Increase in SSH attacks as of announcement of rtld bug

Mike Tancsa mike at sentex.net
Wed Dec 2 13:24:40 UTC 2009


At 07:51 AM 12/2/2009, Mohd Fazli Azran wrote:
> >
>Seems they use multiple hosts and brute force. My network is every day
>seeing increasing activity of attempted ssh logins from multiple hosts +
>multiple logins with multiple passwords. Seems I get many of these messages
>
Yes, that's the latest pattern I have been seeing-- distributed, slow 
and coordinated.  Here is a sample from one of my honeypots.  The 
only way to deal with them I found is to have multiple sensors 
throughout my network and aggregate the data.  Otherwise, each IP 
only appears every few hrs in the logs.  In the snippet below, 
195.135.140.107 hit the one box 5 hrs later, but I had a dozen hits 
total in that short period elsewhere in my network.


Nov 24 05:19:09 server sshd[99051]: Invalid user daily from 195.135.140.107
Nov 24 05:21:43 server sshd[19081]: Invalid user daily from 78.36.196.2
Nov 24 05:23:40 server sshd[33746]: Invalid user daily from 62.123.229.20
Nov 24 05:31:18 server sshd[88003]: Invalid user neomail from 212.57.104.168
Nov 24 05:33:26 server sshd[11552]: Invalid user packages from 217.70.139.42
Nov 24 05:41:54 server sshd[2430]: Invalid user packages from 94.82.179.33
Nov 24 05:46:39 server sshd[30961]: Invalid user raqbackup from 99.63.133.121
Nov 24 05:51:27 server sshd[53631]: Invalid user raqbackup from 58.68.30.14
Nov 24 05:54:11 server sshd[72915]: Invalid user spool from 193.85.165.141
Nov 24 05:56:39 server sshd[93869]: Invalid user spool from 88.79.68.190
Nov 24 06:05:33 server sshd[53698]: Invalid user support from 91.144.140.84
Nov 24 06:09:12 server sshd[99870]: Invalid user techsupport from 190.96.169.145
Nov 24 06:12:41 server sshd[14339]: Invalid user techsupport from 221.6.14.108
Nov 24 06:14:53 server sshd[25984]: Invalid user techsupport from 89.97.228.190
Nov 24 06:16:37 server sshd[35437]: Invalid user techsupport from 62.23.130.173
Nov 24 06:20:04 server sshd[45740]: Invalid user customer from 221.148.90.73
Nov 24 06:30:24 server sshd[22798]: Invalid user michael from 200.6.208.158
Nov 24 06:32:57 server sshd[50955]: Invalid user michael from 82.212.49.128
Nov 24 06:38:13 server sshd[78472]: Invalid user michael from 80.32.236.113
Nov 24 14:15:58 server sshd[53503]: Invalid user folder from 194.78.138.227
Nov 24 14:18:29 server sshd[71545]: Invalid user rpcuser from 116.55.226.131
Nov 24 14:21:12 server sshd[99996]: Invalid user rpcuser from 190.67.23.122
Nov 24 14:26:21 server sshd[19058]: Invalid user rpcuser from 212.243.41.9
Nov 24 14:34:11 server sshd[79740]: Invalid user rpcuser from 217.70.139.42
Nov 24 14:19:32 server sshd[35166]: Invalid user rpcuser from 213.140.19.143
Nov 24 14:32:14 server sshd[47004]: Invalid user rpcuser from 212.0.127.98
Nov 24 14:34:46 server sshd[55993]: Invalid user rpcuser from 212.0.127.98
Nov 24 14:47:30 server sshd[80927]: Invalid user rpcuser from 95.91.122.220
Nov 24 14:50:02 server sshd[99146]: Invalid user rpcuser from 213.140.19.143
Nov 24 14:52:42 server sshd[17685]: Invalid user rpcuser from 218.69.27.138
Nov 24 15:01:39 server sshd[78630]: Invalid user rpcuser from 90.182.107.194
Nov 24 15:03:15 server sshd[94459]: Invalid user rpcuser from 212.0.127.98
Nov 24 15:06:56 server sshd[25865]: Invalid user security from 85.126.145.125
Nov 24 15:08:18 server sshd[39544]: Invalid user security from 58.68.30.14
Nov 24 15:12:18 server sshd[59293]: Invalid user security from 217.220.124.90



>Did not receive identification from X.X.X.X
>
>Mohd Fazli Azran
>System Analysis
>KL Malaysia

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike at sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
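The correlation Mike describes above (each source IP shows up only every few hours at any one sensor, and the same bogus username is walked across several sources in quick succession) is easy to miss with a per-host tool such as a fail2ban-style counter. The script below is an added example, not code from the original thread or from Sentex: it parses sshd "Invalid user" lines collected from several sensors, then flags (a) IPs that stay under a per-sensor threshold but cross a fleet-wide one, and (b) usernames probed from several distinct IPs inside a short window. The sensor names, the RFC 5737 documentation addresses in the sample log, and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd line format seen in the thread:
#   Nov 24 05:19:09 server sshd[99051]: Invalid user daily from 195.135.140.107
SSHD_INVALID_USER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample: three hypothetical sensors, RFC 5737 test addresses.
# 198.51.100.7 touches every sensor twice; 203.0.113.9 hammers one sensor.
SAMPLE_LOGS = {
    "dmz-a": [
        "Nov 24 05:19:09 dmz-a sshd[99051]: Invalid user daily from 198.51.100.7",
        "Nov 24 05:21:43 dmz-a sshd[19081]: Invalid user daily from 203.0.113.9",
        "Nov 24 05:31:18 dmz-a sshd[88003]: Invalid user rpcuser from 203.0.113.9",
        "Nov 24 05:33:26 dmz-a sshd[11552]: Invalid user rpcuser from 203.0.113.9",
        "Nov 24 05:41:54 dmz-a sshd[2430]: Invalid user rpcuser from 203.0.113.9",
        "Nov 24 05:46:39 dmz-a sshd[30961]: Invalid user spool from 203.0.113.9",
        "Nov 24 10:02:11 dmz-a sshd[53631]: Invalid user michael from 198.51.100.7",
        "Nov 24 10:03:00 dmz-a sshd[1]: Accepted publickey for mike from 192.0.2.1 port 2222 ssh2",
    ],
    "office-b": [
        "Nov 24 05:23:40 office-b sshd[33746]: Invalid user rpcuser from 198.51.100.7",
        "Nov 24 05:34:11 office-b sshd[79740]: Invalid user rpcuser from 192.0.2.4",
        "Nov 24 14:15:58 office-b sshd[53503]: Invalid user folder from 198.51.100.7",
    ],
    "colo-c": [
        "Nov 24 05:56:39 colo-c sshd[93869]: Invalid user rpcuser from 198.51.100.88",
        "Nov 24 15:01:39 colo-c sshd[78630]: Invalid user support from 198.51.100.7",
        "Nov 24 15:08:18 colo-c sshd[39544]: Invalid user security from 198.51.100.7",
    ],
}


def parse_invalid_user(sensor, line):
    """Return (sensor, timestamp, user, ip) for an 'Invalid user' line, else None."""
    m = SSHD_INVALID_USER.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the default 1900 is fine for
    # ordering and differences within a single month of data.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return (sensor, ts, m.group("user"), m.group("ip"))


def parse_all(logs_by_sensor):
    """Merge every sensor's lines into one time-ordered event list."""
    events = []
    for sensor, lines in logs_by_sensor.items():
        for line in lines:
            ev = parse_invalid_user(sensor, line)
            if ev is not None:
                events.append(ev)
    events.sort(key=lambda e: e[1])
    return events


def hits_by_sensor(events):
    """ip -> {sensor -> number of invalid-user attempts seen there}."""
    table = defaultdict(lambda: defaultdict(int))
    for sensor, _, _, ip in events:
        table[ip][sensor] += 1
    return table


def distributed_sources(events, per_sensor_max=2, fleet_min=4):
    """IPs that stay at or below per_sensor_max on every single sensor
    (so a host-local threshold never fires) yet reach fleet_min overall."""
    table = hits_by_sensor(events)
    return sorted(
        ip for ip, per_sensor in table.items()
        if sum(per_sensor.values()) >= fleet_min
        and max(per_sensor.values()) <= per_sensor_max
    )


def coordinated_usernames(events, min_ips=3, window_s=1800):
    """user -> max number of distinct source IPs that probed that username
    within any window_s-second sliding window (only users reaching min_ips)."""
    by_user = defaultdict(list)
    for _, ts, user, ip in events:
        by_user[user].append((ts, ip))
    hits = {}
    for user, probes in by_user.items():
        probes.sort()
        best = 0
        for i, (t0, _) in enumerate(probes):
            ips = {ip for t, ip in probes[i:] if (t - t0).total_seconds() <= window_s}
            best = max(best, len(ips))
        if best >= min_ips:
            hits[user] = best
    return hits


if __name__ == "__main__":
    evs = parse_all(SAMPLE_LOGS)
    print("slow/distributed sources:", distributed_sources(evs))
    print("usernames walked across sources:", coordinated_usernames(evs))
```

Run against the constructed sample, only 198.51.100.7 is reported as a distributed source: it never exceeds two attempts on any one sensor, which is exactly the case a single-host counter misses, while the noisy 203.0.113.9 is left to the ordinary per-host blocker. The username view reports rpcuser as probed from three distinct IPs inside half an hour, the rotation pattern visible in the honeypot log above. In production the same logic runs over syslog forwarded from all sensors to one collector; the thresholds are starting points to tune against your own baseline.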