[nsp-sec] SSH brute force, co-ordinated, sort of.
Scott A. McIntyre
scott at howyagoin.net
Sun Sep 4 18:26:16 EDT 2011
Hi all,
I'm experimenting with a bit of data in my Splunk setup and wanted to
share it with The Rest Of You.
These IPs will be appearing in the daily-reports from Team Cymru for SSH
bruteforce attacks later today/tomorrow ($timezone dependent), but there
was something different about this subset.
Each of the below IPs performed the same username/password attempts
against a honeypot within about a 15 to 20 minute window.
Not all were at the same time, at the most 6 unique IPs were trying the
same user/pass combination within that 15 minute window. The smallest
number was 4 systems.
Whilst it's entirely possible this is mere coincidence, caused by
remotely compromised systems firing off the same scripts at roughly the
same time, I'd have expected MORE than 6 systems hitting our honeypot at
the same time-ish, and certainly greater consistency in the attack
pattern overall.
I have exact timestamps for anyone who wants them, but given how the
data is aggregated it was easier to present a list of all the affected
ASNs and IPs first. The time range is 0800+1000 04 September through
0800+1000 05 September though, and I'm guessing many/most of these won't
be dynamic hosts anyway.
It might be interesting to find out if there's something
different/special about the kits used from these sources.
Happy hunting,
Scott A. McIntyre
AS1221 Telstra
209 | 63.236.7.20 | ASN-QWEST - Qwest Communications Company, LLC
852 | 204.191.10.18 | ASN852 - Telus Advanced Communications
1239 | 65.161.248.26 | SPRINTLINK - Sprint
1836 | 81.221.15.140 | GREEN green.ch AG The Internet Company Autonomous System
2381 | 216.56.28.156 | WISCNET1-AS - WiscNet
2497 | 202.32.177.140 | IIJ Internet Initiative Japan Inc.
2856 | 217.33.64.203 | BT-UK-AS BTnet UK Regional network
3215 | 62.161.44.45 | AS3215 France Telecom - Orange
3303 | 195.8.108.18 | SWISSCOM Swisscom (Switzerland) Ltd
3320 | 62.225.155.90 | DTAG Deutsche Telekom AG
3352 | 217.127.66.216 | TELEFONICA-DATA-ESPANA TELEFONICA DE ESPANA
3352 | 80.35.52.65 | TELEFONICA-DATA-ESPANA TELEFONICA DE ESPANA
3462 | 203.69.69.41 | HINET Data Communication Business Group
3462 | 59.124.65.89 | HINET Data Communication Business Group
3786 | 121.254.234.134 | LGDACOM LG DACOM Corporation
3786 | 121.254.234.135 | LGDACOM LG DACOM Corporation
3931 | 209.23.116.221 | LOGICAL - Logical Net Corporation
4134 | 118.122.179.71 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 119.145.144.60 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 119.145.148.100 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 202.100.80.21 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 202.102.2.155 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 202.109.202.62 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 219.139.45.120 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 220.179.64.23 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 58.63.241.209 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 61.155.95.83 | CHINANET-BACKBONE No.31,Jin-rong Street
4230 | 200.252.235.5 | Embratel
4780 | 61.59.101.16 | SEEDNET Digital United Inc.
4788 | 161.139.144.2 | TMNET-AS-AP TM Net, Internet Service Provider
4808 | 202.96.35.123 | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
4812 | 218.1.67.151 | CHINANET-SH-AP China Telecom (Group)
4812 | 222.73.41.52 | CHINANET-SH-AP China Telecom (Group)
4837 | 60.28.199.166 | CHINA169-BACKBONE CNCGROUP China169 Backbone
4847 | 122.70.141.250 | CNIX-AP China Networks Inter-Exchange
4847 | 123.196.115.72 | CNIX-AP China Networks Inter-Exchange
4847 | 211.144.82.8 | CNIX-AP China Networks Inter-Exchange
4847 | 60.195.249.67 | CNIX-AP China Networks Inter-Exchange
5617 | 83.14.240.10 | TPNET Telekomunikacja Polska S.A.
5617 | 83.3.229.114 | TPNET Telekomunikacja Polska S.A.
6057 | 200.40.251.146 | Administracion Nacional de Telecomunicaciones
6147 | 190.40.2.40 | Telefonica del Peru S.A.A.
6724 | 81.169.131.95 | STRATO STRATO AG
6724 | 85.214.128.248 | STRATO STRATO AG
6724 | 85.214.148.26 | STRATO STRATO AG
6848 | 213.224.242.196 | TELENET-AS Telenet N.V.
6882 | 159.213.90.53 | RTRT-PEGASO Rete Telematica Regionale Toscana - Italy
7132 | 99.13.226.154 | SBIS-AS - AT&T Internet Services
8018 | 208.85.184.173 | VEL-AS - Velocity Networks, Inc.
8151 | 201.134.39.146 | Uninet S.A. de C.V.
8167 | 201.24.73.194 | TELESC - Telecomunicacoes de Santa Catarina SA
8167 | 201.25.53.34 | TELESC - Telecomunicacoes de Santa Catarina SA
8447 | 80.122.236.11 | TELEKOM-AT A1 Telekom Austria AG
8594 | 195.162.49.23 | OMSKELECOM OJSC Rostelecom
8643 | 88.197.20.196 | ATHENANET Academic and Research Network in the Region
8865 | 212.33.92.131 | BIAMAN-AS Politechnika Bialostocka
9304 | 118.142.4.27 | HUTCHISON-AS-AP Hutchison Global Communications
9308 | 59.151.19.80 | CHINA-ABITCOOL Abitcool(China) Inc.
9318 | 219.240.36.110 | HANARO-AS Hanaro Telecom Inc.
9811 | 122.115.35.242 | BJGY srit corp.,beijing.
9811 | 218.246.22.2 | BJGY srit corp.,beijing.
9891 | 202.183.165.67 | CSLOX-IDC-AS-AP CS LOXINFO Public Company Limited.
9924 | 61.31.204.90 | TFN-TW Taiwan Fixed Network, Telco and Network Service Provider.
9930 | 161.139.192.2 | TTNET-MY TIME DOTCOM BERHAD
11172 | 148.244.65.25 | Alestra, S. de R.L. de C.V.
11232 | 24.111.1.78 | MIDCO-NET - Midcontinent Media, Inc.
11664 | 200.80.163.74 | Techtel LMDS Comunicaciones Interactivas S.A.
11841 | 64.30.204.24 | LINKLINE - LinkLINE Communications, Inc.
12322 | 88.191.99.23 | PROXAD Free SAS
12476 | 94.75.66.196 | ASTER-CITY-CABLE-AS ASTER Sp. z.o.o.
12874 | 62.101.89.2 | FASTWEB Fastweb SpA
12874 | 83.103.59.130 | FASTWEB Fastweb SpA
12874 | 89.97.247.147 | FASTWEB Fastweb SpA
12880 | 85.185.180.48 | DCI-AS Information Technology Company (ITC)
13193 | 80.248.214.103 | ASN-NERIM Nerim SAS
13237 | 83.133.126.84 | LAMBDANET-AS European Backbone of LambdaNet
13333 | 206.193.225.164 | CCI-PA-AS-1 - Consolidated Communications, Inc.
13489 | 190.128.29.4 | EPM Telecomunicaciones S.A. E.S.P.
13489 | 201.232.69.113 | EPM Telecomunicaciones S.A. E.S.P.
14307 | 68.78.199.247 | ASN-ROCNET - ROCK SERVICES, INC.
15083 | 64.251.14.116 | INFOLINK-MIA-US - Infolink
15180 | 200.162.106.197 | Diveo do Brasil Telecomunicacoes Ltda
15525 | 83.240.154.46 | PTPRIMENET PT PRIME - Solucoes Empresariais de Telecomunicacoes e Sistemas S.A.
15798 | 213.184.19.18 | OLMAN-EDU-AS OLMAN, Metropolitan Area Network (educational AS)
15879 | 82.201.110.247 | ASN-IS IS Interned Services BV
16237 | 217.115.199.40 | NXS Nxs Internet BV
16237 | 217.148.89.89 | NXS Nxs Internet BV
16735 | 201.48.233.194 | Companhia de Telecomunicacoes do Brasil Central
16814 | 190.2.7.178 | NSS S.A.
16814 | 200.123.162.189 | NSS S.A.
17408 | 202.133.244.250 | ABOVE-AS-AP AboveNet Communications Taiwan
17429 | 122.115.35.242 | BGCTVNET BEIJING GEHUA CATV NETWORK CO.LTD
17431 | 60.195.249.67 | TONET Beijing TONEK Information Technology Development Company
17621 | 210.51.25.156 | CNCGROUP-SH China Unicom Shanghai network
17622 | 210.21.117.13 | CNCGROUP-GZ China Unicom Guangzhou network
17670 | 202.80.209.15 | INFOKOM-AS PT. Infokom Elektrindo
17981 | 202.131.87.70 | CAMBOTECH-KH-AS ISP Cambodia
18479 | 189.14.99.226 | Plug-In Vanet Sistemas de Comunicao LTDA
18734 | 200.33.240.3 | Operbes, S.A. de C.V.
18881 | 200.175.53.196 | Global Village Telecom
20255 | 200.108.192.46 | Tecnowind S.A.
20485 | 62.33.217.1 | TRANSTELECOM JSC Company TransTeleCom
20676 | 87.193.246.26 | QSC-1 QSC AG
20746 | 80.241.231.7 | ASN-IDC IT Telecom S.p.A.
20845 | 78.131.55.172 | DIGICABLE DIGI Ltd.
21069 | 80.74.149.39 | ASN-METANET METANET AG, Switzerland
21448 | 195.69.95.226 | MWIL ==========================================
23033 | 208.115.97.174 | WOW - Wowrack.com
23201 | 190.128.226.86 | Telecel S.A.
23844 | 119.254.5.83 | BJ-GUANGHUAN-AP Beijing Guanghuan Xinwang Digital
24154 | 210.202.196.250 | APBT-AS-TW Asia Pacific Broadband Fixed Lines Co., Ltd.
24724 | 193.111.37.122 | ATMAN-FOREIGN-AS ATM S.A.
25540 | 79.141.1.78 | ALPHALINK-AS Alphalink ISP
27257 | 67.55.95.132 | WEBAIR-INTERNET - Webair Internet Development Company Inc.
27761 | 190.184.22.65 | Cablenet S.A
28707 | 62.213.201.100 | KANGAROOT-AS Kangaroot BVBA
28753 | 84.16.234.145 | LEASEWEB-DE Leaseweb Germany GmbH (previously netdirekt e. K.)
28889 | 80.66.45.84 | LINZNET-AS LinzNet Internet Service Provider GmbH, Austria
29107 | 195.69.86.210 | SYNAPSE-AS _VAT _AK SATER_
31034 | 62.149.194.134 | ARUBA-ASN Aruba S.p.A. - Network
31042 | 89.216.115.97 | SERBIA-BROADBAND-AS Serbia BroadBand-Srpske Kablovske mreze d.o.o.
31246 | 213.155.228.7 | NETBOX-AS SMART Comp. a.s.
33070 | 74.205.124.23 | RMH-14 - Rackspace Hosting
34081 | 84.33.192.45 | INCUBATEC-AS incubatec GmbH - Srl
34187 | 195.245.118.44 | RENOME-AS LLC Renome-Service
34534 | 85.88.195.35 | PAVIANETWORK-AS Pavia Network SPA
34932 | 217.195.176.186 | FUZION Fuzion is a Danish Internet Service Provider
35705 | 195.95.198.190 | PELICAN-ICT Pelican ICT Integrator
39790 | 81.91.84.111 | WEB4U AS of Web4U
41783 | 217.26.18.179 | ITAEC-AS ITaEC LLC autonomous system
42109 | 91.103.30.98 | ADC-AS ADC - Armenian Datacom Company
42957 | 82.193.36.98 | INASSET-AS InAsset Srl
46475 | 69.162.65.138 | LIMESTONENETWORKS - Limestone Networks, Inc.
46475 | 69.162.70.2 | LIMESTONENETWORKS - Limestone Networks, Inc.
47880 | 92.60.66.31 | NML-AS New Media Labs di Luca Mercuri
55462 | 122.70.144.168 | NETNET Beijing ZhongDianXinDa Communication Technology Co., Ltd.
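The correlation described in the post (the same username/password pair tried from several distinct source IPs inside a 15-minute window) can be reproduced outside Splunk with a short script, which is useful for anyone who wants to check their own honeypot or auth logs for the same pattern. The following is an added example, not Scott's code and not the honeypot data from the post: the one-line-per-attempt log format and the sample lines are constructed for illustration, and the thresholds of 4 distinct sources within 15 minutes are taken from the figures the post reports.

```python
"""Find username/password pairs tried from many distinct sources in a short window.

Added example. The log format below ("timestamp src_ip user password result",
ISO timestamps) is an assumption made for this script; real honeypots log
differently and would need their own parser. All sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2011-09-04T08:01:10 203.0.113.5 root 123456 failed
2011-09-04T08:03:42 198.51.100.7 root 123456 failed
2011-09-04T08:06:05 192.0.2.33 root 123456 failed
2011-09-04T08:09:51 203.0.113.77 root 123456 failed
2011-09-04T08:12:30 198.51.100.9 root 123456 failed
2011-09-04T08:02:00 203.0.113.5 admin admin failed
2011-09-04T08:40:00 198.51.100.7 admin admin failed
2011-09-04T09:20:00 192.0.2.33 admin admin failed
2011-09-04T08:05:00 192.0.2.44 oracle oracle failed
2011-09-04T08:07:00 192.0.2.45 oracle oracle failed
2011-09-04T08:08:00 192.0.2.46 oracle oracle failed
2011-09-04T08:30:00 192.0.2.47 oracle oracle failed
"""


def parse_log(text):
    """Return (timestamp, src_ip, user, password) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        records.append((ts, parts[1], parts[2], parts[3]))
    return records


def coordinated_combos(records, window_minutes=15, min_sources=4):
    """Map (user, password) -> (peak distinct sources, sorted IPs in that window).

    Only combinations whose peak reaches min_sources are returned. The peak is
    found with a sliding window anchored at each attempt in time order.
    """
    window = timedelta(minutes=window_minutes)
    by_combo = defaultdict(list)
    for ts, ip, user, password in records:
        by_combo[(user, password)].append((ts, ip))

    hits = {}
    for combo, attempts in by_combo.items():
        attempts.sort()  # chronological, so the inner loop can stop early
        peak, peak_ips = 0, set()
        for i, (start, _) in enumerate(attempts):
            ips = set()
            for ts, ip in attempts[i:]:
                if ts - start > window:
                    break
                ips.add(ip)
            if len(ips) > peak:
                peak, peak_ips = len(ips), ips
        if peak >= min_sources:
            hits[combo] = (peak, sorted(peak_ips))
    return hits


def all_source_ips(hits):
    """Union of the sources behind every flagged combination (the kind of list the post shares)."""
    ips = set()
    for _, combo_ips in hits.values():
        ips.update(combo_ips)
    return sorted(ips)


if __name__ == "__main__":
    flagged = coordinated_combos(parse_log(SAMPLE_LOG))
    for (user, password), (peak, ips) in flagged.items():
        print(f"{user}/{password}: {peak} distinct sources within 15 min -> {', '.join(ips)}")
    print("all sources:", ", ".join(all_source_ips(flagged)))
```

On the constructed input only root/123456 is flagged (five sources in twelve minutes); oracle/oracle has four sources but the fourth arrives 25 minutes after the first, so it only appears if the window is widened to 30 minutes, which shows how much the chosen window shapes the result.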