Educause Security Discussion mailing list archives

Re: Ongoing distributed Linux SSH dictionary attack


From: "Daly, Douglas" <DDALY () NYMC EDU>
Date: Fri, 17 Apr 2009 15:19:22 -0400

It looks like this might fit... http://lwn.net/Articles/324415/

Regards,
Douglas Daly
Associate Director,
Technical Services
New York Medical College
Valhalla, NY  10595

914.594.4961



-----Original Message-----
From: Andrew Daviel [mailto:advax () TRIUMF CA]
Sent: Thursday, April 16, 2009 7:15 PM
Subject: Ongoing distributed Linux SSH dictionary attack


FYI

We are seeing a distributed-source SSH dictionary attack on multiple machines.
The sources appear to be running Linux according to P0F. This blows past our
"15 strikes sitewide and you are out" filter.

Apr 16 15:24:27 xxxx sshd[25699]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 67.159.44.179
Apr 16 15:26:05 xxxx sshd[25706]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 77.92.129.178
Apr 16 15:27:38 xxxx sshd[25716]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 85.17.201.76
Apr 16 15:29:04 xxxx sshd[25726]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 061239249180.ctinets.com
Apr 16 15:30:35 xxxx sshd[25752]: error: PAM: User not known to the underlying authentication module for illegal user blodwyn from 220.232.240.148
Apr 16 15:32:19 xxxx sshd[25757]: error: PAM: User not known to the underlying authentication module for illegal user blodwyn from 184.197.221.203-static.velocitynet.com.au

etc.

--- p0f 2.0.8 resuming operations at <Thu Apr 16 15:18:26 2009> ---
<Thu Apr 16 15:18:32 2009> 83.149.64.3:46261 - Linux 2.6 (newer, 3) (up: 382 hrs) -> xxxx (distance 15, link: ethernet/modem)
<Thu Apr 16 15:20:14 2009> 200.29.169.172:59119 - Linux 2.6 (newer, 2) (up: 429 hrs) -> xxxx (distance 18, link: ethernet/modem)
<Thu Apr 16 15:23:27 2009> 118.69.205.23:53479 - Linux 2.6, seldom 2.4 (older, 4) (up: 200 hrs) -> xxxx (distance 15, link: ethernet/modem)
<Thu Apr 16 15:24:27 2009> 67.159.44.179:54611 - Linux 2.6 (newer, 3) (up: 317 hrs) -> xxxx (distance 17, link: ethernet/modem)

etc.




--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
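Added here as an illustration, not code from either poster: a small Python detector that keys failed sshd logins on the guessed username rather than on the source address, which is the view a per-IP "N strikes" counter like the one described above never gets. The log lines are a constructed sample modelled on the quoted ones (with one extra benign-looking line); the year 2009, the 10-minute window and the three-source threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the sshd/PAM lines quoted in the post:
# one attempt per source, several sources rotating through one username.
SAMPLE_LOG = """\
Apr 16 15:24:27 xxxx sshd[25699]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 67.159.44.179
Apr 16 15:26:05 xxxx sshd[25706]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 77.92.129.178
Apr 16 15:27:38 xxxx sshd[25716]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 85.17.201.76
Apr 16 15:29:04 xxxx sshd[25726]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 061239249180.ctinets.com
Apr 16 15:30:35 xxxx sshd[25752]: error: PAM: User not known to the underlying authentication module for illegal user blodwyn from 220.232.240.148
Apr 16 15:32:19 xxxx sshd[25757]: error: PAM: User not known to the underlying authentication module for illegal user blodwyn from 184.197.221.203-static.velocitynet.com.au
Apr 16 15:33:02 xxxx sshd[25760]: error: PAM: User not known to the underlying authentication module for illegal user jsmtih from 192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r".*illegal user (?P<user>\S+) from (?P<src>\S+)$")

def parse_failures(log_text, year=2009):
    """Return (timestamp, user, source) per failed login; syslog carries no year, so pass one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["src"]))
    return events

def per_source_counts(events):
    """The per-IP view a 'N strikes and you are out' filter sees."""
    counts = defaultdict(int)
    for _, _, src in events:
        counts[src] += 1
    return dict(counts)

def distributed_guesses(events, window=timedelta(minutes=10), min_sources=3):
    """Usernames tried from >= min_sources distinct hosts within `window`; keying on
    the username rather than the source exposes the spread-out attack."""
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    flagged = {}
    for user, attempts in by_user.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            srcs = {src for ts, src in attempts[i:] if ts - start <= window}
            if len(srcs) >= min_sources:
                flagged[user] = srcs
                break
    return flagged
```

On the sample, every source scores a single strike (so a per-IP threshold of 15 never fires) while `blithe` is flagged as guessed from four hosts inside ten minutes.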
