[nsp-sec] DFN-CERT#42614 - Distributed SSH Probes

Mike Tancsa mike at sentex.net
Tue Apr 21 11:51:48 EDT 2009


Did anyone else notice their distributed SSH scans stop on the 19th 
at about 23:00 GMT?

(Times below are EDT)

My last log entries are below... and nothing since.  Our IDS had been 
playing a game of cat and mouse with their IPs, but there were always 
some new ones. Now nada.


Apr 19 17:44:11 vinyl4 sshd[49954]: Invalid user channon from 200.140.159.133
Apr 19 17:59:38 vinyl4 sshd[51557]: Invalid user chantal from 190.24.226.18
Apr 19 17:59:47 vinyl4 sshd[51643]: Invalid user chantal from 201.34.164.34
Apr 19 17:59:47 vinyl4 sshd[51642]: Invalid user chantal from 201.34.164.34
Apr 19 17:59:47 vinyl4 sshd[51645]: Invalid user chantal from 201.34.164.34
Apr 19 17:59:47 vinyl4 sshd[51644]: Invalid user chantal from 201.34.164.34
Apr 19 18:08:56 vinyl4 sshd[52731]: Invalid user chantel from 202.64.189.170
Apr 19 18:08:58 vinyl4 sshd[52756]: Invalid user chantel from 85.17.36.42
Apr 19 18:08:58 vinyl4 sshd[52755]: Invalid user chantel from 85.17.36.42
Apr 19 18:08:58 vinyl4 sshd[52757]: Invalid user chantel from 85.17.36.42
Apr 19 18:08:58 vinyl4 sshd[52758]: Invalid user chantel from 85.17.36.42
Apr 19 18:12:40 vinyl4 sshd[53277]: Invalid user chantel from 212.180.69.98
Apr 19 18:12:40 vinyl4 sshd[53282]: Invalid user chantel from 212.180.69.98
Apr 19 18:12:40 vinyl4 sshd[53279]: Invalid user chantel from 212.180.69.98
Apr 19 18:12:40 vinyl4 sshd[53278]: Invalid user chantel from 212.180.69.98
Apr 19 18:21:07 vinyl4 sshd[54465]: Invalid user chanton from 62.212.74.149
Apr 19 18:21:22 vinyl4 sshd[54540]: Invalid user chanton from 200.139.80.139
Apr 19 18:21:22 vinyl4 sshd[54538]: Invalid user chanton from 200.139.80.139
Apr 19 18:21:22 vinyl4 sshd[54541]: Invalid user chanton from 200.139.80.139
Apr 19 18:21:22 vinyl4 sshd[54539]: Invalid user chanton from 200.139.80.139
Apr 19 18:27:41 vinyl4 sshd[55375]: Invalid user chanton from 65.160.236.155
Apr 19 18:27:41 vinyl4 sshd[55377]: Invalid user chanton from 65.160.236.155
Apr 19 18:27:41 vinyl4 sshd[55378]: Invalid user chanton from 65.160.236.155
Apr 19 18:27:41 vinyl4 sshd[55379]: Invalid user chanton from 65.160.236.155
Apr 19 18:30:33 vinyl4 sshd[55804]: Invalid user chanton from 201.40.169.52
Apr 19 18:30:33 vinyl4 sshd[55805]: Invalid user chanton from 201.40.169.52
Apr 19 18:30:35 vinyl4 sshd[55807]: Invalid user chanton from 201.40.169.52
Apr 19 18:30:37 vinyl4 sshd[55806]: Invalid user chanton from 201.40.169.52

At 03:00 PM 4/20/2009, Kevin Oberman wrote:
>----------- nsp-security Confidential --------
>
> > Date: Mon, 13 Apr 2009 09:35:12 -0400
> > From: Tim Wilde <twilde at cymru.com>
> > Sender: nsp-security-bounces at puck.nether.net
> >
> > ----------- nsp-security Confidential --------
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Klaus Moeller wrote:
> > > ----------- nsp-security Confidential --------
> > >
> > > Hi all,
> > >
> > > For the last 3 days, several hosts in our constituency are under a
> > > distributed account probe against their SSH servers.
> > >
> > > Since most of the hosts probing the SSH servers will likely be
> > > compromised by weak account passwords too, I'm posting the list
> > > below. All timestamps are UTC+2:00.
> > >
> > > Hints for the C&C as well as the tool used for the account probe
> > > will be greatly appreciated.
> >
> > Klaus and Team,
> >
> > Thanks everyone for the insights and lists of IPs!  Just a quick
> > reminder, SSH bruteforce is one of the easiest categories of the Daily
> > Reports project that you can contribute data to.  If you have your SSH
> > logs available to pull this information out of, you can submit it by
> > following the instructions here:
> >
> >       https://www.cymru.com/nsp-sec/dailyreports/bruteforce.html
> >
> > There's even a link to a script by our very own John Kristoff that will
> > automatically parse a number of common authentication log file formats
> > and output data suitable for submission.  Data submitted here will get
> > distributed to all Daily Reports / ASN Alert subscribers on NSP-SEC,
> > automagically.  If you have any questions or want to verify that your
> > newly submitted data is getting through, please don't hesitate to ask.
> > Thanks!
>
>I should note that John's script was written for old-fashioned brute
>force attacks and not the current "slow" attacks. It requires that the
>log contain at least 10 failures from a single source before it
>triggers. At the rate that the current probes are coming in, very few
>systems are likely to hit in that time.
>
>I wrote my own script to do this and set it for 4 keyboard-interactive
>failures. Since we don't allow keyboard-interactive logins, this is
>pretty safe. (Two would probably be safe.)
>
>I now have a list of attempts going back for the past week that I will
>submit and I am including my quick perl script, but it is specific to my
>systems (FreeBSD) and operations (no keyboard-interactive logins), so I
>am not sure if it will be terribly useful. It assumes that the data is
>grepped from the logs and placed in $DATADIR with the name
>'bad_guys.XXX'. (I use the name of the system from which the data was
>collected for XXX.)
>
>"My" version also goes on to add the addresses to our black-hole.
>
>#!/usr/local/bin/perl
>
>use strict;
>use warnings;
>use Time::ParseDate;
>use POSIX;
>
>my ($addr, @bad_guys, @bad_guys2, $count, $DATADIR, $time);
>
>$DATADIR = "/home/oberman";
>
># Pull the keyboard-interactive failures out of the per-host extracts.
># This will exclude blocking my home address!
>@bad_guys = `grep "keyboard" $DATADIR/bad_guys.* | grep -v 67.164.102.6`;
># Specific to ESnet: never block our own address space.
>@bad_guys = grep !/198\.12[4589]\./, @bad_guys;
>
># Collect the source address of every failure, then reduce to unique addresses.
>open BAD, ">/tmp/bad-guys-$$" or die "cannot write /tmp/bad-guys-$$: $!";
>### if ($#bad_guys >= 0) {print STDERR "Addresses blocked:\n";}
>foreach (@bad_guys) {
>   /.+ from (\S+)/ or next;   # skip lines that carry no source address
>   print BAD "$1\n";
>}
>close BAD;
>@bad_guys2 = `sort /tmp/bad-guys-$$ | uniq`;
>unlink "/tmp/bad-guys-$$";    # double quotes so $$ interpolates and the temp file is really removed
># Remove entries without at least 4 attempts in a day
>foreach $addr (@bad_guys2) {
>   chomp $addr;               # sort | uniq output carries a trailing newline
>   # Quote the dots and match the whole address, so 85.17.36.4 does not also count 85.17.36.42
>   my $re = qr/ from \Q$addr\E(?:\s|$)/;
>   $count = grep /$re/, @bad_guys;
>   if ($count < 4) {
>     @bad_guys = grep !/$re/, @bad_guys;
>   }
>}
># Format data for Team Cymru: "<address> <UTC timestamp> ssh", one line per attempt
>foreach (@bad_guys) {
>   /:?(\S{3}  ?\d{1,2} \S+) .+from (\S+) port/ or next;
>   $time = parsedate($1);     # syslog timestamps carry no year; parsedate fills one in
>   $time = strftime('%F %T', gmtime($time));
>   print "$2 $time ssh\n";
>}
>exit;
>--
>R. Kevin Oberman, Network Engineer
>Energy Sciences Network (ESnet)
>Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
>E-mail: oberman at es.net                  Phone: +1 510 486-8634
>Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
>
>
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>community. Confidentiality is essential for effective Internet 
>security counter-measures.
>_______________________________________________
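Two points in the thread invite a worked example: Kevin's remark that a per-source failure threshold (10 in John's script, 4 in his own) is too coarse for the current slow probes, and Mike's excerpt, where one alphabetical username list (channon, chantal, chantel, chanton) is walked across many source addresses, four attempts per address. The Python below is an editor-added example, not Kevin Oberman's Perl and not Team Cymru's submission tooling. It parses a subset of the "Invalid user" lines quoted above plus one constructed noise line from the documentation address 192.0.2.10, applies the per-source rule at both thresholds, then links attempts across sources by the wordlist-walk signature (a later username that sorts at or after an earlier one, shares a prefix with it, and arrives within a time window) and prints the flagged sources in the "IP YYYY-MM-DD HH:MM:SS ssh" layout Kevin's script emits. The year 2009 and the EDT offset are taken from the thread; the 30-minute window, 3-character prefix and 3-source minimum are assumed tunables.

```python
"""Editor-added example, not Kevin Oberman's Perl or Team Cymru's tooling: show
why a per-source failure threshold misses a slow distributed SSH probe, and
link the sources instead by the wordlist-walk signature visible in the log.
Input: a subset of the "Invalid user" lines quoted by Mike Tancsa, plus ONE
CONSTRUCTED noise line from documentation address 192.0.2.10 that must stay
out of the campaign.  Year 2009 and the EDT offset come from the thread; the
30-minute window, 3-char prefix and 3-source minimum are assumed tunables."""
import os
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

SAMPLE_LOG = """\
Apr 19 17:44:11 vinyl4 sshd[49954]: Invalid user channon from 200.140.159.133
Apr 19 17:59:38 vinyl4 sshd[51557]: Invalid user chantal from 190.24.226.18
Apr 19 17:59:47 vinyl4 sshd[51643]: Invalid user chantal from 201.34.164.34
Apr 19 17:59:47 vinyl4 sshd[51642]: Invalid user chantal from 201.34.164.34
Apr 19 17:59:47 vinyl4 sshd[51645]: Invalid user chantal from 201.34.164.34
Apr 19 17:59:47 vinyl4 sshd[51644]: Invalid user chantal from 201.34.164.34
Apr 19 18:05:02 vinyl4 sshd[52100]: Invalid user root from 192.0.2.10
Apr 19 18:08:56 vinyl4 sshd[52731]: Invalid user chantel from 202.64.189.170
Apr 19 18:08:58 vinyl4 sshd[52756]: Invalid user chantel from 85.17.36.42
Apr 19 18:08:58 vinyl4 sshd[52755]: Invalid user chantel from 85.17.36.42
Apr 19 18:08:58 vinyl4 sshd[52757]: Invalid user chantel from 85.17.36.42
Apr 19 18:08:58 vinyl4 sshd[52758]: Invalid user chantel from 85.17.36.42
Apr 19 18:21:07 vinyl4 sshd[54465]: Invalid user chanton from 62.212.74.149
Apr 19 18:21:22 vinyl4 sshd[54540]: Invalid user chanton from 200.139.80.139
"""
LINE_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ "
                     r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")
EDT = timezone(timedelta(hours=-4))   # Mike notes the excerpt is in EDT


class Event(NamedTuple):
    ts: datetime   # UTC
    user: str
    ip: str


def parse_log(text, year=2009, tz=EDT):
    """Syslog lines carry no year, so the caller supplies it; times become UTC."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}",
                                  "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        events.append(Event(local.astimezone(timezone.utc), m["user"], m["ip"]))
    return sorted(events, key=lambda e: e.ts)


def per_source_offenders(events, threshold):
    """Classic rule: N failures from one source (10 in John's script, 4 in Kevin's)."""
    return {ip for ip, n in Counter(e.ip for e in events).items() if n >= threshold}


def distributed_probe_sources(events, window=timedelta(minutes=30),
                              min_prefix=3, min_sources=3):
    """Link an attempt to any earlier one within `window` whose username sorts
    <= its own and shares >= min_prefix leading characters: one wordlist walked
    across many hosts.  Union-find merges the links; each group with at least
    min_sources distinct IPs is returned as (usernames in order, sorted IPs)."""
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for j, cur in enumerate(events):
        for i in range(j - 1, -1, -1):          # time-sorted, so walk backwards
            prev = events[i]
            if cur.ts - prev.ts > window:
                break
            if (prev.user <= cur.user
                    and len(os.path.commonprefix([prev.user, cur.user])) >= min_prefix):
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for idx, e in enumerate(events):
        groups[find(idx)].append(e)
    return [(list(dict.fromkeys(e.user for e in g)), sorted({e.ip for e in g}))
            for g in groups.values() if len({e.ip for e in g}) >= min_sources]


def cymru_lines(events, sources):
    """One '<ip> <UTC YYYY-MM-DD HH:MM:SS> ssh' line per attempt, the layout Kevin's script prints."""
    return [f"{e.ip} {e.ts:%Y-%m-%d %H:%M:%S} ssh" for e in events if e.ip in sources]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-source >= 10:", sorted(per_source_offenders(ev, 10)))   # none
    print("per-source >= 4: ", sorted(per_source_offenders(ev, 4)))    # 2 of the 7 probing hosts
    for users, ips in distributed_probe_sources(ev):
        print(f"distributed probe walking {users} from {len(ips)} sources")
        print("\n".join(cymru_lines(ev, set(ips))))
```

On this input the threshold of 10 flags nothing and the threshold of 4 flags only the two hosts that made four attempts, while the cross-source link pulls in all seven probing hosts, including the three that made a single attempt each, and leaves the lone "root" attempt alone. The ordering test (prev.user <= cur.user) is what excludes the noise line: "root" sorts after "chantal" but before nothing that follows it, and it shares no prefix with the campaign's usernames.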
