Domain-name based ssh login attempts

The last few weeks I have noticed some illicit ssh login attempts that uses parts of the reverse DNS domain name as user name when it tries to login. The last attempt looked like this in my LogWatch summary:

Illegal users from these: ( 9 times
       root/password: 4 times
       cenara/password: 2 times
       ip-83-209-13-88/password: 2 times 1 time

As you can see, the secondary and tertiary domain name, along with the full domain name, was tried as user name when attempting to login. I guess that the attack script tries with a blank password and also with the same password as user name.


The WLAN router as a development platform?

I have a Fonera WLAN router (unfortunately it has been offline for a while now, but nevertheless) and I really like their thing. In their blog I read that their next generation WLAN router will be an open platform for developers. Interested developers will be able to join Fonosfera: The FON Development Community. Also worth noting is that The Fonera 2.0 will have a USB port and they plan to make it possible to connect an HSDPA modem for sharing 3G access. Nice!


Jeff Atwood and Joel Spolsky joint venture

Programming bloggers Jeff Atwood (Coding Horror) and Joel Spolsky (Joel on Software) plans to use the domain to provide a competitor to experts-exhange. It sounds like a good idea. Unfortunately their podcast had weird noises when I played it (in XMMS on Sun Solaris 10 — don’t ask), so it was too annoying for me to listen to right now.

WordPress crack attempt this morning!

When I got to work and viewed this blog I noticed that Sidebar Widgets was disabled. I thought "That’s weird!"

When I tried to login to the administration interface I was told that my WordPress database needed upgrading. I thought "That’s weird!"

Some further investigation revealed that someone managed to upload a PHP script called ro8kfbsmag.txt (MD5 sum df3b74cd38c717d9d7bbf0cd1910baa1) to my /tmp directory. It starts like this:

/*Magic Include Shell by Mag icq 884888*/
//TODO: ñëèòü ôàéëî íà ñâîé ôòï (!)

This gave me enough information too start googling. A must-read is Detailed Post-Mortem of a Website Hack Through WordPress & How To Protect Your WordPress Blog From Hacking, as it describes a very similar attack. There is also a support thread at Weird and Dangerous : ro8kfbsmag.txt.

The attack vector on my server looked like this, originating from with HTTP/1.0 as protocol version and "Opera" as User-Agent. I wish I logged POST data!

POST /wp-admin/options.php
POST /wp-admin/upload.php
POST /wp-admin/options.php
POST /wp-admin/options.php
POST /wp-admin/inline-uploading.php?post=-1&action=upload
POST /wp-admin/options.php
POST /wp-admin/options.php
POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1
POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1
POST /wp-admin/options.php
POST /wp-admin/options.php
GET /wp-admin/upgrade.php?step=1

Needless to say, I have restored a backup and taken certain precautions to prevent this from happening again.

The Scandinavian SCM day on May 28th, 2008

From the Scandinavian SCM day web page:

The Scandinavian SCM day is an opportunity for people from academia and industry with a passion for Software Configuration Management to get together once a year to discuss SCM, exchange ideas and share problems.

The reason I tag this post with "Agile" and "Scrum" is that two of the presentations have "Scrum" in the title and I’m pretty confident that they are not the only ones to mention agile development methodologies in relation to Software Configuration Management.

The Scandinavian SCM day is held at the university in Lund, Sweden.