Incidents
Weird SSH attack last night and this morning (still ongoing) May 07 2008 12:27PM
Gary Baribault (gary baribault net) (6 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 14 2008 08:25AM
Mick Pollard (lists lunix com au) (1 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 14 2008 11:05PM
Gary Baribault (gary baribault net) (1 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 15 2008 09:41PM
Valdis Kletnieks vt edu
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:01PM
Brent Kearney (brentk birs ca)
RE: Weird SSH attack last night and this morning (still ongoing) May 07 2008 05:53PM
Erin Carroll (amoeba amoebazone com) (1 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:17PM
Valdis Kletnieks vt edu
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 05:36PM
Blaine Fleming (groups digital-z com)
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 05:04PM
Robert Taylor (rjamestaylor gmail com) (1 replies)
RE: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:15PM
Erin Carroll (amoeba amoebazone com) (1 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:23PM
Robert Taylor (rjamestaylor gmail com) (1 replies)
RE: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:27PM
Erin Carroll (amoeba amoebazone com)
I've been there. Sleep is good.

Though you did remind me with your null attack comment to get off my butt
and capture the packets to see if it's a specific hole trying to be
exploited and not just a brute force password run.

--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba (at) amoebazone (dot) com [email concealed]
"Do Not Taunt Happy-Fun Ball"

-----Original Message-----
From: Robert Taylor [mailto:rjamestaylor (at) gmail (dot) com [email concealed]]
Sent: Wednesday, May 07, 2008 11:24 AM
To: Erin Carroll
Cc: 'Gary Baribault'; incidents (at) securityfocus (dot) com [email concealed]
Subject: Re: Weird SSH attack last night and this morning (still ongoing)

Good points.

I plead exhaustion for missing the key differentiator of this attack :
one attempt at root (likely the null password attack, as a guess).
Reason for my tiredness? I'm a third shift admin.

Thank you for the clarification.

On May 7, 2008, at 1:15 PM, Erin Carroll wrote:

> Robert,
>
> I agree that this kind of traffic/attack is extremely common. The only
> notable thing about this one is the very slow attack interval
> perceived by
> the individual targets. Instead of hammering away at a single target
> it
> looks like a botnet which is cycling through a large list of targets
> to
> spread the attack around and more likely sneak in under the radar.
> That way
> the botnet can leverage its size to run thousands of attacks
> simultaneously
> but limit the risk of alerting the individual targets since each
> destination
> is hit with attempts in a small trickle. This method of attack is
> not so
> common.
>
> It's easy to see or be alerted on the defense side of hundreds or
> thousands
> of failed attempts but a couple an hour from all different IP's?
> Fairly easy
> to imagine this slipping past most automated defense or threshold-
> based
> protections alerts for organizations. Fail2ban, denyhosts, and other
> ways of
> automating response need the threshold to be reached to blackhole/
> null the
> attacker source. This attack pattern seems explicitly designed to
> bypass
> those types of controls which is what makes it interesting.
>
>
> --
> Erin Carroll
> Moderator, SecurityFocus pen-test mailing list
> amoeba (at) amoebazone (dot) com [email concealed]
> "Do Not Taunt Happy-Fun Ball"
>
>
>
>
>
>
> -----Original Message-----
> From: Robert Taylor [mailto:rjamestaylor (at) gmail (dot) com [email concealed]]
> Sent: Wednesday, May 07, 2008 10:04 AM
> To: Gary Baribault
> Cc: incidents (at) securityfocus (dot) com [email concealed]
> Subject: Re: Weird SSH attack last night and this morning (still
> ongoing)
>
> It's extremely common to have these scans.
>
>
http://robotterror.com/site/wiki/mitigating_brute_force_password_attacks
_wit
> h_pam_abl
>
> That's a link to my blog. I'm a Linux System Admin at a major hosting
> company; this is something I see nightly. Usually, though, I see hits
> on the order of thousands per hour before I get worried.
>
>
> On May 7, 2008, at 7:27 AM, Gary Baribault wrote:
>
>> I don't know what is going on last night and this morning ... I have
>> three Linux servers facing the Internet, two on cable modems and
>> another on a static IP/commercial connection and this last one is a
>> gateway to a Web/FTP/SMTP/Pop3/NTP Linux based system.
>>
>> I have DenyHosts installed on all three and have blocked about 75
>> attempts .. from known compromised adresses .. The log shows
>> (obviously) that there where even more attempts from adresses that
>> are unknown to DenyHosts but there was only one login attemps per
>> adress and it was with the Root account .. which is obviously
>> blocked in my sshd config ..
>>
>> Of the three machines, one of them only had about 10 attempts, but
>> the other two had about 200 attempts .. all of them with only 1 try
>> with the user Root ..
>>
>> Is any one else seing this? or am I being targeted? This is still
>> going on now .. and it started arround 10:00 last night GMT+4
>>
>> --
>> Gary Baribault
>> Courriel: gary (at) baribault (dot) net [email concealed]
>> GPG Key: 0x4346F013
>> GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013
>>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus