[nsp-sec] slow distributed ssh scan

Mike Tancsa mike at sentex.net
Fri Oct 28 17:13:33 EDT 2011


I will submit to the scanner list for the next few days, but these guys started to show up again just recently. Seems to be coordinated as the user ids are sequential and the time gap is stretched out per host to try and get in under the radar. 

e.g., here are some logs from one box with an open ssh port. Note the sequential usernames.

Oct 28 07:56:41 freebsd-legacy kernel: Oct 28 07:56:41 freebsd-legacy sshd[78477]: error: PAM: authentication error for illegal user santa from 88.191.89.25
Oct 28 07:56:46 freebsd-legacy kernel: Oct 28 07:56:46 freebsd-legacy sshd[78378]: error: PAM: authentication error for illegal user sandro from 211.144.82.8
Oct 28 07:58:44 freebsd-legacy kernel: Oct 28 07:58:44 freebsd-legacy sshd[88505]: error: PAM: authentication error for illegal user sap from 122.255.96.45
Oct 28 08:03:25 freebsd-legacy kernel: Oct 28 08:03:25 freebsd-legacy sshd[3607]: error: PAM: authentication error for illegal user sas from 58.63.241.209
Oct 28 08:05:40 freebsd-legacy kernel: Oct 28 08:05:40 freebsd-legacy sshd[7393]: error: PAM: authentication error for illegal user sc from 69.162.70.2
Oct 28 08:06:03 freebsd-legacy kernel: Oct 28 08:06:03 freebsd-legacy sshd[8062]: error: PAM: authentication error for illegal user sasha from 74.52.189.50
Oct 28 08:08:05 freebsd-legacy kernel: Oct 28 08:08:05 freebsd-legacy sshd[11701]: error: PAM: authentication error for illegal user scanner from 219.240.36.108
Oct 28 08:11:57 freebsd-legacy kernel: Oct 28 08:11:57 freebsd-legacy sshd[32109]: error: PAM: authentication error for illegal user schneider from 88.191.99.23
Oct 28 08:13:40 freebsd-legacy kernel: Oct 28 08:13:40 freebsd-legacy sshd[36636]: error: PAM: authentication error for illegal user scott from 59.106.144.134
Oct 28 08:15:43 freebsd-legacy kernel: Oct 28 08:15:43 freebsd-legacy sshd[43267]: error: PAM: authentication error for illegal user scp from xs.5460.net
Oct 28 08:17:09 freebsd-legacy kernel: Oct 28 08:17:09 freebsd-legacy sshd[47499]: error: PAM: authentication error for illegal user sean from 61.31.204.90
Oct 28 08:17:55 freebsd-legacy kernel: Oct 28 08:17:55 freebsd-legacy sshd[49553]: error: PAM: authentication error for illegal user sean from 190.152.145.53
Oct 28 08:18:42 freebsd-legacy kernel: Oct 28 08:18:42 freebsd-legacy sshd[51498]: error: PAM: authentication error for illegal user sean from 82.130.143.216

However, the one IP will try multiple hosts on various subnets inside my AS, e.g. the "santa" attacker below:

         StartTime    Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State 
10-28 09:43:10.741  M *       tcp       88.191.89.25.53765     ->       64.7.135.135.22           78      14665   FIN
10-28 09:45:21.068  M *       tcp       88.191.89.25.39550     ->        64.7.129.32.22           93      15695   FIN
10-28 09:48:48.976  M *       tcp       88.191.89.25.42568     ->      67.43.129.219.22           58      10294   FIN
10-28 09:49:28.579  M s       tcp       88.191.89.25.57529     ->    205.211.164.254.22           45       6807   FIN
10-28 09:49:45.135  M         tcp       88.191.89.25.59270     ->       64.7.128.103.22           28       5023   FIN
10-28 09:51:40.926  M s       tcp       88.191.89.25.43367     ->       64.7.138.134.22           48       7013   FIN
10-28 09:56:23.831  M *       tcp       88.191.89.25.50360     ->     205.211.164.75.22           56      10158   FIN
10-28 09:59:26.462  M *       tcp       88.191.89.25.49015     ->       64.7.132.125.22           15       1159   CON
10-28 09:59:29.799  M         tcp       88.191.89.25.35128     ->       64.7.128.208.22           29       5017   FIN
10-28 09:59:31.806  M         tcp       88.191.89.25.49015     ->       64.7.132.125.22            9        618   FIN
10-28 10:03:21.790  M         tcp       88.191.89.25.35218     ->         64.7.141.9.22           27       4957   FIN
10-28 10:05:53.026  e         tcp       88.191.89.25.58677     ->        67.43.128.4.22           12       2656   FIN
10-28 10:06:03.376  M *       tcp       88.191.89.25.59640     ->       64.7.132.126.22           15       1159   CON
10-28 10:06:08.717  M         tcp       88.191.89.25.59640     ->       64.7.132.126.22            9        618   FIN
10-28 10:06:23.170  M *       tcp       88.191.89.25.36298     ->       64.7.132.124.22           15       1159   CON
10-28 10:06:28.513  M         tcp       88.191.89.25.36298     ->       64.7.132.124.22            9        618   FIN
10-28 10:06:54.224  e         tcp       88.191.89.25.54443     ->       98.159.240.9.22           12       2656   FIN
10-28 10:10:27.789  M *       tcp       88.191.89.25.44765     ->         64.7.138.7.22           84      15293   FIN
10-28 10:13:42.574  M *       tcp       88.191.89.25.44895     ->       64.7.153.130.22           15       1159   CON
10-28 10:13:46.966  M         tcp       88.191.89.25.52883     ->       64.7.128.103.22           27       4957   FIN
10-28 10:13:47.925  M         tcp       88.191.89.25.44895     ->       64.7.153.130.22            9        618   FIN
10-28 10:15:04.575  e         tcp       88.191.89.25.37669     ->        67.43.128.4.22           12       2656   FIN
10-28 10:16:53.905  M *       tcp       88.191.89.25.43061     ->     205.211.164.75.22           56      10158   FIN
10-28 10:17:25.705  M *       tcp       88.191.89.25.34660     ->       64.7.132.126.22           15       1159   CON
10-28 10:17:31.050  M         tcp       88.191.89.25.34660     ->       64.7.132.126.22            9        618   FIN
10-28 10:18:17.909  e         tcp       88.191.89.25.59002     ->       98.159.240.9.22           12       2656   FIN
10-28 10:21:08.392  M *       tcp       88.191.89.25.57038     ->       64.7.132.127.22           15       1159   CON
10-28 10:21:13.736  M         tcp       88.191.89.25.57038     ->       64.7.132.127.22            9        618   FIN
10-28 10:21:30.161  e         tcp       88.191.89.25.33019     ->       98.159.240.8.22           12       2656   FIN
10-28 10:25:04.345  M s       tcp       88.191.89.25.52821     ->       64.7.149.254.22           48       7013   FIN
10-28 10:25:30.826  M *       tcp       88.191.89.25.33485     ->         64.7.138.7.22           84      15293   FIN

Bulk mode; whois.cymru.com [2011-10-28 21:10:31 +0000]
2514    | 203.141.158.120  | Oct 28 09:16:36 GMT | INFOSPHERE NTT PC Communications, Inc.
2527    | 202.213.205.172  | Oct 28 16:43:17 GMT | SO-NET So-net Entertainment Corporation
3215    | 194.2.25.13      | Oct 28 16:15:13 GMT | AS3215 France Telecom - Orange
3215    | 217.128.151.181  | Oct 28 08:49:03 GMT | AS3215 France Telecom - Orange
3215    | 62.161.44.45     | Oct 28 09:51:51 GMT | AS3215 France Telecom - Orange
3242    | 151.1.183.216    | Oct 28 16:54:02 GMT | ASN-ITNET ITnet S.r.l.
3269    | 79.4.167.152     | Oct 28 08:59:52 GMT | ASN-IBSNAZ Telecom Italia S.p.a.
3269    | 79.48.7.10       | Oct 28 16:21:55 GMT | ASN-IBSNAZ Telecom Italia S.p.a.
3320    | 62.225.155.90    | Oct 28 18:16:14 GMT | DTAG Deutsche Telekom AG
3352    | 217.127.66.216   | Oct 28 16:31:06 GMT | TELEFONICA-DATA-ESPANA TELEFONICA DE ESPANA
3352    | 80.26.69.233     | Oct 28 09:35:33 GMT | TELEFONICA-DATA-ESPANA TELEFONICA DE ESPANA
3462    | 114.32.173.14    | Oct 28 18:15:47 GMT | HINET Data Communication Business Group
3462    | 114.32.226.22    | Oct 28 08:21:19 GMT | HINET Data Communication Business Group
3462    | 114.32.50.243    | Oct 28 17:28:55 GMT | HINET Data Communication Business Group
3462    | 210.241.238.236  | Oct 28 07:44:05 GMT | HINET Data Communication Business Group
3462    | 59.120.72.33     | Oct 28 17:01:02 GMT | HINET Data Communication Business Group
3786    | 211.234.100.205  | Oct 28 07:46:37 GMT | LGDACOM LG DACOM Corporation
3839    | 161.200.90.2     | Oct 28 09:21:47 GMT | ERX-CHULANET Chulalongkorn University
4134    | 202.100.80.21    | Oct 28 16:58:52 GMT | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 220.180.230.134  | Oct 28 09:35:53 GMT | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 221.232.155.6    | Oct 28 17:55:04 GMT | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 58.63.241.209    | Oct 28 08:03:25 GMT | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 61.164.35.17     | Oct 28 08:30:09 GMT | CHINANET-BACKBONE No.31,Jin-rong Street
4538    | 202.120.52.130   | Oct 28 17:54:29 GMT | ERX-CERNET-BKB China Education and Research Network Center
4538    | 210.42.35.1      | Oct 28 16:57:42 GMT | ERX-CERNET-BKB China Education and Research Network Center
4621    | 202.28.37.63     | Oct 28 08:33:53 GMT | UNSPECIFIED UNINET-TH
4716    | 210.238.91.147   | Oct 28 07:44:52 GMT | POWEREDCOM KDDI CORPORATION
4766    | 121.166.70.252   | Oct 28 07:37:50 GMT | KIXS-AS-KR Korea Telecom
4766    | 61.78.62.43      | Oct 28 17:40:21 GMT | KIXS-AS-KR Korea Telecom
4808    | 218.247.244.13   | Oct 28 16:47:19 GMT | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
4812    | 222.73.41.52     | Oct 28 19:32:27 GMT | CHINANET-SH-AP China Telecom (Group)
4837    | 124.160.72.149   | Oct 28 07:52:58 GMT | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837    | 60.28.199.166    | Oct 28 09:14:59 GMT | CHINA169-BACKBONE CNCGROUP China169 Backbone
4847    | 122.70.141.250   | Oct 28 17:00:29 GMT | CNIX-AP China Networks Inter-Exchange
4847    | 211.144.82.8     | Oct 28 07:56:46 GMT | CNIX-AP China Networks Inter-Exchange
4847    | 219.234.88.247   | Oct 28 08:21:47 GMT | CNIX-AP China Networks Inter-Exchange
4847    | 60.195.249.67    | Oct 28 19:56:16 GMT | CNIX-AP China Networks Inter-Exchange
7132    | 65.70.247.20     | Oct 28 18:19:48 GMT | SBIS-AS - AT&T Internet Services
8167    | 201.25.53.34     | Oct 28 10:06:14 GMT | TELESC - Telecomunicacoes de Santa Catarina SA
8167    | 201.67.157.178   | Oct 28 08:52:55 GMT | TELESC - Telecomunicacoes de Santa Catarina SA
8426    | 212.49.222.82    | Oct 28 18:16:53 GMT | CLARANET-AS ClaraNET LTD
8717    | 212.36.7.246     | Oct 28 08:43:12 GMT | SPECTRUMNET Spectrum NET Jsc
8820    | 82.139.199.57    | Oct 28 08:23:23 GMT | TAL-DE TAL.DE Klaus Internet Service GmbH
8990    | 212.92.13.110    | Oct 28 16:25:37 GMT | AHRT-AS _ANTENNA HUNGARIA_ Magyar Musorszoro es Radiohirkozlesi
9304    | 118.142.4.27     | Oct 28 09:52:42 GMT | HUTCHISON-AS-AP Hutchison Global Communications
9318    | 219.240.36.108   | Oct 28 08:08:05 GMT | HANARO-AS Hanaro Telecom Inc.
9370    | 59.106.144.134   | Oct 28 08:13:40 GMT | SAKURA-B SAKURA Internet Inc.
9371    | 219.94.144.230   | Oct 28 16:19:27 GMT | SAKURA-C SAKURA Internet Inc.
9812    | 211.167.110.2    | Oct 28 17:58:02 GMT | CNNIC-CN-COLNET Oriental Cable Network Co., Ltd.
9924    | 61.31.204.90     | Oct 28 07:48:31 GMT | TFN-TW Taiwan Fixed Network, Telco and Network Service Provider.
9931    | 61.19.45.119     | Oct 28 09:04:30 GMT | CAT-AP The Communication Authoity of Thailand, CAT
11664   | 200.80.163.74    | Oct 28 20:31:33 GMT | Techtel LMDS Comunicaciones Interactivas S.A.
12322   | 82.228.250.163   | Oct 28 10:05:25 GMT | PROXAD Free SAS
12322   | 88.191.89.25     | Oct 28 07:56:41 GMT | PROXAD Free SAS
12322   | 88.191.99.23     | Oct 28 08:11:57 GMT | PROXAD Free SAS
12338   | 82.130.143.216   | Oct 28 08:18:42 GMT | EUSKALTEL Euskaltel S.A.
12670   | 195.167.225.173  | Oct 28 18:35:35 GMT | Completel Autonomous System in France
12874   | 89.97.247.147    | Oct 28 07:32:50 GMT | FASTWEB Fastweb SpA
14259   | 200.63.96.126    | Oct 28 08:41:24 GMT | Gtd Internet S.A.
14307   | 68.78.199.247    | Oct 28 08:24:23 GMT | ASN-ROCNET - ROCK SERVICES, INC.
14420   | 190.152.145.53   | Oct 28 07:49:12 GMT | CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP
14522   | 200.25.180.75    | Oct 28 18:22:50 GMT | Satnet
15763   | 85.22.60.6       | Oct 28 20:15:17 GMT | ASDOKOM DOKOM Gesellschaft fuer Telekommunikation mbH
17408   | 202.133.244.64   | Oct 28 08:42:34 GMT | ABOVE-AS-AP AboveNet Communications Taiwan
17431   | 219.234.88.247   | Oct 28 08:21:47 GMT | TONET Beijing TONEK Information Technology Development Company
17431   | 60.195.249.67    | Oct 28 19:56:16 GMT | TONET Beijing TONEK Information Technology Development Company
17621   | 220.248.102.254  | Oct 28 07:36:19 GMT | CNCGROUP-SH China Unicom Shanghai network
17816   | 58.254.143.204   | Oct 28 07:48:09 GMT | CHINA169-GZ China Unicom IP network China169 Guangdong province
17964   | 218.247.244.13   | Oct 28 16:47:19 GMT | DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
17981   | 202.131.87.70    | Oct 28 17:51:32 GMT | CAMBOTECH-KH-AS ISP Cambodia
18881   | 200.175.53.196   | Oct 28 09:42:39 GMT | Global Village Telecom
19089   | 189.14.99.226    | Oct 28 08:47:29 GMT | Dedalus.com S/C Ltda
21309   | 213.174.167.15   | Oct 28 19:22:59 GMT | CASAWEB-AS ACANTHO SPA
21844   | 74.52.189.50     | Oct 28 08:06:03 GMT | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
21844   | 75.125.255.98    | Oct 28 09:53:56 GMT | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
24961   | 217.79.182.38    | Oct 28 18:18:20 GMT | FIBREONE-AS fibre one networks GmbH, Duesseldorf
27257   | 67.55.95.132     | Oct 28 16:45:24 GMT | WEBAIR-INTERNET - Webair Internet Development Company Inc.
32613   | 72.55.179.219    | Oct 28 17:14:50 GMT | IWEB-AS - iWeb Technologies Inc.
33070   | 72.3.142.26      | Oct 28 08:32:44 GMT | RMH-14 - Rackspace Hosting
33942   | 83.139.194.70    | Oct 28 07:34:28 GMT | AGACTEL-AS AGACTEL S.p.a.
38322   | 122.255.96.164   | Oct 28 07:34:54 GMT | P1NETWORKS-MY-AP Packet One Networks Sdn Bhd, Internet Services Provider
38322   | 122.255.96.45    | Oct 28 07:58:44 GMT | P1NETWORKS-MY-AP Packet One Networks Sdn Bhd, Internet Services Provider
39906   | 81.92.159.194    | Oct 28 08:38:49 GMT | COPROSYS CoProSys a.s.
43711   | 87.229.7.163     | Oct 28 18:36:17 GMT | SZERVERNET-HU-AS Szervernet Ltd.
45204   | 180.149.92.22    | Oct 28 09:41:15 GMT | GEMNET-MN GEMNET LLC
46475   | 69.162.65.138    | Oct 28 07:42:09 GMT | LIMESTONENETWORKS - Limestone Networks, Inc.
46475   | 69.162.70.2      | Oct 28 07:40:50 GMT | LIMESTONENETWORKS - Limestone Networks, Inc.
55462   | 122.70.144.168   | Oct 28 18:19:30 GMT | NETNET Beijing ZhongDianXinDa Communication Technology Co., Ltd.
55545   | 203.158.6.110    | Oct 28 17:18:16 GMT | SUT-AS-AP Suranaree University of Technology


	---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
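Added example (not from Mike's post, and not any project's code): the pattern he describes defeats per-source thresholds, because each source only makes one or two attempts against a given host. What does stand out is the username sequence itself: a near-alphabetical run of "illegal user" failures spread over many distinct sources within a short window. The script below parses the sshd/PAM line format quoted above, slides a window over the failures, and flags a window when the sources are numerous, no single source dominates, and the usernames arrive in mostly non-decreasing order. The sample log is constructed for illustration (documentation-range addresses, same username sequence as the post, plus a conventional single-source guess on "admin" to show what is not flagged); the window size and thresholds are assumptions to tune against your own logs.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from collections import Counter

# Constructed sample input in the syslog-relay format shown in the post
# ("kernel:" prefix, then the sshd message). Addresses are RFC 5737
# documentation ranges, not the ones from the post. The last three lines
# are a single-source guess on one account and should NOT be flagged.
SAMPLE_LOG = """\
Oct 28 07:56:41 host kernel: Oct 28 07:56:41 host sshd[78477]: error: PAM: authentication error for illegal user santa from 192.0.2.10
Oct 28 07:56:46 host kernel: Oct 28 07:56:46 host sshd[78378]: error: PAM: authentication error for illegal user sandro from 198.51.100.7
Oct 28 07:58:44 host kernel: Oct 28 07:58:44 host sshd[88505]: error: PAM: authentication error for illegal user sap from 203.0.113.45
Oct 28 08:03:25 host kernel: Oct 28 08:03:25 host sshd[3607]: error: PAM: authentication error for illegal user sas from 192.0.2.209
Oct 28 08:05:40 host kernel: Oct 28 08:05:40 host sshd[7393]: error: PAM: authentication error for illegal user sc from 198.51.100.2
Oct 28 08:06:03 host kernel: Oct 28 08:06:03 host sshd[8062]: error: PAM: authentication error for illegal user sasha from 203.0.113.50
Oct 28 08:08:05 host kernel: Oct 28 08:08:05 host sshd[11701]: error: PAM: authentication error for illegal user scanner from 192.0.2.108
Oct 28 08:11:57 host kernel: Oct 28 08:11:57 host sshd[32109]: error: PAM: authentication error for illegal user schneider from 198.51.100.23
Oct 28 08:13:40 host kernel: Oct 28 08:13:40 host sshd[36636]: error: PAM: authentication error for illegal user scott from 203.0.113.134
Oct 28 08:15:43 host kernel: Oct 28 08:15:43 host sshd[43267]: error: PAM: authentication error for illegal user scp from 192.0.2.77
Oct 28 08:17:09 host kernel: Oct 28 08:17:09 host sshd[47499]: error: PAM: authentication error for illegal user sean from 198.51.100.90
Oct 28 08:17:55 host kernel: Oct 28 08:17:55 host sshd[49553]: error: PAM: authentication error for illegal user sean from 203.0.113.53
Oct 28 08:18:42 host kernel: Oct 28 08:18:42 host sshd[51498]: error: PAM: authentication error for illegal user sean from 192.0.2.216
Oct 28 12:30:01 host kernel: Oct 28 12:30:01 host sshd[60001]: error: PAM: authentication error for illegal user admin from 203.0.113.99
Oct 28 12:30:03 host kernel: Oct 28 12:30:03 host sshd[60002]: error: PAM: authentication error for illegal user admin from 203.0.113.99
Oct 28 12:30:05 host kernel: Oct 28 12:30:05 host sshd[60003]: error: PAM: authentication error for illegal user admin from 203.0.113.99
"""

# Timestamp at the start of the line, then the PAM "illegal user" message.
# The source may be a hostname rather than an address when sshd does
# reverse lookups (the post shows "from xs.5460.net"), hence \S+.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?'
    r'sshd\[\d+\]: error: PAM: authentication error for illegal user '
    r'(?P<user>\S+) from (?P<src>\S+)$'
)


@dataclass
class Event:
    when: datetime
    user: str
    src: str


@dataclass
class Finding:
    start: datetime
    end: datetime
    attempts: int
    distinct_sources: int
    order: float                 # fraction of adjacent username pairs in non-decreasing order
    users: list = field(default_factory=list)


def parse_events(text, year=2011):
    """Parse sshd/PAM failure lines; syslog omits the year, so it is supplied (assumed 2011 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(re.sub(r'\s+', ' ', m['ts']), '%b %d %H:%M:%S').replace(year=year)
        events.append(Event(ts, m['user'], m['src']))
    return events


def ordered_fraction(users):
    """Share of adjacent pairs where the next username sorts >= the previous one.
    A wordlist walked in order by several hosts arrives slightly shuffled, so
    this is deliberately tolerant rather than requiring strict sorting."""
    if len(users) < 2:
        return 0.0
    good = sum(1 for a, b in zip(users, users[1:]) if a <= b)
    return good / (len(users) - 1)


def find_distributed_scans(events, window=timedelta(minutes=30), min_sources=5,
                           max_source_share=0.5, min_order=0.7):
    """Slide a window over failures; flag windows that look like one wordlist
    split across many sources. Thresholds are assumptions to tune locally."""
    events = sorted(events, key=lambda e: e.when)
    findings = []
    i = 0
    while i < len(events):
        j = i
        while j < len(events) and events[j].when - events[i].when <= window:
            j += 1
        chunk = events[i:j]
        sources = Counter(e.src for e in chunk)
        users = [e.user for e in chunk]
        busiest_share = max(sources.values()) / len(chunk)
        order = ordered_fraction(users)
        if len(sources) >= min_sources and busiest_share <= max_source_share and order >= min_order:
            findings.append(Finding(chunk[0].when, chunk[-1].when, len(chunk), len(sources), order, users))
            i = j          # do not re-report the same events from a later start
        else:
            i += 1
    return findings


if __name__ == '__main__':
    for f in find_distributed_scans(parse_events(SAMPLE_LOG)):
        print(f"{f.start:%H:%M:%S}-{f.end:%H:%M:%S}: {f.attempts} attempts from "
              f"{f.distinct_sources} sources, username order {f.order:.2f}: {' '.join(f.users)}")
```

Run it against a real auth log by feeding the file contents to parse_events(); because the window starts at the first failure, a scan this slow still shows up as one finding covering the whole run, while the three "admin" guesses from one address fall through to whatever per-source rule you already have.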


