[nsp-sec] DFN-CERT#42614 - Distributed SSH Probes
Kevin Oberman
oberman at es.net
Mon Apr 20 15:00:22 EDT 2009
> Date: Mon, 13 Apr 2009 09:35:12 -0400
> From: Tim Wilde <twilde at cymru.com>
> Sender: nsp-security-bounces at puck.nether.net
>
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Klaus Moeller wrote:
> > ----------- nsp-security Confidential --------
> >
> > Hi all,
> >
> > For the last 3 days, several hosts in our constituency are under a
> > distributed account probe against their SSH servers.
> >
> > Since most of the hosts probing the SSH servers will likely be
> > compromised by weak account passwords too, I'm posting the list
> > below. All timestamps are UTC+2:00.
> >
> > Hints for the C&C as well as the tool used for the account probe
> > will be greatly appreciated.
>
> Klaus and Team,
>
> Thanks everyone for the insights and lists of IPs! Just a quick
> reminder, SSH bruteforce is one of the easiest categories of the Daily
> Reports project that you can contribute data to. If you have your SSH
> logs available to pull this information out of, you can submit it by
> following the instructions here:
>
> https://www.cymru.com/nsp-sec/dailyreports/bruteforce.html
>
> There's even a link to a script by our very own John Kristoff that will
> automatically parse a number of common authentication log file formats
> and output data suitable for submission. Data submitted here will get
> distributed to all Daily Reports / ASN Alert subscribers on NSP-SEC,
> automagically. If you have any questions or want to verify that your
> newly submitted data is getting through, please don't hesitate to ask.
> Thanks!

I should note that John's script was written for old-fashioned brute
force attacks and not the current "slow" attacks. It requires that the
log contain at least 10 failures from a single source before it
triggers. At the rate that the current probes are coming in, very few
systems are likely to hit in that time.

I wrote my own script to do this and set it for 4 keyboard-interactive
failures. Since we don't allow keyboard-interactive logins, this is
pretty safe. (Two would probably be safe.)

I now have a list of attempts going back for the past week that I will
submit and I am including my quick perl script, but it is specific to my
systems (FreeBSD) and operations (no keyboard-interactive logins), so I
am not sure if it will be terribly useful. It assumes that the data is
grepped from the logs and placed in $DATADIR with the name
'bad_guys.XXX'. (I use the name of the system from which the data was
collected for XXX.)

"My" version also goes on to add the addresses to our black-hole.

#!/usr/local/bin/perl
use strict;
use warnings;
use Time::ParseDate;
use POSIX qw(strftime);

my ($addr, @bad_guys, @bad_guys2, $count, $DATADIR, $time);
$DATADIR = "/home/oberman";
# This will exclude blocking my home address!
@bad_guys = `grep "keyboard" $DATADIR/bad_guys.* | grep -v 67.164.102.6`;
# Specific to ESnet
@bad_guys = grep !/198\.12[4589]\./, @bad_guys;
open BAD, ">/tmp/bad-guys-$$" or die "cannot write /tmp/bad-guys-$$: $!";
### if ($#bad_guys >= 0) {print STDERR "Addresses blocked:\n";}
foreach (@bad_guys) {
    # Skip lines carrying no source address instead of reusing a stale $1
    /.+ from (\S+)/ or next;
    print BAD "$1\n";
}
close BAD;
@bad_guys2 = `sort /tmp/bad-guys-$$ | uniq`;
# Double quotes so $$ is interpolated and the temp file is really removed
unlink "/tmp/bad-guys-$$";
# Remove entries without at least 4 attempts in a day
foreach $addr (@bad_guys2) {
    chomp $addr;    # the trailing newline would otherwise defeat the match below
    # \Q..\E makes the dots in the address literal; the trailing \b keeps
    # 1.2.3.4 from also counting lines from 1.2.3.45
    my $re = qr/ from \Q$addr\E\b/;
    $count = grep /$re/, @bad_guys;
    if ($count < 4) {
        @bad_guys = grep !/$re/, @bad_guys;
    }
}
# Format data for Team Cymru
foreach (@bad_guys) {
    # \s+ allows the doubled space syslog puts before single-digit days ("Apr  3")
    /:?(\S{3}\s+\d{1,2} \S+) .+from (\S+) port/ or next;
    $time = parsedate($1);
    $time = strftime('%F %T', gmtime($time));
    print "$2 $time ssh\n";
}
exit;
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
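The following is an added example and not Kevin's script or anything else posted in this thread. It reimplements the same idea in Python so the low-threshold logic for slow, distributed probes can be checked against constructed input: parse sshd authentication-failure lines, count failures per source address, keep only sources at or above a threshold, and emit one "address timestamp ssh" line per failure in UTC, which is the output shape the Perl script produces. It assumes FreeBSD/OpenSSH-style "Failed keyboard-interactive/pam ... from IP port N" lines (plus the "Failed password" variant seen on Linux), grep's "filename:" prefix on each line, a fixed UTC+2 local offset (Klaus's note) with no DST handling, a configurable threshold in place of the hard-coded 4, and a tuple of excluded address prefixes in place of the script's hard-coded ESnet and home ranges. The sample log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the form `grep "keyboard" bad_guys.*` emits: a filename
# prefix, then a BSD syslog line. Documentation addresses only, not real probers.
# The "error: PAM:" line carries no port and is here to show non-matching lines
# are skipped; the last line uses syslog's doubled space before a one-digit day.
SAMPLE_LOG = """\
bad_guys.web1:Apr 13 09:35:12 web1 sshd[8123]: Failed keyboard-interactive/pam for invalid user admin from 192.0.2.10 port 40122 ssh2
bad_guys.web1:Apr 13 11:02:40 web1 sshd[8301]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 40980 ssh2
bad_guys.mail:Apr 13 14:47:03 mail sshd[22017]: Failed keyboard-interactive/pam for invalid user oracle from 192.0.2.10 port 51200 ssh2
bad_guys.mail:Apr 14 02:15:59 mail sshd[22980]: Failed keyboard-interactive/pam for invalid user test from 192.0.2.10 port 33010 ssh2
bad_guys.mail:Apr 14 03:20:11 mail sshd[23004]: Failed password for invalid user guest from 198.51.100.7 port 60001 ssh2
bad_guys.web1:Apr 14 03:22:45 web1 sshd[8400]: error: PAM: authentication error for illegal-user guest from 198.51.100.7
bad_guys.web1:Apr 14 03:25:00 web1 sshd[8402]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 60044 ssh2
bad_guys.web1:Apr  3 03:30:00 web1 sshd[8410]: Failed keyboard-interactive/pam for root from 10.0.0.5 port 1234 ssh2
"""

# Assumption: logs are in UTC+2 local time with no DST shift inside the window.
LOCAL_TZ = timezone(timedelta(hours=2))
# Assumption: a local range that must never be reported (stand-in for the
# script's hard-coded exclusions).
EXCLUDED_PREFIXES = ("10.",)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

LINE_RE = re.compile(
    r"^(?:[^:\s]+:)?"                                   # optional "bad_guys.host:" grep prefix
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "       # syslog month/day, no year
    r"(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) "
    r"\S+ sshd\[\d+\]: "                                # host and process
    r"Failed (?:keyboard-interactive/pam|password) for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year, local_tz):
    """Return (source ip, failure time as a UTC datetime) or None if the line
    is not an sshd authentication failure in the expected shape."""
    m = LINE_RE.match(line)
    if not m or m["mon"] not in MONTHS:
        return None
    local = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                     int(m["hh"]), int(m["mm"]), int(m["ss"]), tzinfo=local_tz)
    return m["ip"], local.astimezone(timezone.utc)


def find_slow_probers(lines, year, local_tz, threshold=4, exclude=()):
    """Group failures by source and keep sources with >= threshold failures.
    A low threshold is what makes slow, distributed probing visible; the
    exclusion list keeps our own addresses out of the report."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line, year, local_tz)
        if parsed is None:
            continue
        ip, when = parsed
        if any(ip.startswith(p) for p in exclude):
            continue
        hits[ip].append(when)
    return {ip: sorted(ts) for ip, ts in hits.items() if len(ts) >= threshold}


def format_for_submission(probers):
    """One 'ip YYYY-MM-DD HH:MM:SS ssh' line per failure, in UTC, the same
    layout the Perl script prints (strftime '%F %T')."""
    out = []
    for ip in sorted(probers, key=lambda a: tuple(int(o) for o in a.split("."))):
        for when in probers[ip]:
            out.append(f"{ip} {when.strftime('%Y-%m-%d %H:%M:%S')} ssh")
    return out


if __name__ == "__main__":
    found = find_slow_probers(SAMPLE_LOG.splitlines(), 2009, LOCAL_TZ,
                              threshold=4, exclude=EXCLUDED_PREFIXES)
    print("\n".join(format_for_submission(found)))
```

With the threshold at 4, only 192.0.2.10 is reported from the sample; lowering it to 2 (Kevin's "two would probably be safe") also pulls in 198.51.100.7, whose two failures arrived through different authentication methods. Syslog lines carry no year, so the caller supplies it, and a fixed offset is used deliberately: converting with the system's local zone would silently shift times collected across a DST change.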