Educause Security Discussion mailing list archives

Re: Uptick in SSH scanning ?


From: Joseph Tam <tam () MATH UBC CA>
Date: Fri, 12 Dec 2014 15:19:20 -0800

Jason Gates <jasongates () SOUTHERN EDU> writes:

Andrew Daviel writes:

> We seem to have seen a 10x increase in SSH scans over the last few days.
> I wondered if that was a common experience.
> From something like 40 unique source addresses/day to a /16 subnet to over 1000 yesterday.

Two /20 subnets here.
Today: 1135 unique addresses
Yesterday: 1328
3 days ago: 1638
4 days ago: 400
5 days ago: 121
6 days and beyond: ~100

Source IP address list attached.

Yes, huge uptick.

In your IPs listed, there are two sets: the usual players, and the extra
distributed ssh bfd that contributes to most of the increase.

The usual players are the Chinese networks that have been the source of
the majority of the BFD attempts before this sudden rise (e.g. 1.93.*,
61.174.*, 222.186.* have been brute-forcing for months, if not years).

The others seem to be spread out all over the place (with German ISPs being
overrepresented).  I've spot checked them, and most appear to be compromised
web servers (maybe succumbed to the Shellshock exploit?).

Almost all of them are on the blocklist.de blacklist (web server offline
owing to high system load!), but their stats clearly show BFD attempts
going off the charts.

Joseph Tam <tam () math ubc ca>
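The per-day unique-source counts quoted above are the kind of number a defender wants pulled straight from sshd logs, with a flag when a day jumps well above the recent baseline. The following is an added example, not code from either poster; it parses constructed syslog-style sshd lines (documentation IP ranges only), counts unique sources with failed or invalid-user attempts per day, and flags days at or above a chosen multiple of the median of the preceding days.

```python
import re
from statistics import median

# Constructed sample sshd lines for illustration (not from the thread).
SAMPLE_LOG = """\
Dec  5 02:11:40 gw sshd[4101]: Failed password for root from 203.0.113.10 port 40122 ssh2
Dec  5 02:11:44 gw sshd[4101]: Failed password for root from 203.0.113.10 port 40122 ssh2
Dec  6 01:03:12 gw sshd[4388]: Invalid user admin from 203.0.113.20 port 55013
Dec  6 01:03:15 gw sshd[4388]: Failed password for invalid user admin from 203.0.113.20 port 55013 ssh2
Dec  6 09:30:01 gw sshd[4502]: Failed password for root from 203.0.113.30 port 1025 ssh2
Dec  7 03:45:09 gw sshd[4777]: Failed password for root from 203.0.113.10 port 40200 ssh2
Dec  8 00:01:02 gw sshd[5001]: Failed password for root from 192.0.2.11 port 3301 ssh2
Dec  8 00:01:30 gw sshd[5002]: Invalid user oracle from 192.0.2.12 port 3302
Dec  8 00:02:11 gw sshd[5003]: Failed password for root from 192.0.2.13 port 3303 ssh2
Dec  8 00:02:40 gw sshd[5004]: Failed password for root from 192.0.2.14 port 3304 ssh2
Dec  8 00:03:05 gw sshd[5005]: Invalid user test from 192.0.2.15 port 3305
Dec  8 00:03:09 gw sshd[5005]: Failed password for invalid user test from 192.0.2.15 port 3305 ssh2
Dec  8 00:04:00 gw sshd[5006]: Failed password for root from 203.0.113.10 port 40300 ssh2
Dec  8 00:04:30 gw sshd[5007]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
"""

# Matches "Failed password for [invalid user] X from IP" and "Invalid user X from IP".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (?P<ip>\d+(?:\.\d+){3})"
)

def unique_sources_per_day(log_text):
    """Return {'Mon DD': number of distinct source IPs with failed/invalid attempts}, in log order."""
    per_day = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_day.setdefault(f"{m['mon']} {int(m['day']):02d}", set()).add(m['ip'])
    return {day: len(ips) for day, ips in per_day.items()}

def flag_upticks(counts, factor=10.0, min_baseline_days=2):
    """List (day, count, baseline, ratio) for days whose count is >= factor * median of prior days."""
    flagged, history = [], []
    for day, n in counts.items():
        if len(history) >= min_baseline_days:
            base = median(history)
            if base > 0 and n >= factor * base:
                flagged.append((day, n, base, n / base))
        history.append(n)
    return flagged

if __name__ == "__main__":
    counts = unique_sources_per_day(SAMPLE_LOG)
    for day, n in counts.items():
        print(f"{day}: {n} unique addresses")
    print("upticks (5x):", flag_upticks(counts, factor=5))
```

Successful logins and repeat attempts from the same address are ignored, so the counts reflect distinct sources, as in the figures quoted in the thread.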

