[Dshield] SSH bruteforce with logname "lp"

Tom dshield at oitc.com
Fri Jul 4 12:50:07 GMT 2008


Johannes,

We use DenyHosts (http://denyhosts.sourceforge.net/) which uses and 
maintains a realtime database from 26K+ systems on attack IPs and I 
am sure they would share with you.  This would include (obviously) 
our data as well.

Actually if you implement it you will have the DB synchronized on your machine.

Tom

At 9:43 PM -0700 7/3/08, CunningPike wrote:
>Count me in - we have an SSH server that accepts only SSH keypair auth,
>Johannes Ullrich wrote:
>>  -----BEGIN PGP SIGNED MESSAGE-----
>>  Hash: RIPEMD160
>>
>>  Is anybody interested in sharing ssh logs? It would be trivial to
>>  throw them into a database. I am more interested in the usernames that
>>  are used vs. the IPs. We already got the IPs (I would think) in
>>  DShield. However, there may be some who only probe ssh servers they
>>  know exist and are not firewalled. Would be interesting to find
>>  those.
>>
>>
>>  - ---------
>>  SANSFIRE 2008 - Washington DC; 42 courses, July 22-31; www.sans.org/info/26174
>>
>>  On Jul 1, 2008, at 1:55 PM, jayjwa wrote:
>>
>>>
>>>  On Mon, 30 Jun 2008, Shaun wrote:
>>>
>>>  -> I'm seeing a large surge in SSH attempts this morning. Large, as in,
>>>  -> more than 10% of the hosts I've blocked for bruteforcing all year are
>>>  -> from today.
>>>  ->
>>>  -> They're coming from a variety of different sources (mostly APNIC, no
>>>  -> surprise), but all are using "lp" as their attempted login. Haven't seen
>>>  -> this particular pattern before. Curious whether anyone else is getting
>>>  -> the same thing, or if this is some sort of targeted attack.
>>>
>>>  I'm not recording a lot of hits to tcp/22, but my ssh is not there anymore
>>>  anyway. "lp" is sometimes a system account; maybe someone is looking for
>>>  system accounts left open. I've seen that, and other system accounts, tried
>>>  before.
>>>
>>>
>>>  2008-07-01T07:22:51-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=76.76.18.11 DST=64.179.15.222 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=45559 PROTO=TCP SPT=22485 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
>>>  2008-07-01T08:14:50-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34293 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>>>  2008-07-01T08:14:53-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34294 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>>>  2008-07-01T10:48:15-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26692 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>>>  2008-07-01T10:48:18-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26693 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>>>
>>>  Ssh bruteforces have been going on a long time now. Maybe this is 'attack history' week? ;) I captured what look to be some really old unicode & webdav IIS exploits earlier in the week:
>>>
>>>  ftp://atr2.ath.cx/pub/file_hosting/packet_captures/bot-exploit-attempts-tcp80.cap
>>>
>>>  _________________________________________
>>>  SANSFIRE !! The Internet Storm Center Conference
>>>  http://www.sans.org/sansfire08/
>>>
>>
>>  -----BEGIN PGP SIGNATURE-----
>>  Version: GnuPG v1.4.7 (Darwin)
>>
>>  iD8DBQFIao4/PNuXYcm/v/0RAwWHAJ4uDRsTZ/NzafBdgiVpqru51N72bQCeOrW3
>>  Xg4s4qq81930B80xw+KSWvY=
>>  =de/o
>>  -----END PGP SIGNATURE-----


-- 
Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin
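
An added example, not part of this thread: a small Python script that does the username-vs-source tally Johannes proposes, reading OpenSSH auth-log failures together with iptables "Ssh Scan" kernel lines like the ones jayjwa posted. It is my code, not DShield's or DenyHosts'. The sshd lines in the sample are constructed (TEST-NET addresses); the two kernel lines are copied from the quoted message. The regexes, function names and the assumption that the firewall rule logs with the prefix "Ssh Scan:" are mine.

```python
"""Username-vs-source tally for SSH brute-force logs (added example)."""
import re
from collections import Counter, defaultdict

# OpenSSH auth-log failures. "invalid user" means the account does not exist on
# this host; its absence means it does (a real system account such as "lp").
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed (?:password|none|publickey) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# iptables LOG lines carrying the "Ssh Scan:" prefix used in the quoted kernel log
# (assumed prefix; adjust to whatever --log-prefix your rule sets).
IPT_SCAN = re.compile(
    r"Ssh Scan:.*\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b.*\bDPT=(?P<dpt>\d+)\b"
)


def parse_sshd_failure(line):
    """Return (user, src, account_exists) for a failed-login line, else None."""
    m = SSHD_FAIL.search(line)
    if not m:
        return None
    return m.group("user"), m.group("src"), m.group("invalid") is None


def parse_ssh_scan(line):
    """Return the source IP of a firewall-logged SYN to tcp/22, else None."""
    m = IPT_SCAN.search(line)
    if not m or m.group("dpt") != "22":
        return None
    return m.group("src")


def summarize(lines):
    """Tally failed logins by username and by source, plus firewall-level scans."""
    attempts_by_user = Counter()
    attempts_by_src = Counter()
    sources_by_user = defaultdict(set)
    existing_accounts = set()
    scans_by_src = Counter()
    for line in lines:
        rec = parse_sshd_failure(line)
        if rec:
            user, src, exists = rec
            attempts_by_user[user] += 1
            attempts_by_src[src] += 1
            sources_by_user[user].add(src)
            if exists:
                existing_accounts.add(user)
            continue
        src = parse_ssh_scan(line)
        if src:
            scans_by_src[src] += 1
    return {
        "attempts_by_user": attempts_by_user,
        "attempts_by_src": attempts_by_src,
        "sources_by_user": {u: sorted(s) for u, s in sources_by_user.items()},
        "existing_accounts": existing_accounts,
        "scans_by_src": scans_by_src,
    }


def distributed_usernames(summary, min_sources=2):
    """Usernames tried from at least min_sources distinct IPs, widest spread first.

    One username arriving from many unrelated sources (the "lp" pattern in the
    thread) is the signature of a coordinated campaign rather than a single
    host's dictionary run; an IP-keyed blocklist alone never surfaces it.
    """
    spread = {u: len(s) for u, s in summary["sources_by_user"].items()
              if len(s) >= min_sources}
    return sorted(spread.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample input: the sshd lines are made up (TEST-NET addresses);
# the two kernel lines are copied from the iptables log quoted in the thread.
SAMPLE_LOG = """\
Jul  1 07:22:51 atr2 sshd[4021]: Failed password for lp from 198.51.100.7 port 22485 ssh2
Jul  1 08:14:53 atr2 sshd[4030]: Failed password for lp from 203.0.113.44 port 56344 ssh2
Jul  1 10:48:18 atr2 sshd[4044]: Failed password for lp from 203.0.113.90 port 41670 ssh2
Jul  1 10:48:20 atr2 sshd[4044]: Failed password for invalid user admin from 203.0.113.90 port 41671 ssh2
Jul  1 10:48:22 atr2 sshd[4044]: Failed password for root from 203.0.113.90 port 41672 ssh2
Jul  1 11:02:07 atr2 sshd[4051]: Accepted publickey for tom from 198.51.100.200 port 50022 ssh2
2008-07-01T07:22:51-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=76.76.18.11 DST=64.179.15.222 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=45559 PROTO=TCP SPT=22485 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
2008-07-01T08:14:50-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34293 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for user, n in distributed_usernames(s):
        kind = "existing account" if user in s["existing_accounts"] else "no such account"
        print(f"{user:8s} from {n} sources ({kind}): {', '.join(s['sources_by_user'][user])}")
    print("tcp/22 SYNs seen by the firewall:", dict(s["scans_by_src"]))
```

Point it at the auth log (/var/log/auth.log or /var/log/secure, depending on the distribution) and the kernel log; the line worth watching is the distributed_usernames output, since a username like "lp" tried once each from many addresses looks harmless in any per-IP view but is exactly the pattern Shaun describes. The account_exists flag is also worth keeping in a shared database: an attacker who already knows which usernames are real accounts on a host is doing something more targeted than a dictionary run.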

