[nsp-sec] coordinated ssh brute force scanning
Kevin Oberman
oberman at es.net
Fri Nov 6 18:40:13 EST 2009
> Date: Fri, 06 Nov 2009 15:34:06 -0500
> From: Mike Tancsa <mike at sentex.net>
> Sender: nsp-security-bounces at puck.nether.net
>
> ----------- nsp-security Confidential --------
>
>
> IP addresses below are part of a seemingly
> coordinated net doing a bruteforce scan targeting
> 64.7.128.98. (Sample of the username pattern
> below). Each IP is well spaced apart so as not to trigger any rate limiters.
>
> Should this just go to bruteforce at cymru.com in the future ?
Over the past couple of weeks I have been seeing two separate and, I
suspect, independent sets of 'slow' ssh brute force attacks. I don't
know if the same group is behind both, but they do 'look' a bit
different.
The first is the old standby...attempts on a series of common user
names, moving in alphabetical order from a large number of attacking
hosts. While lots of accounts are used, the number of attempts at 'root'
is several times that of other accounts.
The second and more recent is a similar attack, but the only account
attacked is 'root'. The two sets stop and start independently with the
root attacks. The last series ran for exactly 7 hours starting at 08:00
UTC and ending at 15:00 UTC.
The heavy emphasis on root makes some sense as breaking into root is the
ultimate goal, but it is also a rather long shot since root login is
normally not allowed in a default OpenSSH configuration, so cracking it
is a pretty long shot.
I have been detecting over 100 different hosts in this attack every day
of the past week as I send these to our RTBH every day at the same time I
send them to brute force.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
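The slow, distributed pattern described in the post (many well-spaced sources, each staying under any per-IP rate limiter, a heavy skew toward root, and non-root usernames tried in alphabetical order) can be picked out of sshd logs with a small aggregation pass. This is an added example, not code from the original post or from ESnet; the log lines are constructed and the thresholds (`min_sources`, `per_ip_cap`) are assumptions to tune locally.

```python
import re
from collections import Counter

# Constructed sample of sshd auth.log lines (not from the original post).
SAMPLE_LOG = """\
Nov  6 08:00:12 host sshd[1001]: Failed password for root from 198.51.100.1 port 40001 ssh2
Nov  6 08:31:40 host sshd[1002]: Failed password for root from 198.51.100.2 port 40002 ssh2
Nov  6 09:02:03 host sshd[1003]: Failed password for invalid user adam from 203.0.113.5 port 40003 ssh2
Nov  6 09:33:51 host sshd[1004]: Failed password for root from 198.51.100.3 port 40004 ssh2
Nov  6 10:05:27 host sshd[1005]: Failed password for invalid user bob from 203.0.113.6 port 40005 ssh2
Nov  6 10:37:09 host sshd[1006]: Failed password for root from 198.51.100.4 port 40006 ssh2
Nov  6 11:08:44 host sshd[1007]: Failed password for invalid user carol from 203.0.113.7 port 40007 ssh2
Nov  6 11:40:18 host sshd[1008]: Failed password for root from 198.51.100.1 port 40008 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user X from ...".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")


def parse_failures(log_text):
    """Return (user, ip) pairs for every failed-password line, in log order."""
    return [(m.group("user"), m.group("ip"))
            for line in log_text.splitlines()
            if (m := FAILED_RE.search(line))]


def summarize(failures, min_sources=5, per_ip_cap=3):
    """Summarize a failure list and flag the slow/distributed campaign shape.

    min_sources and per_ip_cap are assumed thresholds: a campaign is flagged when
    at least min_sources distinct IPs each stay at or below per_ip_cap attempts,
    i.e. under what a naive per-IP rate limiter would trip on.
    """
    per_ip = Counter(ip for _, ip in failures)
    per_user = Counter(user for user, _ in failures)
    others = [user for user, _ in failures if user != "root"]
    distinct_sources = len(per_ip)
    max_per_ip = max(per_ip.values(), default=0)
    root_attempts = per_user.get("root", 0)
    return {
        "distinct_sources": distinct_sources,
        "max_per_ip": max_per_ip,
        "root_attempts": root_attempts,
        "root_share": root_attempts / len(failures) if failures else 0.0,
        # Usernames arriving in sorted order is the alphabetical-sweep signature.
        "alphabetical_usernames": len(others) >= 2 and others == sorted(others),
        "distributed_slow": distinct_sources >= min_sources and max_per_ip <= per_ip_cap,
    }
```

The per-source counts are what would feed a blackhole (RTBH) list or a report to a brute-force aggregation service; the `distributed_slow` flag is the signal a per-IP limiter alone would miss.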