Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Incidents: RE: Weird SSH attack last night and this morning (still ongoing)

RE: Weird SSH attack last night and this morning (still ongoing)

From: Erin Carroll <amoeba_at_amoebazone.com>
Date: Wed, 7 May 2008 11:15:38 -0700

Robert,

I agree that this kind of traffic/attack is extremely common. The only
notable thing about this one is the very slow attack interval perceived by
the individual targets. Instead of hammering away at a single target it
looks like a botnet which is cycling through a large list of targets to
spread the attack around and more likely sneak in under the radar. That way
the botnet can leverage its size to run thousands of attacks simultaneously
but limit the risk of alerting the individual targets since each destination
is hit with attempts in a small trickle. This method of attack is not so
common.

It's easy to see or be alerted on the defense side of hundreds or thousands
of failed attempts but a couple an hour from all different IP's? Fairly easy
to imagine this slipping past most automated defense or threshold-based
protections alerts for organizations. Fail2ban, denyhosts, and other ways of
automating response need the threshold to be reached to blackhole/null the
attacker source. This attack pattern seems explicitly designed to bypass
those types of controls which is what makes it interesting. 

--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba_at_amoebazone.com
"Do Not Taunt Happy-Fun Ball"
-----Original Message-----
From: Robert Taylor [mailto:rjamestaylor_at_gmail.com] 
Sent: Wednesday, May 07, 2008 10:04 AM
To: Gary Baribault
Cc: incidents_at_securityfocus.com
Subject: Re: Weird SSH attack last night and this morning (still ongoing)
It's extremely common to have these scans.
http://robotterror.com/site/wiki/mitigating_brute_force_password_attacks_wit
h_pam_abl
That's a link to my blog. I'm a Linux System Admin at a major hosting  
company; this is something I see nightly. Usually, though, I see hits  
on the order of thousands per hour before I get worried.
On May 7, 2008, at 7:27 AM, Gary Baribault wrote:
> I don't know what is going on last night and this morning ... I have  
> three Linux servers facing the Internet, two on cable modems and  
> another on a static IP/commercial connection and this last one is a  
> gateway to a Web/FTP/SMTP/Pop3/NTP Linux based system.
>
> I have DenyHosts installed on all three and have blocked about 75  
> attempts ..  from known compromised adresses .. The log shows  
> (obviously) that there where even more attempts from adresses that  
> are unknown to DenyHosts but there was only one login attemps per  
> adress and it was with the Root account .. which is obviously  
> blocked in my sshd config ..
>
> Of the three machines, one of them only had about 10 attempts, but  
> the other two had about 200 attempts .. all of them with only 1 try  
> with the user Root ..
>
> Is any one else seing this? or am I being targeted? This is still  
> going on now .. and it started arround 10:00 last night GMT+4
>
> -- 
> Gary Baribault
> Courriel: gary_at_baribault.net
> GPG Key: 0x4346F013
> GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013
>
Received on May 07 2008
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]