[Dshield] SSH bruteforce with logname "lp"

Johannes Ullrich jullrich at sans.org
Tue Jul 1 20:06:22 GMT 2008



Is anybody interested in sharing ssh logs? It would be trivial to throw them into a database. I am more interested in the usernames that are used vs. the IPs. We already got the IPs (I would think) in DShield. However, there may be some who only probe ssh servers they know exist and are not firewalled. Would be interesting to find those.


---------
SANSFIRE 2008 - Washington DC; 42 courses, July 22-31; www.sans.org/info/26174


On Jul 1, 2008, at 1:55 PM, jayjwa wrote:

>
> On Mon, 30 Jun 2008, Shaun wrote:
>
> -> I'm seeing a large surge in SSH attempts this morning. Large, as in,
> -> more than 10% of the hosts I've blocked for bruteforcing all year are
> -> from today.
> ->
> -> They're coming from a variety of different sources (mostly APNIC, no
> -> surprise), but all are using "lp" as their attempted login. Haven't seen
> -> this particular pattern before. Curious whether anyone else is getting
> -> the same thing, or if this is some sort of targeted attack.
>
> I'm not recording a lot of hits to tcp/22, but my ssh is not there
> anymore anyways. "lp" is sometimes a system account, maybe someone is
> looking for system accounts left open. I've seen that, and other system
> accounts, tried before.
>
>
> 2008-07-01T07:22:51-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=76.76.18.11 DST=64.179.15.222 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=45559 PROTO=TCP SPT=22485 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
> 2008-07-01T08:14:50-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34293 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> 2008-07-01T08:14:53-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34294 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> 2008-07-01T10:48:15-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26692 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> 2008-07-01T10:48:18-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26693 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>
>
>
> Ssh bruteforces have been going on a long time now. Maybe this is 'attack
> history' week? ;) I captured what look to be some really old unicode & webdav
> IIS exploits earlier in the week:
>
> ftp://atr2.ath.cx/pub/file_hosting/packet_captures/bot-exploit-attempts-tcp80.cap
>
> _________________________________________
> SANSFIRE !! The Internet Storm Center Conference
> http://www.sans.org/sansfire08/
>

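As an added example (not code from the thread or from DShield), a small Python parser for the "Ssh Scan" netfilter lines quoted above: it tallies SYNs per source to port 22 and folds the retransmitted SYNs visible in the log (same source port, IP ID incremented, a few seconds apart) into a single connection attempt, which is the kind of per-source record one would load into the database Johannes mentions. The sample lines are constructed with RFC 5737 documentation addresses, and the 10-second retransmit window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the "Ssh Scan" netfilter format quoted in the thread
# (RFC 5737 documentation addresses, not the thread's own log data).
SAMPLE_LOG = """\
2008-07-01T07:22:51-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=45559 PROTO=TCP SPT=22485 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
2008-07-01T08:14:50-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=192.0.2.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34293 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
2008-07-01T08:14:53-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=192.0.2.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34294 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
2008-07-01T10:48:15-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=192.0.2.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=26692 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: Ssh Scan: (?P<fields>.*)$")

def parse_line(line):
    """Parse one netfilter log line into a dict; None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group("ts")), "host": m.group("host"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v             # empty values (OUT=, MAC=) stay as ""
        else:
            rec["flags"].add(tok)  # bare tokens such as SYN and DF
    return rec

def summarize(log_text, retransmit_window=10):
    """Per-source SYN tally for DPT=22. A SYN from the same SRC/SPT within
    retransmit_window seconds of the previous one is a retransmit, not a new attempt."""
    out, last_seen = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("DPT") != "22" or "SYN" not in rec["flags"]:
            continue
        src, sock = rec["SRC"], (rec["SRC"], rec["SPT"])
        s = out.setdefault(src, {"syns": 0, "attempts": 0, "first": rec["ts"], "last": rec["ts"]})
        s["syns"] += 1
        s["last"] = rec["ts"]
        prev = last_seen.get(sock)
        if prev is None or (rec["ts"] - prev).total_seconds() > retransmit_window:
            s["attempts"] += 1
        last_seen[sock] = rec["ts"]
    return out

if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{src:15} attempts={s['attempts']} syns={s['syns']} first={s['first']:%H:%M:%S} last={s['last']:%H:%M:%S}")
```

The usernames Johannes asks about are not in these packet-filter lines; they only appear in sshd's own authentication log, so the two sources have to be joined on source address and time.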