Security Incidents mailing list archives

Re: Internet SSH scans


From: Daniel Cid <danielcid () yahoo com br>
Date: Fri, 3 Mar 2006 16:56:24 -0300 (ART)

Hi Alexandre,

I also noticed an increase in the SSH scans... I have some honeypots set up and all of them are being scanned constantly. To avoid this on my "real" servers I run the OSSEC HIDS with active response enabled... It by default analyses your logs (in real time) and after a few invalid user names or multiple password attempts it will add the IP to the hosts.deny list and also block it on the firewall (right now only iptables, ipfilter and aix ipsec are supported).

Changing the port of the SSH also helps reduce the trash in the logs...

*http://www.ossec.net/hids/ (ossec hids web site)

Thanks,

--
Daniel B. Cid, CISSP


--- Alexandre H <alexandre.hamelin () gmail com> wrote:

Hi,

I've witnessed what I think is an increase in SSH scans over the Internet in the past four or five weeks. The scan seems to originate from various countries around the globe, which makes me think it is a worm-like spreading virus searching for vulnerable systems running the SSH service. I confirmed the attack with a friend of mine who also happens to run an SSH server at home. We both live in Montreal, QC, Canada and are using the same ISP.

Since January 29 (maybe before), no less than 26000+ connection attempts have been made on my system (which is running SSH) -- 4000 just in the last three days. Each attempt tries to log in with a specific username, but many attempts are made in a short period of time (1 to 2 minutes) with different usernames. I believe that the worm holds a list of common usernames and passwords and successively tries to connect with each of them when it finds a host with port 22 open.

Typical attacks are similar to the following:

# grep Invalid /var/log/messages | head
Feb 26 15:06:12 localhost sshd[3500]: Invalid user delta from 194.44.247.243
Feb 26 15:06:14 localhost sshd[3502]: Invalid user admin from 194.44.247.243
Feb 26 15:06:16 localhost sshd[3504]: Invalid user test from 194.44.247.243
Feb 26 15:06:18 localhost sshd[3506]: Invalid user testing from 194.44.247.243
Feb 26 15:06:20 localhost sshd[3508]: Invalid user tester from 194.44.247.243
Feb 26 15:06:22 localhost sshd[3510]: Invalid user academy from 194.44.247.243
Feb 26 15:06:24 localhost sshd[3512]: Invalid user protector from 194.44.247.243
Feb 26 15:06:27 localhost sshd[3516]: Invalid user skylyn from 194.44.247.243
Feb 26 15:06:31 localhost sshd[3520]: Invalid user webmaster from 194.44.247.243
Feb 26 15:06:33 localhost sshd[3522]: Invalid user master from 194.44.247.243

In my attempt to get an initial idea of what it could be, I fired up my telnet client to connect to 2-3 random hosts among the addresses and tried to see if their SSH service was up. Indeed they were, and their banner showed what seemed to be an older version of SSH (seen OpenSSH 3.5 and 3.6). Also, one of these had the default Apache web page on its web server.

I have attached a list of IP addresses from which the attack originated so far. The text file contains the addresses from my system log files and from my friend's log files. I have yet to contact the responsible people of the corresponding domains.

Also, the list of different usernames is varied -- I count 4712 different login names in my system log files. I attached a list of usernames to this message. It may be a good idea to check your systems to see if any of the provided usernames is present and has a weak password.

A quick look on the web for a mention of this SSH scan didn't provide me with a satisfying explanation.

Did anyone ever notice such abnormal traffic in their system logs? I'd be interested to hear about it, and also to read about it if any alert has been published on the web.

Thanks.

Alexandre Hamelin


=== message truncated ===
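Daniel's description of what OSSEC does (count failures per source in real time, then block the source) can be illustrated against log lines in the format Alexandre quotes. This is example code written for this list post, not OSSEC's code; the threshold of 5 failures in 120 seconds, the `::ffff:` handling, and every sample line except the first source address are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the format quoted in the thread; only the first
# source address (194.44.247.243) is taken from the post, the rest is made up.
SAMPLE_LOG = """\
Feb 26 15:06:12 localhost sshd[3500]: Invalid user delta from 194.44.247.243
Feb 26 15:06:14 localhost sshd[3502]: Invalid user admin from 194.44.247.243
Feb 26 15:06:16 localhost sshd[3504]: Invalid user test from 194.44.247.243
Feb 26 15:06:18 localhost sshd[3506]: Invalid user testing from ::ffff:194.44.247.243
Feb 26 15:06:20 localhost sshd[3508]: Invalid user tester from 194.44.247.243
Feb 26 15:07:05 localhost sshd[3530]: Failed password for root from 10.0.0.9 port 40210 ssh2
Feb 26 15:30:00 localhost sshd[3601]: Invalid user guest from 10.0.0.7
Feb 26 15:40:00 localhost sshd[3602]: Invalid user oracle from 10.0.0.7
Feb 26 15:50:00 localhost sshd[3603]: Invalid user backup from 10.0.0.7
"""

# Matches both "Invalid user X from IP" and "Failed password for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<u1>\S+) from (?P<ip1>\S+)"
    r"|Failed password for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>\S+))"
)

def parse_events(text, year=2006):
    """Return (timestamp, source_ip, username) for each failed-login line."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip1"] or m["ip2"]
        if ip.startswith("::ffff:"):   # IPv4-mapped IPv6, as in the attached list
            ip = ip[7:]                # count both spellings as one source
        events.append((ts, ip, m["u1"] or m["u2"]))
    return events

def offenders(events, threshold=5, window_seconds=120):
    """Source IPs with at least `threshold` failures inside one sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        # Compare each failure with the one `threshold - 1` entries before it.
        for i in range(threshold - 1, len(times)):
            if (times[i] - times[i - threshold + 1]).total_seconds() <= window_seconds:
                flagged.add(ip)
                break
    return flagged
```

The flagged set is what an active response would feed into hosts.deny or a firewall rule; the window keeps a handful of genuine typos spread over an hour from being blocked.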



                

