[nsp-sec] DFN-CERT#42614 - Distributed SSH Probes
Joel Rosenblatt
joel at columbia.edu
Wed Apr 22 06:15:06 EDT 2009
Hi,
No really... this was the number of attempts against root from last night.
This is a list of usernames abused in SSH attack attempts.
root* : 1281169
Joel Rosenblatt
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
--On Tuesday, April 21, 2009 11:51 AM -0400 Mike Tancsa <mike at sentex.net> wrote:
> ----------- nsp-security Confidential --------
>
>
> Did anyone else notice their distributed ssh scans stop on the 19th at about 23:00 gmt ?
>
> (Times below are EDT)
>
> My last log entries are below... and nothing since. Our IDS had been playing a game of cat and mouse with their IPs, but there were always some new ones..
> Now nada.
>
>
> Apr 19 17:44:11 vinyl4 sshd[49954]: Invalid user channon from 200.140.159.133
> Apr 19 17:59:38 vinyl4 sshd[51557]: Invalid user chantal from 190.24.226.18
> Apr 19 17:59:47 vinyl4 sshd[51643]: Invalid user chantal from 201.34.164.34
> Apr 19 17:59:47 vinyl4 sshd[51642]: Invalid user chantal from 201.34.164.34
> Apr 19 17:59:47 vinyl4 sshd[51645]: Invalid user chantal from 201.34.164.34
> Apr 19 17:59:47 vinyl4 sshd[51644]: Invalid user chantal from 201.34.164.34
> Apr 19 18:08:56 vinyl4 sshd[52731]: Invalid user chantel from 202.64.189.170
> Apr 19 18:08:58 vinyl4 sshd[52756]: Invalid user chantel from 85.17.36.42
> Apr 19 18:08:58 vinyl4 sshd[52755]: Invalid user chantel from 85.17.36.42
> Apr 19 18:08:58 vinyl4 sshd[52757]: Invalid user chantel from 85.17.36.42
> Apr 19 18:08:58 vinyl4 sshd[52758]: Invalid user chantel from 85.17.36.42
> Apr 19 18:12:40 vinyl4 sshd[53277]: Invalid user chantel from 212.180.69.98
> Apr 19 18:12:40 vinyl4 sshd[53282]: Invalid user chantel from 212.180.69.98
> Apr 19 18:12:40 vinyl4 sshd[53279]: Invalid user chantel from 212.180.69.98
> Apr 19 18:12:40 vinyl4 sshd[53278]: Invalid user chantel from 212.180.69.98
> Apr 19 18:21:07 vinyl4 sshd[54465]: Invalid user chanton from 62.212.74.149
> Apr 19 18:21:22 vinyl4 sshd[54540]: Invalid user chanton from 200.139.80.139
> Apr 19 18:21:22 vinyl4 sshd[54538]: Invalid user chanton from 200.139.80.139
> Apr 19 18:21:22 vinyl4 sshd[54541]: Invalid user chanton from 200.139.80.139
> Apr 19 18:21:22 vinyl4 sshd[54539]: Invalid user chanton from 200.139.80.139
> Apr 19 18:27:41 vinyl4 sshd[55375]: Invalid user chanton from 65.160.236.155
> Apr 19 18:27:41 vinyl4 sshd[55377]: Invalid user chanton from 65.160.236.155
> Apr 19 18:27:41 vinyl4 sshd[55378]: Invalid user chanton from 65.160.236.155
> Apr 19 18:27:41 vinyl4 sshd[55379]: Invalid user chanton from 65.160.236.155
> Apr 19 18:30:33 vinyl4 sshd[55804]: Invalid user chanton from 201.40.169.52
> Apr 19 18:30:33 vinyl4 sshd[55805]: Invalid user chanton from 201.40.169.52
> Apr 19 18:30:35 vinyl4 sshd[55807]: Invalid user chanton from 201.40.169.52
> Apr 19 18:30:37 vinyl4 sshd[55806]: Invalid user chanton from 201.40.169.52
>
> At 03:00 PM 4/20/2009, Kevin Oberman wrote:
>> ----------- nsp-security Confidential --------
>>
>> > Date: Mon, 13 Apr 2009 09:35:12 -0400
>> > From: Tim Wilde <twilde at cymru.com>
>> > Sender: nsp-security-bounces at puck.nether.net
>> >
>> > ----------- nsp-security Confidential --------
>> >
>> >
>> > Klaus Moeller wrote:
>> > > ----------- nsp-security Confidential --------
>> > >
>> > > Hi all,
>> > >
>> > > For the last 3 days, several hosts in our constituency are under a
>> > > distributed account probe against their SSH servers.
>> > >
>> > > Since most of the hosts probing the SSH servers will likely be
>> > > compromised by weak account passwords too, I'm posting the list
>> > > below. All timestamps are UTC+2:00.
>> > >
>> > > Hints for the C&C as well as the tool used for the account probe
>> > > will be greatly appreciated.
>> >
>> > Klaus and Team,
>> >
>> > Thanks everyone for the insights and lists of IPs! Just a quick
>> > reminder, SSH bruteforce is one of the easiest categories of the Daily
>> > Reports project that you can contribute data to. If you have your SSH
>> > logs available to pull this information out of, you can submit it by
>> > following the instructions here:
>> >
>> > https://www.cymru.com/nsp-sec/dailyreports/bruteforce.html
>> >
>> > There's even a link to a script by our very own John Kristoff that will
>> > automatically parse a number of common authentication log file formats
>> > and output data suitable for submission. Data submitted here will get
>> > distributed to all Daily Reports / ASN Alert subscribers on NSP-SEC,
>> > automagically. If you have any questions or want to verify that your
>> > newly submitted data is getting through, please don't hesitate to ask.
>> > Thanks!
>>
>> I should note that John's script was written for old-fashioned brute
>> force attacks and not the current "slow" attacks. It requires that the
>> log contain at least 10 failures from a single source before it
>> triggers. At the rate that the current probes are coming in, very few
>> systems are likely to hit in that time.
>>
>> I wrote my own script to do this and set it for 4 keyboard-interactive
>> failures. Since we don't allow keyboard-interactive logins, this is
>> pretty safe. (Two would probably be safe.)
>>
>> I now have a list of attempts going back for the past week that I will
>> submit and I am including my quick perl script, but it is specific to my
>> systems (FreeBSD) and operations (no keyboard-interactive logins), so I
>> am not sure if it will be terribly useful. It assumes that the data is
>> grepped from the logs and placed in $DATADIR with the name
>> 'bad_guys.XXX'. (I use the name of the system from which the data was
>> collected for XXX.)
>>
>> "My" version also goes on to add the addresses to our black-hole.
>>
>> #!/usr/local/bin/perl
>>
>> use strict;
>> use warnings;
>> use Time::ParseDate;
>> use POSIX qw(strftime);
>>
>> my ($addr, @bad_guys, %count, $DATADIR, $time);
>>
>> $DATADIR = "/home/oberman";
>>
>> # This will exclude blocking my home address!
>> @bad_guys = `grep "keyboard" $DATADIR/bad_guys.* | grep -v 67.164.102.6`;
>> # Specific to ESnet
>> @bad_guys = grep !/198\.12[4589]\./, @bad_guys;
>>
>> # Count attempts per source address. A hash does the work of the
>> # "sort | uniq" pass, so there is no predictable /tmp file to create
>> # or clean up.
>> foreach (@bad_guys) {
>>     next unless /.+ from (\S+)/;
>>     $count{$1}++;
>> }
>> ### if (keys %count) {print STDERR "Addresses blocked:\n";}
>>
>> # Remove entries without at least 4 attempts in a day.
>> # \Q...\E quotes the dots in the address so they are not regex wildcards.
>> foreach $addr (keys %count) {
>>     if ($count{$addr} < 4) {
>>         @bad_guys = grep !/from \Q$addr\E(?:\s|$)/, @bad_guys;
>>     }
>> }
>> # Format data for Team Cymru: "<address> <UTC time> ssh", one line per attempt
>> foreach (@bad_guys) {
>>     next unless /:?(\S{3} ?\d{1,2} \S+) .+from (\S+) port/;
>>     $time = parsedate($1);
>>     $time = strftime('%F %T', gmtime($time));
>>     print "$2 $time ssh\n";
>> }
>> exit;
>> --
>> R. Kevin Oberman, Network Engineer
>> Energy Sciences Network (ESnet)
>> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
>> E-mail: oberman at es.net Phone: +1 510 486-8634
>> Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet
>> security counter-measures.
>> _______________________________________________
>
>
>
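The two detection ideas in the thread, Kevin's per-source failure threshold and the distributed username walk visible in Mike's log excerpt (the same name tried from several addresses within minutes, each address only once or a handful of times), can be run side by side over sshd log lines. The script below is an added example written for this page, not code from the thread or from the Team Cymru project. The log lines are constructed for the example (RFC 5737 documentation addresses, made-up PIDs) and only imitate the two sshd line shapes quoted above; the year 2009, the EDT offset, the 4-failure threshold, the 3-source minimum and the 10-minute window are all assumptions chosen for the demonstration. Output uses the "<ip> <UTC time> ssh" shape that Kevin's script prints.

```python
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

# Assumptions for this example: syslog lines carry no year, so the thread's
# year (2009) is supplied, and the timestamps are EDT (UTC-4) as Mike notes.
LOG_YEAR = 2009
LOCAL_TZ = timezone(timedelta(hours=-4))

# Constructed sample log, modelled on the two sshd line shapes in the thread
# ("Invalid user ..." and "Failed keyboard-interactive/pam for invalid user ...").
# Addresses are RFC 5737 documentation ranges, not the thread's data.
SAMPLE_LOG = """\
Apr 19 17:59:38 vinyl4 sshd[51557]: Invalid user chantal from 192.0.2.18
Apr 19 17:59:47 vinyl4 sshd[51643]: Invalid user chantal from 198.51.100.34
Apr 19 17:59:47 vinyl4 sshd[51642]: Invalid user chantal from 198.51.100.34
Apr 19 17:59:47 vinyl4 sshd[51645]: Invalid user chantal from 198.51.100.34
Apr 19 17:59:47 vinyl4 sshd[51644]: Invalid user chantal from 198.51.100.34
Apr 19 18:08:56 vinyl4 sshd[52731]: Invalid user chantel from 203.0.113.170
Apr 19 18:21:07 vinyl4 sshd[54465]: Invalid user chanton from 192.0.2.149
Apr 19 18:21:22 vinyl4 sshd[54540]: Invalid user chanton from 198.51.100.139
Apr 19 18:27:41 vinyl4 sshd[55375]: Failed keyboard-interactive/pam for invalid user chanton from 203.0.113.155 port 51234 ssh2
Apr 19 18:30:33 vinyl4 sshd[55804]: Invalid user chanton from 192.0.2.52
Apr 19 18:40:00 vinyl4 sshd[56000]: Invalid user admin from 192.0.2.99
"""

Event = namedtuple("Event", "time user ip")

# Matches both "Invalid user X from IP" and "Failed <method> for invalid user X from IP ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed \S+ for )?[Ii]nvalid user (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line, year=LOG_YEAR):
    """Turn one sshd invalid-user line into an Event with a tz-aware time, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts.replace(tzinfo=LOCAL_TZ), m["user"], m["ip"])


def per_source(events, threshold=4):
    """Kevin's rule: a source with at least `threshold` failures gets reported."""
    counts = Counter(ev.ip for ev in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_probe(events, min_sources=3, window=timedelta(minutes=10)):
    """Catch the slow, distributed walk: the same username tried from at least
    `min_sources` distinct addresses inside `window`, however few tries each made."""
    flagged = set()
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    for evs in by_user.values():
        evs.sort(key=lambda e: e.time)
        start = 0
        for end, ev in enumerate(evs):
            while ev.time - evs[start].time > window:  # slide the window forward
                start += 1
            sources = {e.ip for e in evs[start:end + 1]}
            if len(sources) >= min_sources:
                flagged |= sources
    return flagged


def cymru_lines(events, flagged):
    """Emit '<ip> <UTC YYYY-MM-DD HH:MM:SS> ssh', the shape Kevin's script prints."""
    return [
        f"{ev.ip} {ev.time.astimezone(timezone.utc):%Y-%m-%d %H:%M:%S} ssh"
        for ev in events if ev.ip in flagged
    ]


EVENTS = [ev for ev in map(parse_line, SAMPLE_LOG.splitlines()) if ev]

if __name__ == "__main__":
    flagged = set(per_source(EVENTS)) | distributed_probe(EVENTS)
    print("\n".join(cymru_lines(EVENTS, flagged)))
```

On the sample, the per-source rule catches only the one address that retried four times, while the username-window rule picks up the four addresses that each tried "chanton" once; the two rules together are what you want to feed a submission script when the campaign has gone slow. The window and source count need tuning per site: a shared username list walked by a few hundred hosts will easily exceed three sources in ten minutes, but a legitimate typo from a handful of staff will not.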