Educause Security Discussion mailing list archives

Re: Ongoing distributed Linux SSH dictionary attack


From: Andrew Daviel <advax () TRIUMF CA>
Date: Fri, 17 Apr 2009 01:00:22 -0700

On Thu, 16 Apr 2009, Pete Hickey wrote:

> We're seeing a large increase in ssh dictionary attacks this week.  Although
> it's coming from a number of different machines, I wouldn't call it a large
> enough number to consider it a distributed attack.

Semantics :-)  Surely "distributed", but not "massively distributed".
We see about 480 attacking one machine. Most of them are listed in
http://danger.rulez.sk/projects/bruteforceblocker/blist.php

I managed to talk to an admin at one of the attacking hosts. He'd found
an IRC-controlled scan tool that was installed via a vulnerability in the
"roundcube" webmail program. So it's not a worm as I had conjectured
(using its own exploit to spread exponentially), just someone targeting
us with a smallish botnet.

Most of the SSH attacks I've seen have come from a single machine, and
try some 100 passwords for "root". This one seems to be trying hundreds
of different usernames - about 900 in A and B so far, with perhaps 10
guesses each.

The scanner found at the one site is a thing called "dt_ssh5", which
downloads target addresses from port 44321 on a configured server.


--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
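As an added example (not code from the thread), the following Python check aggregates sshd failures across all source addresses instead of per address, which is what exposes the pattern Andrew describes: many sources, many distinct usernames, and only a handful of guesses from each source, so no single IP crosses a per-IP blocker's threshold. The log lines, addresses, usernames and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log lines (not from the original post).
SAMPLE_LOG = """\
Apr 16 10:01:02 host sshd[1001]: Failed password for invalid user adam from 203.0.113.5 port 40112 ssh2
Apr 16 10:01:09 host sshd[1002]: Failed password for invalid user alice from 198.51.100.7 port 40113 ssh2
Apr 16 10:01:15 host sshd[1003]: Failed password for invalid user amanda from 203.0.113.5 port 40114 ssh2
Apr 16 10:01:21 host sshd[1004]: Failed password for root from 192.0.2.9 port 40115 ssh2
Apr 16 10:01:30 host sshd[1005]: Failed password for invalid user andrew from 198.51.100.7 port 40116 ssh2
Apr 16 10:01:44 host sshd[1006]: Failed password for invalid user anna from 203.0.113.44 port 40117 ssh2
Apr 16 10:02:01 host sshd[1007]: Accepted publickey for andrew from 192.0.2.10 port 40118 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user X".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(text):
    """Yield (username, source_ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def summarize(text):
    """Aggregate failures across all sources, not just per source."""
    per_ip = defaultdict(int)
    users = set()
    for user, ip in parse_failures(text):
        per_ip[ip] += 1
        users.add(user)
    return {
        "sources": len(per_ip),
        "failures": sum(per_ip.values()),
        "distinct_users": len(users),
        "max_per_ip": max(per_ip.values(), default=0),
    }


def is_distributed_dictionary(summary, per_ip_threshold=5, min_sources=3, min_users=3):
    """Flag the low-and-slow campaign shape: many sources and usernames,
    while every individual source stays below a per-IP blocker threshold."""
    return (summary["sources"] >= min_sources
            and summary["distinct_users"] >= min_users
            and summary["max_per_ip"] < per_ip_threshold)
```

A per-IP blocker set to five failures would never fire on this sample, but the aggregate view flags it; the same summary can be fed to a campaign-wide block or an alert.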
