Security Incidents mailing list archives

RE: Anyone else seeing SSH scans?


From: "Andrew Kopp ( Tor ZEW )" <andrew.kopp () kuehne-nagel com>
Date: Wed, 28 Jul 2004 08:33:01 -0400

I have seen a significant increase of scans on our ssh ports... 

But none of them seem to be related to any on this list. The attacker is
trying different accounts such as root or admin. They seem to try two
passwords with the admin account and three passwords with the root account.
If they are unable to obtain access they move on to the next host. It seems
to be scripted as each host has the same log except for the timestamp.

All scans have originated from one source. Below is an example from one of
my servers:


Jul 26 01:55:50 www1 sshd[32674]: Failed password for admin from
128.175.230.71 port 41402 ssh2
Jul 26 01:55:51 www1 sshd[32680]: Failed password for admin from
128.175.230.71 port 41443 ssh2
Jul 26 01:55:52 www1 sshd[32691]: Failed password for root from
128.175.230.71 port 41493 ssh2
Jul 26 01:55:53 www1 sshd[32697]: Failed password for root from
128.175.230.71 port 41518 ssh2
Jul 26 01:55:53 www1 sshd[32703]: Failed password for root from
128.175.230.71 port 41562 ssh2


But since the first attack they have stopped... Mind you they managed to
scan my entire class C.

To be honest, because they are looking for root logins, I am assuming they
are just scanning for badly configured hosts. (could possibly be using
default configurations for some systems such as routers or firewalls)



Regards,


Andrew Kopp
Kuehne + Nagel
andrew.kopp () kuehne-nagel com
Tel: (905) 696-2135
Fax: (905) 670-8942
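The pattern described above (a single source, two admin and three root failures in a few seconds, then on to the next host) is easy to pull out of sshd logs automatically. The script below is an added example, not part of the original post: it parses "Failed password" lines, groups them by source IP, and flags a source as scripted when it racks up at least five failures within a minute. The sample log is constructed from the five lines quoted in the post (unwrapped to one record each) plus one unrelated failure from 192.0.2.10; the thresholds and the 2004 year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd "Failed password" lines quoted in the post (one record per line).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample: the five lines from the post, unwrapped, plus one unrelated failure.
SAMPLE_LOG = [
    "Jul 26 01:55:50 www1 sshd[32674]: Failed password for admin from 128.175.230.71 port 41402 ssh2",
    "Jul 26 01:55:51 www1 sshd[32680]: Failed password for admin from 128.175.230.71 port 41443 ssh2",
    "Jul 26 01:55:52 www1 sshd[32691]: Failed password for root from 128.175.230.71 port 41493 ssh2",
    "Jul 26 01:55:53 www1 sshd[32697]: Failed password for root from 128.175.230.71 port 41518 ssh2",
    "Jul 26 01:55:53 www1 sshd[32703]: Failed password for root from 128.175.230.71 port 41562 ssh2",
    "Jul 26 09:12:03 www1 sshd[1201]: Failed password for alice from 192.0.2.10 port 50010 ssh2",
]

def parse_failed_logins(lines, year=2004):
    """Yield (timestamp, host, user, ip) per failed-password line; syslog omits the year (assumed)."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["user"], m["ip"]

def summarize_by_source(lines, window_seconds=60, min_attempts=5):
    """Group failures by source IP. A source with at least min_attempts failures
    inside window_seconds is flagged as scripted (thresholds are assumptions)."""
    by_ip = defaultdict(list)
    for ts, host, user, ip in parse_failed_logins(lines):
        by_ip[ip].append((ts, host, user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        per_user = defaultdict(int)
        for _, _, user in events:
            per_user[user] += 1
        span = (events[-1][0] - events[0][0]).total_seconds()
        report[ip] = {
            "attempts": len(events),
            "per_user": dict(per_user),
            "span_seconds": span,
            "scripted": len(events) >= min_attempts and span <= window_seconds,
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize_by_source(SAMPLE_LOG).items():
        print(ip, info)
```

Running it over real logs from every host in the block would also show whether one source walked the whole class C, as the post describes.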





-----Original Message-----
From:
incidents-return-7833-andrew.kopp=kuehne-nagel.com () securityfocus com
[mailto:incidents-return-7833-andrew.kopp=kuehne-nagel.com@securityfocus
.com]On Behalf Of Matthew Dharm
Sent: Tuesday, July 27, 2004 1:00 PM
To: incidents () securityfocus com
Subject: Anyone else seeing SSH scans?


I've noticed that several *NIX machines I have running (all of which are
located in the same IP block) are periodically getting scanned via ssh for
the accounts 'test' and 'guest'.

The source IP varies with each scan.  But I'm getting about one of these a
day now.  Obviously, I don't have accounts with that name on my systems,
but still....

Is this something new, or just people looking for badly configured
machines?

Matt

-- 
Matthew Dharm                              Home: mdharm () one-eyed-alien net 
Senior Software Designer, Momentum Computer

P:  Nine more messages in admin.policy.
M: I know, I'm typing as fast as I can!
                                        -- Pitr and Mike
User Friendly, 11/27/97

