[nsp-sec] Sudden jump in ssh slow-scan activity

Mike Tancsa mike at sentex.net
Mon Jan 18 13:51:59 EST 2010


At 12:38 PM 1/18/2010, Kevin Oberman wrote:
>----------- nsp-security Confidential --------
>
>After a long quiet period, either because there were no attempts or
>because all of the bots involved had been blocked at our edge, we
>started seeing a very heavy attack on our systems on Saturday. We have
>seen the probes from over 2000 source IPs (all reported to Cymru for
>daily reports). While the number of attempts for most user names is
>small, usually between 5 and 10, 'root' gets hundreds of attempts, none
>of which will ever work since we don't allow ssh to root (nor does
>OpenSSH, by default).
>
>I assume that we are not alone in being subject to these attacks. Are
>others seeing them?

Yes, they were hitting one of my customer servers enough that it set 
off alarms on Sunday and <shakes fist at sky>interrupted my pleasant 
slumber!</end shaking fist>

I sent off 1500 different IP addresses to the daily reports as 
well.  Apart from root,

[vinyl3]# bzgrep -i illegal /var/log/auth.log.0.bz2 | awk '{print $13}' | sort | uniq -c | sort -nr | wc
     1479    2958   16865
[vinyl3]# bzgrep -i illegal /var/log/auth.log.0.bz2 | awk '{print $13}' | sort | uniq -c | sort -nr | head -20
  267 admin
   97 test
   96 ftp
   86 backup
   78 info
   78 administrator
   73 guest
   72 alex
   67 mike
   62 max
   57 ivan
   54 ftpuser
   52 mark
   52 john
   52 cyrus
   51 dan
   46 eric
   46 demo
   46 chris
   45 brian
[vinyl3]#

         ---Mike




>--
>R. Kevin Oberman, Network Engineer
>Energy Sciences Network (ESnet)
>Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
>E-mail: oberman at es.net                  Phone: +1 510 486-8634
>Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
>
>
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>community. Confidentiality is essential for effective Internet 
>security counter-measures.
>_______________________________________________

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike at sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
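The bzgrep/awk pipeline in Mike's message counts only the "illegal user" lines, so attempts against accounts that do exist (root, in Kevin's report) never show up in it, and it says nothing about how many sources each name came from. The script below is an added example, not code from either poster: it parses both the FreeBSD/PAM "authentication error for illegal user" line (the shape that puts the user name in field 13) and the plain OpenSSH "Invalid user" and "Failed password for" lines, then produces the same top-N table plus a per-source breakdown and the unique source list one would hand to a daily report. The log lines are constructed, the log formats are assumed from OpenSSH's usual wording rather than taken from the thread, and the slow-scan thresholds are illustrative.

```python
"""Count sshd probe activity from auth.log lines: per user name, per source,
and separately for real accounts such as root. Added example; the sample
lines below are constructed and use documentation (TEST-NET) addresses."""
import re
from collections import Counter

# Login attempt against a non-existent account, in the two shapes assumed here:
#   sshd[PID]: error: PAM: authentication error for illegal user NAME from SRC  (FreeBSD/PAM)
#   sshd[PID]: Invalid user NAME from SRC                                         (plain OpenSSH)
INVALID_RE = re.compile(
    r"sshd\[\d+\]: (?:error: PAM: authentication error for illegal user|Invalid user) "
    r"(?P<user>\S+) from (?P<src>\S+)"
)
# Failed login against an account that does exist. The negative lookahead skips
# "Failed password for invalid user X", which would double count INVALID_RE hits.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|keyboard-interactive/pam) for "
    r"(?!invalid user )(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log (not from the list post).
SAMPLE_LOG = """\
Jan 17 03:12:45 vinyl3 sshd[50123]: error: PAM: authentication error for illegal user admin from 192.0.2.10
Jan 17 03:12:49 vinyl3 sshd[50123]: error: PAM: authentication error for illegal user admin from 192.0.2.10
Jan 17 03:13:02 vinyl3 sshd[50131]: error: PAM: authentication error for illegal user test from 192.0.2.10
Jan 17 03:20:11 vinyl3 sshd[50140]: Invalid user ftp from 198.51.100.7
Jan 17 03:20:15 vinyl3 sshd[50140]: Invalid user backup from 198.51.100.7
Jan 17 03:41:30 vinyl3 sshd[50155]: error: PAM: authentication error for illegal user admin from 203.0.113.99
Jan 17 03:41:36 vinyl3 sshd[50155]: Failed password for root from 203.0.113.99 port 4021 ssh2
Jan 17 03:41:40 vinyl3 sshd[50155]: Failed password for root from 203.0.113.99 port 4022 ssh2
Jan 17 03:50:00 vinyl3 sshd[50160]: Accepted publickey for mike from 192.0.2.200 port 50010 ssh2
Jan 17 03:55:12 vinyl3 sshd[50170]: error: PAM: authentication error for illegal user admin from 198.51.100.7
"""


def parse_events(lines):
    """Yield (kind, user, src) per failed login line.
    kind is 'invalid' for a non-existent account and 'failed' for a real one."""
    for line in lines:
        m = INVALID_RE.search(line)
        if m:
            yield "invalid", m.group("user"), m.group("src")
            continue
        m = FAILED_RE.search(line)
        if m:
            yield "failed", m.group("user"), m.group("src")


def summarize(lines, top=20):
    """Equivalent of 'sort | uniq -c | sort -nr | head -N', plus the parts the pipeline misses."""
    invalid_users, failed_users, per_source = Counter(), Counter(), Counter()
    for kind, user, src in parse_events(lines):
        per_source[src] += 1
        (invalid_users if kind == "invalid" else failed_users)[user] += 1
    return {
        "distinct_invalid_users": len(invalid_users),   # what '| wc' reported
        "top_invalid_users": invalid_users.most_common(top),
        "failed_valid_users": dict(failed_users),       # root lands here, not above
        "per_source": dict(per_source),
    }


def sources_to_report(lines):
    """Sorted unique source addresses, i.e. the list one would send to a daily report."""
    return sorted({src for _, _, src in parse_events(lines)})


def looks_like_distributed_slow_scan(lines, min_sources=3, max_per_source=10):
    """Heuristic for the pattern in the thread: many sources, each making only a
    handful of attempts, so per-IP lockouts never fire. Thresholds are assumptions."""
    per_source = summarize(lines)["per_source"]
    if not per_source:
        return False
    return len(per_source) >= min_sources and max(per_source.values()) <= max_per_source


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    s = summarize(lines)
    print(f"{s['distinct_invalid_users']} distinct invalid user names")
    for user, n in s["top_invalid_users"]:
        print(f"{n:6d} {user}")
    print("failures against real accounts:", s["failed_valid_users"])
    print("sources to report:", ", ".join(sources_to_report(lines)))
    print("distributed slow scan:", looks_like_distributed_slow_scan(lines))
```

Run it against a real file with `summarize(open("/var/log/auth.log").read().splitlines())`; for the rotated bz2 file, read it through `bz2.open(path, "rt")` instead. The per-source counter is the part worth keeping: a scan that spreads its attempts over a thousand addresses stays under any per-IP lockout threshold, which is exactly why the user-name counts in the thread climb while each individual source stays quiet.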
