[nsp-sec] slow distributed ssh scan
Marc Kneppers
Marc.Kneppers at TELUS.COM
Fri Nov 4 10:58:54 EDT 2011
Hey Mike,
I picked up the same stuff last week, from 3 additional IPs:
AS | IP | AS Name
39306 | 89.47.60.22 | OPTICBRIDGE-RO-AS Optic Bridge SRL
56048 | 218.205.201.150 | CMNET-BEIJING-AP China Mobile Communicaitons Corporation
4847 | 1.202.90.78 | CNIX-AP China Networks Inter-Exchange
Marc
TELUS
ASN 852
On 11-10-28 3:13 PM, "Mike Tancsa" <mike at sentex.net> wrote:
>----------- nsp-security Confidential --------
>
>
>I will submit to the scanner list for the next few days, but these guys
>started to show up again just recently. Seems to be coordinated as the
>user ids are sequential and the time gap is stretched out per host to try
>and get in under the radar.
>
>e.g. here are some logs from one box with an open ssh port. Note the
>sequential usernames
>
>Oct 28 07:56:41 freebsd-legacy kernel: Oct 28 07:56:41 freebsd-legacy
>sshd[78477]: error: PAM: authentication error for illegal user santa from
>88.191.89.25
>Oct 28 07:56:46 freebsd-legacy kernel: Oct 28 07:56:46 freebsd-legacy
>sshd[78378]: error: PAM: authentication error for illegal user sandro
>from 211.144.82.8
>Oct 28 07:58:44 freebsd-legacy kernel: Oct 28 07:58:44 freebsd-legacy
>sshd[88505]: error: PAM: authentication error for illegal user sap from
>122.255.96.45
>Oct 28 08:03:25 freebsd-legacy kernel: Oct 28 08:03:25 freebsd-legacy
>sshd[3607]: error: PAM: authentication error for illegal user sas from
>58.63.241.209
>Oct 28 08:05:40 freebsd-legacy kernel: Oct 28 08:05:40 freebsd-legacy
>sshd[7393]: error: PAM: authentication error for illegal user sc from
>69.162.70.2
>Oct 28 08:06:03 freebsd-legacy kernel: Oct 28 08:06:03 freebsd-legacy
>sshd[8062]: error: PAM: authentication error for illegal user sasha from
>74.52.189.50
>Oct 28 08:08:05 freebsd-legacy kernel: Oct 28 08:08:05 freebsd-legacy
>sshd[11701]: error: PAM: authentication error for illegal user scanner
>from 219.240.36.108
>Oct 28 08:11:57 freebsd-legacy kernel: Oct 28 08:11:57 freebsd-legacy
>sshd[32109]: error: PAM: authentication error for illegal user schneider
>from 88.191.99.23
>Oct 28 08:13:40 freebsd-legacy kernel: Oct 28 08:13:40 freebsd-legacy
>sshd[36636]: error: PAM: authentication error for illegal user scott from
>59.106.144.134
>Oct 28 08:15:43 freebsd-legacy kernel: Oct 28 08:15:43 freebsd-legacy
>sshd[43267]: error: PAM: authentication error for illegal user scp from
>xs.5460.net
>Oct 28 08:17:09 freebsd-legacy kernel: Oct 28 08:17:09 freebsd-legacy
>sshd[47499]: error: PAM: authentication error for illegal user sean from
>61.31.204.90
>Oct 28 08:17:55 freebsd-legacy kernel: Oct 28 08:17:55 freebsd-legacy
>sshd[49553]: error: PAM: authentication error for illegal user sean from
>190.152.145.53
>Oct 28 08:18:42 freebsd-legacy kernel: Oct 28 08:18:42 freebsd-legacy
>sshd[51498]: error: PAM: authentication error for illegal user sean from
>82.130.143.216
>
>However, the one IP will try multiple hosts on various subnets inside my
>AS. e.g. santa attacker below
>
> StartTime Flgs Proto SrcAddr Sport Dir
> DstAddr Dport TotPkts TotBytes State
>10-28 09:43:10.741 M * tcp 88.191.89.25.53765 ->
>64.7.135.135.22 78 14665 FIN
>10-28 09:45:21.068 M * tcp 88.191.89.25.39550 ->
>64.7.129.32.22 93 15695 FIN
>10-28 09:48:48.976 M * tcp 88.191.89.25.42568 ->
>67.43.129.219.22 58 10294 FIN
>10-28 09:49:28.579 M s tcp 88.191.89.25.57529 ->
>205.211.164.254.22 45 6807 FIN
>10-28 09:49:45.135 M tcp 88.191.89.25.59270 ->
>64.7.128.103.22 28 5023 FIN
>10-28 09:51:40.926 M s tcp 88.191.89.25.43367 ->
>64.7.138.134.22 48 7013 FIN
>10-28 09:56:23.831 M * tcp 88.191.89.25.50360 ->
>205.211.164.75.22 56 10158 FIN
>10-28 09:59:26.462 M * tcp 88.191.89.25.49015 ->
>64.7.132.125.22 15 1159 CON
>10-28 09:59:29.799 M tcp 88.191.89.25.35128 ->
>64.7.128.208.22 29 5017 FIN
>10-28 09:59:31.806 M tcp 88.191.89.25.49015 ->
>64.7.132.125.22 9 618 FIN
>10-28 10:03:21.790 M tcp 88.191.89.25.35218 ->
>64.7.141.9.22 27 4957 FIN
>10-28 10:05:53.026 e tcp 88.191.89.25.58677 ->
>67.43.128.4.22 12 2656 FIN
>10-28 10:06:03.376 M * tcp 88.191.89.25.59640 ->
>64.7.132.126.22 15 1159 CON
>10-28 10:06:08.717 M tcp 88.191.89.25.59640 ->
>64.7.132.126.22 9 618 FIN
>10-28 10:06:23.170 M * tcp 88.191.89.25.36298 ->
>64.7.132.124.22 15 1159 CON
>10-28 10:06:28.513 M tcp 88.191.89.25.36298 ->
>64.7.132.124.22 9 618 FIN
>10-28 10:06:54.224 e tcp 88.191.89.25.54443 ->
>98.159.240.9.22 12 2656 FIN
>10-28 10:10:27.789 M * tcp 88.191.89.25.44765 ->
>64.7.138.7.22 84 15293 FIN
>10-28 10:13:42.574 M * tcp 88.191.89.25.44895 ->
>64.7.153.130.22 15 1159 CON
>10-28 10:13:46.966 M tcp 88.191.89.25.52883 ->
>64.7.128.103.22 27 4957 FIN
>10-28 10:13:47.925 M tcp 88.191.89.25.44895 ->
>64.7.153.130.22 9 618 FIN
>10-28 10:15:04.575 e tcp 88.191.89.25.37669 ->
>67.43.128.4.22 12 2656 FIN
>10-28 10:16:53.905 M * tcp 88.191.89.25.43061 ->
>205.211.164.75.22 56 10158 FIN
>10-28 10:17:25.705 M * tcp 88.191.89.25.34660 ->
>64.7.132.126.22 15 1159 CON
>10-28 10:17:31.050 M tcp 88.191.89.25.34660 ->
>64.7.132.126.22 9 618 FIN
>10-28 10:18:17.909 e tcp 88.191.89.25.59002 ->
>98.159.240.9.22 12 2656 FIN
>10-28 10:21:08.392 M * tcp 88.191.89.25.57038 ->
>64.7.132.127.22 15 1159 CON
>10-28 10:21:13.736 M tcp 88.191.89.25.57038 ->
>64.7.132.127.22 9 618 FIN
>10-28 10:21:30.161 e tcp 88.191.89.25.33019 ->
>98.159.240.8.22 12 2656 FIN
>10-28 10:25:04.345 M s tcp 88.191.89.25.52821 ->
>64.7.149.254.22 48 7013 FIN
>10-28 10:25:30.826 M * tcp 88.191.89.25.33485 ->
>64.7.138.7.22 84 15293 FIN
>
>Bulk mode; whois.cymru.com [2011-10-28 21:10:31 +0000]
>2514 | 203.141.158.120 | Oct 28 09:16:36 GMT | INFOSPHERE NTT PC
>Communications, Inc.
>2527 | 202.213.205.172 | Oct 28 16:43:17 GMT | SO-NET So-net
>Entertainment Corporation
>3215 | 194.2.25.13 | Oct 28 16:15:13 GMT | AS3215 France Telecom
>- Orange
>3215 | 217.128.151.181 | Oct 28 08:49:03 GMT | AS3215 France Telecom
>- Orange
>3215 | 62.161.44.45 | Oct 28 09:51:51 GMT | AS3215 France Telecom
>- Orange
>3242 | 151.1.183.216 | Oct 28 16:54:02 GMT | ASN-ITNET ITnet S.r.l.
>3269 | 79.4.167.152 | Oct 28 08:59:52 GMT | ASN-IBSNAZ Telecom
>Italia S.p.a.
>3269 | 79.48.7.10 | Oct 28 16:21:55 GMT | ASN-IBSNAZ Telecom
>Italia S.p.a.
>3320 | 62.225.155.90 | Oct 28 18:16:14 GMT | DTAG Deutsche Telekom
>AG
>3352 | 217.127.66.216 | Oct 28 16:31:06 GMT | TELEFONICA-DATA-ESPANA
>TELEFONICA DE ESPANA
>3352 | 80.26.69.233 | Oct 28 09:35:33 GMT | TELEFONICA-DATA-ESPANA
>TELEFONICA DE ESPANA
>3462 | 114.32.173.14 | Oct 28 18:15:47 GMT | HINET Data
>Communication Business Group
>3462 | 114.32.226.22 | Oct 28 08:21:19 GMT | HINET Data
>Communication Business Group
>3462 | 114.32.50.243 | Oct 28 17:28:55 GMT | HINET Data
>Communication Business Group
>3462 | 210.241.238.236 | Oct 28 07:44:05 GMT | HINET Data
>Communication Business Group
>3462 | 59.120.72.33 | Oct 28 17:01:02 GMT | HINET Data
>Communication Business Group
>3786 | 211.234.100.205 | Oct 28 07:46:37 GMT | LGDACOM LG DACOM
>Corporation
>3839 | 161.200.90.2 | Oct 28 09:21:47 GMT | ERX-CHULANET
>Chulalongkorn University
>4134 | 202.100.80.21 | Oct 28 16:58:52 GMT | CHINANET-BACKBONE
>No.31,Jin-rong Street
>4134 | 220.180.230.134 | Oct 28 09:35:53 GMT | CHINANET-BACKBONE
>No.31,Jin-rong Street
>4134 | 221.232.155.6 | Oct 28 17:55:04 GMT | CHINANET-BACKBONE
>No.31,Jin-rong Street
>4134 | 58.63.241.209 | Oct 28 08:03:25 GMT | CHINANET-BACKBONE
>No.31,Jin-rong Street
>4134 | 61.164.35.17 | Oct 28 08:30:09 GMT | CHINANET-BACKBONE
>No.31,Jin-rong Street
>4538 | 202.120.52.130 | Oct 28 17:54:29 GMT | ERX-CERNET-BKB China
>Education and Research Network Center
>4538 | 210.42.35.1 | Oct 28 16:57:42 GMT | ERX-CERNET-BKB China
>Education and Research Network Center
>4621 | 202.28.37.63 | Oct 28 08:33:53 GMT | UNSPECIFIED UNINET-TH
>4716 | 210.238.91.147 | Oct 28 07:44:52 GMT | POWEREDCOM KDDI
>CORPORATION
>4766 | 121.166.70.252 | Oct 28 07:37:50 GMT | KIXS-AS-KR Korea
>Telecom
>4766 | 61.78.62.43 | Oct 28 17:40:21 GMT | KIXS-AS-KR Korea
>Telecom
>4808 | 218.247.244.13 | Oct 28 16:47:19 GMT | CHINA169-BJ CNCGROUP
>IP network China169 Beijing Province Network
>4812 | 222.73.41.52 | Oct 28 19:32:27 GMT | CHINANET-SH-AP China
>Telecom (Group)
>4837 | 124.160.72.149 | Oct 28 07:52:58 GMT | CHINA169-BACKBONE
>CNCGROUP China169 Backbone
>4837 | 60.28.199.166 | Oct 28 09:14:59 GMT | CHINA169-BACKBONE
>CNCGROUP China169 Backbone
>4847 | 122.70.141.250 | Oct 28 17:00:29 GMT | CNIX-AP China Networks
>Inter-Exchange
>4847 | 211.144.82.8 | Oct 28 07:56:46 GMT | CNIX-AP China Networks
>Inter-Exchange
>4847 | 219.234.88.247 | Oct 28 08:21:47 GMT | CNIX-AP China Networks
>Inter-Exchange
>4847 | 60.195.249.67 | Oct 28 19:56:16 GMT | CNIX-AP China Networks
>Inter-Exchange
>7132 | 65.70.247.20 | Oct 28 18:19:48 GMT | SBIS-AS - AT&T
>Internet Services
>8167 | 201.25.53.34 | Oct 28 10:06:14 GMT | TELESC -
>Telecomunicacoes de Santa Catarina SA
>8167 | 201.67.157.178 | Oct 28 08:52:55 GMT | TELESC -
>Telecomunicacoes de Santa Catarina SA
>8426 | 212.49.222.82 | Oct 28 18:16:53 GMT | CLARANET-AS ClaraNET
>LTD
>8717 | 212.36.7.246 | Oct 28 08:43:12 GMT | SPECTRUMNET Spectrum
>NET Jsc
>8820 | 82.139.199.57 | Oct 28 08:23:23 GMT | TAL-DE TAL.DE Klaus
>Internet Service GmbH
>8990 | 212.92.13.110 | Oct 28 16:25:37 GMT | AHRT-AS _ANTENNA
>HUNGARIA_ Magyar Musorszoro es Radiohirkozlesi
>9304 | 118.142.4.27 | Oct 28 09:52:42 GMT | HUTCHISON-AS-AP
>Hutchison Global Communications
>9318 | 219.240.36.108 | Oct 28 08:08:05 GMT | HANARO-AS Hanaro
>Telecom Inc.
>9370 | 59.106.144.134 | Oct 28 08:13:40 GMT | SAKURA-B SAKURA
>Internet Inc.
>9371 | 219.94.144.230 | Oct 28 16:19:27 GMT | SAKURA-C SAKURA
>Internet Inc.
>9812 | 211.167.110.2 | Oct 28 17:58:02 GMT | CNNIC-CN-COLNET
>Oriental Cable Network Co., Ltd.
>9924 | 61.31.204.90 | Oct 28 07:48:31 GMT | TFN-TW Taiwan Fixed
>Network, Telco and Network Service Provider.
>9931 | 61.19.45.119 | Oct 28 09:04:30 GMT | CAT-AP The
>Communication Authoity of Thailand, CAT
>11664 | 200.80.163.74 | Oct 28 20:31:33 GMT | Techtel LMDS
>Comunicaciones Interactivas S.A.
>12322 | 82.228.250.163 | Oct 28 10:05:25 GMT | PROXAD Free SAS
>12322 | 88.191.89.25 | Oct 28 07:56:41 GMT | PROXAD Free SAS
>12322 | 88.191.99.23 | Oct 28 08:11:57 GMT | PROXAD Free SAS
>12338 | 82.130.143.216 | Oct 28 08:18:42 GMT | EUSKALTEL Euskaltel
>S.A.
>12670 | 195.167.225.173 | Oct 28 18:35:35 GMT | Completel Autonomous
>System in France
>12874 | 89.97.247.147 | Oct 28 07:32:50 GMT | FASTWEB Fastweb SpA
>14259 | 200.63.96.126 | Oct 28 08:41:24 GMT | Gtd Internet S.A.
>14307 | 68.78.199.247 | Oct 28 08:24:23 GMT | ASN-ROCNET - ROCK
>SERVICES, INC.
>14420 | 190.152.145.53 | Oct 28 07:49:12 GMT | CORPORACION NACIONAL
>DE TELECOMUNICACIONES - CNT EP
>14522 | 200.25.180.75 | Oct 28 18:22:50 GMT | Satnet
>15763 | 85.22.60.6 | Oct 28 20:15:17 GMT | ASDOKOM DOKOM
>Gesellschaft fuer Telekommunikation mbH
>17408 | 202.133.244.64 | Oct 28 08:42:34 GMT | ABOVE-AS-AP AboveNet
>Communications Taiwan
>17431 | 219.234.88.247 | Oct 28 08:21:47 GMT | TONET Beijing TONEK
>Information Technology Development Company
>17431 | 60.195.249.67 | Oct 28 19:56:16 GMT | TONET Beijing TONEK
>Information Technology Development Company
>17621 | 220.248.102.254 | Oct 28 07:36:19 GMT | CNCGROUP-SH China
>Unicom Shanghai network
>17816 | 58.254.143.204 | Oct 28 07:48:09 GMT | CHINA169-GZ China
>Unicom IP network China169 Guangdong province
>17964 | 218.247.244.13 | Oct 28 16:47:19 GMT | DXTNET Beijing
>Dian-Xin-Tong Network Technologies Co., Ltd.
>17981 | 202.131.87.70 | Oct 28 17:51:32 GMT | CAMBOTECH-KH-AS ISP
>Cambodia
>18881 | 200.175.53.196 | Oct 28 09:42:39 GMT | Global Village Telecom
>19089 | 189.14.99.226 | Oct 28 08:47:29 GMT | Dedalus.com S/C Ltda
>21309 | 213.174.167.15 | Oct 28 19:22:59 GMT | CASAWEB-AS ACANTHO SPA
>21844 | 74.52.189.50 | Oct 28 08:06:03 GMT | THEPLANET-AS -
>ThePlanet.com Internet Services, Inc.
>21844 | 75.125.255.98 | Oct 28 09:53:56 GMT | THEPLANET-AS -
>ThePlanet.com Internet Services, Inc.
>24961 | 217.79.182.38 | Oct 28 18:18:20 GMT | FIBREONE-AS fibre one
>networks GmbH, Duesseldorf
>27257 | 67.55.95.132 | Oct 28 16:45:24 GMT | WEBAIR-INTERNET -
>Webair Internet Development Company Inc.
>32613 | 72.55.179.219 | Oct 28 17:14:50 GMT | IWEB-AS - iWeb
>Technologies Inc.
>33070 | 72.3.142.26 | Oct 28 08:32:44 GMT | RMH-14 - Rackspace
>Hosting
>33942 | 83.139.194.70 | Oct 28 07:34:28 GMT | AGACTEL-AS AGACTEL
>S.p.a.
>38322 | 122.255.96.164 | Oct 28 07:34:54 GMT | P1NETWORKS-MY-AP
>Packet One Networks Sdn Bhd, Internet Services Provider
>38322 | 122.255.96.45 | Oct 28 07:58:44 GMT | P1NETWORKS-MY-AP
>Packet One Networks Sdn Bhd, Internet Services Provider
>39906 | 81.92.159.194 | Oct 28 08:38:49 GMT | COPROSYS CoProSys a.s.
>43711 | 87.229.7.163 | Oct 28 18:36:17 GMT | SZERVERNET-HU-AS
>Szervernet Ltd.
>45204 | 180.149.92.22 | Oct 28 09:41:15 GMT | GEMNET-MN GEMNET LLC
>46475 | 69.162.65.138 | Oct 28 07:42:09 GMT | LIMESTONENETWORKS -
>Limestone Networks, Inc.
>46475 | 69.162.70.2 | Oct 28 07:40:50 GMT | LIMESTONENETWORKS -
>Limestone Networks, Inc.
>55462 | 122.70.144.168 | Oct 28 18:19:30 GMT | NETNET Beijing
>ZhongDianXinDa Communication Technology Co., Ltd.
>55545 | 203.158.6.110 | Oct 28 17:18:16 GMT | SUT-AS-AP Suranaree
>University of Technology
>
>
> ---Mike
>
>--
>-------------------
>Mike Tancsa, tel +1 519 651 3400
>Sentex Communications, mike at sentex.net
>Providing Internet services since 1994 www.sentex.net
>Cambridge, Ontario Canada http://www.tancsa.com/
>
>
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>community. Confidentiality is essential for effective Internet security
>counter-measures.
>_______________________________________________
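The pattern Mike describes, each source IP making only one or two attempts against a host while the usernames advance alphabetically across all sources, is exactly what per-IP failure thresholds miss. The following is an added example, not code from either poster: it parses sshd/PAM failure lines of the form quoted above (both the plain syslog form and the FreeBSD `kernel: ... sshd[...]` double-prefix form), shows that a per-source threshold of five failures flags nothing, and instead correlates across sources by measuring how close the username sequence is to sorted order. The sample log lines, the documentation-range source addresses, the year used for timestamps and the thresholds (`min_sources`, `per_source_max`, `min_order`) are all constructed assumptions for the example.

```python
"""Detect a slow, distributed SSH username sweep from sshd log lines.

Added example, not from the nsp-security thread. The sample log lines are
constructed to resemble the FreeBSD sshd/PAM messages quoted there: each
source makes a single attempt, but the usernames form one roughly sorted
list across all sources. Source addresses are RFC 5737 documentation ranges.
"""
import re
from collections import Counter
from datetime import datetime

# First timestamp on the line (the FreeBSD "kernel: <ts> host sshd[..]" form
# repeats it, so the leading one is used) and the PAM failure text anywhere
# after it.
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) ")
FAIL_RE = re.compile(
    r"sshd\[\d+\]: error: PAM: authentication error for illegal user "
    r"(?P<user>\S+) from (?P<src>\S+)\s*$"
)

# Constructed sample: 13 failures, 13 distinct sources, alphabetical usernames
# with two out-of-order entries (hosts run in parallel, so order is not exact).
SAMPLE_LOG = """\
Oct 28 07:56:41 freebsd-legacy kernel: Oct 28 07:56:41 freebsd-legacy sshd[78477]: error: PAM: authentication error for illegal user santa from 192.0.2.10
Oct 28 07:56:46 host1 sshd[78378]: error: PAM: authentication error for illegal user sandro from 198.51.100.7
Oct 28 07:57:00 host1 sshd[1]: Accepted publickey for admin from 192.0.2.1 port 1234 ssh2
Oct 28 07:58:44 host1 sshd[88505]: error: PAM: authentication error for illegal user sap from 203.0.113.45
Oct 28 08:03:25 host1 sshd[3607]: error: PAM: authentication error for illegal user sas from 192.0.2.209
Oct 28 08:05:40 host1 sshd[7393]: error: PAM: authentication error for illegal user sc from 198.51.100.2
Oct 28 08:06:03 host1 sshd[8062]: error: PAM: authentication error for illegal user sasha from 203.0.113.50
Oct 28 08:08:05 host1 sshd[11701]: error: PAM: authentication error for illegal user scanner from 192.0.2.108
Oct 28 08:11:57 host1 sshd[32109]: error: PAM: authentication error for illegal user schneider from 198.51.100.23
Oct 28 08:13:40 host1 sshd[36636]: error: PAM: authentication error for illegal user scott from 203.0.113.134
Oct 28 08:15:43 host1 sshd[43267]: error: PAM: authentication error for illegal user scp from 192.0.2.99
Oct 28 08:17:09 host1 sshd[47499]: error: PAM: authentication error for illegal user sean from 198.51.100.90
Oct 28 08:17:55 host1 sshd[49553]: error: PAM: authentication error for illegal user sean from 203.0.113.53
Oct 28 08:18:42 host1 sshd[51498]: error: PAM: authentication error for illegal user sean from 192.0.2.216
"""


def parse_line(line, year=2011):
    """Return (timestamp, username, source) for a PAM failure line, else None.

    syslog lines carry no year, so one is assumed (2011 matches the thread)."""
    ts = TS_RE.match(line)
    fail = FAIL_RE.search(line)
    if not ts or not fail:
        return None
    when = datetime.strptime(f"{year} {ts['mon']} {ts['day']} {ts['hms']}",
                             "%Y %b %d %H:%M:%S")
    return when, fail["user"].lower(), fail["src"]


def longest_nondecreasing(seq):
    """Length of the longest non-decreasing subsequence (O(n^2) DP).

    Used as an order measure that tolerates a few out-of-order usernames."""
    best = [1] * len(seq)
    for i in range(len(seq)):
        for j in range(i):
            if seq[j] <= seq[i]:
                best[i] = max(best[i], best[j] + 1)
    return max(best, default=0)


def per_source_alerts(events, threshold=5):
    """Sources a per-IP rate limiter would flag: >= threshold failures each."""
    counts = Counter(src for _, _, src in events)
    return sorted(src for src, n in counts.items() if n >= threshold)


def analyze(lines, min_sources=5, per_source_max=3, min_order=0.7):
    """Correlate failures across sources; flag a coordinated sweep when many
    sources each make few attempts and the usernames advance in order."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])
    users = [u for _, u, _ in events]
    counts = Counter(src for _, _, src in events)
    order_fraction = longest_nondecreasing(users) / len(users) if users else 0.0
    max_per_source = max(counts.values(), default=0)
    span = int((events[-1][0] - events[0][0]).total_seconds()) if events else 0
    return {
        "events": len(events),
        "sources": sorted(counts),          # feed these to a bulk whois lookup
        "max_per_source": max_per_source,
        "ordered_fraction": round(order_fraction, 3),
        "span_seconds": span,
        "coordinated": (len(counts) >= min_sources
                        and max_per_source <= per_source_max
                        and order_fraction >= min_order),
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    events = [e for e in (parse_line(l) for l in lines) if e]
    print("per-source threshold alerts:", per_source_alerts(events))
    print("cross-source analysis:", analyze(lines))
```

On the sample, `per_source_alerts` returns nothing because no address exceeds one failure, while `analyze` reports 13 sources, at most one attempt each, and 11 of 13 usernames in sorted order, so `coordinated` is true. The `sources` list is what you would hand to a bulk whois lookup, as the thread does, or submit to a scanner list.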