Incidents
Weird SSH attack last night and this morning (still ongoing) May 07 2008 12:27PM
Gary Baribault (gary baribault net) (6 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 14 2008 08:25AM
Mick Pollard (lists lunix com au) (1 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 14 2008 11:05PM
Gary Baribault (gary baribault net) (1 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 15 2008 09:41PM
Valdis Kletnieks vt edu
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:01PM
Brent Kearney (brentk birs ca)
RE: Weird SSH attack last night and this morning (still ongoing) May 07 2008 05:53PM
Erin Carroll (amoeba amoebazone com) (1 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:17PM
Valdis Kletnieks vt edu
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 05:36PM
Blaine Fleming (groups digital-z com)
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 05:04PM
Robert Taylor (rjamestaylor gmail com) (1 replies)
RE: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:15PM
Erin Carroll (amoeba amoebazone com) (1 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:23PM
Robert Taylor (rjamestaylor gmail com) (1 replies)
Good points.

I plead exhaustion for missing the key differentiator of this attack:
one attempt at root (likely the null password attack, as a guess).
Reason for my tiredness? I'm a third shift admin.

Thank you for the clarification.

On May 7, 2008, at 1:15 PM, Erin Carroll wrote:

> Robert,
>
> I agree that this kind of traffic/attack is extremely common. The only
> notable thing about this one is the very slow attack interval perceived by
> the individual targets. Instead of hammering away at a single target it
> looks like a botnet which is cycling through a large list of targets to
> spread the attack around and more likely sneak in under the radar. That way
> the botnet can leverage its size to run thousands of attacks simultaneously
> but limit the risk of alerting the individual targets since each destination
> is hit with attempts in a small trickle. This method of attack is not so
> common.
>
> It's easy to see or be alerted on the defense side of hundreds or thousands
> of failed attempts but a couple an hour from all different IPs? Fairly easy
> to imagine this slipping past most automated defense or threshold-based
> protection alerts for organizations. Fail2ban, denyhosts, and other ways of
> automating response need the threshold to be reached to blackhole/null the
> attacker source. This attack pattern seems explicitly designed to bypass
> those types of controls, which is what makes it interesting.
>
> --
> Erin Carroll
> Moderator, SecurityFocus pen-test mailing list
> amoeba (at) amoebazone (dot) com [email concealed]
> "Do Not Taunt Happy-Fun Ball"
>
> -----Original Message-----
> From: Robert Taylor [mailto:rjamestaylor (at) gmail (dot) com [email concealed]]
> Sent: Wednesday, May 07, 2008 10:04 AM
> To: Gary Baribault
> Cc: incidents (at) securityfocus (dot) com [email concealed]
> Subject: Re: Weird SSH attack last night and this morning (still ongoing)
>
> It's extremely common to have these scans.
>
> http://robotterror.com/site/wiki/mitigating_brute_force_password_attacks_with_pam_abl
>
> That's a link to my blog. I'm a Linux System Admin at a major hosting
> company; this is something I see nightly. Usually, though, I see hits
> on the order of thousands per hour before I get worried.
>
>
> On May 7, 2008, at 7:27 AM, Gary Baribault wrote:
>
>> I don't know what is going on last night and this morning ... I have
>> three Linux servers facing the Internet, two on cable modems and
>> another on a static IP/commercial connection and this last one is a
>> gateway to a Web/FTP/SMTP/Pop3/NTP Linux based system.
>>
>> I have DenyHosts installed on all three and have blocked about 75
>> attempts .. from known compromised addresses .. The log shows
>> (obviously) that there were even more attempts from addresses that
>> are unknown to DenyHosts but there was only one login attempt per
>> address and it was with the Root account .. which is obviously
>> blocked in my sshd config ..
>>
>> Of the three machines, one of them only had about 10 attempts, but
>> the other two had about 200 attempts .. all of them with only 1 try
>> with the user Root ..
>>
>> Is anyone else seeing this? Or am I being targeted? This is still
>> going on now .. and it started around 10:00 last night GMT+4
>>
>> --
>> Gary Baribault
>> Courriel: gary (at) baribault (dot) net [email concealed]
>> GPG Key: 0x4346F013
>> GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013
>>
>

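Erin's point above, that per-source thresholds never trip when each source makes a single attempt, can be shown with an added example (not code from anyone in the thread): a small Python detector that parses OpenSSH auth.log lines and compares a DenyHosts/fail2ban-style per-source count with a rule that pivots on the target account and counts distinct source IPs inside a time window. The host name, addresses and timestamps in the sample log are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt in OpenSSH's syslog format (not from the thread):
# one attempt at root from each of four sources, plus one noisy host hammering a nonexistent account.
SAMPLE_LOG = """\
May  7 22:01:11 gw sshd[4011]: Failed password for root from 203.0.113.10 port 40211 ssh2
May  7 22:03:40 gw sshd[4019]: Failed password for invalid user admin from 192.0.2.77 port 55001 ssh2
May  7 22:03:42 gw sshd[4019]: Failed password for invalid user admin from 192.0.2.77 port 55001 ssh2
May  7 22:03:45 gw sshd[4019]: Failed password for invalid user admin from 192.0.2.77 port 55001 ssh2
May  7 22:17:43 gw sshd[4032]: Failed password for root from 198.51.100.7 port 51999 ssh2
May  7 22:35:02 gw sshd[4057]: Failed password for root from 203.0.113.44 port 33012 ssh2
May  7 22:52:19 gw sshd[4073]: Accepted publickey for gary from 192.0.2.5 port 60012 ssh2
May  7 22:58:30 gw sshd[4090]: Failed password for root from 198.51.100.91 port 47710 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(text, year=2008):
    """Return [(timestamp, user, source_ip), ...] for every failed-password line."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and other noise are ignored
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"]))
    return out

def per_source_alerts(failures, threshold=3):
    """DenyHosts/fail2ban-style rule: a source is flagged only once it alone reaches the threshold."""
    counts = Counter(ip for _, _, ip in failures)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def distributed_alerts(failures, window_minutes=60, min_sources=3):
    """Pivot on the target account: flag a user when failures against it come from
    at least min_sources distinct IPs inside one sliding window, however few each IP sends."""
    by_user = defaultdict(list)
    for ts, user, ip in failures:
        by_user[user].append((ts, ip))
    window, alerts = timedelta(minutes=window_minutes), {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            sources = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                alerts[user] = max(alerts.get(user, 0), len(sources))
    return alerts
```

On the sample, `per_source_alerts` flags only the noisy 192.0.2.77 and misses the trickle entirely, while `distributed_alerts` returns `{'root': 4}` because four different sources tried root within one hour.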
Copyright 2010, SecurityFocus