Hi Alexandre,

I also noticed an increase of the SSH scans... I have some honeypots set up and all of them are being scanned constantly. To avoid this on my "real" servers I run the OSSEC HIDS with active response enabled... It by default analyses your logs (in real time) and after a few invalid user names or multiple password attempts it will add the IP to the hosts.deny list and also block it on the firewall (right now only iptables, ipfilter and AIX ipsec are supported). Changing the port of the SSH also helps reduce the trash in the logs...

*http://www.ossec.net/hids/ (ossec hids web site)

Thanks,

-- Daniel B. Cid, CISSP

--- Alexandre H <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I've witnessed what I think is an increase in SSH scans over the Internet in the past four or five weeks. The scan seems to originate from various countries around the globe, which makes me think it is a worm-like spreading virus searching for vulnerable systems running the SSH service. I confirmed the attack with a friend of mine who also happens to run an SSH server at home. We both live in Montreal, QC, Canada and are using the same ISP.
>
> Since January 29 (maybe before), no less than 26000+ connection attempts have been made on my system (which is running SSH) -- 4000 just in the last three days. Each attempt tries to log in with a specific username, but many attempts are made in a short period of time (1 to 2 minutes) with different usernames. I believe that the worm holds a list of common usernames and passwords and successively tries to connect with each of them when it finds a host with port 22 open.
>
> Typical attacks are similar to the following:
>
> # grep Invalid /var/log/messages | head
> Feb 26 15:06:12 localhost sshd[3500]: Invalid user delta from 194.44.247.243
> Feb 26 15:06:14 localhost sshd[3502]: Invalid user admin from 194.44.247.243
> Feb 26 15:06:16 localhost sshd[3504]: Invalid user test from 194.44.247.243
> Feb 26 15:06:18 localhost sshd[3506]: Invalid user testing from 194.44.247.243
> Feb 26 15:06:20 localhost sshd[3508]: Invalid user tester from 194.44.247.243
> Feb 26 15:06:22 localhost sshd[3510]: Invalid user academy from 194.44.247.243
> Feb 26 15:06:24 localhost sshd[3512]: Invalid user protector from 194.44.247.243
> Feb 26 15:06:27 localhost sshd[3516]: Invalid user skylyn from 194.44.247.243
> Feb 26 15:06:31 localhost sshd[3520]: Invalid user webmaster from 194.44.247.243
> Feb 26 15:06:33 localhost sshd[3522]: Invalid user master from 194.44.247.243
>
> In my attempt to get an initial idea of what it could be, I fired my telnet client to connect to 2-3 random hosts among the addresses and tried to see if their SSH service was up. Indeed they were, and their banner showed what seemed to be an older version of SSH (seen OpenSSH 3.5 and 3.6). Also, one of these had the default Apache web page on its web server.
>
> I have attached a list of IP addresses from which the attack originated so far. The text file contains the addresses from my system log files and from my friend's log files. I have yet to contact the responsible people of the corresponding domains.
>
> Also, the list of different usernames is varied -- I count 4712 different login names in my system log files. I attached a list of usernames to this message. It may be a good idea to check your systems to see if any of the provided usernames is present and has a weak password.
>
> A quick look on the web for a mention of this SSH scan didn't provide me with a satisfying explanation.
>
> Did anyone ever notice such abnormal traffic in their system logs? I'd be interested to hear about it. Also, to read about it if any alert has been published on the web.
>
> Thanks.
>
> Alexandre Hamelin
>
>
> 127.0.0.1
> 132.208.131.220
> 195.136.50.169
> 195.226.181.130
> 200.243.20.1
> 201.128.58.157
> 201.224.216.66
> 201.231.41.75
> 202.87.44.6
> 203.232.240.62
> 207.150.188.10
> 209.1.163.104
> 211.114.82.252
> 211.21.59.105
> 216.143.235.193
> 217.77.71.41
> 218.233.70.200
> 218.80.222.134
> 219.123.39.115
> 219.134.
> 220.193.98.15
> 220.247.217.189
> 220.248.119.254
> 221.158.159.71
> 221.247.6.118
> 24.152.183.143
> 24.34.144.241
> 24.37.8.148
> 59.106.29.182
> 59.120.34.161
> 61.154.10.28
> 62.217.39.27
> 65.98.70.122
> 67.41.115.90
> 70.26.122.173
> 80.191.68.130
> 82.224.139.101
> 83.17.24.30
> 87.226.11.39
> 125.248.150.148
> 161.111.231.250
> 170.140.151.53
> 193.147.136.95
> 194.44.247.243
> 195.50.153.246
> 200.206.25.19
> 200.49.242.35
> 201.12.114.5
> 201.234.207.16
> 202.138.185.211
> 202.141.128.120
> 202.63.110.66
> 202.63.163.98
> 203.117.210.109
> 209.205.202.70
> 209.59.134.195
> 210.181.198.72
> 210.245.87.54
> 211.137.85.187
> 211.20.135.84
> 211.214.219.118
> 212.227.165.57
> 218.188.0.35
> 218.248.33.225
> 218.27.102.6
> 219.166.83.13
> 220.194.58.127
> 24.6.172.227
> 58.80.230.46
> 59.124.30.40
> 61.11.52.6
> 61.19.46.137
> 61.219.134.90
> 61.220.106.90
> 61.222.201.234
> 61.78.59.216
> 62.111.225.188
> 66.201.244.225
> 67.69.105.30
> 69.159.103.178
> 80.53.222.218
> 83.104.159.111
> 84.245.14.208
> ::ffff:12.5.252.13
> ::ffff:125.251.147.197
> ::ffff:202.115.131.206
> ::ffff:202.57.134.147
> ::ffff:203.100.127.12
> ::ffff:203.131.72.116
> ::ffff:209.45.74.105
> ::ffff:210.104.255.77
> ::ffff:211.162.78.106
> ::ffff:211.90.119.91
> ::ffff:213.33.189.42
> ::ffff:213.85.52.3
> ::ffff:216.208.255.30
> ::ffff:218.146.254.87
> ::ffff:218.24.139.109
> ::ffff:218.97.192.161
> ::ffff:220.194.55.122
> ::ffff:220.66.95.133
> ::ffff:222.233.123.198
> ::ffff:24.203.174.17
> ::ffff:24.39.225.89
> ::ffff:58.81.118.237
> ::ffff:59.0.190.1
> ::ffff:61.152.114.111
> ::ffff:61.152.162.37
> ::ffff:61.233.28.130
> ::ffff:61.250.82.53
> ::ffff:67.177.243.77
> ::ffff:67.32.49.180
> ::ffff:69.53.127.51
> ::ffff:80.190.207.15
> ::ffff:84.55.133.100
>
> 1
> 123qwe
> 2005
> 20admin
> 20info
> 20jobs
> 20mail
> 20support
> Aaliyah
> Aaron
> Aba
> Abel
> Access
> Chicago
> Christ
> Dakota
> Exit
> Ionut
> Ionutz
> Jewel
> Jordan
> Joshua
> Justin
> Melk
> Nicole
> PostgreSQL
> Robert
> Victor
> Where
> Zmeu
> a-sawa
> a...
> a1
> a2
> a3
> aa
> aaa
> aabusiness
> aahelp
> aai
> aaliyah
> aaron
> aarti
> abbey
> abby
> abc
> abcd
> abdenace
> abdol
> abdul
> abdulkaf
> abdullah
> abdur
> abe
> abel
> abigail
> abilenki
> abliss
> abofus
> abracadabra
> abraham
> abrar
> absolute
> absurdir_deadphp
> abundant
> abuse
> acacia
> academia
> academic
> academy
> accept
> access
> acchan
> accompong
> account
> accounting
> accounts
> accountservices
> accoutn
> ace
> achille
> acid
> acosialls
> action
> ad
> ada
> adabas
> adam
> add
> addcat
> addictioninformation
> addies
> addiessandravol
> addlife
> addlink
> address
> adela
> adelina
> adeline
> adi
> adidas
> adina
> adine
> adinfo
> adkmotel
> adlai
> admin
> admin2
> adminbox
> admincontact
> administration
> administrator
> admins
> adminsbb
> adminsupport
> admissions
> adolf
> adolph
> adonis
> adonix
> adouglas
> adresponse
> adrian
> adriana
> ads
> adsales
> aduard
> adult
> adv
> advantage
> advertise
> advertising
> advisor
> ae
> aecpro
> af
> affiliate
> affiliateinfo
> affiliatel
> affiliateprogram
> affiliater
> affiliaterelations
> affiliates
> affiliatesale
> affiliatesuccess
> affiliatesupport
> africa
> afrodita
> ag
> agata
> agatha
> agency
> agent
> agentsale
> agnes
> ahile
> ahmed
> ahmet
> ahto
> ai
> aidan
> aimee
> air
> airplain
> aisha
> aix
> aizawa
> aja
> ajiro
> aki
> akia
> akon
> al
> alain
> alan
> alancat
> alarm
> alarmist
> alastair
> albert
> albertha
> alberto
> album
> aldo
> alec
> alegra
> alejandro
> alen
> alenka
> aleon
> alert
> alex
> alexa
> alexander
> alexandra
> alexandru
> alexie
> alexis
> alf
> alfred
> ali

=== message truncated ===
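The log-analysis plus active-response behaviour Daniel describes (count invalid-user attempts per source in real time, then add the source to hosts.deny) can be illustrated with a small detector run over sshd lines like the ones Alexandre quoted. The following is an added example written for this page, not OSSEC's code: the threshold (5 attempts), the sliding window (120 seconds), the year supplied for the syslog timestamps, the hosts.deny output format and the sample log (the first lines mirror the quoted ones; the 10.0.0.x hosts are constructed) are all assumptions.

```python
"""Sliding-window detector for sshd "Invalid user" events.

Added example for this page. It mimics the idea of log analysis plus
active response described for OSSEC (count invalid-user attempts per
source, then deny the source), but it is NOT OSSEC's implementation.
Threshold, window, year and output format are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# syslog line as sshd writes it to /var/log/messages (no year in the stamp);
# newer sshd versions append " port N" after the address, so that is optional
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+)(?: port \d+)?$"
)


def parse_line(line, year=2006):
    """Return (timestamp, user, ip) for an 'Invalid user' line, else None.

    syslog omits the year, so one is supplied (assumed 2006 here). sshd on a
    dual-stack socket logs IPv4 peers as '::ffff:a.b.c.d'; the prefix is
    stripped so the same client is counted whichever way it appears.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ip = m["ip"]
    if ip.startswith("::ffff:"):
        ip = ip[len("::ffff:"):]
    return ts, m["user"], ip


class InvalidUserDetector:
    """Alert once per source IP when it produces `threshold` invalid-user
    attempts inside a `window_seconds` sliding window (assumed defaults:
    5 attempts in 120 s)."""

    def __init__(self, threshold=5, window_seconds=120):
        self.threshold = threshold
        self.window = window_seconds
        self.recent = defaultdict(deque)  # ip -> deque of (ts, user) in window
        self.blocked = {}                 # ip -> list of usernames tried

    def feed(self, line):
        """Consume one log line; return the IP if it just crossed the threshold."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, user, ip = parsed
        if ip in self.blocked:            # already decided; no duplicate alerts
            return None
        q = self.recent[ip]
        q.append((ts, user))
        # drop attempts that have fallen out of the window
        while q and (ts - q[0][0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = [u for _, u in q]
            return ip
        return None

    def hosts_deny(self):
        """Render the block list as /etc/hosts.deny lines for sshd."""
        return [f"sshd: {ip}" for ip in sorted(self.blocked)]


# Constructed sample: the 194.44.247.243 lines mirror the ones quoted in the
# thread; the 10.0.0.x hosts are made up to show a non-matching line and a
# slow scan that never reaches the threshold inside one window.
SAMPLE_LOG = """\
Feb 26 15:06:12 localhost sshd[3500]: Invalid user delta from 194.44.247.243
Feb 26 15:06:14 localhost sshd[3502]: Invalid user admin from 194.44.247.243
Feb 26 15:06:16 localhost sshd[3504]: Invalid user test from 194.44.247.243
Feb 26 15:06:18 localhost sshd[3506]: Invalid user testing from 194.44.247.243
Feb 26 15:06:20 localhost sshd[3508]: Invalid user tester from 194.44.247.243
Feb 26 15:06:22 localhost sshd[3510]: Invalid user academy from 194.44.247.243
Feb 26 15:06:25 localhost sshd[3511]: Accepted publickey for alice from 10.0.0.5 port 51515 ssh2
Feb 26 15:10:00 localhost sshd[3600]: Invalid user guest from ::ffff:10.0.0.9
Feb 26 15:40:00 localhost sshd[3601]: Invalid user guest from ::ffff:10.0.0.9
Feb 26 16:10:00 localhost sshd[3602]: Invalid user guest from ::ffff:10.0.0.9
"""


def run_sample(log_text=SAMPLE_LOG):
    """Feed the sample through a detector; return (detector, alerted IPs)."""
    det = InvalidUserDetector()
    alerts = [ip for ip in map(det.feed, log_text.splitlines()) if ip]
    return det, alerts


if __name__ == "__main__":
    det, alerts = run_sample()
    print("alerts:", alerts)
    print("\n".join(det.hosts_deny()))
```

Running it alerts on 194.44.247.243 at the fifth attempt (eight seconds into the burst) and emits `sshd: 194.44.247.243`, while the slow 10.0.0.9 scan, one attempt every thirty minutes, never accumulates five attempts within the window and is not blocked; a real deployment would also want an expiry for the deny entries and a whitelist for management hosts, both of which this sketch omits.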
