ARCHIVE :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FYI: SSH scanning changes to a more distributed (coordinated?) model.

SSH scanning changes to a more distributed (coordinated?) model.
Published: 2007-10-22
Last Updated: 2007-10-22 19:17:15 UTC
by Donald Smith (Version: 2)

We have seen reports in the past where a single victim was attacked by multiple 
source IP addresses in an SSH brute-force attempt, but usually it has been a 
single source IP address or at most a few.
Today we had 4 separate reports of an increase in SSH brute-force attacks. Two 
of those reports stated that they were seeing lots of source hosts against a 
single victim. The isc.sans.org port 22 graph supports this, as there has been a 
large increase in the source hosts seen in SSH scans during this month. If you 
can verify that this is a distributed, coordinated attack, as some of us suspect, 
that would be helpful. The type of coordination I would expect in this case is 
different systems using different account/password pairs.

"Almost every hour logcheck is emailing me about failed SSH logins. In the past 
the failed logins usually came from just one host at a time. fail2ban on my 
server would take care of this and I wouldn't worry. But now I'm seeing 
multiple servers all trying within minutes of each other and they'll only try a 
few times so fail2ban isn't working very effectively. It only appears to be for 
user "root" and "mysql"." (David)

"We're seeing unusually high inbound SSH scanning across our networks. The 
activity showed up on our radar 10/21 around 18:30 CDT (23:30 GMT). Some of the 
reverse lookups on scanning hosts suggest that these systems are compromised 
themselves (e.g. nagios.blah.tld or mail.blah.tld); many reverse lookups do not 
suggest this... At first blush, it appears that the majority of these remote 
scanners are in Europe or Eastern Europe." (Bert)

"I see 2 or three ssh attempts in a day, and suddenly I'm seeing one about 
every 3 minutes, starting almost an hour ago (reported around 6am MDT). 
Anyone else seeing this stuff? Thanks." (James)

UPDATE: Coordination appears to be verified:

"What was more interesting than the distribution of the scans was that each host 
appeared to scan a different part of the dictionary. Normally we give them 11 
tries and then iptables locks them out. When I looked at last week's log 
summary I was surprised to find several groups of 11 login name attempts which 
clearly began in different parts of the alphabet. This looks like an attempt 
to bypass the limited number of probes from any one host which most good 
firewall programs impose." (Ben)
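The two points the reporters above make (David: each host tries only a few times, so a per-source ban such as fail2ban never fires; Ben: each host works a different slice of the username dictionary) can both be checked directly from sshd's auth log by aggregating failures across sources instead of per source. The script below is an added example written for this archive entry, not code from the ISC diary or from any of the reporters. It parses the standard OpenSSH "Failed password" syslog line, runs a fail2ban-style per-source threshold over a constructed sample log (hypothetical host name, RFC 5737 documentation addresses, made-up usernames), then shows a per-window aggregate that flags the same sample because many distinct sources fail while none reaches the per-host cap, and finally maps each source to the first letters of the usernames it tried so the split-dictionary pattern becomes visible. Thresholds and window sizes are illustrative assumptions, not values from the diary.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" line in syslog format (the timestamp carries no year).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (hypothetical host, RFC 5737 addresses): one stray failure,
# then four sources that each try only three names within minutes of each other,
# with each source working a different letter of the username list.
SAMPLE_LOG = """\
Oct 22 17:58:41 bastion sshd[4010]: Failed password for jdoe from 192.0.2.10 port 51022 ssh2
Oct 22 18:30:02 bastion sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Oct 22 18:30:09 bastion sshd[4103]: Failed password for invalid user alex from 198.51.100.7 port 40215 ssh2
Oct 22 18:30:15 bastion sshd[4105]: Failed password for invalid user anna from 198.51.100.7 port 40219 ssh2
Oct 22 18:33:40 bastion sshd[4120]: Failed password for invalid user bob from 203.0.113.45 port 33001 ssh2
Oct 22 18:33:47 bastion sshd[4122]: Failed password for invalid user brian from 203.0.113.45 port 33005 ssh2
Oct 22 18:33:55 bastion sshd[4124]: Failed password for invalid user bruce from 203.0.113.45 port 33009 ssh2
Oct 22 18:37:12 bastion sshd[4140]: Failed password for invalid user carl from 198.51.100.88 port 52010 ssh2
Oct 22 18:37:20 bastion sshd[4142]: Failed password for invalid user chris from 198.51.100.88 port 52014 ssh2
Oct 22 18:37:27 bastion sshd[4144]: Failed password for invalid user claire from 198.51.100.88 port 52018 ssh2
Oct 22 18:41:03 bastion sshd[4160]: Failed password for invalid user dave from 203.0.113.9 port 60100 ssh2
Oct 22 18:41:11 bastion sshd[4162]: Failed password for invalid user dean from 203.0.113.9 port 60104 ssh2
Oct 22 18:41:18 bastion sshd[4164]: Failed password for invalid user diana from 203.0.113.9 port 60108 ssh2
"""


def parse_failed_logins(text, year=2007):
    """Return sorted (timestamp, username, source_ip) tuples for failed-password lines."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return sorted(events)


def per_source_bans(events, max_tries=5, window=timedelta(minutes=10)):
    """fail2ban-style rule: a source is banned only when it alone exceeds
    max_tries inside the window. A host that stops at a few tries is never banned."""
    recent, banned = defaultdict(list), set()
    for ts, _, ip in events:
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) > max_tries:
            banned.add(ip)
    return banned


def distributed_windows(events, window=timedelta(minutes=30), min_sources=4, per_host_cap=5):
    """Aggregate failures per time bucket across all sources. A bucket is flagged
    when at least min_sources distinct hosts fail while no single host reaches
    per_host_cap, which is exactly the pattern a per-source ban misses."""
    t0, buckets = events[0][0], defaultdict(list)
    for ev in events:
        buckets[int((ev[0] - t0) / window)].append(ev)
    flagged = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        by_ip = Counter(ip for _, _, ip in evs)
        if len(by_ip) >= min_sources and max(by_ip.values()) < per_host_cap:
            flagged.append({"window_start": t0 + idx * window, "sources": len(by_ip),
                            "failures": len(evs), "users": sorted({u for _, u, _ in evs})})
    return flagged


def dictionary_split(events):
    """Map each source to the first letters of the usernames it tried."""
    letters = defaultdict(set)
    for _, user, ip in events:
        letters[ip].add(user[0].lower())
    return {ip: "".join(sorted(s)) for ip, s in letters.items()}


def split_is_disjoint(letters):
    """True when no two sources overlap in the first-letter slice they worked,
    the signature of one wordlist divided among cooperating hosts."""
    seen = Counter()
    for s in letters.values():
        seen.update(s)
    return all(n == 1 for n in seen.values())


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    print("per-source bans:", per_source_bans(evs) or "none")
    for w in distributed_windows(evs):
        print("distributed window:", w)
    letters = dictionary_split(evs)
    print("letters per source:", letters, "disjoint:", split_is_disjoint(letters))
```

Run as is, the per-source rule returns no bans, while the aggregate view flags the 18:28 to 18:58 bucket with 4 sources and 12 failures, and the letter map shows each source confined to its own part of the alphabet. In production the same aggregation belongs on the log collector rather than on each host, since the whole point of the pattern is that no single host sees enough from any one source to act.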


Copyright © Lexa Software, 1996-2009.