[unisog] step up in SSH scanning starting today?

John Ives jives at security.berkeley.edu
Mon May 12 23:50:59 GMT 2008

In the last two weeks we have had 666 (not joking about the number) IP 
addresses involved in SSH or FTP bruteforce attacks, with less than 20 
of those IP addresses being FTP.  We keep and publish a running list of 
IP addresses along with the last time they were seen attacking the 
campus.  The IPs are derived from both IDS sensors and honeypots and 
uses OSSEC to create a backend list of IP addresses.  While my coding is 
not the most elegant, it has worked well in dropping the numbers of hack 
attempts to my personal machine. There is a KB article outlining the 
basic premise and at 



Tom Perrine wrote:
> Anyone else see a significant rise in SSH dictionary attacks, especially 
> from .KR?
> A friend at a local ISP (CA.US) reported this morning that they usually 
> see 1-3 scans per day, but had 10 concurrent sweeps this morning with 
> more sources popping up at about 1 new per hour.  Most sources in China, 
> and KR, IIRC.
> Another site (UK) reported a similar but not quite as aggressive set of 
> new sweeps, all theirs from .KR IP space.
> I'm not seeing it here.
> What's the consensus?  Isolated or major ramp-up?

John Ives                                           Phone (510) 642-7773
System & Network Security                           Cell (510) 229-8676
University of California, Berkeley
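
The running list described in the message above (source IPs with the time each was last seen, fed by both sensors and honeypots), sketched as an added example; it is not the Berkeley code or OSSEC's own logic. The log lines, the three-failure threshold and the rule that any honeypot hit is listed are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample sshd lines using documentation address ranges; not real data.
SENSOR_LOG = """\
May 12 09:14:01 gw sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
May 12 09:14:03 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40125 ssh2
May 12 09:14:06 gw sshd[811]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
May 12 09:20:44 gw sshd[902]: Failed password for alice from 198.51.100.23 port 51500 ssh2
May 12 09:21:10 gw sshd[902]: Accepted password for alice from 198.51.100.23 port 51502 ssh2
May 12 11:02:17 gw sshd[990]: Failed password for root from 203.0.113.7 port 42210 ssh2
"""
HONEYPOT_LOG = """\
May 12 10:05:30 hp sshd[77]: Failed password for root from 192.0.2.66 port 33010 ssh2
"""

FAILED = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def parse(log, year=2008):
    """Yield (source_ip, timestamp) for each failed sshd login; syslog omits the year."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            yield m.group(2), datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")

def build_list(sensor_log, honeypot_log, threshold=3):
    """Return {ip: last_seen} for sources treated as brute-forcing."""
    counts, last_seen, listed = {}, {}, set()
    for ip, ts in parse(sensor_log):
        counts[ip] = counts.get(ip, 0) + 1
        last_seen[ip] = max(ts, last_seen.get(ip, ts))
    for ip, ts in parse(honeypot_log):
        listed.add(ip)  # assumption: nobody legitimate logs in to a honeypot
        last_seen[ip] = max(ts, last_seen.get(ip, ts))
    # Assumption: a production host needs `threshold` failures before listing,
    # so one mistyped password (198.51.100.23 above) does not list a real user.
    listed |= {ip for ip, n in counts.items() if n >= threshold}
    return {ip: last_seen[ip] for ip in sorted(listed)}

def render(entries):
    """Format the list as 'ip<TAB>last seen', one source per line."""
    return "\n".join(f"{ip}\t{ts:%Y-%m-%d %H:%M:%S}" for ip, ts in entries.items())

if __name__ == "__main__":
    print(render(build_list(SENSOR_LOG, HONEYPOT_LOG)))
```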
