Increase in SSH attacks as of announcement of rtld bug
Mike Tancsa
mike at sentex.net
Wed Dec 2 13:24:40 UTC 2009
At 07:51 AM 12/2/2009, Mohd Fazli Azran wrote:
>Seems they use multiple hosts and brute force. My network is every day
>seeing increasing ssh login attempts from multiple hosts +
>multiple logins with multiple passwords. Seems I got many of these messages
>
Yes, that's the latest pattern I have been seeing: distributed, slow
and coordinated. Here is a sample from one of my honeypots. The
only way to deal with them I found is to have multiple sensors
throughout my network and aggregate the data. Otherwise, each IP
only appears every few hrs in the logs. In the snippet below,
195.135.140.107 hit the one box 5hrs later, but I had a dozen hits
total in that short period elsewhere in my network.
Nov 24 05:19:09 server sshd[99051]: Invalid user daily from 195.135.140.107
Nov 24 05:21:43 server sshd[19081]: Invalid user daily from 78.36.196.2
Nov 24 05:23:40 server sshd[33746]: Invalid user daily from 62.123.229.20
Nov 24 05:31:18 server sshd[88003]: Invalid user neomail from 212.57.104.168
Nov 24 05:33:26 server sshd[11552]: Invalid user packages from 217.70.139.42
Nov 24 05:41:54 server sshd[2430]: Invalid user packages from 94.82.179.33
Nov 24 05:46:39 server sshd[30961]: Invalid user raqbackup from 99.63.133.121
Nov 24 05:51:27 server sshd[53631]: Invalid user raqbackup from 58.68.30.14
Nov 24 05:54:11 server sshd[72915]: Invalid user spool from 193.85.165.141
Nov 24 05:56:39 server sshd[93869]: Invalid user spool from 88.79.68.190
Nov 24 06:05:33 server sshd[53698]: Invalid user support from 91.144.140.84
Nov 24 06:09:12 server sshd[99870]: Invalid user techsupport from 190.96.169.145
Nov 24 06:12:41 server sshd[14339]: Invalid user techsupport from 221.6.14.108
Nov 24 06:14:53 server sshd[25984]: Invalid user techsupport from 89.97.228.190
Nov 24 06:16:37 server sshd[35437]: Invalid user techsupport from 62.23.130.173
Nov 24 06:20:04 server sshd[45740]: Invalid user customer from 221.148.90.73
Nov 24 06:30:24 server sshd[22798]: Invalid user michael from 200.6.208.158
Nov 24 06:32:57 server sshd[50955]: Invalid user michael from 82.212.49.128
Nov 24 06:38:13 server sshd[78472]: Invalid user michael from 80.32.236.113
Nov 24 14:15:58 server sshd[53503]: Invalid user folder from 194.78.138.227
Nov 24 14:18:29 server sshd[71545]: Invalid user rpcuser from 116.55.226.131
Nov 24 14:21:12 server sshd[99996]: Invalid user rpcuser from 190.67.23.122
Nov 24 14:26:21 server sshd[19058]: Invalid user rpcuser from 212.243.41.9
Nov 24 14:34:11 server sshd[79740]: Invalid user rpcuser from 217.70.139.42
Nov 24 14:19:32 server sshd[35166]: Invalid user rpcuser from 213.140.19.143
Nov 24 14:32:14 server sshd[47004]: Invalid user rpcuser from 212.0.127.98
Nov 24 14:34:46 server sshd[55993]: Invalid user rpcuser from 212.0.127.98
Nov 24 14:47:30 server sshd[80927]: Invalid user rpcuser from 95.91.122.220
Nov 24 14:50:02 server sshd[99146]: Invalid user rpcuser from 213.140.19.143
Nov 24 14:52:42 server sshd[17685]: Invalid user rpcuser from 218.69.27.138
Nov 24 15:01:39 server sshd[78630]: Invalid user rpcuser from 90.182.107.194
Nov 24 15:03:15 server sshd[94459]: Invalid user rpcuser from 212.0.127.98
Nov 24 15:06:56 server sshd[25865]: Invalid user security from 85.126.145.125
Nov 24 15:08:18 server sshd[39544]: Invalid user security from 58.68.30.14
Nov 24 15:12:18 server sshd[59293]: Invalid user security from 217.220.124.90
>Did not receive identification from X.X.X.X
>
>Mohd Fazli Azran
>System Analysis
>KL Malaysia
>
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
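Mike's point above is that a slow, distributed campaign is invisible per host (each source IP shows up only every few hours) and only becomes obvious once sshd logs from several sensors are aggregated and correlated by source address and by attempted username. The script below is an added example, not code from the post or from FreeBSD; it parses the OpenSSH "Invalid user" line format quoted above, merges the logs of several sensors, and flags (a) usernames tried from many distinct IPs inside a short window and (b) source IPs seen on more than one sensor. The "sensor-a" input reuses lines from the post; the "sensor-b" and "sensor-c" hosts, PIDs and the 192.0.2.9 address are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Invalid user" line as shown in the post: syslog timestamp, host,
# sshd[pid], attempted username, source IPv4 address.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample input. sensor-a lines are taken from the post (plus one
# non-matching line of the kind Mohd Fazli quotes); sensor-b / sensor-c are
# made-up hosts standing in for the other sensors on the network.
SENSOR_LOGS = {
    "sensor-a": [
        "Nov 24 05:19:09 server sshd[99051]: Invalid user daily from 195.135.140.107",
        "Nov 24 05:21:43 server sshd[19081]: Invalid user daily from 78.36.196.2",
        "Nov 24 05:23:40 server sshd[33746]: Invalid user daily from 62.123.229.20",
        "Nov 24 05:25:00 server sshd[33750]: Did not receive identification string from 62.123.229.20",
        "Nov 24 05:31:18 server sshd[88003]: Invalid user neomail from 212.57.104.168",
    ],
    "sensor-b": [
        "Nov 24 05:40:02 hostb sshd[1201]: Invalid user daily from 195.135.140.107",
        "Nov 24 05:44:19 hostb sshd[1207]: Invalid user packages from 217.70.139.42",
    ],
    "sensor-c": [
        "Nov 24 06:02:55 hostc sshd[7781]: Invalid user daily from 195.135.140.107",
        "Nov 24 06:05:10 hostc sshd[7790]: Invalid user michael from 200.6.208.158",
        "Nov 24 07:30:00 hostc sshd[7795]: Invalid user daily from 192.0.2.9",
    ],
}


def parse_line(line, year=2009):
    """Return (timestamp, host, user, ip) for an 'Invalid user' line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["user"], m["ip"]


def load_events(sensor_logs, year=2009):
    """Merge all sensors' logs into one time-ordered list of
    (sensor, timestamp, host, user, ip) tuples."""
    events = []
    for sensor, lines in sensor_logs.items():
        for line in lines:
            parsed = parse_line(line, year)
            if parsed:
                events.append((sensor,) + parsed)
    events.sort(key=lambda e: e[1])
    return events


def per_ip(events):
    """Aggregate attempts per source IP across every sensor."""
    summary = {}
    for sensor, ts, _host, user, ip in events:
        s = summary.setdefault(ip, {"attempts": 0, "sensors": set(),
                                    "users": set(), "first": ts, "last": ts})
        s["attempts"] += 1
        s["sensors"].add(sensor)
        s["users"].add(user)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    for s in summary.values():
        s["sensors"] = sorted(s["sensors"])
        s["users"] = sorted(s["users"])
    return summary


def distributed_usernames(events, min_ips=3, window=timedelta(hours=1)):
    """Flag usernames tried from >= min_ips distinct IPs within any window.
    Returns {username: max distinct IPs seen in one window}."""
    by_user = defaultdict(list)
    for _sensor, ts, _host, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        best = 0
        for i, (start, _ip) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            best = max(best, len(ips))
        if best >= min_ips:
            flagged[user] = best
    return flagged


def sources_on_multiple_sensors(events, min_sensors=2):
    """Source IPs that touched at least min_sensors sensors; {ip: sensor count}."""
    return {ip: len(s["sensors"]) for ip, s in per_ip(events).items()
            if len(s["sensors"]) >= min_sensors}


if __name__ == "__main__":
    evts = load_events(SENSOR_LOGS)
    print("distributed usernames:", distributed_usernames(evts))
    print("IPs on multiple sensors:", sources_on_multiple_sensors(evts))
    for ip, s in per_ip(evts).items():
        print(ip, s["attempts"], s["sensors"], s["first"].time(), s["last"].time())
```

With the sample above, the single address 195.135.140.107 shows only one attempt per sensor but three across the network, and the username "daily" is tried from three different addresses within an hour; either signal alone is what the per-host view misses. Feeding real logs in means replacing SENSOR_LOGS with the lines collected from each sensor (via remote syslog or similar), keeping the sensor name as the key.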