[Dshield] SSH bruteforce with logname "lp"

CunningPike cunningpike at gmail.com
Fri Jul 4 04:43:59 GMT 2008


Count me in - we have a ssh server that accepts only SSH keypair auth, 
but still gets hammered by brute-force attempts, so we'd have a good bit 
of data.

Let me know how/when you want them.

CP

Johannes Ullrich wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
> 
> is anybody interested in sharing ssh logs? it would be trivial to  
> throw them into a database. I am more interested in the usernames that  
> are used vs. the IPs. We already got the IPs (I would think) in  
> DShield. However, there may be some who only probe ssh servers they  
> know they exist and are not firewalled. would be interesting to find  
> those.
> 
> 
> - ---------
> SANSFIRE 2008 - Washington DC; 42 courses, July 22-31; www.sans.org/  
> info/26174
> 
> On Jul 1, 2008, at 1:55 PM, jayjwa wrote:
> 
>>
>> On Mon, 30 Jun 2008, Shaun wrote:
>>
>> -> I'm seeing a large surge in SSH attempts this morning. Large, as in,
>> -> more than 10% of the hosts I've blocked for bruteforcing all year are
>> -> from today.
>> ->
>> -> They're coming from a variety of different sources (mostly APNIC, no
>> -> surprise), but all are using "lp" as their attempted login. Haven't seen
>> -> this particular pattern before. Curious whether anyone else is getting
>> -> the same thing, or if this is some sort of targeted attack.
>>
>> I'm not recording a lot of hits to tcp/22, but my ssh is not there anymore
>> anyways. "lp" is sometimes a system account, maybe someone is looking for
>> system accounts left open. I've seen that, and other system accounts, tried
>> before.
>>
>>
>> 2008-07-01T07:22:51-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=76.76.18.11 DST=64.179.15.222 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=45559 PROTO=TCP SPT=22485 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
>> 2008-07-01T08:14:50-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34293 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>> 2008-07-01T08:14:53-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34294 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>> 2008-07-01T10:48:15-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26692 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>> 2008-07-01T10:48:18-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26693 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>>
>>
>>
>> Ssh bruteforces have been going on a long time now. Maybe this is 'attack
>> history' week? ;) I captured what look to be some really old unicode & webdav
>> IIS exploits earlier in the week:
>>
>> ftp://atr2.ath.cx/pub/file_hosting/packet_captures/bot-exploit-attempts-tcp80.cap
>>
>> _________________________________________
>> SANSFIRE !! The Internet Storm Center Conference
>> http://www.sans.org/sansfire08/
>>
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (Darwin)
> 
> iD8DBQFIao4/PNuXYcm/v/0RAwWHAJ4uDRsTZ/NzafBdgiVpqru51N72bQCeOrW3
> Xg4s4qq81930B80xw+KSWvY=
> =de/o
> -----END PGP SIGNATURE-----
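Editor's note, added to this archived thread and not part of any poster's message: Johannes asks for attempted usernames rather than just source IPs, and Shaun's observation is that one username ("lp") showed up from many unrelated sources at once. The script below, an added example with constructed sample log lines (RFC 5737 test addresses, hypothetical host and PID values), pulls username/source pairs out of OpenSSH auth-log failures and source addresses out of netfilter LOG lines with the "Ssh Scan:" prefix seen in jayjwa's post, then tallies them per username and per source and flags any username tried from several distinct sources, which is the "one login, many origins" pattern the thread describes.

```python
"""Tally SSH brute-force attempts by attempted username and by source address.

Added example for the thread; the log lines below are constructed, not real.
"""
import re
from collections import Counter, defaultdict

# OpenSSH auth-log failures, both shapes:
#   "Invalid user lp from 192.0.2.10"
#   "Failed password for [invalid user] lp from 192.0.2.10 port 22485 ssh2"
SSHD_RE = re.compile(
    r"(?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# netfilter LOG lines with the "Ssh Scan:" prefix quoted in the thread; these
# carry a source address but no username (the SYN never reached sshd).
NETFILTER_RE = re.compile(r"Ssh Scan: .*\bSRC=(?P<src>\S+) .*\bDPT=(?P<dpt>\d+)")

# Constructed sample input (hypothetical host "host", PIDs and test-net IPs).
SAMPLE_LOG_LINES = [
    "Jul  1 07:22:51 host sshd[4011]: Invalid user lp from 192.0.2.10",
    "Jul  1 07:22:53 host sshd[4011]: Failed password for invalid user lp from 192.0.2.10 port 22485 ssh2",
    "Jul  1 08:14:50 host sshd[4020]: Invalid user lp from 198.51.100.7",
    "Jul  1 10:48:15 host sshd[4033]: Invalid user lp from 203.0.113.45",
    "Jul  1 10:48:18 host sshd[4033]: Failed password for root from 203.0.113.45 port 41670 ssh2",
    "Jul  1 11:02:01 host sshd[4040]: Invalid user admin from 198.51.100.7",
    "Jul  1 11:02:02 host sshd[4040]: Accepted publickey for deploy from 198.51.100.99 port 50022 ssh2",
    "2008-07-01T07:22:51-04:00 host kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=192.0.2.77 "
    "DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=45559 PROTO=TCP SPT=22485 DPT=22 "
    "WINDOW=65535 RES=0x00 SYN URGP=0",
]


def parse_events(lines):
    """Return a list of (username or None, source_ip) for every relevant line.

    Successful logins and unrelated lines are ignored; firewall-only hits
    contribute a source with username None.
    """
    events = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("src")))
            continue
        m = NETFILTER_RE.search(line)
        if m and m.group("dpt") == "22":
            events.append((None, m.group("src")))
    return events


def summarize(events):
    """Count attempts per username and per source, and record which sources tried each name."""
    by_user = Counter(u for u, _ in events if u is not None)
    by_src = Counter(s for _, s in events)
    sources_by_user = defaultdict(set)
    for u, s in events:
        if u is not None:
            sources_by_user[u].add(s)
    return {
        "by_user": by_user,
        "by_src": by_src,
        "sources_by_user": {u: sorted(v) for u, v in sources_by_user.items()},
    }


def distributed_usernames(summary, min_sources=3):
    """Usernames attempted from at least `min_sources` distinct sources.

    A single name arriving from many unrelated sources is the pattern Shaun
    reported for "lp"; the threshold is a tuning knob, not a fixed rule.
    """
    return sorted(
        u for u, srcs in summary["sources_by_user"].items() if len(srcs) >= min_sources
    )


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG_LINES))
    print("attempts per username:", dict(summary["by_user"]))
    print("attempts per source:  ", dict(summary["by_src"]))
    print("usernames seen from 3+ sources:", distributed_usernames(summary))
```

Feeding real `/var/log/auth.log` (or `journalctl -u ssh`) lines through `parse_events` gives the username-versus-IP view the thread asks about; the per-username source list is what you would share, since it carries no password material and reveals nothing about your own accounts beyond the names that were guessed.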

