We are getting lots of requests at the moment trying to log into one of our boxes via SSH. It happens in 20 minute bursts, with a new request being tried every 6s. After the 20 minutes it goes away for 8 hours.
It appears to be a straight dictionary attack, with the attempts cycling through usernames like root, user, test, john, henry, george, frank, alan, adam, server, backup, account, master, sybase, oracle, web, data, webmaster, noc, cip51, cip52, cosmin, pamela, jane, adm, irc, apache, operator, mysql, www-data, matt, www, wwwrun, cyrus, horde, iceuser, rolo, patrick, nobody.
It spends most of its time trying to login as root.
The requests are mostly coming from Russia, with a couple of other IPs from other countries.
The device they are attempting to log into is not advertised in any way, so was probably picked up during a normal port scan.
For the moment I've limited connections to the box for SSH to only be accepted over IPSec, so that's the end of the login attempts.
I guess what I'm posting this for is to make sure everybody has a good password policy in place. Someone is actively trying to compromise accounts via SSH.
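The pattern described above (one attempt every 6s, 20 minute bursts, a long quiet gap, a cycling username list with root tried most) is easy to pick out of sshd's "Failed password" lines. The script below is an added example, not part of the original post: it parses constructed OpenSSH-style log lines (documentation-range IPs, invented timestamps) and reports, per source address, the attempt count, distinct usernames, the most-tried account, the typical inter-attempt gap and the number of bursts. The thresholds and the five-minute idle gap that separates bursts are assumptions, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). Two bursts eight
# hours apart, one attempt every six seconds, cycling through usernames.
BURST1 = ["root", "user", "test", "john", "backup", "oracle", "mysql", "root", "root", "nobody"]
BURST2 = ["root", "admin", "root"]


def make_sample_log(attacker="198.51.100.7", every=6):
    t0 = datetime(2004, 12, 14, 18, 0, 0)
    lines = []
    for burst_start, users in ((t0, BURST1), (t0 + timedelta(hours=8), BURST2)):
        for i, u in enumerate(users):
            ts = (burst_start + timedelta(seconds=i * every)).strftime("%b %d %H:%M:%S")
            # sshd says "invalid user" for accounts that do not exist locally
            invalid = "" if u in ("root", "nobody") else "invalid user "
            lines.append(f"{ts} host sshd[{1000 + i}]: Failed password for {invalid}{u} "
                         f"from {attacker} port {40000 + i} ssh2")
    # one legitimate typo from an admin, which must not be flagged
    lines.append("Dec 14 18:05:00 host sshd[1300]: Failed password for alice "
                 "from 192.0.2.50 port 5000 ssh2")
    return lines


# OpenSSH "Failed password" line in syslog format (no year in the timestamp)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(lines, year=2004):
    """Return (timestamp, source_ip, username) for every failed password line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def bursts(times, idle=timedelta(minutes=5)):
    """Split sorted timestamps into bursts separated by quiet gaps longer than `idle`."""
    out = []
    for t in times:
        if out and t - out[-1][-1] <= idle:
            out[-1].append(t)
        else:
            out.append([t])
    return [(b[0], b[-1], len(b)) for b in out]


def analyse(events, min_attempts=5, min_users=3, window=timedelta(minutes=20)):
    """Per source IP: attempt statistics and a dictionary-attack verdict.
    Verdict: at least `min_attempts` failures inside any `window`, spread over
    at least `min_users` different usernames (thresholds are assumed values)."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    report = {}
    for ip, evs in by_ip.items():
        evs.sort()
        times = [t for t, _ in evs]
        users = [u for _, u in evs]
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        max_in_window, j = 0, 0          # sliding window over sorted times
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            max_in_window = max(max_in_window, i - j + 1)
        report[ip] = {
            "attempts": len(evs),
            "distinct_users": len(set(users)),
            "top_user": max(set(users), key=users.count),
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
            "bursts": len(bursts(times)),
            "dictionary_attack": max_in_window >= min_attempts and len(set(users)) >= min_users,
        }
    return report


if __name__ == "__main__":
    for ip, stats in analyse(parse_failures(make_sample_log())).items():
        print(ip, stats)
```

On a real box, feed it `grep 'Failed password' /var/log/auth.log` (or secure, depending on the distribution) and pass the correct year, since syslog timestamps carry none; the per-IP verdict plus the burst count is enough to justify a firewall rule or an abuse report.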
We've been seeing the same thing for a couple of months now. I think it was discussed on this list about a month ago.... it's either a worm or a script kiddy script (I forget which) which scans for ssh servers, looking for insecure passwords and attempting to install an irc bot...
Regards, Simon
"Simon Byrnand" writes:
We've been seeing the same thing for a couple of months now. I think it was discussed on this list about a month ago.... it's either a worm or a script kiddy script (I forget which) which scans for ssh servers, looking for insecure passwords and attempting to install an irc bot...
IIRC someone set up a honeypot with username/password root/root specifically to see what would happen and they did get an IRC bot installed and possibly a rootkit as well.
cheers, Jamie
--
James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer Information Technology Services, Massey University, NZ. GPG public key available at: http://www.massey.ac.nz/~jriden/
Were the majority of attempts coming from: 210.0.192.40 That's where I seem to be getting the majority of my attempts from.
"Simon Byrnand"
writes: We've been seeing the same thing for a couple of months now. I think it was discussed on this list about a month ago.... it's either a worm or a script kiddy script (I forget which) which scans for ssh servers, looking for insecure passwords and attempting to install an irc bot...
IIRC someone set up a honeypot with username/password root/root specifically to see what would happen and they did get an IRC bot installed and possibly a rootkit as well.
cheers, Jamie -- James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer Information Technology Services, Massey University, NZ. GPG public key available at: http://www.massey.ac.nz/~jriden/
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
On Tue, 2004-12-14 at 18:48 +1300, Philip D'Ath wrote:
We are getting lots of requests at the moment trying to log into one of our box's via SSH. It happens in 20 minute bursts, with a new request being tried every 6s. After the 20 minutes it goes away for 8 hours.
Yup, there are several scripts available for brute forcing ssh logins, these attacks have been prevalent for several months now. The attacking host is almost certainly compromised so if it belongs to someone with obvious contact info then drop them a note and do the rest of the 'Net a favour!
--
Russell Fulton, Information Security Officer, The University of Auckland New Zealand
Russell Fulton wrote:
Yup, there are several scripts available for brute forcing ssh logins, these attacks have been prevalent for several months now. The attacking host is almost certainly compromised so if it belongs to someone with obvious contact info then drop them a note and do the rest of the 'Net a favour!
Moving the ssh port to something other than 22 seems to help as well.
--
Juha
"Philip D'Ath"
We are getting lots of requests at the moment trying to log into one of our box's via SSH. It happens in 20 minute bursts, with a new request being tried every 6s. After the 20 minutes it goes away for 8 hours.
Does it look anything like this? http://www.k-otik.com/exploits/08202004.brutessh2.c.php
It appears to be a straight dictionary attack, with the attempts cycling through usernames like root, user, test, john, henry, george, frank, alan, adam, server, backup, account, master, sybase, oracle, web, data, webmaster, noc, cip51, cip52, cosmin, pamela, jane, adm, irc, apache, operator, mysql, www-data, matt, www, wwwrun, cyrus, horde, iceuser, rolo, patrick, nobody.
It spends most of its time trying to login as root.
The requests are mostly coming from Russia, with a couple of other IPs from other countries.
The device they are attempting to log into is not advertised in any way, so was probably picked up during a normal port scan.
For the moment I've limited connections to the box for SSH to only be accepted over IPSec, so that's the end of the login attempts.
Other things you can do are:
* run SSH on an alternate port
* restrict access only to trusted IPs
* turn off password authentication and use key-based instead.
The incidents mailing list[1] and http://isc.sans.org/ are good places to watch out for other people reporting this kind of thing. I think it's been going on for a couple of months now.
cheers, Jamie
[1] http://www.securityfocus.com/popups/forums/incidents/intro.shtml
--
James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer Information Technology Services, Massey University, NZ. GPG public key available at: http://www.massey.ac.nz/~jriden/
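The three mitigations listed above (and Juha's port change earlier in the thread) all live in sshd_config. The checker below is an added example, not code from the thread: it parses an sshd_config text with sshd's first-occurrence-wins rule, fills in what sshd would assume for absent keywords, and lists what a password brute-forcer can still exploit. Both config texts are constructed; the DEFAULTS table reflects the OpenSSH defaults of the period (PermitRootLogin and PasswordAuthentication both on), which is an assumption about the version in use, and directives after a Match block are ignored as a simplification.

```python
import re

# Constructed "as shipped" config: everything the dictionary attack needs.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed hardened config applying the advice from the thread.
HARDENED_SSHD_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers ops@192.0.2.50
MaxAuthTries 3
LoginGraceTime 30
"""

# Values sshd applies when a keyword is absent (assumed period defaults).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Effective keyword -> value map. sshd keeps the FIRST occurrence of a
    keyword; keywords are case-insensitive; '#' starts a comment. Everything
    after the first Match block is conditional and ignored here."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit(text):
    """Return a list of findings a password brute-forcer could exploit."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication on: guessed passwords log in; use keys")
    if cfg["challengeresponseauthentication"].lower() != "no":
        findings.append("ChallengeResponseAuthentication on: passwords still accepted "
                        "via keyboard-interactive even with PasswordAuthentication no")
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root, the most-tried account, can log in directly")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication off: no key-based alternative to passwords")
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("No AllowUsers/AllowGroups: every local account is a valid target")
    if cfg["port"] == "22":
        findings.append("Port 22: default port; moving it cuts scanner noise but is not security")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {name} ==")
        for f in audit(text) or ["no findings"]:
            print(" -", f)
```

Run it against `/etc/ssh/sshd_config` (open the file and pass its contents to `audit`) before and after editing; the point of the ChallengeResponseAuthentication check is that turning off PasswordAuthentication alone is not enough, because PAM's keyboard-interactive path still takes a password. Remember to `sshd -t` and reload, and keep an existing session open until a key-based login from a second session works.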
participants (6)
- Chris Hodgetts
- James Riden
- Juha Saarinen
- Philip D'Ath
- Russell Fulton
- Simon Byrnand