Security Incidents mailing list archives
Re: Internet SSH scans
From: Daniel Cid <danielcid () yahoo com br>
Date: Fri, 3 Mar 2006 16:56:24 -0300 (ART)
Hi Alexandre,

I also noticed an increase of the SSH scans... I have some honeypots set up and all of them are being scanned constantly.

To avoid this on my "real" servers I run the OSSEC HIDS with active response enabled... By default it analyses your logs (in real time) and after a few invalid user names or multiple password attempts it will add the IP to the hosts.deny list and also block it on the firewall (right now only iptables, ipfilter and AIX ipsec are supported).

Changing the port of the SSH also helps reducing the trash in the logs...

* http://www.ossec.net/hids/ (OSSEC HIDS web site)

Thanks,

--
Daniel B. Cid, CISSP

--- Alexandre H <alexandre.hamelin () gmail com> wrote:
Hi,

I've witnessed what I think is an increase in SSH scans over the Internet in the past four or five weeks. The scan seems to originate from various countries around the globe, which makes me think of it to be a worm-like spreading virus searching for vulnerable systems running the SSH service. I confirmed the attack with a friend of mine who also happens to run a SSH server at home. We both live in Montreal, QC, Canada and are using the same ISP.

Since January 29 (maybe before), no less than 26000+ connection attempts have been made on my system (which is running SSH) -- 4000 just in the last three days. Each attempt tries to login with a specific username, but many attempts are made in a short period of time (1 to 2 minutes) with different usernames. I believe that the worm holds a list of common usernames and passwords and successively tries to connect with each of them when it finds a host with port 22 open.

Typical attacks are similar to the following:

# grep Invalid /var/log/messages | head
Feb 26 15:06:12 localhost sshd[3500]: Invalid user delta from 194.44.247.243
Feb 26 15:06:14 localhost sshd[3502]: Invalid user admin from 194.44.247.243
Feb 26 15:06:16 localhost sshd[3504]: Invalid user test from 194.44.247.243
Feb 26 15:06:18 localhost sshd[3506]: Invalid user testing from 194.44.247.243
Feb 26 15:06:20 localhost sshd[3508]: Invalid user tester from 194.44.247.243
Feb 26 15:06:22 localhost sshd[3510]: Invalid user academy from 194.44.247.243
Feb 26 15:06:24 localhost sshd[3512]: Invalid user protector from 194.44.247.243
Feb 26 15:06:27 localhost sshd[3516]: Invalid user skylyn from 194.44.247.243
Feb 26 15:06:31 localhost sshd[3520]: Invalid user webmaster from 194.44.247.243
Feb 26 15:06:33 localhost sshd[3522]: Invalid user master from 194.44.247.243

In my attempt to get an initial idea of what it could be, I fired my telnet client to connect to 2-3 random hosts among the addresses and tried to see if their SSH service was up. Indeed they were, and their banner showed what seemed to be an older version of SSH (seen OpenSSH 3.5 and 3.6). Also, one of these had the default Apache web page on its web server.

I have attached a list of IP addresses from which the attack originated so far. The text file contains the addresses from my system log files and from my friend's log files. I have yet to contact the responsible people of the corresponding domains.

Also, the list of different usernames is varied -- I count 4712 different login names in my system log files. I attached a list of usernames to this message. It may be a good idea to check your systems to see if any of the provided usernames is present and has a weak password.

A quick look on the web for a mention of this SSH scan didn't provide me with a satisfying explanation. Did anyone ever notice such abnormal traffic in their system logs? I'd be interested to hear about it. Also, I'd like to read about it if any alert has been published on the web.

Thanks.

Alexandre Hamelin

127.0.0.1 132.208.131.220 195.136.50.169 195.226.181.130 200.243.20.1 201.128.58.157 201.224.216.66 201.231.41.75 202.87.44.6 203.232.240.62 207.150.188.10 209.1.163.104 211.114.82.252 211.21.59.105 216.143.235.193 217.77.71.41 218.233.70.200 218.80.222.134 219.123.39.115 219.134. 220.193.98.15 220.247.217.189 220.248.119.254 221.158.159.71 221.247.6.118 24.152.183.143 24.34.144.241 24.37.8.148 59.106.29.182 59.120.34.161 61.154.10.28 62.217.39.27 65.98.70.122 67.41.115.90 70.26.122.173 80.191.68.130 82.224.139.101 83.17.24.30 87.226.11.39 125.248.150.148 161.111.231.250 170.140.151.53 193.147.136.95 194.44.247.243 195.50.153.246 200.206.25.19 200.49.242.35 201.12.114.5 201.234.207.16 202.138.185.211 202.141.128.120 202.63.110.66 202.63.163.98 203.117.210.109 209.205.202.70 209.59.134.195 210.181.198.72 210.245.87.54 211.137.85.187 211.20.135.84 211.214.219.118 212.227.165.57 218.188.0.35 218.248.33.225 218.27.102.6 219.166.83.13 220.194.58.127 24.6.172.227 58.80.230.46 59.124.30.40 61.11.52.6 61.19.46.137 61.219.134.90 61.220.106.90 61.222.201.234 61.78.59.216 62.111.225.188 66.201.244.225 67.69.105.30 69.159.103.178 80.53.222.218 83.104.159.111 84.245.14.208 ::ffff:12.5.252.13 ::ffff:125.251.147.197 ::ffff:202.115.131.206 ::ffff:202.57.134.147 ::ffff:203.100.127.12 ::ffff:203.131.72.116 ::ffff:209.45.74.105 ::ffff:210.104.255.77 ::ffff:211.162.78.106 ::ffff:211.90.119.91 ::ffff:213.33.189.42 ::ffff:213.85.52.3 ::ffff:216.208.255.30 ::ffff:218.146.254.87 ::ffff:218.24.139.109 ::ffff:218.97.192.161 ::ffff:220.194.55.122 ::ffff:220.66.95.133 ::ffff:222.233.123.198 ::ffff:24.203.174.17 ::ffff:24.39.225.89 ::ffff:58.81.118.237 ::ffff:59.0.190.1 ::ffff:61.152.114.111 ::ffff:61.152.162.37 ::ffff:61.233.28.130 ::ffff:61.250.82.53 ::ffff:67.177.243.77 ::ffff:67.32.49.180 ::ffff:69.53.127.51 ::ffff:80.190.207.15 ::ffff:84.55.133.100

1123qwe 2005 20admin 20info 20jobs 20mail 20support Aaliyah Aaron Aba Abel Access Chicago Christ Dakota Exit Ionut Ionutz Jewel Jordan Joshua Justin Melk Nicole PostgreSQL Robert Victor Where Zmeu a-sawa a... a1 a2 a3 aa aaa aabusiness aahelp aai aaliyah aaron aarti abbey abby abc abcd abdenace abdol abdul abdulkaf abdullah abdur abe abel abigail abilenki abliss abofus abracadabra abraham abrar absolute absurdir_deadphp abundant abuse acacia academia academic academy accept access acchan accompong account accounting accounts accountservices accoutn ace achille acid acosialls action ad ada adabas adam add addcat addictioninformation addies addiessandravol addlife addlink address adela adelina adeline adi adidas adina adine adinfo adkmotel adlai admin admin2 adminbox admincontact administration administrator admins adminsbb adminsupport admissions adolf adolph adonis adonix adouglas adresponse adrian adriana ads adsales aduard adult adv advantage advertise advertising advisor ae aecpro af affiliate affiliateinfo affiliatel affiliateprogram affiliater affiliaterelations affiliates affiliatesale affiliatesuccess affiliatesupport africa afrodita ag agata agatha agency agent agentsale agnes ahile ahmed ahmet ahto ai aidan aimee air airplain aisha aix aizawa aja ajiro aki akia akon al alain alan alancat alarm alarmist alastair albert albertha alberto album aldo alec alegra alejandro alen alenka aleon alert alex alexa alexander alexandra alexandru alexie alexis alf alfred ali
=== message truncated ===
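The response Daniel describes (watch sshd's log in real time, count failed logins per source, then add the address to hosts.deny and drop it on the firewall) and Alexandre's suggestion to check which local accounts appear in the attacker's username list, as an added Python example that is not part of either message and is not OSSEC's own code. The log lines, the source addresses (RFC 5737 documentation ranges), the local account names, and the threshold and window values are constructed for this example and are not OSSEC's defaults. It also covers one detail visible in the posted list: sshd listening on an IPv6 socket logs IPv4 peers as ::ffff:a.b.c.d, which has to be stripped before the address is usable in hosts.deny or an IPv4 iptables rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines in the same format as the quoted output.
# Addresses are documentation ranges, not the ones from the posted list.
SAMPLE_LOG = """\
Feb 26 15:06:12 localhost sshd[3500]: Invalid user delta from 192.0.2.10
Feb 26 15:06:14 localhost sshd[3502]: Invalid user admin from 192.0.2.10
Feb 26 15:06:16 localhost sshd[3504]: Invalid user test from 192.0.2.10
Feb 26 15:06:18 localhost sshd[3506]: Invalid user testing from 192.0.2.10
Feb 26 15:06:20 localhost sshd[3508]: Invalid user tester from 192.0.2.10
Feb 26 15:06:22 localhost sshd[3510]: Invalid user academy from 192.0.2.10
Feb 26 15:07:01 localhost sshd[3530]: Invalid user webmaster from 198.51.100.7
Feb 26 15:09:40 localhost sshd[3540]: Failed password for invalid user admin from 203.0.113.5 port 4455 ssh2
Feb 26 15:12:00 localhost sshd[3560]: Invalid user master from ::ffff:203.0.113.9
Feb 26 15:12:03 localhost sshd[3562]: Invalid user oracle from ::ffff:203.0.113.9
Feb 26 15:12:05 localhost sshd[3564]: Failed password for root from ::ffff:203.0.113.9 port 3322 ssh2
Feb 26 15:12:08 localhost sshd[3566]: Invalid user guest from ::ffff:203.0.113.9
Feb 26 15:12:11 localhost sshd[3568]: Invalid user student from ::ffff:203.0.113.9
Feb 26 15:30:00 localhost sshd[3570]: Invalid user guest from 198.51.100.7
"""

# Matches "Invalid user X from IP" (unknown account) and
# "Failed password for [invalid user] X from IP ..." (wrong password).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user|Failed password for(?: invalid user)?) (?P<user>\S+) "
    r"from (?P<ip>\S+)"
)


def normalize_ip(ip):
    """sshd on an IPv6 socket logs IPv4 peers as ::ffff:a.b.c.d; strip the
    prefix so hosts.deny and an IPv4 iptables rule see the plain address."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip


def parse_line(line, year=2006):
    """Return (timestamp, username, source) for a failed-login line, else None.
    Syslog lines carry no year, so the caller supplies one (assumed 2006 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space in "Feb  5"
    ts = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
    return ts, m["user"], normalize_ip(m["ip"])


def block_actions(ip):
    """The two responses Daniel describes, rendered as the hosts.deny entry and
    the iptables command; a real responder would write and execute them."""
    return [f"hosts.deny: sshd: {ip}", f"iptables -I INPUT -s {ip} -j DROP"]


def detect(log_text, threshold=5, window_seconds=120, year=2006):
    """Sliding-window counter per source: a source is blocked once it reaches
    `threshold` failed logins within `window_seconds` (values assumed for the
    sample). Returns (blocked sources in order, set of usernames tried)."""
    recent = defaultdict(deque)
    blocked = []
    usernames = set()
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, user, ip = parsed
        usernames.add(user)
        if ip in blocked:
            continue  # already acted on; later lines from it are just noise
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold:
            blocked.append(ip)
    return blocked, usernames


def weak_account_check(tried_usernames, local_accounts):
    """Alexandre's suggestion: which locally existing accounts were tried by the
    scanner (those are the ones that need a strong password or key-only login)."""
    return sorted(set(local_accounts) & set(tried_usernames))


if __name__ == "__main__":
    blocked, names = detect(SAMPLE_LOG)
    for ip in blocked:
        for action in block_actions(ip):
            print(action)
    # Constructed local account list; on a real host read it from /etc/passwd.
    print("exposed local accounts:",
          weak_account_check(names, ["root", "alexandre", "admin", "test"]))
```

On the sample, 192.0.2.10 and 203.0.113.9 cross the threshold (the second only because the ::ffff: prefix is stripped before counting), while 198.51.100.7 sends two attempts 23 minutes apart and is left alone. Note that the quoted log in the thread shows one attempt every two seconds from a single source, so a threshold of a few attempts within a minute or two fires within seconds of the scan starting.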
Current thread:
- Internet SSH scans Alexandre H (Mar 02)
- RE: Internet SSH scans Tom Frerichs (Mar 02)
- RE: Internet SSH scans terry white (Mar 03)
- Re: Internet SSH scans Jonathan Nichols (Mar 03)
- RE: Internet SSH scans terry white (Mar 03)
- Re: Internet SSH scans Skip Carter (Mar 03)
- Re: Internet SSH scans Daniel Cid (Mar 03)
- Message not available
- Re: Internet SSH scans Jamie Riden (Mar 03)
- RE: Internet SSH scans Tom Frerichs (Mar 02)
- Re: Internet SSH scans Matt Rae (Mar 03)
- Re: Internet SSH scans Hugo J. Curti (Mar 06)
- <Possible follow-ups>
- RE: Internet SSH scans steve (Mar 02)
- RE: Internet SSH scans Peter Bassill (Mar 03)
- Re: RE: Internet SSH scans admin (Mar 03)
- Re: RE: Internet SSH scans Daxomatic (Mar 03)
- Re: RE: Internet SSH scans Christine Kronberg (Mar 03)
- Re: Internet SSH scans JK Adams (Mar 03)
- Re: RE: Internet SSH scans joakim . berge (Mar 03)