[nsp-sec] distributed ssh scanners again
Mike Tancsa
mike at sentex.net
Wed Nov 3 02:16:44 EDT 2010
At 01:41 AM 11/3/2010, Mike Tancsa wrote:
>----------- nsp-security Confidential --------
>
>Starting at around 19:15 GMT -400, about 250 different hosts started
>to brute-force ssh scan through my AS, trying just the root account
>via ssh. They would hit a dozen or so different web servers in my
>network once per IP so as not to set off individual alarms on each
>host. Sorry, the times are all GMT -400 (New York time).
Here is an example argus record of one of the hosts that illustrates
the behaviour. As you can see, in a short period of time it hits a
number of hosts in my network and then sleeps 45 min to an hour before
trying again on more hosts. The IPs in its lists all have or had ssh
running at some point.
StartTime Proto SrcAddr.Sport Dir DstAddr.Dport TotPkts TotBytes State
11-02 20:33:14.616 tcp 208.124.238.246.24733 -> 67.43.128.1.22 23 3732 FSPA_
11-02 20:33:14.624 tcp 208.124.238.246.23193 -> 67.43.128.113.22 23 3804 FSPA_
11-02 20:33:14.650 tcp 208.124.238.246.11358 -> 67.43.128.162.22 23 3732 FSPA_
11-02 20:33:14.683 tcp 208.124.238.246.16407 -> 67.43.128.4.22 23 3732 FSPA_
11-02 20:33:14.697 tcp 208.124.238.246.13542 -> 67.43.128.81.22 23 3804 FSPA_
11-02 20:33:14.747 tcp 208.124.238.246.19182 -> 67.43.129.176.22 23 4079 FSPA_
11-02 20:33:15.009 tcp 208.124.238.246.29968 -> 67.43.129.181.22 23 4079 FSPA_
11-02 20:33:15.042 tcp 208.124.238.246.25563 -> 67.43.129.183.22 23 4079 FSPA_
11-02 20:33:17.759 tcp 208.124.238.246.22906 -> 67.43.129.177.22 23 4079 FSPA_
11-02 20:33:17.817 tcp 208.124.238.246.21266 -> 67.43.129.178.22 23 4079 FSPA_
11-02 20:33:17.911 tcp 208.124.238.246.14086 -> 67.43.129.179.22 23 4079 FSPA_
11-02 20:33:17.975 tcp 208.124.238.246.3565 -> 67.43.129.180.22 23 4079 FSPA_
11-02 20:33:18.022 tcp 208.124.238.246.15727 -> 67.43.129.182.22 23 4079 FSPA_
11-02 20:33:18.074 tcp 208.124.238.246.2331 -> 67.43.129.205.22 23 3732 FSPA_
11-02 20:33:18.411 tcp 208.124.238.246.26009 -> 67.43.131.10.22 23 3695 FSPA_
11-02 20:33:18.487 tcp 208.124.238.246.15567 -> 67.43.131.4.22 23 3695 FSPA_
11-02 20:33:21.359 tcp 208.124.238.246.29445 -> 67.43.130.186.22 1 74 S_
11-02 20:33:21.366 tcp 208.124.238.246.7226 -> 67.43.130.250.22 1 74 S_
11-02 20:33:21.414 tcp 208.124.238.246.22687 -> 67.43.131.2.22 1 74 S_
11-02 20:33:21.419 tcp 208.124.238.246.4334 -> 67.43.131.231.22 1 74 S_
11-02 20:33:21.449 tcp 208.124.238.246.19428 -> 67.43.131.3.22 1 74 S_
11-02 20:33:21.510 tcp 208.124.238.246.5905 -> 67.43.131.5.22 1 74 S_
11-02 20:33:27.348 tcp 208.124.238.246.29445 -> 67.43.130.186.22 1 74 S_
11-02 20:33:27.358 tcp 208.124.238.246.7226 -> 67.43.130.250.22 1 74 S_
11-02 20:33:27.401 tcp 208.124.238.246.17218 -> 67.43.131.1.22 1 74 S_
11-02 20:33:27.421 tcp 208.124.238.246.22687 -> 67.43.131.2.22 1 74 S_
11-02 20:33:27.421 tcp 208.124.238.246.4334 -> 67.43.131.231.22 1 74 S_
11-02 20:33:27.446 tcp 208.124.238.246.19428 -> 67.43.131.3.22 1 74 S_
11-02 20:33:27.488 tcp 208.124.238.246.5905 -> 67.43.131.5.22 1 74 S_
11-02 20:33:39.347 tcp 208.124.238.246.29445 -> 67.43.130.186.22 1 74 S_
11-02 20:33:39.358 tcp 208.124.238.246.7226 -> 67.43.130.250.22 1 74 S_
11-02 20:33:39.380 tcp 208.124.238.246.17218 -> 67.43.131.1.22 1 74 S_
11-02 20:33:39.421 tcp 208.124.238.246.22687 -> 67.43.131.2.22 1 74 S_
11-02 20:33:39.421 tcp 208.124.238.246.4334 -> 67.43.131.231.22 1 74 S_
11-02 20:33:39.469 tcp 208.124.238.246.19428 -> 67.43.131.3.22 1 74 S_
11-02 20:33:39.598 tcp 208.124.238.246.5905 -> 67.43.131.5.22 1 74 S_
11-02 20:34:03.359 tcp 208.124.238.246.29445 -> 67.43.130.186.22 1 74 S_
11-02 20:34:03.359 tcp 208.124.238.246.7226 -> 67.43.130.250.22 1 74 S_
11-02 20:34:03.395 tcp 208.124.238.246.17218 -> 67.43.131.1.22 1 74 S_
11-02 20:34:03.421 tcp 208.124.238.246.22687 -> 67.43.131.2.22 1 74 S_
11-02 20:34:03.421 tcp 208.124.238.246.4334 -> 67.43.131.231.22 1 74 S_
11-02 20:34:03.453 tcp 208.124.238.246.19428 -> 67.43.131.3.22 1 74 S_
11-02 20:34:03.480 tcp 208.124.238.246.5905 -> 67.43.131.5.22 1 74 S_
11-02 21:14:22.810 tcp 208.124.238.246.7762 -> 64.7.128.103.22 24 3798 FSPA_
11-02 21:14:22.822 tcp 208.124.238.246.6636 -> 64.7.128.104.22 23 3695 FSPA_
11-02 21:14:22.842 tcp 208.124.238.246.15287 -> 64.7.128.198.22 23 3804 FSPA_
11-02 21:14:22.842 tcp 208.124.238.246.14271 -> 64.7.128.177.22 25 3936 FSPA_
11-02 21:14:22.842 tcp 208.124.238.246.27668 -> 64.7.128.208.22 23 3732 FSPA_
11-02 21:14:22.842 tcp 208.124.238.246.18006 -> 64.7.128.98.22 23 3804 FSPA_
11-02 21:14:22.842 tcp 208.124.238.246.14580 -> 64.7.128.117.22 24 3627 FSPA_
11-02 21:14:22.842 tcp 208.124.238.246.10910 -> 64.7.129.33.22 25 3936 FSPA_
11-02 21:14:22.854 tcp 208.124.238.246.11416 -> 64.7.132.122.22 23 3695 FSPA_
11-02 21:14:22.854 tcp 208.124.238.246.22340 -> 64.7.132.124.22 23 3695 FSPA_
11-02 21:14:22.858 tcp 208.124.238.246.2727 -> 64.7.132.210.22 25 3936 FSPA_
11-02 21:14:22.858 tcp 208.124.238.246.28249 -> 64.7.132.41.22 23 3804 FSPA_
11-02 21:14:22.858 tcp 208.124.238.246.18533 -> 64.7.132.125.22 23 3695 FSPA_
11-02 21:14:22.858 tcp 208.124.238.246.14624 -> 64.7.132.126.22 23 3695 FSPA_
11-02 21:14:22.862 tcp 208.124.238.246.12134 -> 64.7.132.127.22 23 3695 FSPA_
11-02 21:14:22.862 tcp 208.124.238.246.14425 -> 64.7.134.118.22 28 3703 FSPA_
11-02 21:14:23.009 tcp 208.124.238.246.11531 -> 64.7.135.41.22 17 2908 SPA_S
11-02 21:14:23.009 tcp 208.124.238.246.25834 -> 64.7.136.161.22 26 3738 FSPA_
11-02 21:14:23.009 tcp 208.124.238.246.8795 -> 64.7.134.15.22 23 3699 FSPA_
11-02 21:14:23.009 tcp 208.124.238.246.22447 -> 64.7.135.135.22 24 3798 FSPA_
11-02 21:14:23.014 tcp 208.124.238.246.2891 -> 64.7.141.9.22 23 3804 FSPA_
11-02 21:14:23.014 tcp 208.124.238.246.26174 -> 64.7.136.193.22 24 3798 FSPA_
11-02 21:14:23.014 tcp 208.124.238.246.22300 -> 64.7.137.145.22 32 4656 FSPA_
11-02 21:14:23.014 tcp 208.124.238.246.17207 -> 64.7.152.176.22 24 3870 FSPA_
11-02 21:14:23.014 tcp 208.124.238.246.7419 -> 64.7.149.254.22 23 3732 FSPA_
11-02 21:14:23.014 tcp 208.124.238.246.13169 -> 64.7.143.130.22 23 3691 FSPA_
11-02 21:14:23.014 tcp 208.124.238.246.19846 -> 64.7.152.158.22 28 4045 FSPA_
11-02 21:14:23.014 tcp 208.124.238.246.3584 -> 64.7.152.127.22 28 3894 FSPA_
11-02 21:14:23.014 tcp 208.124.238.246.14482 -> 64.7.149.66.22 23 3732 FSPA_
11-02 21:14:23.020 tcp 208.124.238.246.9286 -> 64.7.135.137.22 24 3798 FSPA_
11-02 21:14:23.020 tcp 208.124.238.246.6421 -> 64.7.134.45.22 20 3410 SPA_S
11-02 21:14:23.020 tcp 208.124.238.246.10453 -> 64.7.152.188.22 24 3757 FSPA_
11-02 21:14:23.020 tcp 208.124.238.246.18013 -> 64.7.153.13.22 23 4079 FSPA_
11-02 21:14:23.068 tcp 208.124.238.246.2686 -> 64.7.153.17.22 23 3695 FSPA_
11-02 21:14:23.068 tcp 208.124.238.246.19116 -> 64.7.153.2.22 23 3732 FSPA_
11-02 21:14:23.068 tcp 208.124.238.246.23752 -> 64.7.153.130.22 23 3695 FSPA_
11-02 21:14:23.068 tcp 208.124.238.246.12404 -> 64.7.153.15.22 24 3814 FSPA_
11-02 21:14:23.068 tcp 208.124.238.246.28118 -> 64.7.153.49.22 23 3732 FSPA_
11-02 21:14:23.110 tcp 208.124.238.246.13056 -> 64.7.153.7.22 23 3732 FSPA_
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
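The one-completed-session-per-target pattern in the records above is exactly what per-host login alarms miss. The following is an added example, not code from Mike's post or from the argus project: it parses records in the layout shown above and flags a source that completes at most one SSH session per target host across many hosts, counting the unanswered SYNs (stale targets) and the sleep gaps between bursts. The sample records are constructed, and the thresholds (four hosts, a 30-minute gap) are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the argus records above (one record per line,
# year-less timestamps). 208.124.238.246 mimics the reported scanner; 192.0.2.10
# is a normal user who logs in to one host twice.
SAMPLE = """\
11-02 20:33:14.616 tcp 208.124.238.246.24733 -> 67.43.128.1.22 23 3732 FSPA_
11-02 20:33:14.624 tcp 208.124.238.246.23193 -> 67.43.128.113.22 23 3804 FSPA_
11-02 20:33:21.359 tcp 208.124.238.246.29445 -> 67.43.130.186.22 1 74 S_
11-02 21:14:22.810 tcp 208.124.238.246.7762 -> 64.7.128.103.22 24 3798 FSPA_
11-02 21:14:22.822 tcp 208.124.238.246.6636 -> 64.7.128.104.22 23 3695 FSPA_
11-02 20:40:00.000 tcp 192.0.2.10.40000 -> 67.43.128.1.22 120 20480 FSPA_
11-02 20:41:00.000 tcp 192.0.2.10.40001 -> 67.43.128.1.22 118 20100 FSPA_
"""

def parse_records(text):
    """One dict per record: start seconds, proto, src/dst host, dport, state."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or f[4] != "->":
            continue  # header or wrapped line, skip
        t = datetime.strptime(f[0] + " " + f[1], "%m-%d %H:%M:%S.%f")
        out.append({"t": (t - datetime(1900, 1, 1)).total_seconds(), "proto": f[2],
                    "src": f[3].rsplit(".", 1)[0], "dst": f[5].rsplit(".", 1)[0],
                    "dport": int(f[5].rsplit(".", 1)[1]), "state": f[8]})
    return out

def find_one_hit_scanners(records, min_hosts=4, min_gap_s=1800):
    """Sources that complete <=1 SSH session per target across >= min_hosts targets,
    the one-per-IP pattern that stays under per-host alarms (thresholds assumed)."""
    per_src = defaultdict(lambda: {"done": defaultdict(int), "syn_only": 0, "times": []})
    for r in records:
        if r["proto"] != "tcp" or r["dport"] != 22:
            continue
        s = per_src[r["src"]]
        s["times"].append(r["t"])
        if "A" in r["state"]:             # handshake completed: a real login attempt
            s["done"][r["dst"]] += 1
        elif r["state"].startswith("S"):  # unanswered SYN: target gone or filtered
            s["syn_only"] += 1
    hits = {}
    for src, s in per_src.items():
        if len(s["done"]) < min_hosts or max(s["done"].values()) > 1:
            continue
        ts = sorted(s["times"])
        bursts = 1 + sum(1 for a, b in zip(ts, ts[1:]) if b - a > min_gap_s)
        hits[src] = {"hosts": len(s["done"]), "syn_only": s["syn_only"], "bursts": bursts}
    return hits
```

Run over a whole AS's flow records rather than one host's logs, since the signal is the breadth of distinct targets per source, and the `bursts` count separates a patient scanner from a one-off sweep.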