Security Incidents mailing list archives

SSHd spider attempts


From: "David D.W. Downey" <pgpkeys () pgpkeys net>
Date: Sat, 31 Jul 2004 23:53:13 -0400

As I'm sure you're aware from Security Focus, we have a spider in the wild that's checking sshd for password vulnerabilities.

I'm coming across traffic from IPs in mainly RIPE's range of control that may either be compromised boxes, or the originator's machine(s). I'm leaning towards cracked boxes, but I'll keep both options open until disproved.

Here is a log snippet. Although the total connection attempts span several large time periods, they all look exactly the same. Therefore, only one snippet (the most recent) is pasted here, for brevity. This particular network is not the only one to receive email regarding this. There are quite a few of us working to maintain awareness within our respective communities, as well as to notify IP block controlling authorities. [ If for no other reason than to help get the compromised box(es) shut down and less of a threat, regardless of whether said information succeeds, doubtfully, in finding the origination point. ]

Since this is a RIPE assigned address, I had to notify their upstream, since, as usual for RIPE address space, the listed abuse@ email address is over its quota limit. I hate to do it; however, too many RIPE abuse addresses fail to react, or respond, or properly manage their abuse email, which unfortunately requires pushing at the upstream.

Since there are 3 different potential renditions of this "signature", I list their expected payloads. 1) An exploit spider simply looking for default password combos, which when breached is then turned into an IRC DDoS botnet host. 2) A potential version-specific crack attempt possibly only taking place within the initial handshake, and 3) Some newbie kiddie having difficulties figuring out his new toys.

In general #1 isn't something to freak home to mom about, but #2 does scare me enough to consider its potential merits and to call for proof from the field aimed at disproving it. #3, I think we've all seen enough of to know where that goes.

Considering the growing number of IPs attempting this check, either we have a spider successfully hiding its singular self by simply changing its originating IP blocks across each run, or we have a growing number of compromised boxes.


Pgpkeys
  

SYSLOG ENTRIES - TYPICAL ACROSS REQUESTS

Jul 31 21:51:43 services sshd[695]: Illegal user test from 195.228.156.19
Jul 31 21:51:44 services sshd[697]: Illegal user guest from 195.228.156.19
Jul 31 21:51:46 services sshd[699]: Illegal user admin from 195.228.156.19
Jul 31 21:51:47 services sshd[701]: Illegal user admin from 195.228.156.19
Jul 31 21:51:48 services sshd[703]: Illegal user user from 195.228.156.19
Jul 31 21:51:49 services sshd[705]: Failed password for root from 195.228.156.19 port 1619 ssh2
Jul 31 21:51:51 services sshd[707]: Failed password for root from 195.228.156.19 port 1649 ssh2
Jul 31 21:51:52 services sshd[709]: Failed password for root from 195.228.156.19 port 1684 ssh2



Whois 195.228.156.19

route:        195.228.0.0/16
descr:        Hungarian Telecom, Axelero
descr:        Public Internet Access Provider
descr:        Budapest, Hungary
descr:        HU
origin:       AS5483
notify:       net-admin () matav net
mnt-by:       AS5483-MNT
changed:      jattila () htitig hti matav hu 19960806
changed:      bat () matav net 20021002
source:       RIPE

whois -h whois.ripe.net AS15555-MNT

person:       Irina Varnai
remarks:      IT Specialist
remarks:      Contact abuse () axelero hu concerning
remarks:      activities like spam, portscan and other
address:      Axelero Co, Hungarian Telecom Group
address:      Petofi S. 17-19
address:      H-1054 Budapest
address:      Hungary
phone:        +36 1 3713548
fax-no:       +36 1 4110541
e-mail:       irina () axelero hu
notify:       irina () axelero hu
nic-hdl:      IV32-RIPE
changed:      irina () matavnet hu 20000512
changed:      irina () axelero hu 20040406
source:       RIPE

person:       Andras Tudos
remarks:      Working for Axelero, C3 and BIX
address:      Computronic
address:      Karinthy F. u. 15.
address:      H-1117 Budapest
address:      Hungary
phone:        +36 1 3713543
fax-no:       +36 1 3713545
e-mail:       ripe () tudos hu
nic-hdl:      AT41-RIPE
changed:      ripe () tudos hu 20040730
source:       RIPE
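The syslog snippet in the post is exactly the kind of pattern a host-based detector should flag: a short burst of "Illegal user" probes against default account names followed by repeated "Failed password for root" from the same source. The following detector is an added example, not code from the original post or from any project the post mentions. It parses the OpenSSH log lines quoted above (embedded below as sample input; the year is assumed to be 2004 from the message date, since syslog timestamps carry none), groups events per source IP, and reports any source whose attempts exceed a threshold inside a sliding time window. The threshold and window values are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the sshd lines quoted in the post (year not present in syslog;
# 2004 is assumed from the message's Date header).
SAMPLE_LOG = """\
Jul 31 21:51:43 services sshd[695]: Illegal user test from 195.228.156.19
Jul 31 21:51:44 services sshd[697]: Illegal user guest from 195.228.156.19
Jul 31 21:51:46 services sshd[699]: Illegal user admin from 195.228.156.19
Jul 31 21:51:47 services sshd[701]: Illegal user admin from 195.228.156.19
Jul 31 21:51:48 services sshd[703]: Illegal user user from 195.228.156.19
Jul 31 21:51:49 services sshd[705]: Failed password for root from 195.228.156.19 port 1619 ssh2
Jul 31 21:51:51 services sshd[707]: Failed password for root from 195.228.156.19 port 1649 ssh2
Jul 31 21:51:52 services sshd[709]: Failed password for root from 195.228.156.19 port 1684 ssh2
"""

# Matches the two OpenSSH message forms seen in the post: an unknown account
# ("Illegal user X from IP") and a wrong password for a real account
# ("Failed password for X from IP port N ssh2").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Illegal user (?P<illegal>\S+) from (?P<ip1>[\d.]+)"
    r"|Failed password for (?:invalid user )?(?P<failed>\S+) from (?P<ip2>[\d.]+))"
)


def parse_line(line, year=2004):
    """Return (timestamp, source_ip, kind, username) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    if m.group("illegal"):
        return ts, m.group("ip1"), "illegal_user", m.group("illegal")
    return ts, m.group("ip2"), "failed_password", m.group("failed")


def detect_sweeps(log_text, threshold=5, window_seconds=60):
    """Group failed logins per source IP and flag sources whose densest burst
    reaches `threshold` attempts within `window_seconds` (assumed values)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev[1]].append(ev)

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        # Sliding window over the sorted timestamps: size of the densest burst.
        best, start = 0, 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[ip] = {
                "attempts": len(evs),
                "burst": best,
                "first": evs[0][0],
                "last": evs[-1][0],
                "users": sorted({e[3] for e in evs}),
                "illegal_users": sum(1 for e in evs if e[2] == "illegal_user"),
                "root_failures": sum(
                    1 for e in evs if e[2] == "failed_password" and e[3] == "root"
                ),
            }
    return findings


def format_report(findings):
    """Render one summary line per flagged source, suitable for an abuse notice."""
    lines = []
    for ip, f in sorted(findings.items()):
        lines.append(
            f"{ip}: {f['attempts']} attempts ({f['illegal_users']} unknown users, "
            f"{f['root_failures']} root failures) between {f['first']:%Y-%m-%d %H:%M:%S} "
            f"and {f['last']:%H:%M:%S}; accounts tried: {', '.join(f['users'])}"
        )
    return lines


if __name__ == "__main__":
    for line in format_report(detect_sweeps(SAMPLE_LOG)):
        print(line)
```

The "Illegal user" count versus the root-failure count separates the first of the poster's three renditions (a default-account sweep) from plain root password guessing; the report lines carry the first and last timestamps and the account list, which is the evidence an upstream abuse desk will ask for.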
