Re: [VulnDiscuss] Re: [Full-Disclosure] Automated SSH login attempts?
- To: rbabb@xxxxxxxxx
- Subject: Re: [VulnDiscuss] Re: [Full-Disclosure] Automated SSH login attempts?
- From: Paul Schmehl <pauls@xxxxxxxxxxxx>
- Date: Mon, 26 Jul 2004 15:37:07 -0500
--On Monday, July 26, 2004 03:29:56 PM -0400 RBabb
<rob_mailing_lists@xxxxxxxxx> wrote:
> This makes me feel better. I thought it odd that so many machines were
> hitting my ssh server. I even blocked it at the firewall for a day or so.
> Is anyone talking on what the bot system was that allowed them to
> automate this? It seemed that as soon as 1 got it so did a whole bunch
> more so obviously people are distributing lists of IPs for potential SSH
> access.
That's not obvious at all. In our case, they're hitting IPs in sequential
order, so it looks (to us) more like a "brute force" attempt rather than
the targeting of hosts that are specifically running sshd.
> I'm not real sure on who to contact for these machines, but here are all
> the ones that have hit me. Mostly seem to be Asian so far.
> Jul 25 19:48:40 server sshd[55910]: Failed password for illegal user test
> from 212.4.172.123 port 56843 ssh2
> Jul 25 19:48:42 server sshd[55915]: Failed password for illegal user
> guest from 212.4.172.123 port 56916 ssh2
> Jul 25 20:37:19 server sshd[57221]: Failed password for illegal user test
> from 210.40.224.10 port 49738 ssh2
> Jul 25 20:37:22 server sshd[57223]: Failed password for illegal user
> guest from 210.40.224.10 port 49756 ssh2
[pauls@utd49554 pauls]$ dig -x 212.4.172.123
; <<>> DiG 9.2.2-P3 <<>> -x 212.4.172.123
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 123
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;123.172.4.212.in-addr.arpa. IN PTR
;; ANSWER SECTION:
123.172.4.212.in-addr.arpa. 604800 IN PTR mail.enet.de.
Since this is a mail server, I would say the odds are *extremely high* that
it's been compromised and that the owners would greatly appreciate a heads
up. (So I've cc'd them.) But these are *your* logs, so *you* should notify
them as well.
> Jul 24 21:37:50 server sshd[21578]: Failed password for illegal user test
> from 218.244.240.195 port 58900 ssh2
> Jul 24 21:37:53 server sshd[21580]: Failed password for illegal user
> guest from 218.244.240.195 port 58928 ssh2
person: ShouLan Du
address: Fl./8, South Building, Bridge Mansion, No. 53
country: CN
phone: +86-010-83160000
fax-no: +86-010-83155528
e-mail: dsl327@xxxxxxxxxxxxxx
nic-hdl: SD76-AP
mnt-by: MAINT-CNNIC-AP
changed: dsl327@xxxxxxxxxxxxxx 20020403
source: APNIC
> Jul 22 18:23:36 server sshd[38184]: Failed password for illegal user test
> from 216.86.221.113 port 58012 ssh2
> Jul 22 18:23:37 server sshd[38195]: Failed password for illegal user
> guest from 216.86.221.113 port 51509 ssh2
;; ANSWER SECTION:
113.221.86.216.in-addr.arpa. 14400 IN PTR
adsl-gte-la-216-86-215-113.mminternet.com.
Technical Contact:
Master, Host (NC312) hostmaster@xxxxxxxxxxxxxx
3780 Kilroy Airport Way
Suite 410
Long Beach, CA 90806
US
562-427-0344 fax: 562-427-3622
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
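Added example, not part of the original message: a small Python script that parses sshd "Failed password" lines of the kind quoted in this thread, groups them by source IP, and flags sources that cycled through the test/guest probe pair within seconds, which is the pattern that separates the automated scanners from a user mistyping a password. The log lines are constructed to match the thread's format; the year (2004), the 60-second window and the 192.0.2.7 address are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the format of the sshd logs quoted in this thread: two
# scanner sources probing "test" then "guest", plus one ordinary failed login.
SAMPLE_LOG = """\
Jul 25 19:48:40 server sshd[55910]: Failed password for illegal user test from 212.4.172.123 port 56843 ssh2
Jul 25 19:48:42 server sshd[55915]: Failed password for illegal user guest from 212.4.172.123 port 56916 ssh2
Jul 25 20:37:19 server sshd[57221]: Failed password for illegal user test from 210.40.224.10 port 49738 ssh2
Jul 25 20:37:22 server sshd[57223]: Failed password for illegal user guest from 210.40.224.10 port 49756 ssh2
Jul 25 21:02:11 server sshd[58001]: Failed password for alice from 192.0.2.7 port 40001 ssh2
"""
# Accepts the 2004-era "illegal user" wording and the later "invalid user".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
PROBE_USERS = ("test", "guest")  # the pair every scanner in the thread tried

def parse_failures(log_text, year=2004):
    """Group failed-password events by source IP (syslog has no year; 2004 assumed).
    Returns {ip: {"users": [names in order], "first": datetime, "last": datetime}}."""
    per_ip = defaultdict(lambda: {"users": [], "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins, other daemons, unrelated noise
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        e = per_ip[m["ip"]]
        e["users"].append(m["user"])
        e["first"] = ts if e["first"] is None else min(e["first"], ts)
        e["last"] = ts if e["last"] is None else max(e["last"], ts)
    return dict(per_ip)

def flag_probe_scanners(per_ip, window_seconds=60):
    """IPs that tried every PROBE_USERS name within window_seconds: a human
    mistyping one password does not cycle through nonexistent accounts in seconds."""
    flagged = []
    for ip, e in per_ip.items():
        span = (e["last"] - e["first"]).total_seconds()
        if all(u in e["users"] for u in PROBE_USERS) and span <= window_seconds:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    summary = parse_failures(SAMPLE_LOG)
    for ip in flag_probe_scanners(summary):  # candidates for a dig -x / whois lookup
        print(ip, summary[ip]["users"], summary[ip]["first"], summary[ip]["last"])
```

The flagged addresses are the ones worth running `dig -x` and whois against, as the reply above does by hand.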
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html