どこからよ！？

って実IPいりですよｗ今回だけ特別ですからね。中国から発信されているっぽですね。以前は166.111.5.141だけだったのですが最近３カ所からアタックし始めたのでウザイので泳がせずブロックする事にしました。見て分かる通り、気づかれないように時間も数分に１度程度のアタックを継続して送ってくる奴っぽいですね。とはいえですね、茶番に付き合う気はないのでとっととブロックです。

泳がすこと数ヶ月、下記のアタック回数となってます。ひどいですよねぇ。

[root@stg ~]# cat /var/log/secure* | grep 166.111.5.141 | wc -l
334

[root@stg ~]# cat /var/log/secure* | grep 103.235.247.242 | wc -l

15281

IPひろばで調べて見ると！中華人民共和国ってでてますね。

ここら辺りからアクセスされているっぽです。まあ、プロバイダーの所在地でしょうけど。

ブログ的には、記事になる案件なのでいいのですが、個人的には人のサーバにログインしてやろうなんてけしからん訳です。皆様も個人的な趣味・趣向でクラックなんかしてると、国内には不正アクセス禁止法なるものが存在していますので、痛い目を見るかも知れませんよ。くれぐれもやめておいた方がいいですよ。

ブロックしたIPは？

ポリシーは詳しくは言えませんが、ブロックしたのはこのIPの32ビットマスクでブロックしてだけではありません。むしろ/32なんかでブロックする訳がありません。もう分かりましたよね？はい。まあそういう事ですね。

結論

ブロックして、１時間程度で３つIPからのアタックは停止したようです。向こうからしてみれば、IPが変わったんだろう程度だろうですが、アタックしている事もログを取って監視されているという事をお忘れ無く！

The post 中国からのアタック！監視されているのも知らずに！ first appeared on ～下町物語～.

【手口】実際に辞書アタックってこういう感じ！

rurineko — Fri, 23 Oct 2015 14:41:23 +0000

この記事を読むおよそ時間 9 分

185.17.1.248のIPからのアタックをgrepかけた結果である。

○ちなみにアタックしてきているIPはロシアのモスクワからはるばる海を越えてやってきてます。

whoisをひくと、いかのプロバイダからやってきている事が確認できます。

うぜーな！

  % This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '185.17.1.0 - 185.17.1.255'

% Abuse contact for '185.17.1.0 - 185.17.1.255' is 'info@le.lc'

inetnum:        185.17.1.0 - 185.17.1.255
org:            ORG-LEL4-RIPE
netname:        LE
descr:          LE
country:        RU
admin-c:        NA4577-RIPE
tech-c:         NA4577-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-NTX
created:        2015-08-11T14:07:37Z
last-modified:  2015-08-11T14:07:37Z
source:         RIPE

organisation:   ORG-LEL4-RIPE
org-name:       Longbow Electric LLC
org-type:       Other
address:        Ekvatornaya str., bld 14, app 31
address:        630060
address:        Novosibirsk
address:        RUSSIAN FEDERATION
phone:          +79859746811
fax-no:         +79859746811
abuse-c:        AR16767-RIPE
mnt-ref:        VG82356-MNT
mnt-ref:        MNT-NTX
mnt-ref:        MNT-NTX
mnt-by:         MNT-NTX
abuse-mailbox:  abuse@le.lc
created:        2013-01-21T14:04:53Z
last-modified:  2015-09-30T09:57:53Z
source:         RIPE # Filtered

role:           NTX-NOC
address:        Russia, Moscow, Nizhgorodskaya 32
nic-hdl:        NA4577-RIPE
mnt-by:         MNT-NTX
remarks:        ***
remarks:        ***
remarks:        ***
created:        2014-11-05T18:02:34Z
last-modified:  2014-11-05T18:03:36Z
source:         RIPE # Filtered

% Information related to '185.17.1.0/24AS199388'

route:          185.17.1.0/24
descr:          LE-1
origin:         AS199388
mnt-by:         MNT-NTX
created:        2015-08-24T16:18:58Z
last-modified:  2015-08-24T16:18:58Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.80.1 (DB-2)

○送信テストをしてもて、オープンリレーになっていないかをチェックしていますね。

NOQUEUE: reject: RCPT from unknown[185.17.1.248]: 554 5.7.1 : Client host rejected: Access denied;

○辞書アタックってどういうログをはくのか！？不明な方もいらっしゃると思うので一例を下記の通り実際のログを掲載してみました。

ざーっと、思いつく文言でユーザがいるかいないかをチェックしていますね。

ユーザがいると、パスワードを求められるので、次のステップとしては

そのユーザへの辞書クラックを始める訳です。

Oct 18 05:28:59 [809] : auth failure: [user=service] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 05:33:46 [812] : auth failure: [user=agent] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 05:43:35 [809] : auth failure: [user=contact] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 05:47:38 [809] : auth failure: [user=service] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 05:51:59 [812] : auth failure: [user=agent] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 06:04:06 [812] : auth failure: [user=spam] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 06:08:03 [812] : auth failure: [user=video] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 06:22:43 [812] : auth failure: [user=spam] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 06:26:07 [812] : auth failure: [user=video] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 06:30:00 [812] : auth failure: [user=contact] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 06:42:14 [812] : auth failure: [user=sekretariat] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 06:57:37 [812] : auth failure: [user=contakt] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 07:00:23 [812] : auth failure: [user=sekretariat] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 07:16:15 [812] : auth failure: [user=contact] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 07:16:26 [812] : auth failure: [user=secretaria] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 07:32:37 [812] : auth failure: [user=sales] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 07:34:39 [812] : auth failure: [user=secretaria] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 07:48:56 [812] : auth failure: [user=exit] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 07:50:42 [812] : auth failure: [user=webmaster] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 07:58:54 [812] : auth failure: [user=admin] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 08:02:18 [812] : auth failure: [user=contact] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 08:08:55 [812] : auth failure: [user=webmaster] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 08:23:46 [812] : auth failure: [user=education] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 08:24:56 [812] : auth failure: [user=baseball] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 08:43:04 [812] : auth failure: [user=baseball] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 08:58:30 [812] : auth failure: [user=fax] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 08:59:07 [812] : auth failure: [user=backup] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 09:16:53 [812] : auth failure: [user=fax] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 09:17:17 [812] : auth failure: [user=backup] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 09:33:29 [812] : auth failure: [user=backuppc] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 09:51:39 [812] : auth failure: [user=formation] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 09:51:47 [812] : auth failure: [user=backuppc] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 10:07:50 [812] : auth failure: [user=badmin] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 10:07:57 [809] : auth failure: [user=general] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 10:26:02 [809] : auth failure: [user=badmin] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 10:42:09 [809] : auth failure: [user=bank] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 10:42:38 [812] : auth failure: [user=guest] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 10:55:00 [812] : auth failure: [user=admin] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 11:00:27 [812] : auth failure: [user=bank] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 11:01:04 [809] : auth failure: [user=guest] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 11:16:42 [809] : auth failure: [user=billing] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 11:35:03 [809] : auth failure: [user=billing] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 11:35:43 [809] : auth failure: [user=sample] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 11:51:08 [809] : auth failure: [user=biblioteca] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 11:52:11 [812] : auth failure: [user=sales01] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 12:09:27 [812] : auth failure: [user=biblioteca] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 12:10:29 [812] : auth failure: [user=sales01] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 12:25:33 [812] : auth failure: [user=blink] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 12:43:53 [812] : auth failure: [user=blink] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 12:45:15 [812] : auth failure: [user=sales1] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 12:59:50 [812] : auth failure: [user=blog] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 13:18:09 [812] : auth failure: [user=blog] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 13:20:01 [812] : auth failure: [user=score] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 13:27:03 [812] : auth failure: [user=admin] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 13:34:21 [812] : auth failure: [user=bo] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 13:36:15 [812] : auth failure: [user=scores] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 13:52:48 [812] : auth failure: [user=bo] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 13:54:41 [812] : auth failure: [user=scores] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 14:09:04 [812] : auth failure: [user=boffice] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 14:11:01 [812] : auth failure: [user=scan] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 14:27:24 [812] : auth failure: [user=boffice] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 14:43:37 [812] : auth failure: [user=book] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 15:02:01 [812] : auth failure: [user=book] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 15:04:18 [812] : auth failure: [user=scanner] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 15:18:15 [812] : auth failure: [user=box] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 15:36:41 [812] : auth failure: [user=box] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 15:53:02 [812] : auth failure: [user=business] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 15:55:25 [809] : auth failure: [user=send] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 16:11:34 [809] : auth failure: [user=business] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 16:13:59 [809] : auth failure: [user=send] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 16:24:09 [809] : auth failure: [user=admin] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 16:27:47 [809] : auth failure: [user=buster] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 16:30:12 [809] : auth failure: [user=setting] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 16:46:06 [809] : auth failure: [user=buster] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 17:02:23 [809] : auth failure: [user=cache] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 17:20:43 [809] : auth failure: [user=cache] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 17:36:55 [812] : auth failure: [user=captured] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 17:55:19 [812] : auth failure: [user=captured] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 17:58:27 [812] : auth failure: [user=root] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 18:11:22 [812] : auth failure: [user=captures] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 18:14:49 [812] : auth failure: [user=hr] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 18:29:44 [812] : auth failure: [user=captures] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 18:33:16 [812] : auth failure: [user=hr] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 18:46:00 [812] : auth failure: [user=ceo] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 18:56:20 [812] : auth failure: [user=admin] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 19:04:24 [812] : auth failure: [user=ceo] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 19:08:10 [812] : auth failure: [user=info] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 19:20:35 [812] : auth failure: [user=checkin] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 19:24:21 [812] : auth failure: [user=intern] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 19:38:56 [812] : auth failure: [user=checkin] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 19:42:47 [812] : auth failure: [user=intern] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 19:55:17 [812] : auth failure: [user=checkout] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 20:13:46 [809] : auth failure: [user=checkout] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 20:30:02 [809] : auth failure: [user=chief] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 20:48:29 [809] : auth failure: [user=chief] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 20:52:16 [809] : auth failure: [user=library] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 21:04:43 [809] : auth failure: [user=clamav] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 21:08:34 [812] : auth failure: [user=monitor] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 21:22:53 [812] : auth failure: [user=clamav] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 21:26:47 [809] : auth failure: [user=monitor] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 21:38:44 [809] : auth failure: [user=clerk] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 21:42:47 [812] : auth failure: [user=newsletter] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 21:53:10 [812] : auth failure: [user=admin] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 21:56:38 [812] : auth failure: [user=clerk] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 22:00:56 [812] : auth failure: [user=newsletter] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 22:12:06 [812] : auth failure: [user=client] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 22:16:57 [809] : auth failure: [user=office] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 22:30:02 [809] : auth failure: [user=client] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 22:35:13 [809] : auth failure: [user=office] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 22:45:51 [809] : auth failure: [user=communication] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 22:51:11 [809] : auth failure: [user=reception] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 22:59:17 [812] : auth failure: [user=rurineko] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 23:03:45 [812] : auth failure: [user=communication] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 23:09:33 [812] : auth failure: [user=reception] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 23:19:31 [812] : auth failure: [user=com] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 23:37:31 [812] : auth failure: [user=com] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 23:43:39 [812] : auth failure: [user=user01] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 18 23:53:20 [809] : auth failure: [user=couple] [service=smtp] [realm=mx.a.com] [mech=shadow] [reason=Unknown]
Oct 18 23:59:56 [809] : auth failure: [user=user1] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 19 05:14:44 [809] : auth failure: [user=abuse] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 19 08:51:19 [812] : auth failure: [user=abuse] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 19 12:30:09 [809] : auth failure: [user=abuse] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 19 15:24:00 [812] : auth failure: [user=gomi] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 19 16:11:32 [809] : auth failure: [user=abuse] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 19 19:54:52 [809] : auth failure: [user=abuse] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 19 23:34:31 [812] : auth failure: [user=test] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 20 02:09:38 [780] : auth failure: [user=test] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 20 10:33:26 [782] : auth failure: [user=asdgas] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 20 10:33:53 [780] : auth failure: [user=asdgas] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 22 00:11:48 [782] : auth failure: [user=noauth] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:11:51 [780] : auth failure: [user=spam] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:11:53 [782] : auth failure: [user=test] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:11:54 [782] : auth failure: [user=noauth] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:11:56 [782] : auth failure: [user=info] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:11:57 [782] : auth failure: [user=spam] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:11:58 [782] : auth failure: [user=admin] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:00 [782] : auth failure: [user=test] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:01 [782] : auth failure: [user=administrator] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:03 [782] : auth failure: [user=info] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:03 [782] : auth failure: [user=mail] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:05 [780] : auth failure: [user=admin] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:06 [780] : auth failure: [user=postmaster] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:08 [780] : auth failure: [user=administrator] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:09 [780] : auth failure: [user=sales] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:10 [780] : auth failure: [user=mail] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:11 [782] : auth failure: [user=support] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:13 [782] : auth failure: [user=postmaster] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:14 [782] : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:16 [782] : auth failure: [user=sales] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:16 [782] : auth failure: [user=help] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:18 [782] : auth failure: [user=support] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:19 [782] : auth failure: [user=contact] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:21 [782] : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:21 [782] : auth failure: [user=office] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:23 [782] : auth failure: [user=help] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:24 [782] : auth failure: [user=staff] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:26 [782] : auth failure: [user=contact] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:26 [782] : auth failure: [user=news] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:29 [782] : auth failure: [user=office] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:29 [782] : auth failure: [user=careers] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:31 [782] : auth failure: [user=staff] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:32 [782] : auth failure: [user=fax] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:34 [782] : auth failure: [user=news] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:34 [782] : auth failure: [user=abuse] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:37 [782] : auth failure: [user=careers] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:37 [782] : auth failure: [user=hostmaster] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:39 [782] : auth failure: [user=fax] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:39 [782] : auth failure: [user=noreply] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:42 [782] : auth failure: [user=abuse] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:42 [782] : auth failure: [user=pop3] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:44 [782] : auth failure: [user=hostmaster] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:45 [782] : auth failure: [user=sysadmin] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:47 [782] : auth failure: [user=noreply] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:47 [782] : auth failure: [user=web] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:50 [782] : auth failure: [user=pop3] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:50 [782] : auth failure: [user=www] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:52 [782] : auth failure: [user=sysadmin] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:55 [782] : auth failure: [user=web] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 00:12:57 [782] : auth failure: [user=www] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 22 22:12:13 [782] : auth failure: [user=muietrista] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 22 22:13:03 [780] : auth failure: [user=muietrista] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 23 02:08:21 [782] : auth failure: [user=admin] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 23 02:09:19 [780] : auth failure: [user=administrator] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Oct 23 03:59:31 [780] : auth failure: [user=test] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]
Oct 23 13:07:12 [780] : auth failure: [user=gomi] [service=smtp] [realm=a.com] [mech=shadow] [reason=Unknown]

The post 【手口】実際に辞書アタックってこういう感じ！ first appeared on ～下町物語～.

まじか！まさか１ID　辞書マッチングでクラックｗ

rurineko — Sun, 18 Oct 2015 11:17:21 +0000

この記事を読むおよそ時間 1未満分

まじか！！！！

パターンマッチングでクラックされ、そこからメールがまかれていた用だ。

件数としては、それほど無いけどクレームが来て浮き彫りになって

さっき詳細な通報時のヘッダーをもらってメッセージIDより調査した結果そうだった！

接続もとは「188.53.220.208」サウジアラビアだった！下記が生LOGである。

ろくな事してくれねーなｗ　オープンリレーは一切ないし

ブラックリストチェックもバッチで監視しているから、大丈夫だと思ってたんだけどな。

サーバ運用者様お気をつけて運用されてください。

＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾＾

Oct 5 00:00:04 mx postfix/smtpd[29710]: 79D2F61A0DF: client=unknown[188.53.220.208], sasl_method=PLAIN, sasl_username=gomi1234@aaaaaa.com
Oct 5 00:00:05 mx /usr/local/sbin/geoip-policyd[29716]: address:188.53.220.208 country:SA result:DUNNO
Oct 5 00:00:17 mx last message repeated 18 times
Oct 5 00:00:18 mx postfix/cleanup[29717]: 79D2F61A0DF: message-id=<34235a9c7ebe$b96b9e62$83b274f8$@aaaaaa.com>
Oct 5 00:00:18 mx postfix/qmgr[18126]: 79D2F61A0DF: from=, size=2000, nrcpt=20 (queue active)
Oct 5 00:00:18 mx postfix/smtpd[29722]: connect from localhost.localdomain[127.0.0.1]
Oct 5 00:00:18 mx postfix/smtpd[29722]: 9D1A361A181: client=localhost.localdomain[127.0.0.1]
Oct 5 00:00:18 mx postfix/cleanup[29717]: 9D1A361A181: message-id=<34235a9c7ebe$b96b9e62$83b274f8$@aaaaaa.com>
Oct 5 00:00:18 mx postfix/qmgr[18126]: 9D1A361A181: from=, size=2294, nrcpt=20 (queue active)
Oct 5 00:00:18 mx postfix/smtpd[29722]: disconnect from localhost.localdomain[127.0.0.1]
Oct 5 00:00:18 mx amavis[28622]: (28622-11) Passed CLEAN {RelayedOpenRelay}, [188.53.220.208] -> ,,,,,,,,,,,,,,,,,,,, Message-ID: <34235a9c7ebe$b96b9e62$83b274f8$@aaaaaa.com>, mail_id: GPnE7ipa7x5p, Hits: -, size: 2212, queued_as: 9D1A361A181, dkim_sd=key1:aaaaaa.com, 208 ms
Oct 5 00:00:18 mx postfix/smtp[29719]: 79D2F61A0DF: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=15/0.01/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9D1A361A181)
Oct 5 00:00:18 mx postfix/smtp[29719]: 79D2F61A0DF: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=15/0.01/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9D1A361A181)
Oct 5 00:00:18 mx postfix/smtp[29719]: 79D2F61A0DF: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=15/0.01/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9D1A361A181)
Oct 5 00:00:18 mx postfix/smtp[29719]: 79D2F61A0DF: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=15/0.01/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9D1A361A181)
Oct 5 00:00:18 mx postfix/smtp[29719]: 79D2F61A0DF: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=15/0.01/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9D1A361A181)
Oct 5 00:00:18 mx postfix/smtp[29719]: 79D2F61A0DF: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=15/0.01/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9D1A361A181)
Oct 5 00:00:18 mx postfix/smtp[29719]: 79D2F61A0DF: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=15/0.01/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9D1A361A181)

The post まじか！まさか１ID　辞書マッチングでクラックｗ first appeared on ～下町物語～.