Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: [VulnDiscuss] Re: Automated SSH login attempts?
From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 26 Jul 2004 15:37:07 -0500

--On Monday, July 26, 2004 03:29:56 PM -0400 RBabb <rob_mailing_lists () rbabb net> wrote:

This makes me feel better. I thought it odd that so many machines were
hitting my ssh server. I even blocked it at the firewall for a day or so.
Is anyone talking on what the bot system was that allowed them to
automate this? It seemed that as soon as 1 got it so did a whole bunch
more so obviously people are distributing lists of IP's for potential SSH
access.

That's not obvious at all. In our case, they're hitting IPs in sequential order, so it looks (to us) more like a "brute force" attempt rather than the targeting of hosts that are specifically running sshd.

I'm not real sure on who to contact for these machines, but here are all
the ones that have hit me. Mostly seem to be Asian so far.

Jul 25 19:48:40 server sshd[55910]: Failed password for illegal user test
from 212.4.172.123 port 56843 ssh2
Jul 25 19:48:42 server sshd[55915]: Failed password for illegal user
guest from 212.4.172.123 port 56916 ssh2
Jul 25 20:37:19 server sshd[57221]: Failed password for illegal user test
from 210.40.224.10 port 49738 ssh2
Jul 25 20:37:22 server sshd[57223]: Failed password for illegal user
guest from 210.40.224.10 port 49756 ssh2

[pauls () utd49554 pauls]$ dig -x 212.4.172.123

; <<>> DiG 9.2.2-P3 <<>> -x 212.4.172.123
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 123
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;123.172.4.212.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
123.172.4.212.in-addr.arpa. 604800 IN   PTR     mail.enet.de.

Since this is a mail server, I would say the odds are *extremely high* that it's been compromised and that the owners would greatly appreciate a heads up. (So I've cc'd them. But these are *your* logs, so *you* should notify them as well.

Jul 24 21:37:50 server sshd[21578]: Failed password for illegal user test
from 218.244.240.195 port 58900 ssh2
Jul 24 21:37:53 server sshd[21580]: Failed password for illegal user
guest from 218.244.240.195 port 58928 ssh2

person:       ShouLan Du
address:      Fl./8, South Building, Bridge Mansion, No. 53
country:      CN
phone:        +86-010-83160000
fax-no:       +86-010-83155528
e-mail:       dsl327 () btamail net cn
nic-hdl:      SD76-AP
mnt-by:       MAINT-CNNIC-AP
changed:      dsl327 () btamail net cn 20020403
source:       APNIC

Jul 22 18:23:36 server sshd[38184]: Failed password for illegal user test
from 216.86.221.113 port 58012 ssh2
Jul 22 18:23:37 server sshd[38195]: Failed password for illegal user
guest from 216.86.221.113 port 51509 ssh2

;; ANSWER SECTION:
113.221.86.216.in-addr.arpa. 14400 IN PTR adsl-gte-la-216-86-215-113.mminternet.com.

Technical Contact:
     Master, Host  (NC312)             hostmaster () MMINTERNET COM
     3780 Kilroy Airport Way
     Suite 410
     Long Beach, CA 90806
     US
     562-427-0344 fax: 562-427-3622


Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]