[Dshield] ssh attacks

jayjwa jayjwa at atr2.ath.cx
Wed Oct 13 17:28:16 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Tue, 12 Oct 2004, Barton L. Phillips wrote:

+ In the last several days I have seen an increase in attempts to log into my
+ server via SSH. Previously I was only seeing the "test" and "guest" attempts
+ previously mentioned on this list. Here is an example of what I saw yesterday:

+ Failed logins from these:

+   george/password from 213.136.124.8: 2 Time(s)
+   glen/password from 66.15.2.200: 4 Time(s)
+   glennt/password from 66.15.2.200: 2 Time(s)
+   henry/password from 213.136.124.8: 2 Time(s)
+   horde/password from 213.136.124.8: 2 Time(s)
+   iceuser/password from 213.136.124.8: 2 Time(s)
+   irc/password from 213.136.124.8: 4 Time(s)
+   jane/password from 213.136.124.8: 2 Time(s)
+   john/password from 213.136.124.8: 2 Time(s)
+   johnz/password from 66.15.2.200: 10 Time(s)
+   master/password from 218.237.65.10: 2 Time(s)
+   matt/password from 218.237.65.10: 2 Time(s)
+   mysql/password from 218.237.65.10: 2 Time(s)
+   nobody/password from 218.237.65.10: 2 Time(s)
+   noc/password from 218.237.65.10: 2 Time(s)
+   operator/password from 213.136.124.8: 2 Time(s)
+   oracle/password from 218.237.65.10: 2 Time(s)
+   pamela/password from 218.237.65.10: 2 Time(s)
+   patrick/password from 213.136.124.8: 4 Time(s)
+   rolo/password from 213.136.124.8: 2 Time(s)
+   root/password from 213.136.124.8: 118 Time(s)
+   server/password from 213.136.124.8: 2 Time(s)

<snip more similar attempts>

Yes, I've noticed this too. I had one guy from a Level3 IP try for over 12 
minutes with passwords/users similar to the ones above. I've seen myself: 
wwwrun, www, irc, iceuser, horde, rolo, cyrus, apache, nobody, operator, 
adm, root, guest, test, user, NULL, patrick, mysql, and www-data. Likely 
they're hoping to get lucky with an account that's left open to ssh access 
but shouldn't be, in the case of mysql, apache, www, etc. The "rolo" and 
"cyrus" ones I have no idea. You'd think they'd use something more 
popular; how many people do you know named "rolo"? On average, most of the 
attacking IPs are China, Korea, or Romania.

While I was on IRC last night, I downloaded and saved the channel list. I 
then egrep'ed it for '.\.exe' and '.\.tgz'. Several matches for 
URLs/files turned up, and I downloaded them. They were, of course, 
rootkits and other exploits in binary form. The binaries were loaded with 
OSF, RST B, and another unknown Linux virus. One of the tools was an 
update to one of the earliest posted tools for ssh attacks on another 
list, the tool that works with the "ss" scanner, "vuln.txt" and then the 
actual ssh attack util. There were comments in one of the shell scripts 
about the tool having been improved, so it seems to me that the old batch 
of ssh attack tools have changed hands and been "improved" on by various 
people (which isn't hard if you understand even basic C).

I've only experienced one such attack of this kind, the one from the 
Level3.com domain, which I reported. They never responded beyond an
auto-reply. Most attacks I've experienced have been of the earlier 
generation, less effective tools which only try the "guest"/"test", 
root, and NULL user combinations.

I've found that using DenyUser, AllowUser in sshd_config is a good idea. 
Placing

ssh: UNKNOWN

in hosts.deny also seems to cut down a lot of them. Some people use key ssh 
login or move the daemon to a high port, out of harm's way. I myself have 
gotten a lot of benefit out of running it under the added protection of 
xinetd.

  --- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBbWW6x2m6tbYouFERAsmjAJ9nUicH41BL2J9SkiKQeGZZbXCQngCgiqrZ
bUK07qqKLZH3Hm+NzJ9DoDw=
=vB6O
-----END PGP SIGNATURE-----
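The per-user/per-source summary quoted at the top of the thread is logwatch output built from sshd's "Failed password" syslog lines. The following is an added example, not code from either poster: it parses constructed lines in that format (OpenSSH logged "illegal user" in 2004 and "invalid user" later, so both are accepted), rebuilds the same kind of summary, flags source addresses that cross a guess threshold, and emits TCP-wrappers `hosts.deny` entries for them. The `sshd:` daemon name in those entries is the OpenSSH process name that libwrap matches on; the threshold value and the sample addresses are assumptions chosen for illustration.

```python
"""Summarise sshd password-guessing attempts from auth-log lines.

Added example (not from the original mailing-list post). It reproduces the
per-user/per-source summary shown in the quoted logwatch output from
constructed syslog lines, flags sources that exceed a threshold, and emits
hosts.deny entries for them.
"""
import re
from collections import Counter

# Constructed sample lines in the classic syslog format OpenSSH used.
# Addresses are the ones quoted in the thread; everything else is made up.
SAMPLE_LOG = """\
Oct 12 03:14:01 host sshd[2201]: Failed password for illegal user george from 213.136.124.8 port 41022 ssh2
Oct 12 03:14:02 host sshd[2201]: Failed password for illegal user george from 213.136.124.8 port 41022 ssh2
Oct 12 03:14:05 host sshd[2204]: Failed password for root from 213.136.124.8 port 41031 ssh2
Oct 12 03:14:06 host sshd[2204]: Failed password for root from 213.136.124.8 port 41031 ssh2
Oct 12 03:14:07 host sshd[2204]: Failed password for root from 213.136.124.8 port 41031 ssh2
Oct 12 03:14:09 host sshd[2206]: Failed password for invalid user irc from 213.136.124.8 port 41040 ssh2
Oct 12 03:20:11 host sshd[2230]: Failed password for invalid user johnz from 66.15.2.200 port 3355 ssh2
Oct 12 03:20:12 host sshd[2230]: Failed password for invalid user johnz from 66.15.2.200 port 3355 ssh2
Oct 12 04:02:40 host sshd[2290]: Failed password for mysql from 218.237.65.10 port 2150 ssh2
Oct 12 04:05:00 host sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Oct 12 04:05:01 host sshd[2301]: Connection closed by 10.0.0.5
"""

# "illegal user" (OpenSSH 3.x) and "invalid user" (later releases) both mean
# the account does not exist; a bare name means it does exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed threshold: a source that fails this many times is treated as a
# password-guessing tool rather than a user with a fat-fingered password.
DEFAULT_THRESHOLD = 5


def parse_failures(text):
    """Return a list of (user, source_ip) tuples, one per failed password."""
    failures = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group(1), m.group(2)))
    return failures


def summarize(failures):
    """Count failures per (user, source_ip) pair, like the logwatch summary."""
    return Counter(failures)


def format_report(counter):
    """Render the summary in the 'user/password from IP: N Time(s)' shape."""
    return [
        f"{user}/password from {ip}: {n} Time(s)"
        for (user, ip), n in sorted(counter.items())
    ]


def total_by_source(failures):
    """Total failures per source address, regardless of user name tried."""
    return Counter(ip for _, ip in failures)


def noisy_sources(failures, threshold=DEFAULT_THRESHOLD):
    """Source addresses whose total failures reach the threshold."""
    return {ip for ip, n in total_by_source(failures).items() if n >= threshold}


def hosts_deny_lines(sources):
    """TCP-wrappers entries that make a libwrap-enabled sshd refuse the source."""
    return [f"sshd: {ip}" for ip in sorted(sources)]


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("Failed logins from these:")
    for line in format_report(summarize(fails)):
        print("  " + line)
    print("\nhosts.deny entries for sources at or above", DEFAULT_THRESHOLD)
    for line in hosts_deny_lines(noisy_sources(fails)):
        print("  " + line)
```

Counting per source rather than per user is what separates a dictionary run from a legitimate typo: the quoted lists show each address cycling through a dozen names at two attempts apiece, so no single (user, ip) pair looks alarming while the per-source total does. Feeding the emitted lines into `hosts.deny` is the manual equivalent of what the thread's `ssh: UNKNOWN` entry and the `AllowUsers`/`DenyUsers` directives (the directive names as OpenSSH spells them) achieve statically.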


