[nsp-sec] Sudden jump in ssh slow-scan activity
Mike Tancsa
mike at sentex.net
Wed Jan 20 19:36:56 EST 2010
At 06:29 PM 1/20/2010, Smith, Donald wrote:
>Also these are just scanning. I am seeing data so I believe they are
>bruteforcing too.
Mine were all bruteforcing. Looking at the userids tried, they were
coordinated in that they were increasing alphabetically. Not sure
why they would not go the extra step and randomize the userids chosen
to at least make it more difficult to see the pattern/grouping.
Jan 15 02:50:58 vinyl3 sshd[13811]: error: PAM: authentication error for illegal user apache from 58.60.106.24
Jan 15 02:50:58 vinyl3 sshd[13812]: error: PAM: authentication error for illegal user apache from 58.60.106.24
Jan 15 02:50:58 vinyl3 sshd[13813]: error: PAM: authentication error for illegal user apache from 58.60.106.24
Jan 15 02:50:58 vinyl3 sshd[13814]: error: PAM: authentication error for illegal user apache from 58.60.106.24
Jan 15 02:50:58 vinyl3 sshd[13816]: error: PAM: authentication error for illegal user apache from 58.60.106.24
Jan 15 02:50:58 vinyl3 sshd[13815]: error: PAM: authentication error for illegal user apache from 58.60.106.24
Jan 15 02:50:58 vinyl3 sshd[13818]: error: PAM: authentication error for illegal user apache from 58.60.106.24
Jan 15 02:50:58 vinyl3 sshd[13817]: error: PAM: authentication error for illegal user apache from 58.60.106.24
Jan 15 03:39:43 vinyl3 sshd[19622]: error: PAM: authentication error for illegal user apache2 from 200.13.253.122
Jan 15 03:39:43 vinyl3 sshd[19624]: error: PAM: authentication error for illegal user apache2 from 200.13.253.122
Jan 15 03:39:43 vinyl3 sshd[19625]: error: PAM: authentication error for illegal user apache2 from 200.13.253.122
Jan 15 03:39:43 vinyl3 sshd[19626]: error: PAM: authentication error for illegal user apache2 from 200.13.253.122
Jan 15 03:39:43 vinyl3 sshd[19629]: error: PAM: authentication error for illegal user apache2 from 200.13.253.122
Jan 15 03:39:43 vinyl3 sshd[19628]: error: PAM: authentication error for illegal user apache2 from 200.13.253.122
Jan 15 03:39:44 vinyl3 sshd[19630]: error: PAM: authentication error for illegal user apache2 from 200.13.253.122
Jan 15 03:39:44 vinyl3 sshd[19627]: error: PAM: authentication error for illegal user apache2 from 200.13.253.122
Jan 15 03:52:44 vinyl3 sshd[21055]: error: PAM: authentication error for illegal user apache2 from 80.169.105.159
Jan 15 03:52:44 vinyl3 sshd[21056]: error: PAM: authentication error for illegal user apache2 from 80.169.105.159
Jan 15 03:52:44 vinyl3 sshd[21058]: error: PAM: authentication error for illegal user apache2 from 80.169.105.159
Jan 15 03:52:44 vinyl3 sshd[21059]: error: PAM: authentication error for illegal user apache2 from 80.169.105.159
Jan 15 03:52:44 vinyl3 sshd[21062]: error: PAM: authentication error for illegal user apache2 from 80.169.105.159
Jan 15 04:04:43 vinyl3 sshd[22401]: error: PAM: authentication error for illegal user apache2 from 70-89-113-100-busname-wa.hfc.comcastbusiness.net
Jan 15 05:23:46 vinyl3 sshd[30690]: error: PAM: authentication error for illegal user build from 84.201.180.130
Jan 15 05:23:46 vinyl3 sshd[30689]: error: PAM: authentication error for illegal user build from 84.201.180.130
Jan 15 05:23:46 vinyl3 sshd[30691]: error: PAM: authentication error for illegal user build from 84.201.180.130
Jan 15 05:23:46 vinyl3 sshd[30692]: error: PAM: authentication error for illegal user build from 84.201.180.130
Jan 15 05:23:46 vinyl3 sshd[30693]: error: PAM: authentication error for illegal user build from 84.201.180.130
Jan 15 05:23:46 vinyl3 sshd[30696]: error: PAM: authentication error for illegal user build from 84.201.180.130
Jan 15 05:23:46 vinyl3 sshd[30699]: error: PAM: authentication error for illegal user build from 84.201.180.130
Jan 15 05:23:46 vinyl3 sshd[30701]: error: PAM: authentication error for illegal user build from 84.201.180.130
The counts are different than in the past. Usually 3-4 tries per
IP. This is more. I see 60 bytes as well.
# bzcat pflog.[2-3].bz2 | tcpdump -c2 -s0 -nr - -vvv host 84.201.180.130
reading from file -, link-type PFLOG (OpenBSD pflog file)
04:10:36.188890 IP (tos 0x0, ttl 52, id 37635, offset 0, flags [DF], proto: TCP (6), length: 60) 84.201.180.130.39130 > 64.7.153.13.22: S, cksum 0x102d (correct), 2925461768:2925461768(0) win 5840 <mss 1402,sackOK,timestamp 1489608130 0,nop,wscale 0>
04:35:04.638566 IP (tos 0x0, ttl 52, id 51287, offset 0, flags [DF], proto: TCP (6), length: 60) 84.201.180.130.55380 > 67.43.129.176.22: S, cksum 0x50be (correct), 194629308:194629308(0) win 5840 <mss 1402,sackOK,timestamp 1491076843 0,nop,wscale 0>
[vinyl3]# bzcat pflog.[2-3].bz2 | tcpdump -c2 -s0 -nr - -vvv host 58.60.106.24
reading from file -, link-type PFLOG (OpenBSD pflog file)
03:38:15.389334 IP (tos 0x0, ttl 46, id 61007, offset 0, flags [DF], proto: TCP (6), length: 60) 58.60.106.24.33953 > 67.43.129.178.22: S, cksum 0x1100 (correct), 473690542:473690542(0) win 5840 <mss 1460,sackOK,timestamp 75702241 0,nop,wscale 0>
03:38:15.389373 IP (tos 0x0, ttl 45, id 10433, offset 0, flags [DF], proto: TCP (6), length: 60) 58.60.106.24.33972 > 67.43.129.182.22: S, cksum 0xcc3c (correct), 460470051:460470051(0) win 5840 <mss 1460,sackOK,timestamp 75702242 0,nop,wscale 0>
[vinyl3]#
>(coffee != sleep) & (!coffee == sleep)
>Donald.Smith at qwest.com gcia
>
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> > Joel Rosenblatt
> > Sent: Monday, January 18, 2010 12:05 PM
> > To: Mike Tancsa; Kevin Oberman; nsp-security at puck.nether.net
> > Subject: Re: [nsp-sec] Sudden jump in ssh slow-scan activity
> >
> > ----------- nsp-security Confidential --------
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike