[nsp-sec] Sudden jump in ssh slow-scan activity

Jason Gardiner gardiner at direcpath.com
Mon Jan 18 13:44:43 EST 2010


>> I assume that we are not alone in being subject to these attacks. Are
>> others seeing them?
> 
> Ditto here. I am seeing the same methods used against 20+ networks
> I am monitoring in Oregon, Washington, and Alaska. There was a major
> uptick in attempts starting on Saturday. SSH probing is constant of
> course, but this is an escalation of knob turning. An example from
> one tiny server in Salem Oregon this morning:

Affirmative.  My script, AKA "Project Vengeance" has picked up a
substantial increase in the past several days.

The permutations in the name list are growing substantially, too.  I
almost never see tries against root any more.

 Invalid user courtney1 from 80.55.63.250
 Invalid user courtney12 from 80.55.63.250
 Invalid user courtney123 from 80.55.63.250
 Invalid user courtney1234 from 80.55.63.250
 Invalid user courtney12345 from 80.55.63.250
 Invalid user courtney123456 from 80.55.63.250
 Invalid user courtney1234567 from 80.55.63.250
 Invalid user courtney12345678 from 80.55.63.250
 Invalid user courtney123456789 from 80.55.63.250
 Invalid user brooklyn1 from 80.55.63.250
 Invalid user brooklyn12 from 80.55.63.250
 Invalid user brooklyn123 from 80.55.63.250
 Invalid user brooklyn1234 from 80.55.63.250
 Invalid user brooklyn12345 from 80.55.63.250
 Invalid user brooklyn123456 from 80.55.63.250
 Invalid user brooklyn1234567 from 80.55.63.250
 Invalid user brooklyn12345678 from 80.55.63.250
 Invalid user brooklyn123456789 from 80.55.63.250

I am toying with setting up a honeypot so I can see what happens after a
name match is made.  Anyone else doing this?

Thanks,

-- 
Jason Gardiner
Director Network Engineering
DirecPath, LLC

o. 404.961.7024
c. 404.557.4007
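
One way to flag the name-plus-growing-digit-suffix pattern shown in the log excerpt above; this is an added example, not part of the original message and not the poster's script. The function name, the `min_variants` threshold and the 192.0.2.10 lines are assumptions constructed for illustration; the 80.55.63.250 lines are copied from the excerpt.

```python
import re
from collections import defaultdict

# Matches sshd "Invalid user" lines, with or without a syslog prefix.
INVALID_USER = re.compile(r"Invalid user (\S+) from (\S+)")
# Splits a username into a base ending in a non-digit and a trailing digit run.
BASE_SUFFIX = re.compile(r"^(.*\D)(\d+)$")


def find_suffix_permutations(lines, min_variants=3):
    """Return {source: {base: [suffixes]}} for every base name that one
    source tried with at least min_variants distinct numeric suffixes."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = INVALID_USER.search(line)
        if not m:
            continue
        user, src = m.groups()
        parts = BASE_SUFFIX.match(user)
        if not parts:
            continue  # no trailing digits, or the name is all digits
        base, suffix = parts.groups()
        seen[src][base.lower()].add(suffix)

    hits = {}
    for src, bases in seen.items():
        flagged = {
            base: sorted(suffixes, key=lambda s: (len(s), s))
            for base, suffixes in bases.items()
            if len(suffixes) >= min_variants
        }
        if flagged:
            hits[src] = flagged
    return hits


# Sample input: first six lines from the excerpt, last two constructed.
SAMPLE = """\
 Invalid user courtney1 from 80.55.63.250
 Invalid user courtney12 from 80.55.63.250
 Invalid user courtney123 from 80.55.63.250
 Invalid user brooklyn1 from 80.55.63.250
 Invalid user brooklyn12 from 80.55.63.250
 Invalid user brooklyn123 from 80.55.63.250
Jan 18 09:00:01 host sshd[1234]: Invalid user oracle from 192.0.2.10
Jan 18 09:05:44 host sshd[1301]: Invalid user test1 from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for src, bases in find_suffix_permutations(SAMPLE).items():
        for base, suffixes in bases.items():
            print(f"{src}: {base} + {suffixes}")
```

Grouping per source keeps a slow scan visible even when attempts are spread over hours, since the check counts distinct suffixes and ignores timing.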


