I see so many attacks on my SSH server trying to brute force the password for usernames ‘admin’ and ‘root’. Clever sshd just lets them keep guessing without telling them that the username doesn’t exist. It just sits there and enjoys the conversation. Actually it is fun to see the usernames/password that are tried. Just fire up wireshark/tcpdump when under attack and look at the packets, the username/passwords are as amusing as they can get. Sometimes the passwords are pure dictionary attack. Sometimes they even have a local tinge in them. For example, Chinese names !!!

Most of the attacks are from bots. Bots running on ‘owned’ machines – compromised machines at government offices, educational institutes and public kiosks. Basically, this is generally how botnets work – a bot infects your computer, it then starts launching attacks on other computer in its quest to multiply. In addition it also opens up other services on the infected computer to achieve its other primary objectives. Remember, bots and botnets are all about money today. It is no longer a fame game. So typically a owned machine will have port 80 (http), 21(ftp), 22(ssh). You will also see compromised computers hosting a website (often porn) and running services like webmail, phpmyadmin etc.

Last weekend, I thought – is there something I can do when under attack… Ummm well maybe I can become a good netizen and let the world know about the attack. Why would that help anyone? Well just in case someone else in world is getting attacked by the same IP address and chooses to type its IP address on google, he can have a little more information about the attack and his fellow sufferers.

Okay, so I want to make the attack information quickly available to the world. So probably I can have a webpage of such attack information and I’ll keep updating it as and when I get an attack. Well … sort of good idea but not so slick. If google indexes my webpage every 30 days, it will take 30 days (worst case) for the information to be available on google.

A better approach is to ‘tweet’ about the attack . Google indexes twitter accounts far more frequently than it indexes an average website. So an twitter update can be indexed even within minutes after it has been tweet’ed.

We* wrote a quick and dirty python script to help us do exactly that. The scripts monitors the log files every few minutes (15 minutes in our case). The log files are /var/log/auth.log and /var/log/vsftpd.log.
The scripts maintains an in-memory hash table of <ip, [list of usernames used in attack]>. Here ip is IP address of the attacker and it serves as an key in the hash table. The corresponding value is a list of all the usernames that the attacking computer tried.

So the in memory hash table grows with each attack and would typically look like:
< 210.90.74.163, [admin, test, root, nagios…]>

The following algorithm is repeated every 15 minutes:

• We check the new attacks in past 15 minutes and update our in memory hash table
• For all those entries that have surpassed a threshold number of tries in this timeslot are eligible to get tweeted. For eg. With a threshold of 5 tries, all those entries that now have more than 5 entries in the username list (and were not tweeted before) are deemed as attacks and are tweeted.
• A simple twitter API for python makes tweeting as simple as possible.
• A new tweet appears on http://twitter.com/compromised_sys account.

A diagrammatic representation of the process is below:

Overview of the entire process

In case you are interested in seeing the python implementation, you can download the file below. As I said earlier, it is quick and dirty implementation and requires code cleanup.
tweet_attacks.py

Results:
The script runs in production and tweets the twitter account http://twitter.com/compromised_sys regularly. Once we had the first version up and running, we could see tweets getting indexed in as less as 15 minutes after updates to twitter account.

*This code was co-authored by Aditya Mahendrakar