Ruminations on an SSH attack
Bill Sconce
sconce at in-spec-inc.com
Sun Dec 18 14:47:01 EST 2005
On Wed, 14 Dec 2005 19:57:45 -0500
Ben Scott <dragonhawk at gmail.com> wrote:
> ...the fact
> that a great many of the world's computers are not, in fact, under the
> control of the nominal owner of said computer. (Spyware, adware,
> viruses, Trojans, zombies, etc., etc., ad infinitum, ad nauseam)
By coincidence, almost as Ben was writing this my firewall machine was
becoming the recipient of an SSH attack. (It didn't succeed, so far as I've
been able to tell). But after I finally noticed the attention we were getting
(er, it wasn't right away... and I needed help - thanks Bruce!!) there were
thousands of entries in the logs, over three days. Turns out we now seem to
have pen pals from Michigan to Beijing back to Reston VA.
OK, thousands of attempted logins - that's what a dictionary attack IS.
But what's interesting is how many addresses the attack came FROM, and
how quickly "the word" gets around when "someone" sees that a port at some
IP address is an SSH port. A "great many of the world's computers are not,
in fact, under the control of the nominal owner of said computer," Ben says.
Well, a high school in Korea, sure. A network company in Shanghai, natch.
But... a bank in Vermont?
*Verizon*? (heh, heh)
-Bill
________________________________________________________________________
The attacks came from (I wrote a Python program to extract the IPs from
7,078 lines of text in the log):
209.59.164.162
"Liquid Web", 4210 Creyts Rd., Lansing MI, US
201.11.221.140
Brasil Telecom S/A - Filial Distrito Federal, Brasilia
202.90.149.5
Advanced Science and Technology Institute, Quezon City, Philippines
204.126.80.26
NewsBank, Inc., 397 Main Street, Chester VT, US
210.97.10.180
Changhowon High School, Icheon Si, GYEONGGI-DO, Korea
211.99.64.236
Telecommunication Corporation, CNPC, Haidian District, Beijing
61.129.117.112
Shanghai Global Network Co., Ltd, 333 North Jiangxi Rd, Shanghai
70.109.161.147
Verizon Internet Services, 1880 Campus Commons Dr, Reston VA, US
85.214.22.59
Strato Rechenzentrum AG, Pascalstrasse 10, Berlin
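The extraction step Bill mentions (pulling the attacking addresses out of several thousand lines of sshd log) is the kind of thing worth keeping as a small reusable script. The one below is an added example, not the program from the post. It parses the "Failed password", "Invalid/Illegal user" and "Accepted" lines that OpenSSH writes via syslog, counts failed attempts and distinct usernames per source address, and flags any address that eventually got an accepted login after failures. The log lines are constructed for the example; the source addresses are the ones listed in the post, and 192.0.2.10 (a documentation-range address) stands in for a legitimate login.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the format sshd logs through syslog.  The addresses
# are those listed in the post; 192.0.2.10 represents a legitimate login.
SAMPLE_LOG = """\
Dec 15 03:12:01 fw sshd[12345]: Failed password for invalid user admin from 209.59.164.162 port 45212 ssh2
Dec 15 03:12:04 fw sshd[12346]: Failed password for root from 209.59.164.162 port 45213 ssh2
Dec 15 03:12:09 fw sshd[12347]: Failed password for invalid user test from 209.59.164.162 port 45214 ssh2
Dec 15 03:13:10 fw sshd[12350]: Illegal user oracle from 201.11.221.140
Dec 15 03:13:11 fw sshd[12350]: Failed password for illegal user oracle from 201.11.221.140 port 2244 ssh2
Dec 15 03:14:00 fw sshd[12360]: Accepted publickey for bill from 192.0.2.10 port 51000 ssh2
Dec 15 03:15:22 fw sshd[12370]: Failed password for invalid user guest from 210.97.10.180 port 3300 ssh2
Dec 15 03:15:23 fw sshd[12371]: Invalid user guest from 210.97.10.180
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# One failed authentication attempt (password, publickey, keyboard-interactive, ...).
# Older OpenSSH wrote "illegal user", newer writes "invalid user"; both are optional here.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:(?:invalid|illegal) user )?(?P<user>\S+) from " + IPV4
)
# Username probe for an account that does not exist (logged once per connection).
INVALID = re.compile(r"sshd\[\d+\]: (?:Invalid|Illegal) user (?P<user>\S+) from " + IPV4)
# Successful login; checked against the failure list to spot a guess that worked.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from " + IPV4)


def parse_line(line):
    """Return (kind, user, ip) for an sshd auth line, or None for anything else."""
    for kind, rx in (("accepted", ACCEPTED), ("failed", FAILED), ("invalid", INVALID)):
        m = rx.search(line)
        if m:
            return kind, m.group("user"), m.group("ip")
    return None


def summarize(lines):
    """Aggregate per source address: failed attempts, usernames tried, accepted logins."""
    attempts = Counter()
    users = defaultdict(set)
    accepted = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, user, ip = parsed
        if kind == "accepted":
            accepted[ip] += 1
        elif kind == "failed":
            attempts[ip] += 1
            users[ip].add(user)
        else:  # "invalid": a probe of a nonexistent account; records the name, not an attempt
            users[ip].add(user)
    return attempts, users, accepted


def report(lines, threshold=2):
    """Rows of (ip, failed_attempts, distinct_usernames), busiest first, at or above threshold."""
    attempts, users, _ = summarize(lines)
    return [(ip, n, len(users[ip])) for ip, n in attempts.most_common() if n >= threshold]


def suspicious_successes(lines):
    """Addresses that had failed attempts and later an accepted login: review these first."""
    attempts, _, accepted = summarize(lines)
    return sorted(ip for ip in accepted if attempts[ip] > 0)


if __name__ == "__main__":
    # Usage: python sshlog.py /var/log/auth.log   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for ip, n, k in report(log_lines, threshold=1):
        print(f"{ip:<16} {n:>6} failed attempts  {k:>4} usernames")
    for ip in suspicious_successes(log_lines):
        print(f"WARNING: accepted login from {ip} after failed attempts")
```

The per-address output is what you would feed to whois (as the post's list was), and the distinct-username count separates a dictionary run from someone who simply mistyped their own password. The "accepted after failures" check is the line worth alerting on: a burst of failures followed by a success from the same address is the signature of a guess that landed.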