[nsp-sec] slow distributed ssh scan
Nick Hale
nspsec at rtfmnewbie.com
Mon Nov 7 15:53:52 EST 2011
I'm seeing something very similar happening on some of my systems... The attachment contains IPs and bogus accounts they're trying to hit.
Obviously this attachment contains only one server's worth of data.
As you can see, the usernames are mostly sequential (minus the occasional one-off of administrator or backup... generic accounts). I've been watching
this for a few days and they seem to go through the same set of account names on a cycle.
-NH
On 11/4/2011 17:08, Smith, Donald wrote:
> ----------- nsp-security Confidential --------
>
> Yes I see some Anglo, and of course common system accounts but this one does appear to be primarily Slavic, Germanic, Latin...
>
> So I suspect this is the steal usernames from the password file after compromise. If they ever figure out routing and bgp we could really be in trouble as targeting by AS/username combos would be even more effective.
>
> Something like this AS is Italian and we should use the Italian username set ... :(
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com
> ________________________________________
> From: Mike Tancsa [mike at sentex.net]
> Sent: Friday, November 04, 2011 2:47 PM
> To: Smith, Donald
> Cc: Marc Kneppers; Nsp-Security
> Subject: Re: [nsp-sec] slow distributed ssh scan
>
> On 11/4/2011 4:34 PM, Smith, Donald wrote:
>> Mike in the username choice did you see anything indicating a preference for one culture's common names? The reason I asked is at least one kit out there harvested new names to try from the local /etc/password file. We (sans) saw it but never found the kit. We could tell that hosts bruteforcing other hosts were picking up Finnish, German, English names and the hosts they were scanning from were located in the right areas to have picked up those names from the /etc/password file. But I never saw the tool kit so still kind of looking for it. This is of course a logical step. And building your dictionary that way helps with IPs close to you somewhat.
>>
>> Most other tools have either a very small dictionary or use just a few canned users (root, apache, ...) well known accounts. Of course Bruteforcing just root means that kit doesn't need a set of good privilege escalation exploits :)
>
> Hi,
> On the one host I just sampled, there are certainly many Slavic and
> Germanic names in there, but a lot of anglo ones as well and then
> various application role accounts. Attached is the list of the names
> tried. There are some mixed in there which are probably not part of the
> network, but the pattern is pretty clear. Not sure why they would not
> randomize it.
>
> ---Mike
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike at sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: slowssh.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20111107/a09640b6/attachment-0001.txt>
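The pattern described in this thread (many source IPs, each making only a handful of attempts, together walking one shared username list over and over) is exactly what per-IP blocklisting misses. The following is an added example, not part of the thread or its attachment, of a detector that looks at the campaign as a whole: it parses sshd "Invalid user" lines, counts attempts per source, and recovers the shared dictionary by finding the shortest repeating period in the sequence of usernames tried. The log lines and addresses are constructed samples; the thresholds are assumptions to tune for your own hosts.

```python
import re
from collections import Counter

# Constructed sshd auth-log sample (not the thread's attachment): five sources, each
# making only one or two attempts, together walk one alphabetical list twice over.
SAMPLE_LOG = """\
Nov  7 03:12:01 host1 sshd[1201]: Invalid user aaron from 198.51.100.11 port 40112
Nov  7 03:19:44 host1 sshd[1210]: Invalid user abel from 203.0.113.5 port 51002
Nov  7 03:27:09 host1 sshd[1222]: Invalid user abraham from 192.0.2.77 port 44310
Nov  7 03:35:51 host1 sshd[1239]: Invalid user administrator from 203.0.113.9 port 38821
Nov  7 03:44:20 host1 sshd[1250]: Invalid user aaron from 198.51.100.23 port 42004
Nov  7 03:52:03 host1 sshd[1261]: Invalid user abel from 198.51.100.11 port 40190
Nov  7 03:59:48 host1 sshd[1270]: Invalid user abraham from 203.0.113.5 port 51290
Nov  7 04:07:30 host1 sshd[1284]: Invalid user administrator from 192.0.2.77 port 44500
"""

INVALID_USER = re.compile(r"Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

def parse_invalid_users(log_text):
    """Return (username, source_ip) pairs, in log order, for 'Invalid user' failures."""
    return [m.groups() for m in map(INVALID_USER.search, log_text.splitlines()) if m]

def username_cycle(names):
    """Shortest period p with names[i] == names[i+p] for every i; len(names) if none."""
    n = len(names)
    for p in range(1, n):
        if all(names[i] == names[i + p] for i in range(n - p)):
            return p
    return n

def detect_slow_distributed_scan(log_text, min_sources=5, max_per_source=3):
    """Flag a campaign where many sources each stay under a per-IP blocking
    threshold (assumed values) while collectively cycling one shared username list."""
    attempts = parse_invalid_users(log_text)
    per_source = Counter(ip for _, ip in attempts)
    names = [user for user, _ in attempts]
    period = username_cycle(names)
    quiet = [ip for ip, count in per_source.items() if count <= max_per_source]
    return {
        "attempts": len(attempts),
        "sources": len(per_source),
        "max_per_source": max(per_source.values(), default=0),
        "username_list": names[:period],  # one pass through the shared dictionary
        "cycle_length": period,
        "cycles_seen": len(names) / period if period else 0.0,
        "distributed": len(quiet) >= min_sources,  # low per-IP rate, high collective rate
    }
```

Run it across the auth logs of several hosts at once and the shared list and cycle length will be the same on each, which is the signal that one campaign, not several, is behind the traffic.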