[nsp-sec] SSH scanners are back
Paul Dokas
dokas at oitsec.umn.edu
Fri Jan 22 11:07:59 EST 2010
Joel Rosenblatt wrote:
> ----------- nsp-security Confidential --------
>
> ------------------------------------------------------------------------
>
> Hi,
>
> Attached is our list of overnight scanners - 1036
We noticed the scanning behavior yesterday morning and removed this host
from the network:
217 | 134.84.165.145 | 22/tcp 2010-01-21 06:55:00 GMT-0500 2010-01-21 07:35:00 GMT-0500 66248 | UMN-AGS-NET-AS - University of Minnesota
It was a newly installed Linux machine with an account with a terrible
password. Here's the sequence of events that led up to the scanning
activity:
The host was under a brute-force SSH scan from 169.230.130.22 (cytobank.ucsf.edu):
2010-01-21 05:31:11.354 3.136 TCP 169.230.130.22:41148 -> 134.84.165.145:22 ...... 0 12 1168 3 2979 97 1
2010-01-21 05:31:13.781 2.816 TCP 169.230.130.22:41496 -> 134.84.165.145:22 ...... 0 12 1152 4 3272 96 1
2010-01-21 05:31:14.355 2.752 TCP 134.84.165.145:22 -> 169.230.130.22:41496 ...... 0 14 2399 5 6973 171 1
2010-01-21 05:31:14.360 2.880 TCP 169.230.130.22:41496 -> 134.84.165.145:22 ...... 0 12 1152 4 3200 96 1
2010-01-21 05:31:17.023 3.200 TCP 134.84.165.145:22 -> 169.230.130.22:41816 ...... 0 14 2399 4 5997 171 1
2010-01-21 05:31:17.195 3.264 TCP 169.230.130.22:41816 -> 134.84.165.145:22 ...... 0 12 1152 3 2823 96 1
2010-01-21 05:31:17.476 3.136 TCP 169.230.130.22:41816 -> 134.84.165.145:22 ...... 0 11 1100 3 2806 100 1
2010-01-21 05:31:19.752 2.688 TCP 169.230.130.22:42191 -> 134.84.165.145:22 ...... 0 12 1152 4 3428 96 1
2010-01-21 05:31:20.430 2.624 TCP 169.230.130.22:42191 -> 134.84.165.145:22 ...... 0 12 1152 4 3512 96 1
Then the scanning stopped and someone in Macedonia logged into the machine:
2010-01-21 05:33:24.654 2.560 TCP 77.29.243.197:1997 -> 134.84.165.145:22 ...... 0 22 1702 8 5318 77 1
2010-01-21 05:33:24.654 2.304 TCP 134.84.165.145:22 -> 77.29.243.197:1997 ...... 16 15 2548 6 8847 169 1
2010-01-21 05:33:25.219 7.680 TCP 77.29.243.197:1997 -> 134.84.165.145:22 ...... 0 26 1994 3 2077 76 1
2010-01-21 05:33:30.855 0.896 TCP 77.29.243.197:1997 -> 134.84.165.145:22 ...... 0 4 292 4 2607 73 1
2010-01-21 05:33:30.855 0.448 TCP 134.84.165.145:22 -> 77.29.243.197:1997 ...... 16 2 744 4 13285 372 1
2010-01-21 05:33:50.733 5.760 TCP 77.29.243.197:1997 -> 134.84.165.145:22 ...... 0 20 1060 3 1472 53 1
2010-01-21 05:33:50.970 7.296 TCP 77.29.243.197:1997 -> 134.84.165.145:22 ...... 0 25 1290 3 1414 51 1
There were several downloads (HTTP and FTP) from several places including 213.131.252.251,
208.68.107.168 (thea.eggheads.org) and a SourceForge mirror. We did find eggdrop running
on the machine.
The host attached to Undernet:
2010-01-21 05:46:26.802 0.128 TCP 208.83.20.130:6667 -> 134.84.165.145:40248 ...... 0 2 138 15 8625 69 1
2010-01-21 05:46:27.294 0.128 TCP 208.83.20.130:6667 -> 134.84.165.145:40248 ...... 0 2 138 15 8625 69 1
2010-01-21 05:47:25.753 0.128 TCP 208.83.20.130:6667 -> 134.84.165.145:40248 ...... 0 2 138 15 8625 69 1
2010-01-21 05:47:26.040 0.320 TCP 134.84.165.145:40248 -> 208.83.20.130:6667 ...... 0 3 148 9 3700 49 1
2010-01-21 05:47:26.171 0.128 TCP 208.83.20.130:6667 -> 134.84.165.145:40248 ...... 0 2 138 15 8625 69 1
2010-01-21 05:48:07.830 0.000 TCP 208.83.20.130:6667 -> 134.84.165.145:40248 ...... 0 1 101 0 0 101 1
2010-01-21 05:48:08.073 0.000 TCP 208.83.20.130:6667 -> 134.84.165.145:40248 ...... 0 1 101 0 0 101 1
And it started scanning:
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.35:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.44:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.19:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.33.65:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.21:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.16:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.22:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.37:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.31:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.42:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.32:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.33.68:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.38:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.26:22 ...... 0 1 48 0 0 48 1
2010-01-21 05:52:13.082 0.000 TCP 134.84.165.145:61197 -> 129.0.32.41:22 ...... 0 1 48 0 0 48 1
Paul
--
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
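The flow records in the post above show the two signatures that matter to a network operator: an external source opening many short, separate TCP sessions to one host's port 22 (each failed password is its own flow with a new client port and about a dozen packets), and, later, the same host emitting single-packet flows to port 22 on many different addresses. The script below is an added example, not part of the original post or of any tool Paul used; it parses nfdump-style lines (column order assumed from the quoted records: start, duration, proto, src:port, dst:port, flags, tos, packets, bytes, pps, bps, bpp, flows), flags brute-force sources and scanning hosts with simple sliding-window counts, and correlates the two to list hosts that were brute-forced and then started scanning. All addresses and records are constructed from documentation ranges; the thresholds are starting points, not tuned values.

```python
"""Flag SSH brute-force sources and outbound SSH scanners in nfdump-style flow text."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed nfdump default column layout (matches the records quoted in the post):
# start duration proto src:port -> dst:port flags tos packets bytes pps bps bpp flows
FLOW_RE = re.compile(
    r"^(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<flags>\S+)\s+(?P<tos>\d+)\s+(?P<packets>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<pps>\d+)\s+(?P<bps>\d+)\s+(?P<bpp>\d+)\s+(?P<flows>\d+)\s*$"
)

def parse_flows(lines):
    """Return one dict per flow record; header and summary lines are skipped."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "start": datetime.strptime(d["start"], "%Y-%m-%d %H:%M:%S.%f"),
            "dur": float(d["dur"]), "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "packets": int(d["packets"]), "bytes": int(d["bytes"]),
        })
    return flows

def ssh_bruteforce_sources(flows, min_attempts=5, window_s=60, max_packets=30):
    """(src, dst) pairs with >= min_attempts short client->:22 flows inside window_s.
    Each failed login is a separate flow (new client port, few packets), so a real
    interactive session with hundreds of packets is excluded by max_packets."""
    per_pair = defaultdict(list)
    for f in flows:
        if f["proto"] == "TCP" and f["dport"] == 22 and f["packets"] <= max_packets:
            per_pair[(f["src"], f["dst"])].append(f["start"])
    hits = {}
    for pair, starts in per_pair.items():
        starts.sort()
        lo = 0
        for hi in range(len(starts)):          # sliding window over sorted start times
            while (starts[hi] - starts[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= min_attempts:
                hits[pair] = max(hits.get(pair, 0), hi - lo + 1)
    return hits

def ssh_scanning_hosts(flows, min_targets=8, window_s=60, max_packets=2):
    """Sources sending one- or two-packet flows to :22 on >= min_targets distinct
    hosts inside window_s: a SYN with no completed session, repeated across a range."""
    per_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "TCP" and f["dport"] == 22 and f["packets"] <= max_packets:
            per_src[f["src"]].append((f["start"], f["dst"]))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits

def correlate(lines):
    """Hosts that were brute-forced and later appear as scanners are the ones to pull."""
    flows = parse_flows(lines)
    bf = ssh_bruteforce_sources(flows)
    scans = ssh_scanning_hosts(flows)
    victims = {dst for (_, dst) in bf}
    return {"bruteforce": bf, "scanning": scans,
            "likely_compromised": sorted(victims & set(scans))}

# ---- constructed sample input (RFC 5737 documentation addresses, not real hosts) ----
def _rec(start, dur, src, sport, dst, dport, pkts, byts):
    return f"{start} {dur:.3f} TCP {src}:{sport} -> {dst}:{dport} ...... 0 {pkts} {byts} 3 2979 97 1"

def _ts(t):
    return t.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]

T0 = datetime(2010, 1, 21, 5, 31, 11, 354000)
SAMPLE_LINES = (
    ["Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows"]
    # six failed logins, one flow each, from the same external source
    + [_rec(_ts(T0 + timedelta(seconds=2.5 * i)), 3.1, "198.51.100.7", 41148 + 300 * i,
            "192.0.2.10", 22, 12, 1152) for i in range(6)]
    # a single later session from elsewhere (too few flows to count as brute force)
    + [_rec(_ts(T0 + timedelta(minutes=2)), 7.68, "203.0.113.5", 1997, "192.0.2.10", 22, 26, 1994)]
    # a normal long interactive SSH session between two internal hosts
    + [_rec(_ts(T0 + timedelta(minutes=3)), 600.0, "192.0.2.20", 50000, "192.0.2.30", 22, 900, 120000)]
    # the brute-forced host probing ten addresses with one 48-byte packet each
    + [_rec(_ts(T0 + timedelta(minutes=21)), 0.0, "192.0.2.10", 61197, f"203.0.113.{i}", 22, 1, 48)
       for i in range(1, 11)]
    + ["Summary: total flows: 18, total bytes: 12345, total packets: 999"]
)

if __name__ == "__main__":
    for key, val in correlate(SAMPLE_LINES).items():
        print(key, val)
```

Feed it `nfdump -o line` output (or any text in the same column order) on stdin in place of `SAMPLE_LINES`; the three filters on packet counts are what keep a long legitimate session, a single successful login and a one-packet probe from being confused with each other.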