I get ssh login attempts almost daily, mostly from DSL, Asian or Eastern European IP addresses, but this one caught my eye:
Illegal users from these:
184.108.40.206 (ec2-75-101-221-220.compute-1.amazonaws.com): 210 times
admin/password: 16 times
test/password: 15 times
tester/password: 15 times
testing/password: 15 times
guest/password: 14 times
adm/password: 6 times
administrator/password: 5 times
It comes from Amazon Web Services! I thought that "cloud computing" for these attackers meant "bot network", but maybe that is not the case?
Let’s see what their abuse support says!
The last few weeks I have noticed some illicit ssh login attempts that use parts of the reverse DNS domain name as the user name when they try to log in. The last attempt looked like this in my LogWatch summary:
Illegal users from these:
220.127.116.11 (aquila.euroexpert.tvnet.hu): 9 times
root/password: 4 times
cenara/password: 2 times
ip-83-209-13-88/password: 2 times
ip-83-209-13-88.cenara.com/password: 1 time
As you can see, the secondary and tertiary domain names, along with the full domain name, were tried as user names when attempting to log in. I guess that the attack script tries with a blank password and also with the same password as the user name.
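To turn the two LogWatch summaries above into something you can run yourself, here is a small Python script (an added example, not code from the original post). It parses sshd "Failed password" lines from auth.log, tallies them per source IP and user name the way LogWatch does, and flags attempts whose user name was built from the host's own reverse DNS name (the labels and dotted suffixes of the FQDN, as in the ip-83-209-13-88.cenara.com attempt). The log lines are constructed samples, and the FQDN passed in is assumed to be the attacked host's name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines in OpenSSH's format (not taken from the post).
SAMPLE_LOG = """\
Mar 17 04:12:01 web sshd[2201]: Failed password for invalid user admin from 184.108.40.206 port 51022 ssh2
Mar 17 04:12:03 web sshd[2203]: Failed password for invalid user test from 184.108.40.206 port 51024 ssh2
Mar 17 04:12:05 web sshd[2205]: Failed password for invalid user admin from 184.108.40.206 port 51030 ssh2
Mar 17 05:40:11 web sshd[2310]: Failed password for root from 220.127.116.11 port 40122 ssh2
Mar 17 05:40:12 web sshd[2311]: Failed password for invalid user cenara from 220.127.116.11 port 40123 ssh2
Mar 17 05:40:13 web sshd[2312]: Failed password for invalid user ip-83-209-13-88 from 220.127.116.11 port 40124 ssh2
Mar 17 05:40:14 web sshd[2313]: Failed password for invalid user ip-83-209-13-88.cenara.com from 220.127.116.11 port 40125 ssh2
Mar 17 05:41:00 web sshd[2320]: Accepted publickey for alice from 10.0.0.5 port 52000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user NAME from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failed_logins(log_text):
    """Return a list of (username, source_ip) for every failed password attempt."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m.group("user"), m.group("ip")))
    return attempts


def summarize(attempts):
    """Group attempts by source IP and count user names, like the LogWatch summary."""
    per_ip = defaultdict(Counter)
    for user, ip in attempts:
        per_ip[ip][user] += 1
    return per_ip


def hostname_derived_usernames(fqdn):
    """User names an attacker could derive from our own reverse DNS name:
    every label and every dotted suffix, excluding the bare top-level domain."""
    labels = fqdn.lower().split(".")
    candidates = set(labels[:-1])            # single labels, minus the TLD
    for i in range(len(labels) - 1):
        candidates.add(".".join(labels[i:]))  # full name, then shorter suffixes
    return candidates


def flag_hostname_probes(attempts, fqdn):
    """Return the attempts whose user name was built from the host's DNS name."""
    derived = hostname_derived_usernames(fqdn)
    return [(user, ip) for user, ip in attempts if user.lower() in derived]


if __name__ == "__main__":
    attempts = parse_failed_logins(SAMPLE_LOG)
    for ip, users in summarize(attempts).items():
        print(f"{ip}: {sum(users.values())} times")
        for user, n in users.most_common():
            print(f"    {user}: {n} times")
    # Assumed FQDN of the attacked host, taken from the user names in the post.
    for user, ip in flag_hostname_probes(attempts, "ip-83-209-13-88.cenara.com"):
        print(f"hostname-derived user name {user!r} probed from {ip}")
```

Feed it your real auth.log instead of SAMPLE_LOG and pass `socket.getfqdn()` as the host name; a hit from flag_hostname_probes is a good sign that the script on the other end is doing reverse lookups on its targets rather than working from a fixed word list.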
When I got to work and viewed this blog I noticed that Sidebar Widgets was disabled. I thought "That’s weird!"
When I tried to login to the administration interface I was told that my WordPress database needed upgrading. I thought "That’s weird!"
Some further investigation revealed that someone managed to upload a PHP script called ro8kfbsmag.txt (MD5 sum df3b74cd38c717d9d7bbf0cd1910baa1) to my /tmp directory. It starts like this:
/*Magic Include Shell by Mag icq 884888*/
//TODO: dump the file to my own FTP (!)
This gave me enough information to start googling. A must-read is Detailed Post-Mortem of a Website Hack Through WordPress & How To Protect Your WordPress Blog From Hacking, as it describes a very similar attack. There is also a support thread at wordpress.org: Weird and Dangerous : ro8kfbsmag.txt.
The attack vector on my server looked like this, originating from 18.104.22.168 with HTTP/1.0 as protocol version and "Opera" as User-Agent. I wish I had logged POST data!
Needless to say, I have restored a backup and taken certain precautions to prevent this from happening again.
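The shell above was saved with a .txt extension, so an extension-based check would never have caught it. This added Python example (mine, not the post author's) walks a directory such as /tmp or wp-content/uploads and reports files that contain PHP code regardless of their name, or whose MD5 matches a known-bad list seeded with the hash given above. The demo directory it builds contains a harmless constructed stand-in, not the real shell.

```python
import hashlib
import os
import tempfile

# MD5 of the ro8kfbsmag.txt shell reported in the post; add further known samples here.
KNOWN_BAD_MD5 = {"df3b74cd38c717d9d7bbf0cd1910baa1"}

# Byte markers that indicate PHP code, or this particular shell family, in a file
# that should not contain PHP at all (anything sitting in /tmp or an upload directory).
PHP_MARKERS = (b"<?php", b"<?=", b"Magic Include Shell")


def inspect_file(path):
    """Return a finding dict if the file looks like PHP or matches a known hash, else None."""
    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.md5(data).hexdigest()
    markers = [m.decode() for m in PHP_MARKERS if m in data]
    if digest in KNOWN_BAD_MD5 or markers:
        return {
            "path": path,
            "md5": digest,
            "known_bad": digest in KNOWN_BAD_MD5,
            "markers": markers,
        }
    return None


def scan_directory(root):
    """Walk a directory tree and collect findings for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            finding = inspect_file(os.path.join(dirpath, name))
            if finding:
                findings.append(finding)
    return findings


def build_demo_dir():
    """Create a temporary directory with constructed sample files (no real malware)."""
    root = tempfile.mkdtemp(prefix="shellscan-")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"just some plain text\n")
    with open(os.path.join(root, "ro8kfbsmag.txt"), "wb") as fh:
        # Constructed stand-in: PHP opening tag plus the banner text, nothing executable.
        fh.write(b"<?php\n/*Magic Include Shell (constructed stand-in for the demo)*/\n?>\n")
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    for f in scan_directory(demo):
        tag = "KNOWN BAD" if f["known_bad"] else "suspicious"
        print(f"{tag}: {f['path']} md5={f['md5']} markers={f['markers']}")
```

Run scan_directory over /tmp and your WordPress upload directory from cron; a PHP opening tag in a .txt file is exactly the pattern that would have flagged this upload, and the hash comparison catches unmodified copies of samples you already know.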
Today I overcame my SSL certificate anguish. It used to be a bit of a mess to get it right, but it’s so simple on Ubuntu nowadays. Almost all that is needed is to run the apache2-ssl-certificate command.
(Continued from Highway to Dell, part three.) Before buying the Dell Inspiron 1525 I did some research and I found a thread about PPP problems with Ubuntu on the machine. I sent a PM to the author of the post and asked about his/her experiences. I got this reply (quoted with permission):
I am no longer using Ubuntu 7.10 on this notebook. I converted to Fedora 8, have not yet returned, and do not plan to until the 8.04 release. Fedora functions beautifully in an unprecedented manner. My primary issue with Ubuntu was power management, which is a complete wreck. The screen saver, for example, would activate only sporadically. To no surprise, hibernation and sleep never functioned, and I would lose sessions consistently upon reactivation. Not that this situation is unique, but, on the other hand, Fedora 8 has managed to execute power management flawlessly and I have maintained highly stable uptimes of up to two weeks. I would highly recommend its installation on this particular model, as I have experienced virtually no drawbacks.
Ubuntu works fine for me, but if you can’t get Ubuntu to work properly it sounds like you might want to try Fedora!
Update Continued on Highway to Dell, part five.
I looked in Apache’s error_log file and noticed multiple lines like this:
an unknown filter was not added: DEFLATE
After thinking a bit I recalled that I added the following line to the .htaccess file in the root directory of one of my domains, but never tested it properly:
AddOutputFilterByType DEFLATE text/html text/plain text/xml
The fix is easy: enable mod_deflate. On Ubuntu:
$ sudo a2enmod deflate
Module deflate installed; run /etc/init.d/apache2 force-reload to enable.
$ sudo /etc/init.d/apache2 force-reload
* Forcing reload of apache 2.0 web server...
Why did I add the above filter line in the first place? It was suggested by YSlow.
Update Another kind of fix is of course to remove AddOutputFilterByType.
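A third option, shown here as an added example rather than the author's own configuration, is to keep the directive but wrap it in an IfModule block. Apache then applies the filter only when mod_deflate is actually loaded and silently skips it otherwise, so the "unknown filter was not added" error cannot recur on a server where the module is missing:

```apache
# Before: fails with "an unknown filter was not added: DEFLATE" when mod_deflate is absent
AddOutputFilterByType DEFLATE text/html text/plain text/xml

# After: only applied when the module is loaded
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
</IfModule>
```

Keep the a2enmod step if you actually want compression; the guard only makes the .htaccess file safe to carry between servers.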
(Continued from Highway to Dell, part two.) The trackpad is much easier to work with since I followed these instructions. I also set MaxTapTime to "0" (zero) to disable tapping on the trackpad, and SHMConfig to "on" so that I can use synclient, gsynaptics or similar programs to play with the settings at runtime. The relevant section of /etc/X11/xorg.conf now looks like this:
Identifier "Synaptics Touchpad"
Option "SendCoreEvents" "true"
Option "Device" "/dev/psaux"
Option "Protocol" "auto-dev"
Option "HorizEdgeScroll" "0"
Option "MinSpeed" "0.14"
Option "MaxSpeed" "1.6"
Option "AccelFactor" "0.084"
Option "SHMConfig" "on"
Option "MaxTapTime" "0"
I plan to play with HorizEdgeScroll later! It also seems like ndiswrapper was not loaded at boot so I simply load it from /etc/rc.local with the line below. There is probably a more correct way, but this works fine:
Once when the computer woke up from hibernation it did not restore the X session properly, but it was possible to login from another computer and reboot. Such is life. I was not able to spot anything in the logs to explain this.
Update Continued on Highway to Dell, part four.
(Continued from Highway to Dell, part one.) Yesterday I swapped the hard disk drive in the Dell Inspiron 1525 (without even booting Windows Vista), inserted the DVD with ubuntu-dell-1525n-intelvideo-reinstall.iso downloaded from //linux.dell.com/files/ubuntu/iso-images/ and installed Ubuntu. Everything I’ve tried worked out of the box except the wireless network. The Dell 1395 wireless network started working when I followed these great instructions and used the driver for the Broadcom BCM4310. The solution uses ndiswrapper and it is important to download the Windows XP driver and not the Windows Vista driver. Don’t worry that lspci says "Broadcom Corporation BCM4310 USB Controller" but Dell writes "not USB" about the driver package. Do not bother with the bcm43xx driver! These things are now tried and seem to work fine:
- 1440×900 pixels resolution
- Wired network
- Wireless network
- Sound playback buttons
The biggest annoyance so far is the trackpad. First of all I’m a TrackPoint guy and second the acceleration is unbearably slow. I’ll try these instructions later though. A note about DVD playback: When buying a Dell laptop with Ubuntu, they include LinDVD, but unfortunately LinDVD is not included on the ISO image. Swedish readers who long for a Dell with Ubuntu preinstalled could read about and envy Dell’s offerings to other European countries.
Update Continued at Highway to Dell, part three.
According to Mark Shuttleworth’s announcement yesterday the name of the autumn release of Ubuntu will be Intrepid Ibex.
(Kind of continued from About to buy a new laptop.) I ordered a Dell Inspiron 1525 on February 12 and the delivery was estimated to March 17. A few minutes to 7 AM this morning the delivery company called and said they were to deliver before lunch today! Unfortunately I had to call back and ask them to deliver tomorrow instead, but Dell sure exceeded expectations on delivery time! My plan is to run Ubuntu 7.10 (Gutsy Gibbon) on the laptop, so I was really pleased to read the Welcome the Inspiron 1525 to the Dell Ubuntu Family blog post! As this option was not available when I ordered (and maybe never will be in Sweden) I obviously paid the "Microsoft tax", but according to a recent article it’s more expensive to buy a Dell without an operating system than with Windows in Sweden. Update Dell corrected themselves, but it’s not applicable to me anyway. To my great, great joy, Dell provides ubuntu-dell-1525n-intelvideo-reinstall.iso at //linux.dell.com/files/ubuntu/iso-images/. Wonderful! I have a spare 2,5" hard disk drive, so I’ll probably change the hard drive and then try the ISO image from Dell. I’ll follow up with my experiences!
Update Continued at Highway to Dell, part two.