Forums » Tech and Talk » OS and Software » All Things Unix » SSH scanning.
BeesTea
Network Janitor
Premium,VIP
join:2003-03-08

SSH scanning.

Hey folks, reports are starting to pop up about increased scanning for sshd's across the net. The scans are coming from all over but there are large concentrations of the scans originating in the .de .kr .se and .it tld's as well as comcast.net. I've seen these scans on three sampling points of mine. Each in different tld's, and each in distant IP blocks. The scanning is certainly far reaching.

Two logins are tried per scan, test and user.

It's not apparent yet what exactly is the reasoning behind the scans. Perhaps related to the apache_ssl vuln, perhaps the SWAT vuln, or worse perhaps a large mirror compromise and people are now fishing for installations from the mirror.

Either way, watch your sshd logs for connections and check your systems for either of those accounts.

Should you happen to find that your system has either of these accounts, please contact me via PM.

Cheers,
-BeesT
--
echo 16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlb xq |dc


Epyon9283
Premium
join:2001-12-26
Dayton, NJ
I don't have sshd open to the world but I got 44 hits on port 22 since the 20th. I never really check my firewall logs so I don't know if this is more than usual.


elboricua
El Subestimado
Premium
join:2001-08-12
Bronx, NY
reply to BeesTea
Thanks for the heads up. I just checked the logs on my firewall. Lots of "Illegal user test from" entries. More than usual. I normally get one or two a week. I have been getting 3 or 4 a day. Doing a whois on the IP's now.


elboricua
El Subestimado
Premium
join:2001-08-12
Bronx, NY


edit:
July 23rd, @11:39AM

Most of the IP's that have been scanning me are from Quebec and from the UK. In my case the usernames being tried are admin and user. With some root thrown in for good measure.

Some snippets from my logs.

Jul 19 14:42:02 Vulcan-Raven sshd[3959]: Illegal user admin from 213.86.59.248
Jul 19 14:42:02 Vulcan-Raven sshd[20578]: input_userauth_request: illegal user admin
Jul 19 14:42:02 Vulcan-Raven sshd[20578]: Failed password for illegal user admin from 213.86.59.248 port 40497 ssh2
Jul 19 14:42:02 Vulcan-Raven sshd[20578]: Received disconnect from 213.86.59.248: 11: Bye Bye
Jul 19 14:42:03 Vulcan-Raven sshd[6934]: Illegal user guest from 213.86.59.248
Jul 19 14:42:03 Vulcan-Raven sshd[30903]: input_userauth_request: illegal user guest
Jul 19 14:42:03 Vulcan-Raven sshd[30903]: Failed password for illegal user guest from 213.86.59.248 port 40525 ssh2
Jul 19 14:42:03 Vulcan-Raven sshd[30903]: Received disconnect from 213.86.59.248: 11: Bye Bye
Jul 19 14:42:03 Vulcan-Raven sshd[32021]: Illegal user admin from 213.86.59.248
Jul 19 14:42:03 Vulcan-Raven sshd[9129]: input_userauth_request: illegal user admin
Jul 19 14:42:03 Vulcan-Raven sshd[9129]: Failed password for illegal user admin from 213.86.59.248 port 40539 ssh2
Jul 19 14:42:04 Vulcan-Raven sshd[9129]: Received disconnect from 213.86.59.248: 11: Bye Bye
Jul 19 14:42:04 Vulcan-Raven sshd[31823]: Illegal user admin from 213.86.59.248
Jul 19 14:42:04 Vulcan-Raven sshd[24870]: input_userauth_request: illegal user admin

EDIT:

Added loginfo


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to BeesTea
Yep - I saw my first hit yesterday... no such users on my system. Actually just one user can ssh in, and I change that password regularly.

Sigh. Security is a pain.


elboricua
El Subestimado
Premium
join:2001-08-12
Bronx, NY

said by JohnInSJ See Profile:
Yep - I saw my first hit yesterday... no such users on my system. Actually just one user can ssh in, and I change that password regularly.

Sigh. Security is a pain.

Same here. Only one user can ssh in. I use key authentication with passphrase and I change the passphrase regularly. The key I change every 6 months or so.
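One way to check an sshd_config for the restrictions JohnInSJ and elboricua describe (a single permitted account, key-only authentication, root refused). This is an added example, not any poster's configuration: both config fragments are constructed and the `alice` account is a placeholder.

```python
# Audit the global section of an sshd_config for the hardening discussed in the thread.
# Added example; the two config texts are constructed and "alice" is a placeholder.

# Weak: stock-style config, every local account is password-guessable, root included.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

# Hardened: one named account, public-key only, root refused outright.
HARDENED_CONFIG = """\
Port 22
# only this account may authenticate at all
AllowUsers alice
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
"""

# Expected values. A missing keyword is treated as "yes", the default for both in the
# OpenSSH of the period (PermitRootLogin has defaulted to prohibit-password since 7.0).
WANT = {"passwordauthentication": "no", "permitrootlogin": "no"}


def parse_global(text):
    """Return {keyword (lowercased): value} for the global section of an sshd_config.
    sshd honours the first occurrence of a keyword, keywords are case-insensitive and
    '#' lines are comments; directives after a 'Match' line are conditional, so stop there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(text):
    """List settings that leave probed accounts (test, guest, admin, root) reachable."""
    cfg = parse_global(text)
    findings = [f"{k}: got {cfg.get(k, 'yes')!r}, want {v!r}"
                for k, v in WANT.items() if cfg.get(k, "yes").lower() != v]
    if not cfg.get("allowusers") and not cfg.get("allowgroups"):
        findings.append("no AllowUsers/AllowGroups: every local account is a login target")
    return findings
```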


sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Budd Lake, NJ
·Optimum Online

reply to BeesTea
Interesting, I have a crash box that lives outside the firewall. There was a typo in the ipfilter config so it was filtering the interface that I wasn't using.

Yesterday's daily run email showed one IP hitting ssh with the "normal" list of installed accounts, such as "guest, games, toor, nobody", etc. Hadn't seen that in a very long time. APNIC IP source.
--
Thanks for the memories
Don't forget to vote!


deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE
reply to BeesTea
No hits for me yet on my firewall with static SBC service. But thanks for the heads up. I don't allow ssh from anywhere but trusted hosts, but it's good to know anyway.
--
"I drank what?" -Socrates


yock
Eschew the False Dichotomy
Premium
join:2000-11-21
Fairfield, OH


edit:
July 23rd, @01:43PM

reply to BeesTea
I'm sitting here at work looking at this, knowing that I just opened outside SSH to my network on Wednesday. I suppose I have something to check when I get home.

[edit]
By the way, could this be the prelude to the discovery of a new exploit?


Drunkula
Premium
join:2000-06-12
Denton, TX
·Verizon FIOS


edit:
July 23rd, @03:52PM

reply to BeesTea
Anybody care to set up a honeypot? It could be interesting to see what they are trying to do...
[edit]
I just remembered I get 2 IPs with this cable account. I may setup my laptop running SuSE on the 2nd IP just to see what happens.
--
'I just love scanning for lifeforms!'


yock
Eschew the False Dichotomy
Premium
join:2000-11-21
Fairfield, OH
I have a Slack 10 box I just setup last night. It's still bare, so if you're all interested, let me know...


boredMDer
Premium
join:2002-09-22
Pasadena, MD

reply to BeesTea
Hmm, only a few attempts here -
Jul 22 01:47:46 hackzbox sshd[4477]: Failed password for illegal user test from 24.14.31.145 port 3565 ssh2
Jul 22 01:47:47 hackzbox sshd[4479]: Failed password for illegal user guest from 24.14.31.145 port 3621 ssh2
Jul 18 03:45:38 hackzbox sshd[25647]: Failed password for illegal user test from 62.117.99.83 port 3841 ssh2
Jul 18 03:45:39 hackzbox sshd[25649]: Failed password for illegal user guest from 62.117.99.83 port 3870 ssh2

However, I've had a lot more scans on my ftp, which I guess could be normal, but since I rarely check my auth logs, not really something I've seen -
[ Fri Jul 23 - 16:02:22 - pts/21 ]
[pmohr@HackzBox] log $ sudo grep no\ such\ user auth.log | wc -l
16
[ Fri Jul 23 - 16:02:24 - pts/21 ]
[pmohr@HackzBox] log $ sudo bzcat auth.log.*.bz* | grep no\ such\ user | wc -l
16
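A small parser for the sshd entries quoted in this thread (elboricua's "Illegal user" / "Failed password" lines and the grep | wc tally boredMDer ran), grouping failed logins by source address and flagging sources that work through the test/guest/admin/user list. This is an added example, not code from the thread; the log lines are constructed in the same format, with RFC 5737 documentation addresses standing in for the posters' real sources.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the OpenSSH syslog format quoted in the thread (documentation
# addresses, not the real scan sources). One attempt yields both an "Illegal user" line
# and a "Failed password" line, so only the latter is counted to avoid double counting.
SAMPLE_LOG = """\
Jul 19 14:42:02 Vulcan-Raven sshd[3959]: Illegal user admin from 192.0.2.10
Jul 19 14:42:02 Vulcan-Raven sshd[20578]: input_userauth_request: illegal user admin
Jul 19 14:42:02 Vulcan-Raven sshd[20578]: Failed password for illegal user admin from 192.0.2.10 port 40497 ssh2
Jul 19 14:42:02 Vulcan-Raven sshd[20578]: Received disconnect from 192.0.2.10: 11: Bye Bye
Jul 19 14:42:03 Vulcan-Raven sshd[6934]: Illegal user guest from 192.0.2.10
Jul 19 14:42:03 Vulcan-Raven sshd[30903]: Failed password for illegal user guest from 192.0.2.10 port 40525 ssh2
Jul 22 01:47:46 hackzbox sshd[4477]: Failed password for illegal user test from 198.51.100.7 port 3565 ssh2
Jul 22 01:47:47 hackzbox sshd[4479]: Failed password for illegal user guest from 198.51.100.7 port 3621 ssh2
Jul 22 09:12:00 hackzbox sshd[5000]: Failed password for alice from 203.0.113.5 port 51000 ssh2
"""

# "illegal user" appears when the account does not exist on the box at all.
FAILED = re.compile(r"Failed password for (?:illegal user )?(\S+) from (\S+) port \d+ ssh2$")

# Account names the thread reports the scanner cycling through.
PROBE_NAMES = {"test", "guest", "admin", "user"}


def failed_logins(text):
    """Map source IP -> Counter of usernames that got a failed password from that IP."""
    per_ip = defaultdict(Counter)
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip][user] += 1
    return per_ip


def probe_sources(text, min_names=2):
    """Sources that tried at least min_names distinct names from PROBE_NAMES, sorted.
    One wrong password for a real account (the alice line) is ordinary noise; the
    test/guest pair from a single address is the scanner signature the thread describes.
    """
    return sorted(ip for ip, users in failed_logins(text).items()
                  if len(PROBE_NAMES & set(users)) >= min_names)


def nonexistent_user_attempts(text):
    """Count 'Failed password for illegal user' lines: the sshd analogue of the
    'no such user' grep | wc -l tally boredMDer ran against the ftp auth log."""
    return sum(1 for line in text.splitlines() if "Failed password for illegal user" in line)
```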


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
·SONIC.NET

Weird. I got a 4 more today, from 194.105.226.117 (skjalfti17.simnet.is)- same test/guest ssh probe. Something must be worming its way around the net.

Iceland? (simnet.is) O...K...


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
·SONIC.NET

Oh hey guys you might want to drop the SANS Internet Storm Center folks a message - they're tracking this to see how big it is.

»isc.incidents.org/diary.php?isc=···a345f342


shdesigns
Powered By Infinite Improbability Drive
Premium
join:2000-12-01
Stone Mountain, GA
·Atlantic Nexus

reply to BeesTea
MyNetwatchman shows ssh on the "increasing" hits. The logs show each IP scanning multiple boxes.

»www.mynetwatchman.com/incidentsb···e=tcp/22

It increased to 0.2% of total, up from 0.1%, so 2x, but not the highest, but still in the top 10 increasing.
--
Scott Henion
Embedded Systems Consultant, shenion on #ATU http://shdesigns.org


yock
Eschew the False Dichotomy
Premium
join:2000-11-21
Fairfield, OH
That is interesting, there are scans coming from my old ISP Fuse.net.


nklb
Premium
join:2000-11-17
Ypsilanti, MI
clubs:

reply to BeesTea
I'm also showing this trend. 62.94.74.44 seems to have tried several times;

Jul 17 02:57:40 [sshd] Illegal user test from 62.94.74.44
Jul 17 02:57:40 [sshd] error: Could not get shadow information for NOUSER
Jul 17 02:57:40 [sshd] Failed password for illegal user test from 62.94.74.44 port 4860 ssh2
Jul 17 02:57:41 [sshd] Failed password for illegal user guest from 62.94.74.44 port 4903 ssh2
--
for all your Linux questions


sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Budd Lake, NJ
·Optimum Online

reply to BeesTea
This is a good place to get a little advance notice of anything interesting going down:

»www.openbsd.org/cgi-bin/cvsweb/s···bin/ssh/

I don't see too much of note, but then again I didn't click through every commit comment...
--
Thanks for the memories
Don't forget to vote!


computx
Is it Friday yet?
Premium
join:2000-09-02
Kirksville, MO
reply to BeesTea
A few hits here with test and guest as the username also.
Mine are coming from italy and a Sprint ip block.
--
To err is human...to really foul up requires the root password.
--redefeat bush in november! --


deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE
·Verizon FIOS
·Comcast Workplace
·DSL EXTREME

reply to nklb
This is disconcerting. The machine that scanned you is running an open OpenSSH daemon:

$ telnet 62.94.74.44 22
Trying 62.94.74.44...
Connected to 62.94.74.44.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.8p1
^]

And it's a recent one. Definitely smells like a 0-day kiddie exploit :/

Unfortunately for it, most of the accounts it tries would not exist on the majority of unix boxes, nor would they be stupid enough to have one of these default passwords. This sort of probing is more like a windows exploit probing for passwordless or common password administrator accounts. It doesn't make sense for Unix targets, really.
--
"I drank what?" -Socrates