[nsp-sec] SSH scanners looking for "temporary"?
Smith, Donald
Donald.Smith at qwest.com
Wed Sep 10 10:39:37 EDT 2008
We have seen ssh scanners that grabbed the password file from any system
they compromised and added the accounts from that to its bruteforce
user list. I had not seen that in a coordinated distributed ssh
bruteforcing before.
Notice that in your list only 124.178.235.109 attempted more than once
to guess a username and password, using tmp once and temporary once.
I suspect if you cut out the ips and sorted them you would find
most of the ips only attempted one or two password guesses.
This short awk script should do that for you:)
cat syslog_file_name | grep 'Invalid user' | awk '{print $10}' | sort | uniq -c | sort -nr
If you wanted to get time stamps and ips sorted ready for cymru's whois
this should work.
$ cat syslog_file_name | grep 'Invalid user' | awk '{print $1,$2,$3,$10}' | sort -k4,4 | uniq -f 3 -c | sort -nr
It will give you results like this:
2 Sep 10 08:25:55 124.178.235.109
1 Sep 10 08:48:34 58.196.4.2
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Bill Owens
> Sent: Wednesday, September 10, 2008 6:50 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] SSH scanners looking for "temporary"?
>
> ----------- nsp-security Confidential --------
>
> I know that nobody really cares about SSH scanners, but there
> was a strange pattern this morning that I've never seen before:
>
> Sep 10 08:25:02 cookiemonster sshd[57483]: Invalid user tmp from 200.68.45.66
> Sep 10 08:25:55 cookiemonster sshd[57487]: Invalid user tmp from 124.178.235.109
> Sep 10 08:26:39 cookiemonster sshd[57491]: Invalid user tmp from 196.212.123.58
> Sep 10 08:27:33 cookiemonster sshd[57496]: Invalid user tmp from 62.60.136.250
> Sep 10 08:28:06 cookiemonster sshd[57503]: Invalid user tmp from 190.34.172.5
> Sep 10 08:29:15 cookiemonster sshd[66171]: Invalid user tmp from 190.5.195.98
> Sep 10 08:29:48 cookiemonster sshd[67213]: Invalid user tmp from 62.38.151.143
> Sep 10 08:30:06 cookiemonster sshd[67216]: Invalid user tmp from 91.116.191.42
> Sep 10 08:30:43 cookiemonster sshd[67220]: Invalid user tmp from 213.83.30.141
> Sep 10 08:32:40 cookiemonster sshd[67232]: Invalid user temp from 211.94.209.17
> Sep 10 08:33:23 cookiemonster sshd[67238]: Invalid user temp from 213.136.105.130
> Sep 10 08:33:58 cookiemonster sshd[67245]: Invalid user temp from 213.23.55.162
> Sep 10 08:34:47 cookiemonster sshd[72628]: Invalid user temp from 83.236.179.50
> Sep 10 08:37:10 cookiemonster sshd[72635]: Invalid user temp from 62.72.101.154
> Sep 10 08:38:08 cookiemonster sshd[72640]: Invalid user temporary from 85.39.252.226
> Sep 10 08:39:08 cookiemonster sshd[72648]: Invalid user temporary from 121.241.211.63
> Sep 10 08:39:28 cookiemonster sshd[72651]: Invalid user temporary from 83.17.126.94
> Sep 10 08:39:57 cookiemonster sshd[77963]: Invalid user temporary from 124.178.235.109
> Sep 10 08:41:24 cookiemonster sshd[77991]: Invalid user temporary from 212.14.40.1
> Sep 10 08:41:51 cookiemonster sshd[77994]: Invalid user temporary from 64.72.87.100
> Sep 10 08:43:09 cookiemonster sshd[78443]: Invalid user temporary from 80.153.123.179
> Sep 10 08:44:34 cookiemonster sshd[81270]: Invalid user christelle from 212.91.188.165
> Sep 10 08:45:25 cookiemonster sshd[81276]: Invalid user christelle from 213.98.2.49
> Sep 10 08:45:48 cookiemonster sshd[81282]: Invalid user christelle from 12.206.87.124
> Sep 10 08:48:34 cookiemonster sshd[86248]: Invalid user christelle from 58.196.4.2
>
> That's EDT (GMT-4). I've not run across an SSH user called
> 'temporary' or the other variants; is there some installer
> somewhere that sets that up and leaves it?
> Bill.
> - - -
> Bill Owens
> Director, Advanced Technology and Networks
> NYSERNet, Inc.
>
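Donald's two pipelines above count "Invalid user" attempts per source address by taking awk field $10. As an added example that is not part of either message, the Python script below does the same aggregation but parses each line with a regular expression, so it also copes with an empty user name (OpenSSH logs "Invalid user  from ...", which shifts awk's positional fields) and with newer OpenSSH lines that append " port NNNN". Its built-in sample is the set of lines Bill quoted, reformatted one per line; the function names, the repeat threshold of 2 and the command-line handling are my own choices.

```python
import re
import sys
from collections import Counter

# Sample input: the sshd lines quoted in the thread, one per line (hostname
# and PIDs as quoted). Pass a file path on the command line to use real logs.
SAMPLE_LOG = """\
Sep 10 08:25:02 cookiemonster sshd[57483]: Invalid user tmp from 200.68.45.66
Sep 10 08:25:55 cookiemonster sshd[57487]: Invalid user tmp from 124.178.235.109
Sep 10 08:26:39 cookiemonster sshd[57491]: Invalid user tmp from 196.212.123.58
Sep 10 08:27:33 cookiemonster sshd[57496]: Invalid user tmp from 62.60.136.250
Sep 10 08:28:06 cookiemonster sshd[57503]: Invalid user tmp from 190.34.172.5
Sep 10 08:29:15 cookiemonster sshd[66171]: Invalid user tmp from 190.5.195.98
Sep 10 08:29:48 cookiemonster sshd[67213]: Invalid user tmp from 62.38.151.143
Sep 10 08:30:06 cookiemonster sshd[67216]: Invalid user tmp from 91.116.191.42
Sep 10 08:30:43 cookiemonster sshd[67220]: Invalid user tmp from 213.83.30.141
Sep 10 08:32:40 cookiemonster sshd[67232]: Invalid user temp from 211.94.209.17
Sep 10 08:33:23 cookiemonster sshd[67238]: Invalid user temp from 213.136.105.130
Sep 10 08:33:58 cookiemonster sshd[67245]: Invalid user temp from 213.23.55.162
Sep 10 08:34:47 cookiemonster sshd[72628]: Invalid user temp from 83.236.179.50
Sep 10 08:37:10 cookiemonster sshd[72635]: Invalid user temp from 62.72.101.154
Sep 10 08:38:08 cookiemonster sshd[72640]: Invalid user temporary from 85.39.252.226
Sep 10 08:39:08 cookiemonster sshd[72648]: Invalid user temporary from 121.241.211.63
Sep 10 08:39:28 cookiemonster sshd[72651]: Invalid user temporary from 83.17.126.94
Sep 10 08:39:57 cookiemonster sshd[77963]: Invalid user temporary from 124.178.235.109
Sep 10 08:41:24 cookiemonster sshd[77991]: Invalid user temporary from 212.14.40.1
Sep 10 08:41:51 cookiemonster sshd[77994]: Invalid user temporary from 64.72.87.100
Sep 10 08:43:09 cookiemonster sshd[78443]: Invalid user temporary from 80.153.123.179
Sep 10 08:44:34 cookiemonster sshd[81270]: Invalid user christelle from 212.91.188.165
Sep 10 08:45:25 cookiemonster sshd[81276]: Invalid user christelle from 213.98.2.49
Sep 10 08:45:48 cookiemonster sshd[81282]: Invalid user christelle from 12.206.87.124
Sep 10 08:48:34 cookiemonster sshd[86248]: Invalid user christelle from 58.196.4.2
"""

# Matches the 2008-era format above and newer OpenSSH lines ending in
# " port NNNN". The user group is \S* because an empty user name is logged
# as "Invalid user  from ...", which would shift a positional awk '$10'.
INVALID_USER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) sshd\[(?P<pid>\d+)\]: '
    r'Invalid user (?P<user>\S*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
    r'(?: port (?P<port>\d+))?\s*$'
)


def parse_invalid_user_lines(lines):
    """Return one dict per 'Invalid user' line; other syslog lines are skipped."""
    events = []
    for line in lines:
        m = INVALID_USER_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def attempts_per_ip(events):
    """Equivalent of the first pipeline: attempts keyed by source address."""
    return Counter(e['ip'] for e in events)


def attempts_per_user(events):
    """Which user names the scanner is trying, and how often."""
    return Counter(e['user'] for e in events)


def first_seen_per_ip(events):
    """Equivalent of the second pipeline: (count, first timestamp, ip), busiest first."""
    first = {}
    for e in events:
        ts, n = first.get(e['ip'], (e['ts'], 0))
        first[e['ip']] = (ts, n + 1)
    rows = [(n, ts, ip) for ip, (ts, n) in first.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


def summarize(events, repeat_threshold=2):
    """Distributed brute force shows up as many addresses with very few attempts each."""
    per_ip = attempts_per_ip(events)
    total = len(events)
    return {
        'attempts': total,
        'unique_ips': len(per_ip),
        'repeaters': {ip: n for ip, n in per_ip.items() if n >= repeat_threshold},
        'mean_attempts_per_ip': round(total / len(per_ip), 2) if per_ip else 0.0,
        'users': dict(attempts_per_user(events)),
    }


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding='utf-8', errors='replace') as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    events = parse_invalid_user_lines(lines)
    s = summarize(events)
    print(f"{s['attempts']} attempts from {s['unique_ips']} addresses "
          f"(mean {s['mean_attempts_per_ip']} per address)")
    for n, ts, ip in first_seen_per_ip(events):
        print(f"{n:>5} {ts} {ip}")
    print("user names tried:", s['users'])
    print("addresses seen more than once:", s['repeaters'] or 'none')
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

On the quoted sample this reports 25 attempts from 24 addresses, with 124.178.235.109 as the only repeater, which is the point Donald makes: each address contributes one or two guesses, so a per-address lockout rule such as a failure threshold will never trigger, and the campaign is only visible when the attempts are aggregated by time window or by the user name being tried.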