Ruminations on an SSH attack

Bill Sconce sconce at in-spec-inc.com
Sun Dec 18 14:47:01 EST 2005


On Wed, 14 Dec 2005 19:57:45 -0500
Ben Scott <dragonhawk at gmail.com> wrote:

> ...the fact
> that a great many of the world's computers are not, in fact, under the
> control of the nominal owner of said computer.  (Spyware, adware,
> viruses, Trojans, zombies, etc., etc., ad infinitum, ad nauseam)


By coincidence, almost as Ben was writing this my firewall machine was
becoming the recipient of an SSH attack.  (It didn't succeed, so far as I've
been able to tell).  But after I finally noticed the attention we were getting
(er, it wasn't right away...  and I needed help - thanks Bruce!!) there were
thousands of entries in the logs, over three days.  Turns out we now seem to
have pen pals from Michigan to Beijing back to Reston VA.

OK, thousands of attempted logins - that's what a dictionary attack IS.

But what's interesting is how many addresses the attack came FROM, and
how quickly "the word" gets around when "someone" sees that a port at some
IP address is an SSH port.  A "great many of the world's computers are not,
in fact, under the control of the nominal owner of said computer," Ben says. 

Well, a high school in Korea, sure.  A network company in Shanghai, natch.

But...  a bank in Vermont?  

*Verizon*?   (heh, heh)

-Bill

________________________________________________________________________
The attacks came from (I wrote a Python program to extract the IPs from
7,078 lines of text in the log):

    209.59.164.162
        "Liquid Web", 4210 Creyts Rd., Lansing MI, US
        
    201.11.221.140
        Brasil Telecom S/A - Filial Distrito Federal, Brasilia
        
    202.90.149.5
        Advanced Science and Technology Institute, Quezon City, Philippines
        
    204.126.80.26
        NewsBank, Inc., 397 Main Street, Chester VT, US
    
    210.97.10.180
        Changhowon High School, Icheon Si, GYEONGGI-DO, Korea
        
    211.99.64.236
        Telecommunication Corporation, CNPC, Haidian District, Beijing
        
    61.129.117.112
        Shanghai Global Network Co., Ltd, 333 North Jiangxi Rd, Shanghai
        
    70.109.161.147
        Verizon Internet Services, 1880 Campus Commons Dr, Reston VA, US
        
    85.214.22.59
        Strato Rechenzentrum AG, Pascalstrasse 10, Berlin
        



More information about the gnhlug-discuss mailing list