[Dshield] Distributed SSH brute force

Håkon Alstadheim hakon at alstadheim.priv.no
Wed May 7 22:00:14 GMT 2008

Andreas Maus wrote:
> Hi *!
> Since yesterday ~21:00 CEST (GMT+2) I've seen (*sigh* again)
> several ssh brute force attempts for user root in a
> distributed fashion (one attempt per IP) from several
> hosts - almost all of them from Western Europe (.nl,.de,.at,.ch,...)
I'm also seeing them. First there is one connect that shows up like this:

"May  7 16:13:26 alstadheim sshd[15073]: Did not receive identification string from"

Then I get a slew of login attempts from a whole array of machines.

Look for SSH-SCOUT in <http://www.alstadheim.priv.no/cgi-bin/blacklist>. 
The "SSH-SCOUT" tag is an addition today, so older entries will not 
have that mark. The scouts that have NIL in the "firewall-hits" column 
are the pure scouts, which never show up after that first hit. The other 
machines do not show up in my blacklist, because there is only one 
"misspelled" password from each.

I expect there is a faint chance of false positives on the scouts, but 
as I am the only one logging in at my server, I can say that the current 
list contains no false positives.
> I'm wondering if anyone knows what these guys are trying to do
> if they succeed. Installing a binary to do more distributed brute force
> attempts? Something else ?
> Ah and by the way - while struggling with abuse handling - is there
> an advice to persuade the guys and girls handling the abuse requests
> that there _is_ a problem on their servers?
> (Common quote: "So someone mistyped your hostname/IP address. So what?"
> *grml* )
Don't know. I used to try reporting them through dshield (in the old 
days when they were running attacks from a single address, I would block 
them automatically in my firewall). Never had much luck. Never a 
response, and lately I have not been able to get the dshield site to 
even accept my efforts to start a "fightback".

Håkon Alstadheim
47 35 39 38
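As an added example (not part of this thread or of any poster's tooling), a small Python script that flags the pattern described above in sshd log lines: a "Did not receive identification string" connect (the scout) followed within a short window by failed root logins from many distinct hosts, one attempt each. The sample log lines, the RFC 5737 documentation addresses in them, the 600-second window and the three-host threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt (documentation addresses, not real hosts).
# The scout connects without sending an SSH banner; minutes later several
# different hosts each try root exactly once. The last line is a repeat from
# one host hours later, outside the window, and must not change the result.
SAMPLE_LOG = """\
May  7 16:13:26 alstadheim sshd[15073]: Did not receive identification string from 192.0.2.5
May  7 16:14:02 alstadheim sshd[15080]: Failed password for root from 192.0.2.10 port 41234 ssh2
May  7 16:14:05 alstadheim sshd[15082]: Failed password for root from 192.0.2.11 port 50011 ssh2
May  7 16:14:09 alstadheim sshd[15084]: Failed password for root from 192.0.2.12 port 33100 ssh2
May  7 16:14:13 alstadheim sshd[15086]: Failed password for root from 192.0.2.13 port 47820 ssh2
May  7 18:00:00 alstadheim sshd[15200]: Failed password for root from 192.0.2.10 port 41300 ssh2
"""

TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
SCOUT_RE = re.compile(TS + r"Did not receive identification string from (\S+)")
FAIL_RE = re.compile(TS + r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_ts(stamp, year=2008):
    # syslog stamps carry no year; the caller supplies it (assumed 2008 here).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_scout_campaigns(log_text, window_s=600, min_hosts=3, year=2008):
    """Return [(scout_ip, [attacker_ips])] for every banner-less connect that is
    followed within window_s by failed root logins from >= min_hosts distinct
    addresses, each trying only once. A lone banner-less connect (a port scanner,
    a monitoring probe) produces no hit, which limits the false positives a
    scout-only rule would raise."""
    scouts, fails = [], []
    for line in log_text.splitlines():
        m = SCOUT_RE.match(line)
        if m:
            scouts.append((parse_ts(m.group(1), year), m.group(2)))
            continue
        m = FAIL_RE.match(line)
        if m and m.group(2) == "root":
            fails.append((parse_ts(m.group(1), year), m.group(3)))
    results = []
    for scout_ts, scout_ip in scouts:
        attempts = defaultdict(int)
        for ts, ip in fails:
            if 0 <= (ts - scout_ts).total_seconds() <= window_s:
                attempts[ip] += 1
        single = sorted(ip for ip, n in attempts.items() if n == 1)
        if len(single) >= min_hosts:
            results.append((scout_ip, single))
    return results


if __name__ == "__main__":
    for scout, hosts in find_scout_campaigns(SAMPLE_LOG):
        print(f"SSH-SCOUT {scout} followed by {len(hosts)} single-try root logins: {hosts}")
```

Point it at a real auth log by reading the file into `find_scout_campaigns`; the scout address is the one worth adding to a blacklist, since the follow-up hosts each appear only once.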

