[Dshield] SSH bruteforce with logname "lp"

Tomas L. Byrnes tomb at byrneit.net
Tue Jul 1 23:12:09 GMT 2008


These IPs aren't in DShield, or in the brute force feed we have.

Looks like a lot of IP entropy.

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Johannes Ullrich
> Sent: Tuesday, July 01, 2008 1:06 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] SSH bruteforce with logname "lp"
> 
> Is anybody interested in sharing ssh logs? It would be
> trivial to throw them into a database. I am more interested
> in the usernames that are used vs. the IPs. We already got
> the IPs (I would think) in DShield. However, there may be
> some who only probe ssh servers they know exist and are
> not firewalled. Would be interesting to find those.
> 
> 
> - ---------
> SANSFIRE 2008 - Washington DC; 42 courses, July 22-31; www.sans.org/info/26174
> 
> On Jul 1, 2008, at 1:55 PM, jayjwa wrote:
> 
> >
> >
> > On Mon, 30 Jun 2008, Shaun wrote:
> >
> > -> I'm seeing a large surge in SSH attempts this morning. Large, as in,
> > -> more than 10% of the hosts I've blocked for bruteforcing all year are
> > -> from today.
> > ->
> > -> They're coming from a variety of different sources (mostly APNIC, no
> > -> surprise), but all are using "lp" as their attempted login. Haven't seen
> > -> this particular pattern before. Curious whether anyone else is getting
> > -> the same thing, or if this is some sort of targeted attack.
> >
> > I'm not recording a lot of hits to tcp/22, but my ssh is not there
> > anymore anyways. "lp" is sometimes a system account, maybe someone is
> > looking for system accounts left open. I've seen that, and other
> > system accounts, tried before.
> >
> >
> > 2008-07-01T07:22:51-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=76.76.18.11 DST=64.179.15.222 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=45559 PROTO=TCP SPT=22485 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
> > 2008-07-01T08:14:50-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34293 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> > 2008-07-01T08:14:53-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34294 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> > 2008-07-01T10:48:15-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26692 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> > 2008-07-01T10:48:18-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26693 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> > Ssh bruteforces have been going on a long time now. Maybe this is
> > 'attack history' week? ;) I captured what look to be some really old
> > unicode & webdav IIS exploits earlier in the week:
> >
> > ftp://atr2.ath.cx/pub/file_hosting/packet_captures/bot-exploit-attempts-tcp80.cap
> >
> > _________________________________________
> > SANSFIRE !! The Internet Storm Center Conference 
> > http://www.sans.org/sansfire08/
> >
> 
> 
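An added example, not from this thread, from DShield or from any of the posters: a small Python script that does what Johannes proposes above, tabulating usernames against source IPs rather than just counting IPs, and that also parses the netfilter "Ssh Scan:" kernel lines jayjwa quoted. The five kernel lines in the sample are the ones from the thread; the sshd "Failed password" lines, their hostnames, PIDs and timestamps, and the `min_sources` threshold are constructed here for illustration. The "lp" pattern Shaun describes (one username, one or two attempts each from many unrelated sources) is what `distributed_usernames()` surfaces, since a per-IP threshold such as a fail2ban-style block would barely fire on it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input. The kernel lines are the ones quoted in the thread;
# the sshd lines are constructed in standard OpenSSH auth.log format and are
# NOT from the thread.
SAMPLE_LOG = """\
2008-07-01T07:22:51-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=76.76.18.11 DST=64.179.15.222 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=45559 PROTO=TCP SPT=22485 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
2008-07-01T08:14:50-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34293 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
2008-07-01T08:14:53-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34294 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
2008-07-01T10:48:15-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26692 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
2008-07-01T10:48:18-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26693 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  1 07:23:02 atr2 sshd[4711]: Failed password for invalid user lp from 76.76.18.11 port 22485 ssh2
Jul  1 08:15:01 atr2 sshd[4720]: Failed password for invalid user lp from 24.118.246.112 port 56344 ssh2
Jul  1 10:48:20 atr2 sshd[4733]: Failed password for invalid user lp from 211.245.23.143 port 41670 ssh2
Jul  1 10:48:25 atr2 sshd[4733]: Failed password for lp from 211.245.23.143 port 41670 ssh2
Jul  1 11:02:10 atr2 sshd[4740]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jul  1 11:02:11 atr2 sshd[4740]: Accepted publickey for shaun from 203.0.113.9 port 50100 ssh2
"""

# Netfilter LOG target output: "<ts> <host> kernel: <prefix>: KEY=VAL KEY=VAL ... FLAG ..."
NETFILTER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<prefix>.*?): (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # bare flags like DF / SYN carry no '=' and are skipped

# OpenSSH failed-auth line; "invalid user" is present only when the account does not exist.
SSHD_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def parse_line(line):
    """Normalise one log line to a small dict, or None for lines we do not model."""
    m = NETFILTER_RE.match(line)
    if m:
        kv = dict(KV_RE.findall(m.group("fields")))
        return {"kind": "syn", "src": kv.get("SRC"), "dpt": kv.get("DPT"), "user": None}
    m = SSHD_FAIL_RE.search(line)
    if m:
        return {"kind": "fail", "src": m.group("src"), "dpt": "22",
                "user": m.group("user"), "invalid": bool(m.group("invalid"))}
    return None


def summarize(text):
    """Aggregate the two views: SYNs per source, and usernames vs. the sources trying them."""
    syn_sources = Counter()
    user_attempts = Counter()
    user_sources = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "syn" and rec["dpt"] == "22":
            syn_sources[rec["src"]] += 1
        elif rec["kind"] == "fail":
            user_attempts[rec["user"]] += 1
            user_sources[rec["user"]].add(rec["src"])
    return {
        "syn_sources": syn_sources,
        "user_attempts": user_attempts,
        "user_sources": {u: sorted(s) for u, s in user_sources.items()},
    }


def distributed_usernames(summary, min_sources=3):
    """Usernames tried from at least min_sources distinct IPs (threshold is an assumption).

    This is the shape of the "lp" surge in the thread: the volume is spread across
    sources, so a per-source failure counter sees only one or two attempts each.
    """
    return sorted(u for u, srcs in summary["user_sources"].items() if len(srcs) >= min_sources)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for user, n in s["user_attempts"].most_common():
        print(f"{user:10s} attempts={n:3d} distinct_sources={len(s['user_sources'][user])}")
    print("usernames spread across many sources:", distributed_usernames(s))
```

Pointing `summarize()` at a real auth.log instead of `SAMPLE_LOG` gives the username-centric table Johannes asks for; the kernel-line parser is only useful if the netfilter LOG rule carries a recognisable prefix, as jayjwa's "Ssh Scan:" does.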
