Security Incidents mailing list archives
SSHd spider attempts
From: "David D.W. Downey" <pgpkeys () pgpkeys net>
Date: Sat, 31 Jul 2004 23:53:13 -0400
As I'm sure you're aware from Security Focus, we have a spider in the wild that's checking sshd for password vulnerabilities. I'm coming across traffic from IPs in mainly RIPE's range of control that may either be compromised boxes, or the originator's machine(s). I'm leaning towards cracked boxes, but I'll keep both options open until disproved.

Here is a log snippet. Since total connection attempts cover several large time spaces, they however look exactly the same. Therefore, only one snippet is pasted here (most recent), for brevity.

This particular network is not the only one to receive email regarding this. There are quite a few of us working to maintain awareness within our respective communities, as well as notify IP block controlling authorities. [ If for no other reason than to help get the compromised box(es) shut down and less of a threat, regardless if said information succeeds, doubtfully, in finding the origination point. ]

Since this is a RIPE assigned address, I had to notify their upstream, since, as usual for RIPE address space, the listed abuse@ email address is over its quota limit. I hate to do it, however, too many RIPE abuse addresses fail to react, or respond, or properly manage their abuse email, which unfortunately requires pushing at the upstream.

Since there are 3 different potential renditions of this "signature", I list their expected payloads.

1) An exploit spider simply looking for default password combos, which when breached is then turned into an IRC ddos botnet host.
2) A potential version-specific crack attempt possibly only taking place within the initial handshake, and
3) Some newbie kiddie having difficulties figuring out his new toys.

In general #1 isn't something to freak home to mom about, but #2 does scare me enough to consider its potential merits and to call for proof from the field aimed at disproving it. #3, I think we've all seen enough of to know where that goes.
Considering the growing number of IPs attempting this check, either we have a spider successfully hiding its singular self by simply changing its originating IP blocks across each run, or we have a growing number of compromised boxes.

Pgpkeys SYSLOG ENTRIES - TYPICAL ACROSS REQUESTS

Jul 31 21:51:43 services sshd[695]: Illegal user test from 195.228.156.19
Jul 31 21:51:44 services sshd[697]: Illegal user guest from 195.228.156.19
Jul 31 21:51:46 services sshd[699]: Illegal user admin from 195.228.156.19
Jul 31 21:51:47 services sshd[701]: Illegal user admin from 195.228.156.19
Jul 31 21:51:48 services sshd[703]: Illegal user user from 195.228.156.19
Jul 31 21:51:49 services sshd[705]: Failed password for root from 195.228.156.19 port 1619 ssh2
Jul 31 21:51:51 services sshd[707]: Failed password for root from 195.228.156.19 port 1649 ssh2
Jul 31 21:51:52 services sshd[709]: Failed password for root from 195.228.156.19 port 1684 ssh2

Whois 195.228.156.19

route: 195.228.0.0/16
descr: Hungarian Telecom, Axelero
descr: Public Internet Access Provider
descr: Budapest, Hungary
descr: HU
origin: AS5483
notify: net-admin () matav net
mnt-by: AS5483-MNT
changed: jattila () htitig hti matav hu 19960806
changed: bat () matav net 20021002
source: RIPE

whois -h whois.ripe.net AS15555-MNT

person: Irina Varnai
remarks: IT Specialist
remarks: Contact abuse () axelero hu concerning
remarks: activities like spam, portscan and other
address: Axelero Co, Hungarian Telecom Group
address: Petofi S. 17-19
address: H-1054 Budapest
address: Hungary
phone: +36 1 3713548
fax-no: +36 1 4110541
e-mail: irina () axelero hu
notify: irina () axelero hu
nic-hdl: IV32-RIPE
changed: irina () matavnet hu 20000512
changed: irina () axelero hu 20040406
source: RIPE

person: Andras Tudos
remarks: Working for Axelero, C3 and BIX
address: Computronic
address: Karinthy F. u. 15.
address: H-1117 Budapest
address: Hungary
phone: +36 1 3713543
fax-no: +36 1 3713545
e-mail: ripe () tudos hu
nic-hdl: AT41-RIPE
changed: ripe () tudos hu 20040730
source: RIPE
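As an added example, not part of the original post, the following Python parses sshd "Illegal user" and "Failed password" syslog lines like the ones above, groups them per source IP, and flags a source whose burst of attempts across several usernames matches the pattern described. The trailing "Accepted publickey" line, the thresholds and the year are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the eight lines from the post above, plus one constructed successful login.
SAMPLE_LOG = """\
Jul 31 21:51:43 services sshd[695]: Illegal user test from 195.228.156.19
Jul 31 21:51:44 services sshd[697]: Illegal user guest from 195.228.156.19
Jul 31 21:51:46 services sshd[699]: Illegal user admin from 195.228.156.19
Jul 31 21:51:47 services sshd[701]: Illegal user admin from 195.228.156.19
Jul 31 21:51:48 services sshd[703]: Illegal user user from 195.228.156.19
Jul 31 21:51:49 services sshd[705]: Failed password for root from 195.228.156.19 port 1619 ssh2
Jul 31 21:51:51 services sshd[707]: Failed password for root from 195.228.156.19 port 1649 ssh2
Jul 31 21:51:52 services sshd[709]: Failed password for root from 195.228.156.19 port 1684 ssh2
Jul 31 22:10:05 services sshd[800]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal user (?P<bad_user>\S+) from (?P<ip1>\S+)"
    r"|Failed password for (?:invalid user )?(?P<fail_user>\S+) from (?P<ip2>\S+) port \d+)"
)

def parse_events(text, year=2004):
    """Yield (timestamp, source_ip, username, kind) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and other sshd messages are not attempts
        # syslog timestamps carry no year, so one is supplied (assumed 2004 here)
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if m.group("bad_user"):
            yield ts, m.group("ip1"), m.group("bad_user"), "illegal_user"
        else:
            yield ts, m.group("ip2"), m.group("fail_user"), "failed_password"

def summarize(text, min_attempts=5, window_seconds=60):
    """Per source IP: attempt count, usernames tried, time span, and a burst flag."""
    by_ip = defaultdict(list)
    for ts, ip, user, kind in parse_events(text):
        by_ip[ip].append((ts, user, kind))
    report = {}
    for ip, events in by_ip.items():
        events.sort()  # log order is not guaranteed to be chronological
        span = (events[-1][0] - events[0][0]).total_seconds()
        report[ip] = {
            "attempts": len(events),
            "usernames": sorted({u for _, u, _ in events}),
            "span_seconds": span,
            "suspicious": len(events) >= min_attempts and span <= window_seconds,
        }
    return report
```

Running summarize(SAMPLE_LOG) reports the single source with eight attempts over nine seconds across five usernames, flagged as suspicious, while the constructed successful login is ignored.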