Security Incidents mailing list archives

RE: Internet SSH scans


From: "Peter Bassill" <home () peterbassill com>
Date: Fri, 3 Mar 2006 08:48:11 -0000

I have seen similar scans against my network. It's not too much bother as we
only accept ssh connections from known hosts. It does seem, in my opinion,
to be some zombies.

Peter D. Bassill
Freelance Penetration Tester & Security Consultant
___________________________________________

(m)     07915 049922
(e)     itsec () peterbassill com
(w)     http://www.peterbassill.com


This email is confidential and intended solely for the use of the individual
to whom it is addressed. Any views or opinions presented are solely those of
the author and do not necessarily represent those of Starlite Solutions
Limited. If you are not the intended recipient, be advised that you have
received this email in error and that any use, dissemination, forwarding,
printing or copying of this email is strictly prohibited. If you have
received this email in error please notify postmaster () peterbassill com

-----Original Message-----
From: steve [mailto:steve () thebarnesonline org] 
Sent: 03 March 2006 04:56
To: Alexandre H; incidents () securityfocus com
Subject: RE: Internet SSH scans

Yes, I get scans every single day from all over the world as well. Run
your ssh server on an alternate port other than 22 and you will avoid
all the script kiddies.

-sb

-----Original Message-----
From: Alexandre H [mailto:alexandre.hamelin () gmail com] 
Sent: Thursday, March 02, 2006 6:08 PM
To: incidents () securityfocus com
Subject: Internet SSH scans

Hi,

I've witnessed what I think is an increase in SSH scans over the
Internet in the past four or five weeks. The scan seems to originate
from various countries around the globe, which makes me think it is
a worm-like spreading virus searching for vulnerable systems running the
SSH service. I confirmed the attack with a friend of mine who also
happens to run an SSH server at home. We both live in Montreal, QC,
Canada and are using the same ISP.

Since January 29 (maybe before), no less than 26000+ connection attempts
have been made on my system (which is running SSH) -- 4000 just in the
last three days. Each attempt tries to login with a specific username,
but many attempts are made in a short period of time (1 to 2 minutes)
with different usernames. I believe that the worm holds a list of common
usernames and passwords and successively tries to connect with each of
them when it finds a host with a port 22 open.

Typical attacks are similar to the following:

# grep Invalid /var/log/messages | head
Feb 26 15:06:12 localhost sshd[3500]: Invalid user delta from 194.44.247.243
Feb 26 15:06:14 localhost sshd[3502]: Invalid user admin from 194.44.247.243
Feb 26 15:06:16 localhost sshd[3504]: Invalid user test from 194.44.247.243
Feb 26 15:06:18 localhost sshd[3506]: Invalid user testing from 194.44.247.243
Feb 26 15:06:20 localhost sshd[3508]: Invalid user tester from 194.44.247.243
Feb 26 15:06:22 localhost sshd[3510]: Invalid user academy from 194.44.247.243
Feb 26 15:06:24 localhost sshd[3512]: Invalid user protector from 194.44.247.243
Feb 26 15:06:27 localhost sshd[3516]: Invalid user skylyn from 194.44.247.243
Feb 26 15:06:31 localhost sshd[3520]: Invalid user webmaster from 194.44.247.243
Feb 26 15:06:33 localhost sshd[3522]: Invalid user master from 194.44.247.243

In my attempt to get an initial idea of what it could be, I fired my
telnet client to connect to 2-3 random hosts among the addresses and
tried to see if their SSH service was up. Indeed they were, and their
banner showed what seemed to be an older version of SSH (seen OpenSSH 3.5
and 3.6). Also, one of these had the default Apache web page on its web
server.

I have attached a list of IP addresses from which the attack originated
so far. The text file contains the addresses from my system log files
and from my friend's log files. I have yet to contact the responsible
people of the corresponding domains.

Also, the list of different usernames is varied -- I count 4712
different login names in my system log files. I attached a list of
usernames to this message. It may be a good idea to check your systems
to see if any of the provided usernames is present and has a weak
password.

A quick look on the web for a mention of this SSH scan didn't provide me
with a satisfying explanation.

Did anyone ever notice such abnormal traffic in their system logs? I'd
be interested to hear about it. Also, to read about it if any alert has
been published on the web.

Thanks.

Alexandre Hamelin
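The pattern Alexandre describes (many "Invalid user" attempts from one address inside a minute or two, each with a different username) is easy to pick out of syslog automatically. The script below is an added example, not part of the original thread or any poster's code: it parses sshd "Invalid user" lines, rejoins log lines that an email client wrapped so that the address sits on the following line (as in the quoted log above), counts attempts per source inside a sliding two-minute window, flags sources that exceed a threshold, and collects the distinct usernames tried, which is the list Alexandre suggests checking against local accounts. The sample log embeds the ten lines quoted in the message plus two constructed lines from a second address that should not be flagged; the threshold and window values are assumptions, not something the thread specifies.

```python
"""Flag SSH brute-force sources from sshd 'Invalid user' syslog lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "Mon DD HH:MM:SS host sshd[pid]: Invalid user NAME from A.B.C.D".
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: Invalid user (?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
# A line holding nothing but an IPv4 address is the tail of a wrapped log line.
IP_ONLY_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: the ten lines quoted in the thread (wrapped as the
# mail archive shows them) plus two slow, isolated attempts from 10.0.0.5.
SAMPLE_LOG = """\
Feb 26 15:06:12 localhost sshd[3500]: Invalid user delta from
194.44.247.243
Feb 26 15:06:14 localhost sshd[3502]: Invalid user admin from
194.44.247.243
Feb 26 15:06:16 localhost sshd[3504]: Invalid user test from
194.44.247.243
Feb 26 15:06:18 localhost sshd[3506]: Invalid user testing from
194.44.247.243
Feb 26 15:06:20 localhost sshd[3508]: Invalid user tester from
194.44.247.243
Feb 26 15:06:22 localhost sshd[3510]: Invalid user academy from
194.44.247.243
Feb 26 15:06:24 localhost sshd[3512]: Invalid user protector from
194.44.247.243
Feb 26 15:06:27 localhost sshd[3516]: Invalid user skylyn from
194.44.247.243
Feb 26 15:06:31 localhost sshd[3520]: Invalid user webmaster from
194.44.247.243
Feb 26 15:06:33 localhost sshd[3522]: Invalid user master from
194.44.247.243
Feb 26 15:10:00 localhost sshd[3600]: Invalid user oracle from 10.0.0.5
Feb 26 15:40:00 localhost sshd[3700]: Invalid user guest from 10.0.0.5
"""


def rejoin_wrapped(text):
    """Glue a bare-IP continuation line back onto the line before it."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if IP_ONLY_RE.match(line) and out:
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out


def parse_line(line, year=2006):
    """Return (timestamp, username, source_ip) or None for non-matching lines.
    syslog omits the year, so the caller supplies it (2006 for this thread)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def parse_log(text, year=2006):
    """Parse every 'Invalid user' event out of a (possibly wrapped) log dump."""
    return [e for e in (parse_line(l, year) for l in rejoin_wrapped(text)) if e]


def flag_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: (total_attempts, sorted distinct usernames)} for every
    source that made at least `threshold` attempts inside any `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans <= `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(attempts), sorted({u for _, u in attempts}))
                break
    return flagged


def usernames_seen(events):
    """Distinct usernames tried across all sources, for comparison with
    local accounts that still have weak passwords."""
    return sorted({user for _, user, _ in events})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, (count, users) in flag_bruteforce(evs).items():
        print(f"{ip}: {count} attempts, {len(users)} usernames: {', '.join(users)}")
    print("all usernames tried:", ", ".join(usernames_seen(evs)))
```

Run against a real log with `parse_log(open("/var/log/messages").read())`; the two-minute window and threshold of five are a starting point, and on a host that only accepts connections from known addresses, as Peter does, any flagged source outside that set is worth a firewall rule.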

