[nsp-sec] slow distributed ssh scan
Mike Tancsa
mike at sentex.net
Mon Nov 7 17:02:36 EST 2011
On 11/7/2011 3:53 PM, Nick Hale wrote:
> I'm seeing something very similar happening on some of my systems.... The attachment contains IPs and bogus accounts they're trying to hit.
> Obviously this attachment contains only one servers worth of data.
>
> As you can see, the usernames are mostly sequential (minus the occasional one-off of administrator or backup... generic accounts). I've been watching
> this for a few days and they seem to go through the same set of account names on a cycle.
Here is another customer server I was about to add ossec on that had the same or similar scan. For some reason, they have a rather odd acct they try:
yyyyyyyyyyyyyyyyyyyysistemas
Oct 28 14:14:05 gate2 sshd[1311]: Invalid user yyyyyyyyyyyyyyyyyyyysistemas from 219.240.36.108
Oct 28 14:14:48 gate2 sshd[1318]: Invalid user yyyyyyyyyyyyyyyyyyyysistemas from 217.128.151.181
Oct 28 14:20:42 gate2 sshd[1363]: Invalid user yyyyyyyyyyyyyyyyyyyysistemas from 210.241.238.236
List of names generated by
grep "Failed keyboard-interactive" /var/log/auth.log | awk '{print $11 " from " $13}' > /tmp/acct.txt
Donald, if you want the full logs, let me know; I can share them privately if it's useful.
Offending IP report below, generated from today's hits. Note: the times are EST (GMT-4, sorry).
Bulk mode; whois.cymru.com [2011-11-07 21:57:56 +0000]
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
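Added example, not from this post or from anyone's setup on the list: the grep/awk above lists names per source, but the pattern both Nick and Mike describe (one username set cycled from many IPs, each IP quiet on its own) is easier to spot by aggregating per username across sources. The log lines below are constructed in the sshd format shown above, with documentation-range IPs; thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in the sshd format quoted in the thread (not real data).
SAMPLE_LOG = """\
Oct 28 14:14:05 gate2 sshd[1311]: Invalid user yyyyyyyyyyyyyyyyyyyysistemas from 203.0.113.10
Oct 28 14:14:48 gate2 sshd[1318]: Invalid user yyyyyyyyyyyyyyyyyyyysistemas from 198.51.100.7
Oct 28 14:20:42 gate2 sshd[1363]: Invalid user yyyyyyyyyyyyyyyyyyyysistemas from 192.0.2.44
Oct 28 14:21:10 gate2 sshd[1370]: Failed keyboard-interactive/pam for invalid user backup from 203.0.113.10 port 40122 ssh2
Oct 28 14:25:03 gate2 sshd[1390]: Invalid user administrator from 192.0.2.44
Oct 28 14:31:19 gate2 sshd[1402]: Failed password for root from 198.51.100.99 port 51023 ssh2
Oct 28 14:31:22 gate2 sshd[1402]: Failed password for root from 198.51.100.99 port 51023 ssh2
Oct 28 14:31:25 gate2 sshd[1402]: Failed password for root from 198.51.100.99 port 51023 ssh2
"""

# Matches "Invalid user X from IP" as well as the
# "Failed keyboard-interactive/pam for invalid user X from IP" form the grep targets.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for )?(?:[Ii]nvalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse(log_text):
    """Return {username: {source_ip: attempt_count}} for every failed/invalid login line."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[m["user"]][m["ip"]] += 1
    return hits

def find_distributed(hits, min_sources=3, max_per_source=2):
    """Usernames tried from >= min_sources distinct IPs with no single IP exceeding
    max_per_source attempts: the slow, distributed shape that per-IP
    (fail2ban-style) thresholds never trip. Thresholds are assumed values."""
    return {user: sorted(per_ip) for user, per_ip in hits.items()
            if len(per_ip) >= min_sources and max(per_ip.values()) <= max_per_source}

def source_overlap(hits):
    """IPs that hit more than one username: shared sources tie the names into one
    campaign even though each IP looks harmless on its own."""
    by_ip = defaultdict(set)
    for user, per_ip in hits.items():
        for ip in per_ip:
            by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}

if __name__ == "__main__":
    hits = parse(SAMPLE_LOG)
    for user, ips in find_distributed(hits).items():
        print(f"distributed: {user} from {len(ips)} sources {ips}")
    for ip, users in source_overlap(hits).items():
        print(f"shared source: {ip} -> {users}")
```

On a real box, feed it the same /var/log/auth.log the grep reads; the root entries show why a per-IP count alone separates a noisy single-source brute force from the quiet distributed one.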
Name: acct.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20111107/8665fda3/attachment-0001.txt>