Brutus: brute force attack on basic auth passwords

I saw some weird entries in my web server's error log; apparently
some idiot at 65.1.102.112 (cc876461-a.andrson1.tn.home.com) was
trying to brute force his way into password-protected areas of my
site. Sample log entries:

   65.1.102.112 - backup [21/Feb/2001:21:29:52 -0500] "HEAD
   /people/gerald/2000/12/31/nye.html HTTP/1.1" 401 0 ""
   "Mozilla/3.0 (Compatible);Brutus/AET"

   65.1.102.112 - backup [21/Feb/2001:21:29:52 -0500] "HEAD
   /people/gerald/2000/12/31/nye.html HTTP/1.1" 401 0 ""
   "Mozilla/3.0 (Compatible);Brutus/AET"

It made 9860 requests in 25 minutes, up to 31 reqs/sec. The
usernames it tried were root, guest, admin, test, administrator,
and backup. (none of which are valid on my site :)

So I searched the web for "Brutus AET" and found the host site: [1]

> Introduction
>
>   Brutus is one of the fastest, most flexible remote password
>   crackers you can get your hands on - it's also free. It is
>   available for Windows 9x, NT and 2000, there is no UN*X version
>   available although it is a possibility at some point in the
>   future.

> Features
>
> Brutus version AET2 is the current release and includes the
> following authentication types :
>
>   - HTTP (Basic Authentication)
>   - HTTP (HTML Form/CGI)
>   - POP3
>   - FTP
>   - SMB
>   - Telnet
>   - Other types such as IMAP, NNTP, NetBus etc are freely
>     downloadable from this site and simply imported into your
>     copy of Brutus. You can create your own types or use
>     other peoples.
>
> The current release includes the following functionality :
>
>   - Multi-stage authentication engine
>   - 60 simultaneous target connections
>   - No username, single username and multiple username modes
>   - Password list, combo (user/password) list and configurable
>     brute force modes
>   - Highly customisable authentication sequences
>   - Load and resume position
>   - Import and Export custom authentication types as BAD files seamlessly
>   - SOCKS proxy support for all authentication types
>   - User and password list generation and manipulation functionality
>   - HTML Form interpretation for HTML Form/CGI authentication types
>   - Error handling and recovery capability inc. resume after crash/failure.

The screenshots page [2] is interesting:

| Below is a screenshot of the main Brutus window in action. Brutus
| is running against a web server here using the HTTP basic
| authentication type. Brutus is going for the user admin using
| brute force to generate passwords (every 5 character combination
| using 'a-z'), the maximum number of passwords attempted will be
| just under 12 million. The status bar indicates that Brutus has
| attempted just over 1.16 million attempts and is running at an
| average speed of 501 attempts per second (that's over 30,000 per
| minute.) The worst case remaining execution time for this attack
| is just under six hours.

500 hits per second seems slightly antisocial to me :)

The other day when a bad bot in Portugal was hammering my server
I was thinking of finally getting around to writing something to
prevent these kinds of abuses, but didn't yet. (it would have come
in handy a bunch of times at work in the past few years, too.)

The way I thought it would work is: monitor the httpd logs for IPs
that issue several requests per second over an extended period of
time, and firewall those systems off.

These bots hardly ever cause actual problems though (the one in
Portugal did, but Brutus didn't.)

[1] http://www.hoobie.net/brutus/
[2] http://www.hoobie.net/brutus/brutus-screenshots.html

--
Gerald Oskoboiny <[email protected]>
http://impressive.net/people/gerald/
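
The log-monitoring idea above (spot IPs that keep up several requests per second over a stretch of time, then firewall them off), worked through as an added example that is not code from the post. It parses Apache combined-format lines like the ones quoted above, buckets each client's requests by second, and flags a client that stays at or above a rate for a run of consecutive seconds, or that piles up 401s the way a Basic-auth guesser does. The thresholds, the iptables rule it emits, the 192.0.2.10 visitor and all the sample lines are constructed assumptions for illustration; only the 65.1.102.112 address, the path and the Brutus/AET user agent come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, the layout of the entries quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_abusers(lines, rate=5, sustain_secs=10, min_401=50):
    """Return {ip: stats} for clients that held >= `rate` requests/sec for
    `sustain_secs` consecutive seconds, or that collected >= `min_401` 401s.
    The default thresholds are assumptions for illustration; tune them per server."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        # Bucket requests by whole second, then look for the longest run of
        # consecutive seconds in which the client stayed at or above `rate`.
        buckets = defaultdict(int)
        for r in recs:
            buckets[r["ts"]] += 1
        longest = run = 0
        prev = None
        for sec in sorted(buckets):
            if buckets[sec] < rate:
                run = 0
            elif run > 0 and sec - prev == timedelta(seconds=1):
                run += 1
            else:
                run = 1
            prev = sec
            longest = max(longest, run)
        stats = {
            "requests": len(recs),
            "peak_per_sec": max(buckets.values()),
            "longest_run": longest,
            "status_401": sum(1 for r in recs if r["status"] == 401),
            "agents": sorted({r["agent"] for r in recs}),
        }
        if longest >= sustain_secs or stats["status_401"] >= min_401:
            flagged[ip] = stats
    return flagged


def firewall_rule(ip):
    """Block rule for a flagged client. Assumes a Linux host running iptables;
    returned as a string so the operator decides whether to apply it."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def make_sample_log():
    """Constructed sample log: a Brutus-style burst (12 req/s for 20 s, all 401)
    from the address in the post, plus a benign visitor on a documentation address."""
    tz = timezone(timedelta(hours=-5))
    base = datetime(2001, 2, 21, 21, 29, 52, tzinfo=tz)
    fmt = '{ip} - {user} [{ts}] "{req}" {status} 0 "" "{agent}"'
    lines = []
    for sec in range(20):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        for _ in range(12):
            lines.append(fmt.format(ip="65.1.102.112", user="backup", ts=ts,
                                    req="HEAD /people/gerald/2000/12/31/nye.html HTTP/1.1",
                                    status=401, agent="Mozilla/3.0 (Compatible);Brutus/AET"))
    for sec in (0, 7, 30, 45, 60):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        lines.append(fmt.format(ip="192.0.2.10", user="-", ts=ts,
                                req="GET /people/gerald/ HTTP/1.1", status=200,
                                agent="Mozilla/4.0 (constructed sample)"))
    return lines


if __name__ == "__main__":
    for ip, stats in find_abusers(make_sample_log()).items():
        print(ip, stats)
        print("  ->", firewall_rule(ip))
```

Run against the constructed sample, only 65.1.102.112 is flagged: 240 requests, a peak of 12 per second, 20 consecutive busy seconds and 240 responses of 401, while the benign visitor's five spread-out requests never reach the rate threshold. The two signals are deliberately separate: a sustained rate catches any hammering bot, the 401 count catches a slower password guesser that stays under the rate.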

HURL: fogo mailing list archives, maintained by Gerald Oskoboiny