[nsp-sec] slow distributed ssh scan
Smith, Donald
Donald.Smith at CenturyLink.com
Fri Nov 4 16:34:10 EDT 2011
Mike, in the username choice did you see anything indicating a preference for one culture's common names? The reason I ask is that at least one kit out there harvested new names to try from the local /etc/passwd file. We (SANS) saw it but never found the kit. We could tell that hosts brute-forcing other hosts were picking up Finnish, German and English names, and the hosts they were scanning from were located in the right areas to have picked up those names from the /etc/passwd file. But I never saw the tool kit, so I am still kind of looking for it. This is of course a logical step. And building your dictionary that way helps somewhat with IPs close to you.
Most other tools have either a very small dictionary or use just a few canned, well-known accounts (root, apache, ...). Of course brute-forcing just root means that kit doesn't need a set of good privilege escalation exploits :)
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com
________________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Mike Tancsa [mike at sentex.net]
Sent: Friday, November 04, 2011 12:18 PM
To: Marc Kneppers
Cc: Nsp-Security
Subject: Re: [nsp-sec] slow distributed ssh scan
----------- nsp-security Confidential --------
On 11/4/2011 10:58 AM, Marc Kneppers wrote:
> Hey Mike,
>
> I picked up the same stuff last week, from 3 additional IPs:
>
> AS | IP | AS Name
> 39306 | 89.47.60.22 | OPTICBRIDGE-RO-AS Optic Bridge SRL
> 56048 | 218.205.201.150 | CMNET-BEIJING-AP China Mobile Communicaitons Corporation
> 4847 | 1.202.90.78 | CNIX-AP China Networks Inter-Exchange
Hi Marc,
Mine seem to have just stopped on the 29th for the most part. Looking at the tail end of the logs, it might be due to getting to the end of their list as opposed to someone shutting them down :( Haven't seen them since in any numbers.
Oct 28 23:36:25 freebsd-current sshd[69662]: Invalid user zabbix from 89.97.247.147
Oct 28 23:38:14 freebsd-current sshd[75486]: Invalid user zhang from 211.144.82.8
Oct 28 23:39:11 freebsd-current sshd[85022]: Invalid user zope from 213.174.167.15
Oct 28 23:39:16 freebsd-current sshd[85517]: Invalid user zxin10 from 118.142.4.27
Of the ones that have come back, they seem to be trying to log in directly as root to other hosts (seemingly) picked at random inside my AS.
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
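The log lines Mike posted show the shape of the problem: one failed attempt per source address, usernames walking through a dictionary in alphabetical order, and the sources spread across many networks, so no single-IP threshold ever fires. The script below is an added example (not code from the thread or from anyone on the list) that parses sshd "Invalid user" and "Failed password for root" lines and flags the campaign by aggregating across sources rather than per source. The sample log is constructed from the four lines in the thread plus two made-up direct-root failures from a documentation address; the year is assumed to be 2011 because syslog lines carry none, and the thresholds in classify() are illustrative.

```python
"""Triage sshd auth log lines for a slow, distributed dictionary scan.
Added example, not from the thread; thresholds are illustrative."""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2011  # assumed: syslog timestamps carry no year, thread is from 2011

# Constructed sample: the four lines from the thread plus two made-up
# direct-root failures from a documentation address (198.51.100.0/24).
SAMPLE_LOG = """\
Oct 28 23:36:25 freebsd-current sshd[69662]: Invalid user zabbix from 89.97.247.147
Oct 28 23:38:14 freebsd-current sshd[75486]: Invalid user zhang from 211.144.82.8
Oct 28 23:39:11 freebsd-current sshd[85022]: Invalid user zope from 213.174.167.15
Oct 28 23:39:16 freebsd-current sshd[85517]: Invalid user zxin10 from 118.142.4.27
Oct 29 00:02:40 freebsd-current sshd[85900]: Failed password for root from 198.51.100.7 port 52211 ssh2
Oct 29 00:02:43 freebsd-current sshd[85901]: Failed password for root from 198.51.100.7 port 52212 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<inv_user>\S+) from (?P<inv_src>\S+)"
    r"|Failed password for (?:invalid user )?(?P<fp_user>\S+) from (?P<fp_src>\S+) port \d+)"
)


def parse_line(line):
    """Return (timestamp, user, src, kind) for a recognised sshd line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=YEAR)
    if m.group("inv_user"):
        return ts, m.group("inv_user"), m.group("inv_src"), "invalid_user"
    return ts, m.group("fp_user"), m.group("fp_src"), "failed_password"


def analyze(lines):
    """Aggregate probes across all sources; per-source counts alone miss this scan."""
    events = [e for e in map(parse_line, lines) if e]
    per_src = defaultdict(list)   # src -> [(ts, user)] for unknown-username probes
    root_hits = defaultdict(int)  # src -> count of failed direct root logins
    for ts, user, src, kind in events:
        if kind == "invalid_user":
            per_src[src].append((ts, user))
        elif user == "root":
            root_hits[src] += 1
    probes = sorted((ts, user, src) for src, lst in per_src.items() for ts, user in lst)
    users = [u for _, u, _ in probes]
    return {
        "distinct_sources": len(per_src),
        "max_per_source": max((len(v) for v in per_src.values()), default=0),
        # usernames arriving in sorted order across different IPs = one shared wordlist
        "dictionary_walk": len(users) > 1 and users == sorted(users),
        "span_seconds": (probes[-1][0] - probes[0][0]).total_seconds() if probes else 0.0,
        "root_sources": dict(root_hits),
    }


def classify(report, min_sources=3, max_per_source=2):
    """Turn the aggregate report into findings; thresholds are illustrative."""
    findings = []
    if (report["distinct_sources"] >= min_sources
            and report["max_per_source"] <= max_per_source
            and report["dictionary_walk"]):
        findings.append("distributed dictionary walk: %d sources, <=%d tries each, "
                        "usernames in sorted order"
                        % (report["distinct_sources"], report["max_per_source"]))
    for src, n in report["root_sources"].items():
        if n >= 2:
            findings.append("direct root brute force from %s (%d failures)" % (src, n))
    return findings


if __name__ == "__main__":
    for finding in classify(analyze(SAMPLE_LOG.splitlines())):
        print(finding)
```

The point of the aggregation is that each source in the sample makes exactly one attempt, so a per-IP block-after-N-failures rule never triggers; the signal is the number of distinct sources combined with the monotonic username sequence, which is what a shared wordlist split across many bots looks like. On a real host you would feed it the output of the auth log over a day or a week, since the thread's scan ran at a few attempts per minute.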
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.