Security Incidents mailing list archives
RE: Internet SSH scans
From: "Peter Bassill" <home () peterbassill com>
Date: Fri, 3 Mar 2006 08:48:11 -0000
I have seen similar scans against my network. Its not too much bother as we only accept ssh connections from known hosts. It does seem, in my opinion, to be some zombies. Peter D. Bassill Freelance Penetration Tester & Security Consultant ___________________________________________ (m) 07915 049922 (e) itsec () peterbassill com (w) http://www.peterbassill.com This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Starlite Solutions Limited. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited. If you have received this email in error please notify postmaster () peterbassill com -----Original Message----- From: steve [mailto:steve () thebarnesonline org] Sent: 03 March 2006 04:56 To: Alexandre H; incidents () securityfocus com Subject: RE: Internet SSH scans Yes, I get scans every single day from all over the world as well. Run your ssh server non an alternate port other than 22 and you will avoid all the script kiddies. -sb -----Original Message----- From: Alexandre H [mailto:alexandre.hamelin () gmail com] Sent: Thursday, March 02, 2006 6:08 PM To: incidents () securityfocus com Subject: Internet SSH scans Hi, I've witnessed what I think is an increase in SSH scans over the Internet in the past four or five weeks. The scan seems to originate from various countries around the globe which makes me think of it to be a worm-like spreading virus searching for vulnerable systems running the SSH service. I confirmed the attack with a friend of mine who also happens to run a SSH server at home. We both live in Montreal, QC, Canada and are using the same ISP. Since January 29 (maybe before), no less than 26000+ connection attempts have been made on my system (which is running SSH) -- 4000 just in the last three days. Each attempt tries to login with a specific username, but many attempts are made in a short period of time (1 to 2 minutes) with different usernames. I believe that the worm holds a list of common usernames and passwords and successively tries to connect with each of them when it finds a host with a port 22 open. Typical attacks are similar to the following: # grep Invalid /var/log/messages | head Feb 26 15:06:12 localhost sshd[3500]: Invalid user delta from 194.44.247.243 Feb 26 15:06:14 localhost sshd[3502]: Invalid user admin from 194.44.247.243 Feb 26 15:06:16 localhost sshd[3504]: Invalid user test from 194.44.247.243 Feb 26 15:06:18 localhost sshd[3506]: Invalid user testing from 194.44.247.243 Feb 26 15:06:20 localhost sshd[3508]: Invalid user tester from 194.44.247.243 Feb 26 15:06:22 localhost sshd[3510]: Invalid user academy from 194.44.247.243 Feb 26 15:06:24 localhost sshd[3512]: Invalid user protector from 194.44.247.243 Feb 26 15:06:27 localhost sshd[3516]: Invalid user skylyn from 194.44.247.243 Feb 26 15:06:31 localhost sshd[3520]: Invalid user webmaster from 194.44.247.243 Feb 26 15:06:33 localhost sshd[3522]: Invalid user master from 194.44.247.243 In my attempt to get an initial idea of what it could be, I fired my telnet client to connect to 2-3 random hosts among the addresses and tried to see if their SSH service was up. Indeed they were, and their banner shown what seemed to be an older version of SSH (seen OpenSSH 3.5 and 3.6). Also, one of these had the default Apache web page on its web server. I have attached a list of IP addresses from which the attack originated so far. The text file contains the addresses from my system log files and from my friend's log files. I have yet to contact the responsable people of the corresponding domains. Also, the list of different usernames is various -- I count 4712 different login names in my system log files. I attached a list of usernames to this message. It may be a good idea to check your systems to see if any of the provided usernames is present and has a weak password. A quick look on the web for a mention of this SSH scan didn't provide me with a satisfying explanation. Did anyone ever notice such abnormal traffic in their system logs? I'd be interested to hear about it. Also, to read about it if any alert has been published on the web. Thanks. Alexandre Hamelin
Current thread:
- Internet SSH scans Alexandre H (Mar 02)
- RE: Internet SSH scans Tom Frerichs (Mar 02)
- RE: Internet SSH scans terry white (Mar 03)
- Re: Internet SSH scans Jonathan Nichols (Mar 03)
- RE: Internet SSH scans terry white (Mar 03)
- Re: Internet SSH scans Skip Carter (Mar 03)
- Re: Internet SSH scans Daniel Cid (Mar 03)
- Message not available
- Re: Internet SSH scans Jamie Riden (Mar 03)
- RE: Internet SSH scans Tom Frerichs (Mar 02)
- Re: Internet SSH scans Matt Rae (Mar 03)
- Re: Internet SSH scans Hugo J. Curti (Mar 06)
- <Possible follow-ups>
- RE: Internet SSH scans steve (Mar 02)
- RE: Internet SSH scans Peter Bassill (Mar 03)
- Re: RE: Internet SSH scans admin (Mar 03)
- Re: RE: Internet SSH scans Daxomatic (Mar 03)
- Re: RE: Internet SSH scans Christine Kronberg (Mar 03)
- Re: Internet SSH scans JK Adams (Mar 03)
- Re: RE: Internet SSH scans joakim . berge (Mar 03)
- Re: Re: RE: Internet SSH scans mrbits (Mar 03)
- RE: Internet SSH scans Adriano Carvalho (Mar 21)
- Re: Internet SSH scans Valdis . Kletnieks (Mar 22)
- Re: Internet SSH scans Adriano Carvalho (Mar 22)
- RE: Internet SSH scans Adriano Carvalho (Mar 21)