[Dshield] Distributed SSH brute force
Håkon Alstadheim
hakon at alstadheim.priv.no
Wed May 7 22:00:14 GMT 2008
Andreas Maus wrote:
> Hi *!
>
> Since yesterday ~21:00 CEST (GMT+2) I've seen (*sigh* again)
> several ssh brute force attempts for user root in a
> distributed fashion (one attempt per IP) from several
> hosts - almost all of them from Western Europe (.nl,.de,.at,.ch,...)
>
>
I'm also seeing them. First there is one connect that shows up like this:
"May 7 16:13:26 alstadheim sshd[15073]: Did not receive identification
string from 203.128.254.45"
Then I get a slew of login attempts from a whole array of machines.
Look for SSH-SCOUT in <http://www.alstadheim.priv.no/cgi-bin/blacklist>.
The "SSH-SCOUT" tag is an addition today, so older entries will not
have that mark. The scouts that have NIL in the "firewall-hits" column
are the pure scouts, which never show up after that first hit. The other
machines do not show up in my blacklist, because there is only one
"misspelled" password from each.
I expect there is a faint chance of false positives on the scouts, but
as I am the only one logging in at my server, I can say that the current
list contains no false positives.
> I'm wondering if anyone knows what these guys are trying to do
> if they succeed. Installing a binary to do more distributed brute force
> attempts? Something else ?
>
> Ah and by the way - while struggling with abuse handling - is there
> any advice to persuade the guys and girls handling the abuse requests
> that there _is_ a problem on their servers?
> (Common quote: "So someone mistyped your hostname/IP address. So what?"
> *grml* )
>
Don't know. I used to try reporting them through dshield (in the old
days when they were running attacks from a single address, I would block
them automatically in my firewall). Never had much luck. Never a
response, and lately I have not been able to get the dshield site to
even accept my efforts to start a "fightback".
--
Håkon Alstadheim
47 35 39 38
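The scout-then-swarm pattern Håkon describes (one "Did not receive identification string" connect, then a slew of single root-login attempts from many hosts), as an added detection example that is not part of the original post or of his blacklist script. It reads sshd syslog lines (a constructed sample using documentation-range IPs) and reports a scout that is followed within a time window by failed root logins from several distinct IPs, none trying more than once; the year, window length and thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample sshd log lines in the syslog format quoted in the post
# (syslog carries no year); not taken from the author's server.
SAMPLE_LOG = """\
May  7 16:13:26 alstadheim sshd[15073]: Did not receive identification string from 203.0.113.45
May  7 16:14:02 alstadheim sshd[15080]: Failed password for root from 198.51.100.10 port 4412 ssh2
May  7 16:14:09 alstadheim sshd[15082]: Failed password for root from 198.51.100.23 port 5120 ssh2
May  7 16:14:31 alstadheim sshd[15085]: Failed password for root from 192.0.2.77 port 3301 ssh2
May  7 16:15:04 alstadheim sshd[15088]: Failed password for root from 192.0.2.130 port 4004 ssh2
May  7 18:40:00 alstadheim sshd[15201]: Failed password for root from 198.51.100.10 port 4500 ssh2
"""

SCOUT_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                      r"Did not receive identification string from (\S+)")
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def _ts(text, year=2008):
    # syslog timestamps have no year; one is assumed so lines can be compared
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")

def find_scout_campaigns(log_text, window_s=600, min_hosts=3, max_per_ip=1):
    """Return [(scout_ip, [attempting IPs])] for every scout connect that is
    followed within window_s seconds by failed root logins from at least
    min_hosts distinct IPs, none of which tried more than max_per_ip times
    (the one-misspelled-password-per-host pattern from the post)."""
    scouts, fails = [], []
    for line in log_text.splitlines():
        if m := SCOUT_RE.match(line):
            scouts.append((_ts(m.group(1)), m.group(2)))
        elif (m := FAIL_RE.match(line)) and m.group(2) == "root":
            fails.append((_ts(m.group(1)), m.group(3)))
    campaigns = []
    for when, scout_ip in scouts:
        # count root failures per source IP inside the window after the scout
        hits = Counter(ip for t, ip in fails
                       if 0 <= (t - when).total_seconds() <= window_s)
        if len(hits) >= min_hosts and max(hits.values(), default=0) <= max_per_ip:
            campaigns.append((scout_ip, sorted(hits)))
    return campaigns

if __name__ == "__main__":
    for scout, hosts in find_scout_campaigns(SAMPLE_LOG):
        print(f"scout {scout}: {len(hosts)} single-attempt hosts: {', '.join(hosts)}")
```

The per-IP attempt cap is what separates this swarm from an ordinary single-host brute force, which per-address blocking already catches; a scout line on its own is not proof, as the post's remark about false positives notes.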