Incidents
Distributed Bruteforce against SSH May 12 2008 03:27PM Gary Baribault (gary baribault net) (2 replies)
RE: Distributed Bruteforce against SSH May 12 2008 06:01PM Keith T. Morgan (keith morgan terradon com) (1 replies)
I experimented a bit by blocking huge swaths of the internet at the firewall, and watching. For example, I dropped everything inbound except for 66.0.0.0/8, 67.0.0.0/8 and 68.0.0.0/8. Sure enough, eventually, the next attempt came through. And it used the next sequential username in the dictionary (as captured on a logically nearby host).
When I opened things up again, the dictionary attack simply sped up, in the proper word sequence, coming from more hosts.
> -----Original Message-----
> From: Gary Baribault [mailto:gary (at) baribault (dot) net]
> Sent: Monday, May 12, 2008 11:28 AM
> To: incidents (at) securityfocus (dot) com
> Subject: Distributed Bruteforce against SSH
>
>
> I guess what I reported last week was the warmup round ..
> We're now getting thousands of attempted logins with the
> standard dictionary of potential login names.
>
> As I stated, I'm not interested in avoiding these attacks, so
> please don't suggest that I change the SSH port, my machines
> are safe enough ..
>
> For those who missed it, I have three servers on the
> Internet, two cable modems and one static and again, two of
> them are getting about 100 attacks per hour but instead of
> using Root for every attempt, we are now seeing the standard
> alphabetical list of users.
>
> What worries me is all of the Linux/Unix servers out there
> (and I guess to a lesser degree Windows boxes with an SSH
> Daemon) that have many normal remote users who are allowed
> remote access with SSH and have weak passwords.
>
> This attack seems to be aimed at them, and will certainly succeed.
>
> See a sample of one of my logs below
>
> Gary B
>
> messages:May 11 21:59:39 salle sshd[5493]: Invalid user a'marie from 213.251.185.54
> messages:May 11 21:59:39 salle sshd[5493]: Failed keyboard-interactive/pam for invalid user a'marie from 213.251.185.54 port 33943 ssh2
> messages:May 11 22:01:34 salle sshd[5519]: Invalid user aaliyah from 62.206.228.188
> messages:May 11 22:01:34 salle sshd[5519]: Failed keyboard-interactive/pam for invalid user aaliyah from 62.206.228.188 port 49207 ssh2
> messages:May 11 22:03:11 salle sshd[5524]: Invalid user aaralyn from 212.220.166.26
> messages:May 11 22:03:11 salle sshd[5524]: Failed keyboard-interactive/pam for invalid user aaralyn from 212.220.166.26 port 1408 ssh2
> messages:May 11 22:04:05 salle sshd[5528]: Invalid user aaron from 83.151.29.86
> messages:May 11 22:04:05 salle sshd[5528]: Failed keyboard-interactive/pam for invalid user aaron from 83.151.29.86 port 55756 ssh2
> messages:May 11 22:05:34 salle sshd[5533]: Invalid user abbie from 70.43.165.34
> messages:May 11 22:05:34 salle sshd[5533]: Failed keyboard-interactive/pam for invalid user abbie from 70.43.165.34 port 48681 ssh2
> messages:May 11 22:06:41 salle sshd[5537]: Invalid user abbott from 194.204.62.2
> messages:May 11 22:06:41 salle sshd[5537]: Failed keyboard-interactive/pam for invalid user abbott from 194.204.62.2 port 7799 ssh2
> messages:May 11 22:08:33 salle sshd[5543]: Invalid user abdukrahman from 62.206.22.124
> messages:May 11 22:08:34 salle sshd[5543]: Failed keyboard-interactive/pam for invalid user abdukrahman from 62.206.22.124 port 50525 ssh2
> messages:May 11 22:12:11 salle sshd[5558]: Invalid user abdulrahman from 196.211.191.58
> messages:May 11 22:12:12 salle sshd[5558]: Failed keyboard-interactive/pam for invalid user abdulrahman from 196.211.191.58 port 58081 ssh2
> messages:May 11 22:12:55 salle sshd[5562]: Invalid user abe from 217.172.164.130
> messages:May 11 22:12:55 salle sshd[5562]: Failed keyboard-interactive/pam for invalid user abe from 217.172.164.130 port 56462 ssh2
> messages:May 11 22:13:53 salle sshd[5566]: Invalid user abel from 80.68.94.169
> messages:May 11 22:13:54 salle sshd[5566]: Failed keyboard-interactive/pam for invalid user abel from 80.68.94.169 port 2229 ssh2
> messages:May 11 22:15:47 salle sshd[5592]: Invalid user abia from 86.49.7.207
> messages:May 11 22:15:47 salle sshd[5592]: Failed keyboard-interactive/pam for invalid user abia from 86.49.7.207 port 1407 ssh2
> messages:May 11 22:16:32 salle sshd[5595]: Invalid user abiba from 200.117.122.206
> messages:May 11 22:16:33 salle sshd[5595]: Failed keyboard-interactive/pam for invalid user abiba from 200.117.122.206 port 53258 ssh2
> messages:May 11 22:18:02 salle sshd[5599]: Invalid user abie from 208.189.14.194
> messages:May 11 22:18:02 salle sshd[5599]: Failed keyboard-interactive/pam for invalid user abie from 208.189.14.194 port 36420 ssh2
> messages:May 11 22:18:24 salle sshd[5602]: Invalid user abigail from 69.128.70.86
> messages:May 11 22:18:25 salle sshd[5602]: Failed keyboard-interactive/pam for invalid user abigail from 69.128.70.86 port 3154 ssh2
> messages:May 11 22:19:53 salle sshd[5605]: Invalid user abner from 62.147.203.49
> messages:May 11 22:19:53 salle sshd[5605]: Failed keyboard-interactive/pam for invalid user abner from 62.147.203.49 port 38321 ssh2
> messages:May 11 22:20:17 salle sshd[5608]: Invalid user abra from 61.29.122.140
> messages:May 11 22:20:17 salle sshd[5609]: input_userauth_request: invalid user abra
> messages:May 11 22:20:17 salle sshd[5608]: Failed keyboard-interactive/pam for invalid user abra from 61.29.122.140 port 53367 ssh2
> messages:May 11 22:20:57 salle sshd[5612]: Invalid user abra from 200.166.58.108
> messages:May 11 22:20:58 salle sshd[5612]: Failed keyboard-interactive/pam for invalid user abra from 200.166.58.108 port 41499 ssh2
> messages:May 11 22:21:28 salle sshd[5615]: Invalid user abraham from 82.193.22.18
> messages:May 11 22:21:28 salle sshd[5616]: input_userauth_request: invalid user abraham
> messages:May 11 22:21:28 salle sshd[5615]: Failed keyboard-interactive/pam for invalid user abraham from 82.193.22.18 port 33116 ssh2
> messages:May 11 22:22:36 salle sshd[5619]: Invalid user abram from 66.159.198.155
> messages:May 11 22:22:37 salle sshd[5619]: Failed keyboard-interactive/pam for invalid user abram from 66.159.198.155 port 45869 ssh2
> messages:May 11 22:22:53 salle sshd[5622]: Invalid user abram from 89.110.144.212
> messages:May 11 22:22:53 salle sshd[5623]: input_userauth_request: invalid user abram
> messages:May 11 22:22:53 salle sshd[5622]: Failed keyboard-interactive/pam for invalid user abram from 89.110.144.212 port 35527 ssh2
> messages:May 11 22:23:29 salle sshd[5625]: Invalid user abrianna from 204.13.164.75
> messages:May 11 22:23:29 salle sshd[5625]: Failed keyboard-interactive/pam for invalid user abrianna from 204.13.164.75 port 36896 ssh2
> messages:May 11 22:24:22 salle sshd[5629]: Invalid user abrienda from 87.234.200.80
> messages:May 11 22:24:22 salle sshd[5629]: Failed keyboard-interactive/pam for invalid user abrienda from 87.234.200.80 port 17603 ssh2
> messages:May 11 22:25:04 salle sshd[5632]: Invalid user abrienda from 168.234.199.84
> messages:May 11 22:25:04 salle sshd[5632]: Failed keyboard-interactive/pam for invalid user abrienda from 168.234.199.84 port 47504 ssh2
> messages:May 11 22:25:52 salle sshd[5635]: Invalid user abril from 83.246.96.70
> messages:May 11 22:25:52 salle sshd[5635]: Failed keyboard-interactive/pam for invalid user abril from 83.246.96.70 port 48594 ssh2
> messages:May 11 22:25:55 salle sshd[5638]: Invalid user abril from 62.2.99.174
> messages:May 11 22:25:56 salle sshd[5638]: Failed keyboard-interactive/pam for invalid user abril from 62.2.99.174 port 1424 ssh2
> messages:May 11 22:27:00 salle sshd[5642]: Invalid user absolom from 200.117.122.206
> messages:May 11 22:27:01 salle sshd[5642]: Failed keyboard-interactive/pam for invalid user absolom from 200.117.122.206 port 45918 ssh2
> messages:May 11 22:27:15 salle sshd[5645]: Invalid user abu from 85.14.219.67
> messages:May 11 22:27:15 salle sshd[5645]: Failed keyboard-interactive/pam for invalid user abu from 85.14.219.67 port 38085 ssh2
> messages:May 11 22:28:48 salle sshd[5649]: Invalid user acacia from 64.83.58.161
> messages:May 11 22:28:48 salle sshd[5649]: Failed keyboard-interactive/pam for invalid user acacia from 64.83.58.161 port 39750 ssh2
> messages:May 11 22:30:48 salle sshd[5675]: Invalid user ace from 61.29.122.140
> messages:May 11 22:30:48 salle sshd[5676]: input_userauth_request: invalid user ace
> messages:May 11 22:30:48 salle sshd[5675]: Failed keyboard-interactive/pam for invalid user ace from 61.29.122.140 port 60660 ssh2
> messages:May 11 22:32:25 salle sshd[5680]: Invalid user acton from 217.98.80.5
> messages:May 11 22:32:25 salle sshd[5680]: Failed keyboard-interactive/pam for invalid user acton from 217.98.80.5 port 10497 ssh2
> messages:May 11 22:32:57 salle sshd[5683]: Invalid user acton from 88.198.47.143
> messages:May 11 22:32:57 salle sshd[5683]: Failed keyboard-interactive/pam for invalid user acton from 88.198.47.143 port 39369 ssh2
> messages:May 11 22:33:21 salle sshd[5686]: Invalid user ada from 200.74.136.246
> messages:May 11 22:33:21 salle sshd[5686]: Failed keyboard-interactive/pam for invalid user ada from 200.74.136.246 port 35651 ssh2
> messages:May 11 22:33:51 salle sshd[5689]: Invalid user ada from 69.15.102.215
> messages:May 11 22:33:51 salle sshd[5689]: Failed keyboard-interactive/pam for invalid user ada from 69.15.102.215 port 50657 ssh2
> messages:May 11 22:34:57 salle sshd[5693]: Invalid user adah from 216.197.204.76
> messages:May 11 22:34:57 salle sshd[5693]: Failed keyboard-interactive/pam for invalid user adah from 216.197.204.76 port 43581 ssh2
> messages:May 11 22:35:17 salle sshd[5696]: Invalid user adair from 76.160.167.251
> messages:May 11 22:35:17 salle sshd[5696]: Failed keyboard-interactive/pam for invalid user adair from 76.160.167.251 port 50495 ssh2
> messages:May 11 22:38:36 salle sshd[5715]: Invalid user adamina from 201.21.210.151
> messages:May 11 22:38:36 salle sshd[5716]: input_userauth_request: invalid user adamina
> messages:May 11 22:38:37 salle sshd[5715]: Failed keyboard-interactive/pam for invalid user adamina from 201.21.210.151 port 34881 ssh2
> messages:May 11 22:38:54 salle sshd[5718]: Invalid user adamina from 133.6.61.76
> messages:May 11 22:38:54 salle sshd[5718]: Failed keyboard-interactive/pam for invalid user adamina from 133.6.61.76 port 44428 ssh2
> messages:May 11 22:39:29 salle sshd[5721]: Invalid user adamma from 212.51.52.244
> messages:May 11 22:39:29 salle sshd[5721]: Failed keyboard-interactive/pam for invalid user adamma from 212.51.52.244 port 41180 ssh2
> messages:May 11 22:39:51 salle sshd[5724]: Invalid user adamma from 83.244.156.204
> messages:May 11 22:39:51 salle sshd[5724]: Failed keyboard-interactive/pam for invalid user adamma from 83.244.156.204 port 50954 ssh2
> messages:May 11 22:41:02 salle sshd[5735]: Invalid user adara from 88.198.47.143
> messages:May 11 22:41:02 salle sshd[5735]: Failed keyboard-interactive/pam for invalid user adara from 88.198.47.143 port 33031 ssh2
> messages:May 11 22:42:28 salle sshd[5738]: Invalid user addison from 62.2.211.46
> messages:May 11 22:42:28 salle sshd[5738]: Failed keyboard-interactive/pam for invalid user addison from 62.2.211.46 port 29580 ssh2
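Added example, not part of either message in this thread: a detector for the pattern both posters describe, where each source address makes only one or two attempts while the usernames advance in dictionary order across all sources. It shows that a per-source failure limit sees nothing while an aggregate ordering check flags the run. The function names, the thresholds and the sample log lines (documentation addresses, host name "host") are assumptions constructed for illustration.

```python
import re
from collections import Counter

# sshd's "Invalid user <name> from <ip>" line; the "Failed ..." and
# "input_userauth_request" lines for the same attempt do not match.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

def parse_attempts(lines):
    """Return [(username, source_ip), ...] in log order."""
    return [(m.group(1).lower(), m.group(2))
            for m in map(INVALID_RE.search, lines) if m]

def assess(attempts, per_ip_limit=5, min_attempts=6, min_ordered=0.9):
    """Summarise a window of attempts and flag a distributed dictionary run."""
    users = [u for u, _ in attempts]
    per_source = Counter(ip for _, ip in attempts)
    pairs = list(zip(users, users[1:]))
    # Share of consecutive attempts whose usernames are in non-decreasing order.
    ordered = sum(a <= b for a, b in pairs) / len(pairs) if pairs else 0.0
    over_limit = sorted(ip for ip, n in per_source.items() if n > per_ip_limit)
    return {
        "attempts": len(attempts),
        "sources": len(per_source),
        "over_per_ip_limit": over_limit,  # what a per-source limiter would act on
        "ordered_fraction": round(ordered, 2),
        "distributed": (len(attempts) >= min_attempts and not over_limit
                        and len(set(users)) > 1 and ordered >= min_ordered),
    }

# Constructed sample input (not taken from the posted log).
_NAMES = ["aaron", "abbie", "abbott", "abe", "abel", "abel", "abner", "abra"]
_IPS = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.44",
        "198.51.100.23", "203.0.113.80", "192.0.2.10", "198.51.100.99"]
DISTRIBUTED = []
for i, (name, ip) in enumerate(zip(_NAMES, _IPS)):
    DISTRIBUTED += [
        f"messages:May 11 22:{i:02d}:05 host sshd[{5000 + i}]: Invalid user {name} from {ip}",
        f"messages:May 11 22:{i:02d}:05 host sshd[{5000 + i}]: Failed keyboard-interactive/pam "
        f"for invalid user {name} from {ip} port {40000 + i} ssh2",
    ]
# Contrast case: one source hammering one nonexistent account.
SINGLE_SOURCE = [f"May 11 23:00:{i:02d} host sshd[{6000 + i}]: Invalid user test from 203.0.113.9"
                 for i in range(8)]

if __name__ == "__main__":
    print(assess(parse_attempts(DISTRIBUTED)))
    print(assess(parse_attempts(SINGLE_SOURCE)))
```

The ordering test is non-decreasing rather than strictly increasing because the posted log shows the same username retried from a second address before the list moves on.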