Under hacker attack!

Update – Apparently it was about May of this year when there was a large surge in ssh password attacks. I believe that my computer became a target sometime after that. Here are some good articles reporting on the situation:

“Brute-Force SSH Server Attacks Surge” by InformationWeek

“Brute-force SSH attacks surge” by SC Magazine

This may not be news to many of you, but my new home development machine is under attack! This isn’t your typical script kiddie HTTP attack, but rather a full-blown SSHD password guessing attack. Unfortunately, I did not take screenshots of everything as I detected the attack (which has been going on for about two weeks now) but I do have a few screenshots to help describe the timeline of events:


1 – I opened Process Explorer (an excellent replacement for the Windows Task Manager) to investigate my current CPU usage and running processes. The screenshot above doesn’t show it because I didn’t take a screenshot at the time, but what drew my attention to a possible attack was multiple sshd.exe processes appearing and then disappearing (highlighted in red to indicate that the process was marked for destruction). My immediate instinct was that somebody was making connections and attempting to guess a password!


2 – I then instinctively (i.e., immediately and as fast as I could) opened a command prompt and typed the command netstat -a, which shows the list of active TCP connections. Sure enough, there were a number of connections to static-217-133-194-98.clienti.tiscali.it.


3 – Next I decided to see if the event viewer had recorded any activity. Wow! Over 30,000 events relating to sshd activity. The screenshot above shows the very first event recording a break-in attempt. On the evening of November 25, I switched my hardware firewall to redirect all port 22 SSH requests to my new computer. The next morning at 11:55:19 AM, the first attack commenced and proceeded to send a new username/password login attempt every 8 seconds for just over 1.5 hours, ending at 1:19:19 PM. The attack sequence generated 2489 entries in the event viewer. You can see that the entry records a failed password guess for the non-existent user root. The attacking computer then tried a different password before switching to a new user account, ftp. Again, this is a non-existent user account. Then the attacker tried a second time with this account before switching to another one: sales.
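As an added example (not code from the original post), here is the kind of detection logic this timeline suggests: parse sshd failed-login records for the source address, the guessed account and whether that account exists, then flag sources whose failures cluster in time and report the accounts tried and the mean gap between guesses. The log lines are constructed in OpenSSH's syslog wording rather than the Windows event-log text on the page, and the year is assumed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (OpenSSH syslog wording; the Windows event text differs). Year assumed 2008.
SAMPLE_LOG = """\
Nov 26 11:55:19 devbox sshd[4120]: Failed password for invalid user root from 198.51.100.7 port 51234 ssh2
Nov 26 11:55:27 devbox sshd[4121]: Failed password for invalid user root from 198.51.100.7 port 51240 ssh2
Nov 26 11:55:35 devbox sshd[4122]: Failed password for invalid user ftp from 198.51.100.7 port 51245 ssh2
Nov 26 11:55:43 devbox sshd[4123]: Failed password for invalid user ftp from 198.51.100.7 port 51251 ssh2
Nov 26 11:55:51 devbox sshd[4124]: Failed password for invalid user sales from 198.51.100.7 port 51260 ssh2
Nov 26 12:03:10 devbox sshd[4130]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
Nov 26 12:10:00 devbox sshd[4131]: Failed password for alice from 192.0.2.10 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2008):
    """Return a list of (timestamp, source_ip, username, is_nonexistent_user)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # successful logins and unrelated lines are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["invalid"] is not None))
    return events

def flag_brute_force(events, threshold=5, window_s=600):
    """Flag sources with >= threshold failures inside any window_s-second window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort()
        burst, j = 0, 0
        for i in range(len(evs)):            # sliding window over sorted times
            while (evs[i][0] - evs[j][0]).total_seconds() > window_s:
                j += 1
            burst = max(burst, i - j + 1)
        if burst >= threshold:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
            report[ip] = {"failures": len(evs), "users": Counter(e[2] for e in evs),
                          "nonexistent_ratio": sum(e[3] for e in evs) / len(evs),
                          "mean_gap_s": sum(gaps) / max(len(gaps), 1)}
    return report
```

A high share of guesses against non-existent accounts combined with a fixed inter-attempt gap is the signature the event log above shows; the single failure from the second address stays below the threshold and is not reported.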


Final exams

I am in the process of giving my Intro to Computer Science exam right now with two more exams to go after this one. I thought I would take a minute to update on a number of projects in the works:

  • Ajax Performance Toolkit – I am in the final stages of getting ready to release this to web developers under the GNU General Public License (GPL). This “plug-and-play-and-configure” software allows a web developer to insert a small segment of code onto any web page to monitor the performance of Ajax requests being generated and the responses being received from a web server as well as the current load on the web server. Click on the screenshot below to see a larger image showing the toolkit applied to a page that retrieves the elevation under the cursor by sending an Ajax request to the server every time the mouse moves.
  • Overclocked Q9550 processor – back up to 3.78GHz running at 1.38 core voltage. I invested the money in a nice processor and a nice motherboard, so why not use their full potential? A color-coded shaded relief map of the entire state of Colorado can be generated over 20% faster with the overclocked processor than with the stock setup. Here are the updated PC Mark Vantage results.