Saturday, January 16, 2010

Fun with lastb

So, I have a few servers on the Internet, and a couple of them have a /var/log/btmp file (the others don't, so they haven't been collecting this stuff). The btmp file collects bad login info, which can be displayed with the lastb command. Although I rate-limit SSH connections to those machines to 3 per minute before blocking the connecting IP address, they still get some of the usual SSH brute-force bot login attempts, so the file has grown over the last year or so. I wondered what names the Bad Guys thought might get them in. A quick bit of pipelinery (lastb | cut -f1 -d' ' | sort | uniq -c | sort -nr | less) later, here's the top 20 or so names on the machines:

Machine 1 (mail gateway and squid proxy):
968 admin
892 sales
863 test
781 staff
596 guest
197 fluffy
194 oracle
188 user
162 info
154 www
137 data
136 web
129 http
128 support
128 jeff
127 mike
126 john
126 install
126 cvs
124 tim
123 steve
117 demo
91 eaguilar

Machine 2 (mail gateway and web server):
355 admin
258 staff
118 sales
103 test
83 guest
54 eaguilar
53 user
47 globus
39 cisco
33 t1na
28 oracle
24 PlcmSpIp
24 lesbell
23 webmaste
23 a
22 alexis
16 mlmb
14 nagios
14 adam
13 lpd
12 raimundo
11 supporte
11 administ

OK, so it's obviously a bad idea to create accounts like admin, staff, test and sales, especially with weak passwords. And there must be a lot of Jeffs, Mikes, Johns and Tims out there.

But "fluffy"? I mean, really, who ever has a Unix account called "fluffy"? And who is this "eaguilar", who rates so highly? Not to mention "PlcmSpIp" (and the lower-case variant, "plcmspip"); I guess it must have worked somewhere, once, or it wouldn't be on their list.

Looking at the log generally, it's interesting to see account names like "218-214-" (obviously derived from a reverse DNS lookup on the machine's IP address), not to mention snippets of HTML.
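For anyone wanting to repeat the tally, here is an added example (not from the original post) of the same pipeline as shell functions, with two practitioner caveats the raw one-liner misses: lastb ends its output with a blank line and a "btmp begins ..." footer that would otherwise be counted as a name, and the classic last/lastb prints the user column 8 characters wide, which is why "webmaste", "supporte" and "administ" appear above (util-linux lastb has a -w option to print full names). The SAMPLE text is constructed lastb-style output, not a real log.

```shell
#!/bin/sh
# Added example: tally failed-login usernames from lastb output.
# SAMPLE is constructed lastb-style output, including the trailing
# blank line and "btmp begins" footer lastb really prints.
SAMPLE='admin    ssh:notty    203.0.113.5      Sat Jan 16 10:01 - 10:01  (00:00)
test     ssh:notty    198.51.100.7     Sat Jan 16 10:02 - 10:02  (00:00)
admin    ssh:notty    203.0.113.5      Sat Jan 16 10:02 - 10:02  (00:00)
webmaste ssh:notty    198.51.100.7     Sat Jan 16 10:03 - 10:03  (00:00)
test     ssh:notty    192.0.2.9        Sat Jan 16 10:03 - 10:03  (00:00)
admin    ssh:notty    192.0.2.9        Sat Jan 16 10:04 - 10:04  (00:00)

btmp begins Fri Jan  1 00:00:01 2010'

# is_record: awk filter shared below. Keeps lines that look like a
# lastb record (at least user, tty, host) and drops the footer line.
is_record='NF >= 3 && !($1 == "btmp" && $2 == "begins")'

# tally_lastb N: read lastb output on stdin, print "count user" for the
# N most-tried names, most frequent first.
tally_lastb() {
    awk "$is_record { print \$1 }" |
        sort | uniq -c | sort -rn | head -n "$1" |
        awk '{ print $1, $2 }'
}

# truncated_names: names that fill the whole 8-character user column,
# so they may be cut-off versions of longer names ("webmaste").
truncated_names() {
    awk "$is_record && length(\$1) == 8 { print \$1 }" | sort -u
}

# Usage on the constructed sample (run `lastb | tally_lastb 20` on a
# real box instead).
printf '%s\n' "$SAMPLE" | tally_lastb 20
printf '%s\n' "$SAMPLE" | truncated_names
```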

1 comment:

Jim said...

Never came across the btmp file before, so I hurried over to my nearest server to look through it.

Alas, it was empty, but maybe that's because I run my ssh server on a non-standard port. It really cuts down on the amount of scriptkiddy sniffing, and if you start getting login attempts on a non-standard port, you can be sure that they're a lot more serious. Keeps the signal-to-noise ratio high, if you will ...