[nsp-sec] SSH brute force, co-ordinated, sort of.
Hicks, Howard
Howard.Hicks at CenturyLink.com
Tue Sep 6 19:39:31 EDT 2011
Ack AS209 - Thanks for putting the crosshairs on this one.
--
Howard Hicks
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Scott A. McIntyre
> Sent: Sunday, September 04, 2011 5:26 PM
> To: NSP-Sec
> Subject: [nsp-sec] SSH brute force, co-ordinated, sort of.
>
> ----------- nsp-security Confidential --------
>
> Hi all,
>
> I'm experimenting with a bit of data in my Splunk setup and wanted to
> share it with The Rest Of You.
>
> These IPs will be appearing in the daily-reports from Team Cymru for SSH
> bruteforce attacks later today/tomorrow ($timezone dependent), but there
> was something different about this subset.
>
> Each of the below IPs performed the same username/password attempts
> against a honeypot within about a 15 to 20 minute window.
>
> Not all were at the same time, at the most 6 unique IPs were trying the
> same user/pass combination within that 15 minute window. The smallest
> number was 4 systems.
>
> Whilst it's entirely possible this is mere coincidence, caused by
> remotely compromised systems firing off the same scripts at roughly the
> same time, I'd have expected MORE than 6 systems hitting our honeypot at
> the same time-ish, and certainly greater consistency in the attack
> pattern overall.
>
> I have exact timestamps for anyone who wants them, but given how the
> data is aggregated it was easier to present a list of all the affected
> ASNs and IPs first. The time range is 0800+1000 04 September through
> 0800+1000 05 September though, and I'm guessing many/most of these won't
> be dynamic hosts anyway.
>
> It might be interesting to find out if there's something
> different/special about the kits used from these sources.
>
> Happy hunting,
>
> Scott A. McIntyre
> AS1221 Telstra
>
>
> 209 | 63.236.7.20 | ASN-QWEST - Qwest Communications Company, LLC
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
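The pattern Scott describes above (the same username/password pair arriving from several distinct source IPs inside a 15 to 20 minute window, at least 4 and at most 6 sources per pair) can be checked with a small sliding-window pass over honeypot authentication records. The script below is an added example written for this archive page; it is not Scott's Splunk search and not code from the nsp-security list or Team Cymru. The log line format ("ISO timestamp, source IP, username, password") and every sample line in it are constructed for illustration, with documentation-range addresses in place of real sources.

```python
# Added example (not from the original post): flag credential pairs that
# several distinct source IPs tried within one sliding time window, the
# "co-ordinated, sort of" SSH brute-force pattern described in the thread.
# The log format and all sample lines are constructed; they are not the
# honeypot's real records.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot auth log: "<ISO timestamp> <src_ip> <username> <password>"
SAMPLE_LOG = """\
2011-09-04T08:01:10 192.0.2.10 root 123456
2011-09-04T08:03:42 198.51.100.7 root 123456
2011-09-04T08:05:05 203.0.113.9 root 123456
2011-09-04T08:09:30 192.0.2.77 root 123456
2011-09-04T08:11:00 198.51.100.88 root 123456
2011-09-04T08:12:15 192.0.2.10 admin admin
2011-09-04T08:40:00 203.0.113.50 root 123456
2011-09-04T09:02:00 198.51.100.7 admin admin
2011-09-04T09:30:00 192.0.2.10 oracle oracle
2011-09-04T09:31:00 192.0.2.11 oracle oracle
2011-09-04T09:33:00 192.0.2.12 oracle oracle
"""


def parse_log(text):
    """Return (timestamp, src_ip, username, password) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, password = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), ip, user, password))
    events.sort(key=lambda e: e[0])
    return events


def find_coordinated_attempts(events, window=timedelta(minutes=15), min_sources=4):
    """Map (username, password) -> set of source IPs for every credential pair
    that at least `min_sources` distinct IPs tried inside some span no longer
    than `window`. The largest such set per pair is kept."""
    by_cred = defaultdict(list)
    for ts, ip, user, password in events:
        by_cred[(user, password)].append((ts, ip))

    flagged = {}
    for cred, attempts in by_cred.items():
        attempts.sort()
        start = 0
        best = set()
        for end in range(len(attempts)):
            # Advance the window start until attempts[start..end] fit in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            ips = {ip for _, ip in attempts[start:end + 1]}
            if len(ips) >= min_sources and len(ips) > len(best):
                best = ips
        if best:
            flagged[cred] = best
    return flagged


def report(flagged):
    """Render the findings as one line per credential pair, sorted for stable output."""
    lines = []
    for (user, password), ips in sorted(flagged.items()):
        lines.append(f"{user}/{password}: {len(ips)} sources: {', '.join(sorted(ips))}")
    return lines


if __name__ == "__main__":
    for line in report(find_coordinated_attempts(parse_log(SAMPLE_LOG))):
        print(line)
```

With the defaults (15-minute window, at least 4 distinct sources) only root/123456 is reported: five sources hit it within ten minutes, while the sixth source at 08:40 falls outside the window and is left out of the set. oracle/oracle, tried from three addresses in three minutes, stays below the threshold; lowering `min_sources` to 3 picks it up, which is the knob to turn when tuning this against a real honeypot's volume.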