Handling an Oolong SSH attack


FreeBSD has a very useful feature: it automatically sends two emails to the root user every day, a daily report and a security report. I forward these to my own mailbox so that I can keep an eye on the system status from my phone every day.

A few days ago, while reading the daily security report on my phone, I noticed a large number of failed SSH logins on my home server. I went back to the computer, logged in and had a look:

grep error auth.log | tail 

They appear every few minutes. After counting the IPs, there are only a few of them, and they all come from this city.

Mar 26 03:00:41 myserver sshd[33056]: error: PAM: authentication error for raptor from 117.25.180.xx
Mar 26 03:00:41 myserver sshd[33056]: error: maximum authentication attempts exceeded for raptor from 117.25.180.xx port 2423 ssh2 [preauth]
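As an added example (not part of the original post), here is a small Python script that parses sshd failure lines of the shape shown above and tells a scheduled client with bad credentials apart from a credential-guessing burst: one username and a steady gap between attempts is the signature of misconfigured automation, many usernames in a few seconds is guessing. The log lines, the year, the addresses and the 10% gap tolerance are constructed assumptions; the `own_addresses` set is also an assumption, there to flag the case in this post, a source that is one of your own egress addresses.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the shape of the post's FreeBSD auth.log extract.
# Two sources: a periodic client retrying one user, and a spraying burst.
SAMPLE_LOG = """\
Mar 26 02:50:39 myserver sshd[33010]: error: PAM: authentication error for raptor from 117.25.180.5
Mar 26 02:50:39 myserver sshd[33010]: error: maximum authentication attempts exceeded for raptor from 117.25.180.5 port 2401 ssh2 [preauth]
Mar 26 02:55:40 myserver sshd[33033]: error: PAM: authentication error for raptor from 117.25.180.5
Mar 26 03:00:41 myserver sshd[33056]: error: PAM: authentication error for raptor from 117.25.180.5
Mar 26 03:00:41 myserver sshd[33056]: error: maximum authentication attempts exceeded for raptor from 117.25.180.5 port 2423 ssh2 [preauth]
Mar 26 03:01:02 myserver sshd[33060]: error: PAM: authentication error for admin from 203.0.113.9
Mar 26 03:01:03 myserver sshd[33061]: error: PAM: authentication error for root from 203.0.113.9
Mar 26 03:01:03 myserver sshd[33062]: error: PAM: authentication error for test from 203.0.113.9
Mar 26 03:01:04 myserver sshd[33063]: error: PAM: authentication error for oracle from 203.0.113.9
Mar 26 03:05:41 myserver sshd[33078]: error: PAM: authentication error for raptor from 117.25.180.5
"""

# Only the PAM line is counted; the "maximum authentication attempts" line
# reports the same failed session a second time.
AUTH_ERROR = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"error: PAM: authentication error for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_failures(text, year=2023):
    """Return [(timestamp, user, ip), ...] for each PAM authentication error.
    Syslog lines carry no year, so one is supplied (assumption: one year)."""
    out = []
    for line in text.splitlines():
        m = AUTH_ERROR.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"]))
    return out


def summarize_sources(failures, own_addresses=()):
    """Group failures by source IP and characterise each source's pattern."""
    by_ip = defaultdict(list)
    for ts, user, ip in failures:
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        users = sorted({u for _, u in events})
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if len(gaps) >= 2 and len(users) == 1 and max(gaps) - min(gaps) <= 0.1 * max(gaps):
            verdict = "periodic client, likely misconfigured automation"
        elif len(users) > 1 and gaps and max(gaps) < 60:
            verdict = "username spraying burst"
        else:
            verdict = "undetermined"
        if ip in own_addresses:
            # The lesson of the post: compare the "attacker" with your own egress IP.
            verdict += " (source is one of our own addresses)"
        report[ip] = {
            "count": len(events),
            "users": users,
            "median_gap_s": median(gaps) if gaps else None,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    rep = summarize_sources(parse_failures(SAMPLE_LOG), own_addresses={"117.25.180.5"})
    for ip, r in sorted(rep.items()):
        print(ip, r)
```

On the constructed data the first source is reported as a periodic client with a median gap of about five minutes, which is exactly the cadence the post describes; a real run would feed it `grep 'authentication error' /var/log/auth.log`.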

The first thought that comes to mind: could it be a hacker attack?

But after thinking it through, that seems impossible:

1. My home IP is dynamic, so an attacker would have to know my dynamic DNS name

2. My SSH server does not use the default port

3. Root login is prohibited, so an attacker would also have to know my user name

Unless my computer has been hacked, but as cautious as I am, that is not very likely. Could some domestic software be misbehaving? There is only a handful of domestic software installed on this computer, and all of it is reputable.

After a few days of investigation I had no clue; changing the port and adding configurations to block the IPs were both useless.

It wasn't until last weekend that I suddenly discovered that one of the attacking IPs was actually my home's external IP: the "attack" had been coming from my own computer all along.


So the next step was to find the process on this computer that was connecting to the SSH port (assuming the SSH port number is 2222):

lsof -i :2222 

However, there was no result. The log shows a login attempt every five minutes or so, so this is not a long-running process but one that runs periodically; there was nothing like that in cron, so the only option was to poll for it in a loop:

until lsof -i :2222; do :; done

After waiting five minutes I finally caught one:

ssh     25390 raptor    3u  IPv4 0x59231eed85a432f3      0t0  TCP 10.0.xxx.xxx:64077->217.180.xxx.xxx.broad.xm.fj.dynamic.163data.com.cn:2222 (SYN_SENT)

It's actually ssh? Then we need to grab its parent process:

until lsof -i :2222; do :; done && ps -ef $(lsof -i :2222 | tail -n 1 | awk '{print $2}')

It's actually hg?

  501 25390 25374   0 11:05AM ??         0:00.04 ssh raptor@xxxxx hg -R hg/proj serve --stdio

OK, keep digging. At this point you can basically guess who it is: either zsh or PyCharm.

But one-liners are getting hard to write, so let's write it as a script:


RES=1
while [[ $RES == 1 ]]
do
    OUT=$(lsof -i :2222)      # exit status 1 means nothing is on the port yet
    RES=$?
done
echo "$OUT"

# The ssh connection is short-lived, so parse the output we caught instead of
# calling lsof again. Walk up two levels: ssh -> its parent -> grandparent.
PID=$(echo "$OUT" | tail -n 1 | awk '{print $2}')
PID1=$(ps -o ppid= -p "$PID" | tr -d ' ')
PID2=$(ps -o ppid= -p "$PID1" | tr -d ' ')
ps aux | awk -v p="$PID2" '$2 == p'
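The script above walks up exactly two levels. As an added example in Python (not the author's code), here is the general form: parse a `ps` snapshot into a pid table, follow the parent chain until the tree root, and wrap it in the same poll on the SSH port using `lsof -t`. The snapshot below is constructed for illustration; the live helper assumes a `ps` that accepts `-axo pid=,ppid=,comm=` (BSD, macOS and procps all do).

```python
import subprocess

# Constructed snapshot in 'ps -axo pid=,ppid=,comm=' shape: the chain from the
# post (pycharm -> hg -> ssh) plus unrelated processes. Not real system data.
SAMPLE_PS = """\
    1     0 launchd
  400     1 loginwindow
 4806   400 /Applications/PyCharm CE.app/Contents/MacOS/pycharm
25374  4806 hg
25390 25374 ssh
  512     1 sshd
"""


def parse_ps(text):
    """Map pid -> (ppid, command). The command may contain spaces, so split
    on at most two whitespace runs."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        table[int(parts[0])] = (int(parts[1]), parts[2])
    return table


def ancestry(table, pid):
    """Walk from pid up through its parents until the root (ppid 0) or a pid
    missing from the snapshot. Returns [(pid, command), ...] child-first.
    The visited set guards against a stale snapshot that loops."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        ppid, comm = table[pid]
        chain.append((pid, comm))
        pid = ppid
    return chain


def live_ancestry(pid):
    """Same walk against the running system."""
    snapshot = subprocess.run(
        ["ps", "-axo", "pid=,ppid=,comm="],
        capture_output=True, text=True, check=True,
    ).stdout
    return ancestry(parse_ps(snapshot), pid)


def pid_on_port(port):
    """First PID that lsof reports with a socket on the port, or None.
    lsof -t prints bare PIDs and exits 1 when nothing matches."""
    res = subprocess.run(["lsof", "-t", "-i", f":{port}"],
                         capture_output=True, text=True)
    return int(res.stdout.split()[0]) if res.stdout.strip() else None


if __name__ == "__main__":
    import sys
    import time

    port = int(sys.argv[1]) if len(sys.argv) > 1 else 2222
    pid = None
    while pid is None:          # poll, as the author's while loop does
        pid = pid_on_port(port)
        if pid is None:
            time.sleep(0.2)
    for p, comm in live_ancestry(pid):
        print(p, comm)
```

Run as `python3 findparent.py 2222` on the client machine; the last lines of the chain name the long-lived process (here an IDE) responsible for the short-lived ssh.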

Sure enough, it is PyCharm:

raptor  4806   0.0  9.7  7425152 812648   ??  S    Fri10PM  12:55.38 /Applications/PyCharm CE.app/Contents/MacOS/pycharm


Open PyCharm's Preferences > Version Control > Mercurial and untick "Check incoming and outgoing changesets".

After observing for half an hour, those "attacks" finally stopped.


PyCharm calls hg serve --stdio over SSH every five minutes to check for updates on my hg server. I had configured a default ssh path in this project's hgrc, but this computer has no SSH key and would need a login password, so PyCharm's poll fails immediately and leaves a failed SSH login record on the server.
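For readers who want to see what that configuration looks like, here is an added, hypothetical `.hg/hgrc` for the situation in the post (not the author's actual file): the host name, port, repository path and key file name are assumptions. The `[paths]` entry is what makes each incoming/outgoing check open an SSH session; the `[ui] ssh` line is the alternative to unticking the checkbox, giving the client a key so the poll can succeed silently instead of leaving password failures in the server's log.

```ini
# Hypothetical .hg/hgrc for the project in the post (added example).
# Every "check incoming and outgoing changesets" run opens an SSH session
# to this path; without usable credentials it is logged server-side as a
# failed login.
[paths]
default = ssh://raptor@home.dyndns.example:2222/hg/proj

# Either remove the path above so nothing polls, or give the client a key.
# BatchMode=yes stops ssh from waiting on a password prompt that an IDE
# background task can never answer.
[ui]
ssh = ssh -i ~/.ssh/id_ed25519_hg -o BatchMode=yes
```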


Tags: Cyber Security ssh root

Posted by Schwalbach on Wed, 22 Feb 2023 17:52:48 +1030