[nsp-sec] SSH scanners are back
Mike Tancsa
mike at sentex.net
Fri Jan 22 10:48:14 EST 2010
At 10:10 AM 1/22/2010, Joel Rosenblatt wrote:
>----------- nsp-security Confidential --------
>
>
>Hi,
>
>Attached is our list of overnight scanners - 1036
Interesting, mine are cranked up as well. But it seems to be a different
program in that it's back to trying 3 or 4 per bot at much longer
intervals than the blast from last week. Complete list (853) sent off to
bruteforce at cymru.com
e.g. typically 30 min between tries from an infected IP
Jan 21 23:00:33 freebsd-current sshd[66573]: Failed keyboard-interactive/pam for invalid user master2 from 69.250.227.138 port 35597 ssh2
Jan 21 23:34:47 freebsd-current sshd[34766]: Failed keyboard-interactive/pam for invalid user michael from 69.250.227.138 port 55509 ssh2
and the pattern looks like
Jan 21 13:45:19 freebsd-current sshd[88364]: Invalid user didier from 194.78.164.90
Jan 21 13:46:20 freebsd-current sshd[92464]: Invalid user digital from 87.106.46.96
Jan 21 13:46:46 freebsd-current sshd[94117]: Invalid user dilip from 135.196.243.201
Jan 21 13:47:12 freebsd-current sshd[95324]: Invalid user dima from 81.214.127.110
Jan 21 13:48:59 freebsd-current sshd[1037]: Invalid user dino from 94.89.16.49
Jan 21 13:50:47 freebsd-current sshd[7098]: Invalid user dio from 200.80.238.234
Jan 21 13:50:52 freebsd-current sshd[7620]: Invalid user diradmin from 200.249.245.2
Jan 21 13:54:35 freebsd-current sshd[33957]: Invalid user dns from 200.46.125.39
Jan 21 13:55:00 freebsd-current sshd[36989]: Invalid user dnscache from 67.213.79.82
Jan 21 13:57:17 freebsd-current sshd[56552]: Invalid user dominique from 79.174.66.93
Jan 21 13:57:58 freebsd-current sshd[63896]: Invalid user domino from 79.174.66.93
Jan 21 13:58:45 freebsd-current sshd[70920]: Invalid user don from 222.221.12.9
Jan 21 13:58:46 freebsd-current sshd[71027]: Invalid user don from 189.19.205.20
Jan 21 13:59:11 freebsd-current sshd[76163]: Invalid user donato from 189.114.94.10
Jan 21 14:00:02 freebsd-current sshd[85666]: Invalid user dong from 86.105.177.4
Jan 21 14:00:04 freebsd-current sshd[88390]: Invalid user donna from 207.250.220.196
Jan 21 14:00:58 freebsd-current sshd[93935]: Invalid user donna from 189.108.202.34
Jan 21 14:02:12 freebsd-current sshd[2790]: Invalid user dorian from 83.208.25.192
Jan 21 14:02:41 freebsd-current sshd[5233]: Invalid user doris from 87.106.48.110
Jan 21 14:03:08 freebsd-current sshd[6078]: Invalid user doug from 61.222.216.248
Jan 21 14:04:00 freebsd-current sshd[8107]: Invalid user doug from 201.248.97.136
Jan 21 14:06:00 freebsd-current sshd[14614]: Invalid user dovecot from 217.91.147.134
Jan 21 14:06:18 freebsd-current sshd[16241]: Invalid user download1 from 195.228.0.37
Jan 21 14:06:50 freebsd-current sshd[18342]: Invalid user downloads from 174.142.116.10
Jan 21 14:07:14 freebsd-current sshd[20746]: Invalid user dr from 70.240.52.20
Jan 21 14:08:02 freebsd-current sshd[27726]: Invalid user dragon from 87.206.242.97
Jan 21 14:08:39 freebsd-current sshd[34605]: Invalid user dromero from 88.209.222.61
Jan 21 14:08:39 freebsd-current sshd[34324]: Invalid user dream from 200.204.104.177
Jan 21 14:09:04 freebsd-current sshd[36625]: Invalid user drop from 113.17.144.159
Jan 21 14:10:31 freebsd-current sshd[51530]: Invalid user drweb from 66.156.64.237
Jan 21 14:10:52 freebsd-current sshd[55189]: Invalid user dsmith from 216.156.152.199
Jan 21 14:11:35 freebsd-current sshd[62035]: Invalid user dsmith from 58.223.237.6
Jan 21 14:12:21 freebsd-current sshd[67513]: Invalid user dspam from 211.138.112.49
Jan 21 14:12:44 freebsd-current sshd[70396]: Invalid user dt from 222.221.12.12
Jan 21 14:13:37 freebsd-current sshd[77739]: Invalid user duane from 201.221.29.21
Jan 21 14:13:54 freebsd-current sshd[79450]: Invalid user dubai from 195.251.18.132
Jan 21 14:14:16 freebsd-current sshd[81265]: Invalid user dummy from 61.220.43.18
Jan 21 14:15:17 freebsd-current sshd[90720]: Invalid user dummy from 194.78.138.227
A quick sample of the last 30 from today
# grep -i illegal /var/log/auth.log | tail -30 | awk '{print "nc "$15" 22 < /dev/null &"}'
nc accmx.aim-cc.com 22 < /dev/null
nc 113.100.129.150 22 < /dev/null
nc 164.77.68.42 22 < /dev/null
nc 173.25.145.135 22 < /dev/null
nc 89.163.145.213 22 < /dev/null
nc 76.167.231.157 22 < /dev/null
nc 1779.ovz5.hc.ru 22 < /dev/null
nc 190.108.18.182 22 < /dev/null
nc 200.175.156.174 22 < /dev/null
nc 70.182.53.194 22 < /dev/null
nc 80.35.69.95 22 < /dev/null
nc 87.106.59.8 22 < /dev/null
nc 119.113.6.135 22 < /dev/null
nc 81.210.113.66 22 < /dev/null
nc 82.207.120.179 22 < /dev/null
nc 212.170.203.72 22 < /dev/null
nc 80.154.33.136 22 < /dev/null
nc 85.126.145.125 22 < /dev/null
nc 79.148.99.56 22 < /dev/null
nc 145.236.96.30 22 < /dev/null
nc 221.11.21.45 22 < /dev/null
nc 87.216.212.30 22 < /dev/null
nc 211.138.14.251 22 < /dev/null
nc 84.40.139.54 22 < /dev/null
nc 70.52.195.87 22 < /dev/null
nc 211.138.112.49 22 < /dev/null
nc 216.16.249.29 22 < /dev/null
nc 200.75.62.150 22 < /dev/null
nc 219.143.71.250 22 < /dev/null
nc 200.123.183.90 22 < /dev/null
26 of them respond to the world... Looks to be mostly Linux boxes based on the banner
SSH-2.0-OpenSSH_4.3p2 Debian-9
SSH-2.0-OpenSSH_4.2
SSH-2.0-OpenSSH_4.7
SSH-1.99-OpenSSH_3.9p1
SSH-2.0-OpenSSH_5.1
SSH-2.0-OpenSSH_4.6
SSH-1.99-OpenSSH_3.9p1
SSH-2.0-OpenSSH_5.1p1 Debian-7
SSH-1.99-OpenSSH_4.2
SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
SSH-2.0-OpenSSH_3.9p1 Debian-1ubuntu2.3
SSH-2.0-OpenSSH_5.0
SSH-2.0-OpenSSH_4.7
SSH-2.0-OpenSSH_5.0
SSH-2.0-OpenSSH_3.8.1
SSH-2.0-OpenSSH_4.6
SSH-1.99-OpenSSH_4.4
SSH-1.99-OpenSSH_4.2
SSH-1.99-OpenSSH_4.1
SSH-1.99-OpenSSH_4.2
SSH-1.99-OpenSSH_4.1
SSH-1.99-OpenSSH_4.2
SSH-2.0-OpenSSH_4.6
SSH-1.99-OpenSSH_4.1
SSH-1.99-OpenSSH_4.4
SSH-1.99-OpenSSH_3.8p1
SSH-1.99-OpenSSH_4.1
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
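The pattern Mike describes (many source addresses, each trying only a few usernames at roughly 30 minute spacing, while the usernames taken together walk an alphabetically sorted wordlist) is easy to miss with per-IP thresholds alone. The script below is an added detection example, not Mike's code or anything from the list: it parses the two sshd message shapes quoted in the post, de-duplicates the paired "Invalid user" / "Failed ... for invalid user" records sshd emits for one attempt, summarises attempts and spacing per source, and scores how monotonic the username sequence is across all sources. The sample log embedded at the bottom is constructed with documentation-range addresses; the thresholds in classify() are assumptions to tune against your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the two sshd message shapes quoted in the post:
#   "... sshd[PID]: Invalid user NAME from IP"
#   "... sshd[PID]: Failed keyboard-interactive/pam for invalid user NAME from IP port N ssh2"
SSHD_INVALID_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user|Failed \S+ for invalid user) (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line, year=2010):
    """Return (timestamp, username, source) for an invalid-user sshd line, else None.
    syslog lines carry no year, so the caller supplies it."""
    m = SSHD_INVALID_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def load_events(lines, year=2010):
    """Parse and de-duplicate: sshd may log both an 'Invalid user' line and a
    'Failed ... for invalid user' line for the same attempt."""
    events = {e for e in (parse_line(line, year) for line in lines) if e}
    return sorted(events)  # time order, then username


def per_source(events):
    """Attempt count, usernames tried and shortest gap (seconds) per source IP."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    summary = {}
    for ip, tries in by_ip.items():
        tries.sort()
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(tries, tries[1:])]
        summary[ip] = {
            "attempts": len(tries),
            "users": [u for _, u in tries],
            "min_gap_s": min(gaps) if gaps else None,
        }
    return summary


def wordlist_walk_score(events):
    """Fraction of consecutive usernames (time-ordered, across ALL sources) that are
    in non-decreasing order. Bots sharing one sorted wordlist score close to 1.0;
    unrelated attackers land near 0.5."""
    users = [u.lower() for _, u, _ in events]
    if len(users) < 2:
        return 0.0
    pairs = list(zip(users, users[1:]))
    return sum(1 for a, b in pairs if a <= b) / len(pairs)


def classify(lines, year=2010, min_sources=5, max_mean_attempts=4.0, walk_threshold=0.9):
    """Flag a distributed low-and-slow campaign: many sources, few tries each,
    collectively walking one sorted username list. Thresholds are assumptions."""
    events = load_events(lines, year)
    sources = per_source(events)
    score = wordlist_walk_score(events)
    mean_attempts = len(events) / len(sources) if sources else 0.0
    distributed = (
        len(sources) >= min_sources
        and mean_attempts <= max_mean_attempts
        and score >= walk_threshold
    )
    return {
        "events": len(events),
        "sources": len(sources),
        "walk_score": round(score, 2),
        "distributed_campaign": distributed,
        "per_source": sources,
    }


# Constructed sample (documentation-range addresses) shaped like the post's log;
# the second line is the paired record for the first attempt and de-duplicates away.
SAMPLE_LOG = """\
Jan 21 13:45:19 host1 sshd[101]: Invalid user didier from 192.0.2.10
Jan 21 13:45:19 host1 sshd[101]: Failed keyboard-interactive/pam for invalid user didier from 192.0.2.10 port 40001 ssh2
Jan 21 13:46:20 host1 sshd[102]: Invalid user digital from 192.0.2.11
Jan 21 13:46:46 host1 sshd[103]: Invalid user dilip from 198.51.100.5
Jan 21 13:47:12 host1 sshd[104]: Invalid user dima from 203.0.113.77
Jan 21 13:48:59 host1 sshd[105]: Invalid user dino from 192.0.2.12
Jan 21 13:50:47 host1 sshd[106]: Invalid user dio from 198.51.100.9
Jan 21 14:15:33 host1 sshd[107]: Failed keyboard-interactive/pam for invalid user dom from 192.0.2.10 port 35597 ssh2
Jan 21 14:40:02 host1 sshd[108]: Invalid user donna from 203.0.113.77
this line is not an sshd record and is skipped
"""

if __name__ == "__main__":
    result = classify(SAMPLE_LOG.splitlines())
    print(f"{result['events']} attempts from {result['sources']} sources, "
          f"walk score {result['walk_score']}, distributed={result['distributed_campaign']}")
    for ip, s in result["per_source"].items():
        print(f"  {ip}: {s['attempts']} tries {s['users']} min gap {s['min_gap_s']}")
```

On the sample this reports 8 attempts from 6 sources with a walk score of 1.0 and flags the campaign, even though no single source exceeds two attempts or a 30 minute gap. Feed it `grep sshd /var/log/auth.log` over a longer window and the walk score distinguishes a coordinated wordlist sweep from the background noise of independent scanners; the per-source table is what you would hand to a list like bruteforce at cymru.com.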