[nsp-sec] slow distributed ssh scan
Mike Tancsa
mike at sentex.net
Fri Nov 4 16:47:07 EDT 2011
On 11/4/2011 4:34 PM, Smith, Donald wrote:
> Mike, in the username choice did you see anything indicating a preference for one culture's common names? The reason I ask is that at least one kit out there harvested new names to try from the local /etc/password file. We (SANS) saw it but never found the kit. We could tell that hosts brute-forcing other hosts were picking up Finnish, German and English names, and the hosts they were scanning from were located in the right areas to have picked up those names from the /etc/password file. But I never saw the toolkit, so I am still kind of looking for it. This is of course a logical step, and building your dictionary that way helps somewhat with IPs close to you.
>
> Most other tools have either a very small dictionary or use just a few canned users (root, apache, ...), i.e. well-known accounts. Of course brute-forcing just root means that kit doesn't need a set of good privilege escalation exploits :)
Hi,
On the one host I just sampled, there are certainly many Slavic and
Germanic names in there, but a lot of Anglo ones as well, and then
various application role accounts. Attached is the list of the names
tried. There are some mixed in there which are probably not part of the
network, but the pattern is pretty clear. Not sure why they would not
randomize it.
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: brute-force-as11647-2011.txt.gz
Type: application/gzip
Size: 17081 bytes
Desc: not available
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20111104/22c1aa28/attachment-0001.gz>
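The thread describes the signature of a slow distributed scan: many source hosts, each trying only a handful of usernames at a low rate, but collectively walking one shared, unrandomized wordlist. The following is an added example, not code from the list or from either poster, of how to surface that pattern from sshd "Failed password" lines. The log lines are constructed for the example (RFC 5737 test addresses), and the thresholds (at most 5 attempts per "slow" source, at least 3 sources sharing names) are assumptions to tune for your own log volume.

```python
"""Aggregate sshd 'Failed password' lines to surface a slow, distributed
username-dictionary scan: many source IPs, each trying a few names, whose
attempts overlap and keep a consistent order (one shared, unshuffled list)."""
import re
from collections import defaultdict

# Constructed sshd auth-log excerpt for this example (RFC 5737 test addresses).
# Four low-rate sources each try two names from one shared list in the same
# order; 203.0.113.5 is a conventional single-source root brute forcer and
# 10.0.0.5 is one mistyped password from a real user.
SAMPLE_LOG = """\
Nov  4 09:59:00 gw sshd[2200]: Accepted publickey for mike from 10.0.0.5 port 49990 ssh2
Nov  4 10:01:12 gw sshd[2211]: Failed password for invalid user mikko from 198.51.100.7 port 40122 ssh2
Nov  4 10:01:40 gw sshd[2212]: Failed password for invalid user jussi from 198.51.100.7 port 40140 ssh2
Nov  4 10:55:03 gw sshd[2390]: Failed password for invalid user hans from 203.0.113.21 port 51002 ssh2
Nov  4 10:55:31 gw sshd[2391]: Failed password for invalid user klaus from 203.0.113.21 port 51011 ssh2
Nov  4 11:20:00 gw sshd[2450]: Failed password for mike from 10.0.0.5 port 50001 ssh2
Nov  4 11:42:17 gw sshd[2501]: Failed password for invalid user mikko from 192.0.2.88 port 3322 ssh2
Nov  4 11:42:45 gw sshd[2502]: Failed password for invalid user hans from 192.0.2.88 port 3330 ssh2
Nov  4 12:30:09 gw sshd[2610]: Failed password for invalid user jussi from 192.0.2.89 port 3990 ssh2
Nov  4 12:30:37 gw sshd[2611]: Failed password for invalid user klaus from 192.0.2.89 port 3998 ssh2
Nov  4 13:00:00 gw sshd[2700]: Failed password for root from 203.0.113.5 port 22222 ssh2
Nov  4 13:00:01 gw sshd[2701]: Failed password for root from 203.0.113.5 port 22223 ssh2
Nov  4 13:00:02 gw sshd[2702]: Failed password for root from 203.0.113.5 port 22224 ssh2
Nov  4 13:00:03 gw sshd[2703]: Failed password for root from 203.0.113.5 port 22225 ssh2
Nov  4 13:00:04 gw sshd[2704]: Failed password for root from 203.0.113.5 port 22226 ssh2
Nov  4 13:00:05 gw sshd[2705]: Failed password for root from 203.0.113.5 port 22227 ssh2
"""

# Standard OpenSSH syslog line; "invalid user" is present when the name
# does not exist locally, absent when it does (e.g. root).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text):
    """Return (timestamp, username, source_ip) tuples in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("ip")))
    return events


def order_is_consistent(lists):
    """True if no two lists disagree on the relative order of any pair of
    names, which is what one unshuffled wordlist walked in chunks looks like."""
    before = set()
    for names in lists:
        names = list(dict.fromkeys(names))  # drop repeats, keep first-seen order
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if (b, a) in before:
                    return False
                before.add((a, b))
    return True


def find_distributed_scan(events, max_attempts_per_source=5, min_sources=3):
    """Group failures by source; keep only low-volume sources (assumed
    threshold) and report those whose usernames overlap with another's."""
    by_ip = defaultdict(list)
    for _, user, ip in events:
        by_ip[ip].append(user)
    slow = {ip: u for ip, u in by_ip.items() if len(u) <= max_attempts_per_source}
    fanout = defaultdict(set)  # username -> slow sources that tried it
    for ip, users in slow.items():
        for u in users:
            fanout[u].add(ip)
    shared = {u: ips for u, ips in fanout.items() if len(ips) >= 2}
    sources = set().union(*shared.values()) if shared else set()
    return {
        "detected": len(sources) >= min_sources,
        "sources": sorted(sources),
        "dictionary": sorted(shared),
        "ordered": order_is_consistent([slow[ip] for ip in sorted(sources)]),
        "noisy_sources": sorted(ip for ip in by_ip if ip not in slow),
    }


if __name__ == "__main__":
    report = find_distributed_scan(parse_failed_logins(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The single-user failure from 10.0.0.5 never enters the result because its name is not shared with any other low-rate source, and the noisy root brute forcer is reported separately rather than mixed into the distributed set. On a real host you would feed it the whole retention window, since the sources in the thread were spaced far enough apart to slip under per-IP rate limits such as fail2ban's.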