This is an analysis of the output of the logwatch utility running on three systems at a large university in the midwestern U.S., on a /16 (or Class B) IP address block. It records only the attempts to break in via SSH, for an arbitrarily chosen period in the summer of 2006, and ignores the constant flood of connection attempts to other commonly attacked ports (SMTP, DNS, HTTP, Windows file and print sharing, Microsoft SQL Server, etc). See http://dshield.org/ for information on the current threat environment on the Internet and the ports commonly used in current attacks.
The following shows SSH attacks detected against three hosts. UNIX hosts with the hostnames and IP addresses of host1 and host2 have been on the net for several years. The system host3 was put on the net 15 weeks before the below data was captured. It was not attacked at all with SSH for its first three days, and then an attacker's automated scan for SSH servers detected it. Within 15 weeks it had become at least as popular a target as the others.
The following further summarizes the logwatch output to simply give counts of SSH attempts for root and non-root accounts. Note that all the systems have been configured so that even if you knew the root password you still could not log in as root; see my Linux and OpenBSD hardening page for how to configure the SSH service in this safer way on any UNIX host.
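The root-login restriction mentioned above is the `PermitRootLogin` keyword in `sshd_config`, and the one thing that catches people when auditing it is that sshd uses the first value it reads for a keyword, not the last. The following is an added example, not code from the page or from the hardening page it refers to; the two configuration texts are constructed, and the function names are my own.

```python
# Added example; the sshd_config lines are constructed.  sshd applies the
# FIRST value it reads for each keyword (sshd_config(5): "for each keyword,
# the first obtained value will be used"), keywords are case-insensitive,
# '#' starts a comment, and "Keyword = value" is accepted as well as
# "Keyword value".

def effective_value(config_text, keyword):
    """Value sshd will use for keyword, or None if it never appears (sshd
    then uses its compiled-in default: "yes" for PermitRootLogin in the
    OpenSSH releases of 2006, "prohibit-password" since OpenSSH 7.0)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()            # first occurrence wins
    return None


def root_login_blocked(config_text):
    """True only if the effective PermitRootLogin is "no"."""
    return effective_value(config_text, "PermitRootLogin") == "no"


# A weak configuration: the "no" appended at the bottom is ignored because
# an earlier line already set the keyword.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
# appended later, in the belief that it overrides the line above:
PermitRootLogin no
"""

# The corrected configuration sets the keyword exactly once.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "root login blocked:", root_login_blocked(cfg))
```

The checker deliberately ignores `Match` blocks, whose settings apply only conditionally; on OpenSSH 5.1 and later, `sshd -T` prints the effective configuration and is the authoritative check.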
Most of these seem to be password-guessing attacks. The attacks with one to three guesses per account probably try the strings "password", the login itself, and "admin". A few attacks are listed here as a single attack against a non-root account although they were incomplete SSH sessions that never progressed to the point of an authentication failure. I think they were probably attempts to exploit a vulnerability in the SSH protocol itself, looking for systems with known buggy implementations of SSH. Examples are the only attack on June 22, the attacks from Slovenia on June 23, and the attacks from Manchester NH and Amsterdam on June 25.
| Host | Attacker | Attacks |
|---|---|---|
| host1 | 219.223.254.130 mail.utsz.edu.cn Shenzhen University, Shenzhen, Guangdong Province, China | 59 root, 41 non-root |
| host1 | 211.21.59.105 Jia Ning Huang, Taiwan | 1 root |
| host2 | 219.223.254.130 mail.utsz.edu.cn Shenzhen University, Shenzhen, Guangdong Province, China | 59 root, 41 non-root |
| host2 | 211.21.59.105 Jia Ning Huang, Taiwan | 5 root |
| host3 | 219.223.254.130 mail.utsz.edu.cn Shenzhen University, Shenzhen, Guangdong Province, China | 59 root, 48 non-root |
| host3 | 211.21.59.105 Jia Ning Huang, Taiwan | 1 root, 8 non-root |
mail.utsz.edu.cn launched what I call the "Patrick Attack". It goes through all the IP addresses in a range, trying to guess passwords for these accounts in this order: patrick, rolo, iceuser, horde, cyrus, www, wwwrun, matt, test, www-data, mysql, irc, jane, pamela, cosmin, cip52, cip51, noc, webmaster, data, user, web, oracle, sybase, master, account, backup, server, adam, alan, frank, george, henry, john, test
| Host | Attacker | Attacks |
|---|---|---|
| host1 | 64.160.59.118 nSite Software, Inc | 1 root, 25 non-root |
| host2 | 64.160.59.118 nSite Software, Inc | 1 root, 25 non-root |
| host3 | 64.160.59.118 nSite Software, Inc | 7 non-root |
Identical attacks on host1 and host2, a similar but less aggressive one on host3.
| Host | Attacker | Attacks |
|---|---|---|
| host1 | none today! | |
| host2 | 211.157.109.153 Chinacomm, Beijing, China | 1 non-root |
| host3 | none today! | |
An unusually light day! Just one probe looking for vulnerable SSH server software.
| Host | Attacker | Attacks |
|---|---|---|
| host1 | 209.51.136.2 ns1.tnrevolution.com Atlanta GA, USA area | 122 root, 2222 non-root |
| host1 | 211.167.66.71 Development & Research Center of State Council Net, Beijing, China | 25 root |
| host1 | 217.141.104.139 cdn-proxy-al1-1.opb.interbusiness.it Telecom Italia administrative system, Roma, Italy | 91 root |
| host1 | 193.77.156.161 BSN-77-156-161.dsl.siol.net DSL-connected PC in Slovenia | 1 non-root |
| host1 | 211.157.109.153 Chinacomm, Beijing, China | 1 non-root |
| host2 | 209.51.136.2 ns1.tnrevolution.com Atlanta GA, USA area | 122 root, 2222 non-root |
| host2 | 211.167.66.71 Development & Research Center of State Council Net, Beijing, China | 30 root |
| host2 | 217.141.104.139 cdn-proxy-al1-1.opb.interbusiness.it Telecom Italia administrative system, Roma, Italy | 91 root |
| host2 | 193.77.156.161 BSN-77-156-161.dsl.siol.net DSL-connected PC in Slovenia | 1 non-root |
| host3 | 209.51.136.2 ns1.tnrevolution.com Atlanta GA, USA area | 113 root, 251 non-root |
| host3 | 211.167.66.71 Development & Research Center of State Council Net, Beijing, China | 32 root |
| host3 | 217.141.104.139 cdn-proxy-al1-1.opb.interbusiness.it Telecom Italia administrative system, Roma, Italy | 75 root |
| host3 | 193.77.156.161 BSN-77-156-161.dsl.siol.net DSL-connected PC in Slovenia | 1 non-root |
Four nearly identical attacks, plus a probe for a vulnerable SSH version to just one host.
| Host | Attacker | Attacks |
|---|---|---|
| host1 | 200.27.37.26 Telmex Chile, Santiago, Chile | 3 root, 6 non-root |
| host2 | 200.27.37.26 Telmex Chile, Santiago, Chile | 3 root, 6 non-root |
| host3 | 200.27.37.26 Telmex Chile, Santiago, Chile | 3 root, 6 non-root |
| host3 | 203.155.165.250 Kantana Group, Bangkok, Thailand | 13 non-root |
Three identical simple attacks from Telmex Chile: two guesses each for users admin and test, one guess each for users guest and user, and three for root. The non-root ones were tried in the order: test, guest, admin, admin, user, test. This attack is seen frequently; see all the instances of 3 against root and 6 against other accounts.
The attack from the Kantana Group in Bangkok guessed one password each for these accounts in this order: staff, sales, recruit, alias, office, samba, tomcat, webadmin, spam, virus, cyrus, oracle, michael.
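Two things in this page are easy to automate beyond what logwatch gives you: the per-attacker root / non-root counts described in the introduction, and the fact that the order in which accounts are tried (the Telmex sequence above, the "Patrick attack" list earlier) is a usable fingerprint for recognizing the same tool on different days. The introduction also notes that logwatch reports a connection that never reached authentication as "1 non-root", which hides the difference between a password guess and a version probe. The following is an added example, not the author's code or logwatch itself; the log lines are constructed in OpenSSH's syslog wording (the IPs and account names are the ones this page reports, the timestamps, process ids and ports are made up), and the signature labels are the author's names for the attacks.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (not taken from the page's logs).
# They reproduce the "3 root, 6 non-root" Telmex-style pattern described
# above, plus one connection that never reached authentication, which
# logwatch would have lumped in as "1 non-root".
SAMPLE_LOG = """\
Jun 24 03:12:01 host1 sshd[4102]: Failed password for root from 200.27.37.26 port 40211 ssh2
Jun 24 03:12:03 host1 sshd[4102]: Failed password for root from 200.27.37.26 port 40211 ssh2
Jun 24 03:12:05 host1 sshd[4102]: Failed password for root from 200.27.37.26 port 40211 ssh2
Jun 24 03:12:07 host1 sshd[4105]: Failed password for invalid user test from 200.27.37.26 port 40212 ssh2
Jun 24 03:12:09 host1 sshd[4107]: Failed password for invalid user guest from 200.27.37.26 port 40213 ssh2
Jun 24 03:12:11 host1 sshd[4109]: Failed password for invalid user admin from 200.27.37.26 port 40214 ssh2
Jun 24 03:12:13 host1 sshd[4109]: Failed password for invalid user admin from 200.27.37.26 port 40214 ssh2
Jun 24 03:12:15 host1 sshd[4111]: Failed password for invalid user user from 200.27.37.26 port 40215 ssh2
Jun 24 03:12:17 host1 sshd[4113]: Failed password for invalid user test from 200.27.37.26 port 40216 ssh2
Jun 24 09:40:22 host1 sshd[4400]: Did not receive identification string from 193.77.156.161
"""

# OpenSSH's wording for a rejected password and for a TCP connection that
# closed before the client sent its protocol banner.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
PROBE_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (\S+)")

# Account orders the page reports for two recurring attacks (only the
# first ten names of the Patrick attack); labels are the author's names.
SIGNATURES = {
    "Telmex-style (3 root, 6 non-root)":
        ["test", "guest", "admin", "admin", "user", "test"],
    "Patrick attack":
        ["patrick", "rolo", "iceuser", "horde", "cyrus",
         "www", "wwwrun", "matt", "test", "www-data"],
}


def parse(log_text):
    """Per attacker IP: root and non-root password failures, banner-less
    probes, and the order in which non-root accounts were tried."""
    stats = defaultdict(lambda: {"root": 0, "non-root": 0, "probes": 0,
                                 "sequence": []})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            if user == "root":
                stats[ip]["root"] += 1
            else:
                stats[ip]["non-root"] += 1
                stats[ip]["sequence"].append(user)
            continue
        m = PROBE_RE.search(line)
        if m:
            stats[m.group(1)]["probes"] += 1
    return dict(stats)


def fingerprint(sequence):
    """Name the first known signature whose account order is a prefix of
    the observed order, or None."""
    for name, sig in SIGNATURES.items():
        if sequence[:len(sig)] == sig:
            return name
    return None


def summarize(log_text):
    """Rows in the page's Attacker / Attacks shape, plus a signature label."""
    rows = []
    for ip, s in sorted(parse(log_text).items()):
        parts = []
        if s["root"]:
            parts.append(f"{s['root']} root")
        if s["non-root"]:
            parts.append(f"{s['non-root']} non-root")
        if s["probes"]:
            parts.append(f"{s['probes']} probe(s) with no login attempt")
        rows.append((ip, ", ".join(parts), fingerprint(s["sequence"])))
    return rows


if __name__ == "__main__":
    for ip, attacks, label in summarize(SAMPLE_LOG):
        print(f"| {ip} | {attacks} |", label or "")
```

Run it against a real `/var/log/auth.log` or `/var/log/secure` by reading the file into `summarize` instead of `SAMPLE_LOG`. Matching the signature as a prefix of the observed order, rather than requiring equality, is what lets the same label apply when a run is cut short, as with the Tokyo attacker later on this page that stopped one account before the Bangkok one.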
| Host | Attacker | Attacks |
|---|---|---|
| host1 | 193.232.117.201 zenonxp.wdcb.ru Moscow State University, Moscow, Russia | 15 root, 164 non-root |
| host1 | 217.141.104.139 cdn-proxy-al1-1.opb.interbusiness.it Telecom Italia administrative system, Roma, Italy | 19 root, 159 non-root |
| host1 | 216.177.21.106 G4 Communications, Manchester NH, USA | 1 non-root |
| host1 | 203.129.81.200 Hutchinson GlobalCenter, Hong Kong | 358 root |
| host1 | 87.233.135.176 2295.flexservers.com Web-hosting company, Amsterdam, Netherlands | 1 non-root |
| host2 | 193.232.117.201 zenonxp.wdcb.ru Moscow State University, Moscow, Russia | 15 root, 164 non-root |
| host2 | 217.141.104.139 cdn-proxy-al1-1.opb.interbusiness.it Telecom Italia administrative system, Roma, Italy | 19 root, 159 non-root |
| host2 | 216.177.21.106 G4 Communications, Manchester NH, USA | 1 non-root |
| host2 | 203.129.81.200 Hutchinson GlobalCenter, Hong Kong | 358 root |
| host2 | 87.233.135.176 2295.flexservers.com Web-hosting company, Amsterdam, Netherlands | 1 non-root |
| host3 | 193.232.117.201 zenonxp.wdcb.ru Moscow State University, Moscow, Russia | 15 root, 156 non-root |
| host3 | 217.141.104.139 cdn-proxy-al1-1.opb.interbusiness.it Telecom Italia administrative system, Roma, Italy | 19 root, 145 non-root |
| host3 | 203.129.81.200 Hutchinson GlobalCenter, Hong Kong | 358 root |
The machine cdn-proxy-al1-1.opb.interbusiness.it reappears, but this time it is using an attack very different from that of two days ago. This time its attack is essentially identical to that from zenonxp.wdcb.ru and makes one password guess each for a large number of user accounts with American English names (adam, alan, alex, amanda, angel, brett, dan, danny, david, dean, divine, frank, ...) and expected system accounts (admin, administrator, admins, agent, alias, amavisd, apache, appowner, appserver, aptproxy, backup, ...).
The five attacks on host1 and host2 were identical.
The attacks on host3 were identical (from 203.129.81.200) or very similar (from zenonxp.wdcb.ru and cdn-proxy-al1-1.opb.interbusiness.it).
| Host | Attacker | Attacks |
|---|---|---|
| host1 | 211.101.4.64 IHW Network, Beijing, China | 6 root, 1051 non-root |
| host1 | 58.241.118.114 China Network Communications Group, Jiangsu Province, China | 3 root, 6 non-root |
| host2 | 211.101.4.64 IHW Network, Beijing, China | 6 root, 1051 non-root |
| host2 | 58.241.118.114 China Network Communications Group, Jiangsu Province, China | 3 root, 6 non-root |
| host3 | 211.101.4.64 IHW Network, Beijing, China | 6 root, 1051 non-root |
| host3 | 58.241.118.114 China Network Communications Group, Jiangsu Province, China | 3 root, 6 non-root |
| host3 | 61.197.243.69 Chunan, Korean Youth League In Japan, Tokyo, Japan | 12 non-root |
The attack from 211.101.4.64 was what I call the "A's and Aaliyah" attack, as it guesses passwords for a bunch of accounts including aa, aaa, aaaa, aaaaa, aaaaaa, aaliyah, aaron, ab, aba, abc, abel, abuse, academy, ace, achim, ada, adabas, ...
The attack from 58.241.118.114 was the same as that from Telmex Chile two days before.
The attack from the Korean Youth League In Japan machine guessed one password each for these accounts in this order: staff, sales, recruit, alias, office, samba, tomcat, webadmin, spam, virus, cyrus, oracle. Just like the attack on June 24 from Bangkok, except it did not try the account michael.
| Host | Attacker | Attacks |
|---|---|---|
| host1 | 221.195.33.92 CNC Group Hebei Province Network, Hebei, China | 107 root, 70 non-root |
| host1 | 221.10.254.205 CNC Group Sichuan Province Network, Sichuan, China | 59 root, 48 non-root |
| host1 | 210.201.144.162 DSL dial-up client in static.apol.com.tw domain, Asia Pacific On-line Service, Taipei, Taiwan | 15 root, 154 non-root |
| host1 | 201.234.241.50 c201234241-50.impsat.com.co, Santa Fe de Bogota, Colombia | 3 root, 6 non-root |
| host2 | 221.195.33.92 CNC Group Hebei Province Network, Hebei, China | 107 root, 70 non-root |
| host2 | 221.10.254.205 CNC Group Sichuan Province Network, Sichuan, China | 59 root, 48 non-root |
| host2 | 210.201.144.162 DSL dial-up client in static.apol.com.tw domain, Asia Pacific On-line Service, Taipei, Taiwan | 15 root, 154 non-root |
| host2 | 201.234.241.50 c201234241-50.impsat.com.co, Santa Fe de Bogota, Colombia | 3 root, 6 non-root |
| host3 | 221.195.33.92 CNC Group Hebei Province Network, Hebei, China | 94 root, 67 non-root |
| host3 | 221.10.254.205 CNC Group Sichuan Province Network, Sichuan, China | 59 root, 48 non-root |
Four identical attacks on host1 and host2.
The attacks from 221.195.33.92 were very slightly different against host3 than against host1 and host2.
The attacks from 221.10.254.205 were identical on all three hosts.
| Host | Attacker | Attacks |
|---|---|---|
| host1 | 211.167.89.99 Development & Research Center of State Council Net, Beijing, China | 15 root, 214 non-root |
| host1 | 218.247.185.166 Zhen-Fen-Wei-Ye Company, Beijing, China | 3 root, 6 non-root |
| host1 | 140.109.23.135 biocomp.iis.sinica.edu.tw Ministry of Education Computer Center, Ho-Ping, Taiwan | 33 non-root |
| host2 | 211.167.89.99 Development & Research Center of State Council Net, Beijing, China | 15 root, 214 non-root |
| host2 | 218.247.185.166 Zhen-Fen-Wei-Ye Company, Beijing, China | 3 root, 6 non-root |
| host2 | 140.109.23.135 biocomp.iis.sinica.edu.tw Ministry of Education Computer Center, Ho-Ping, Taiwan | 8 non-root |
| host3 | 211.167.89.99 Development & Research Center of State Council Net, Beijing, China | 15 root, 24 non-root |
| host3 | 218.247.185.166 Zhen-Fen-Wei-Ye Company, Beijing, China | 3 root, 6 non-root |
| host3 | 140.109.23.135 biocomp.iis.sinica.edu.tw Ministry of Education Computer Center, Ho-Ping, Taiwan | 12 non-root |
| host3 | 221.195.33.92 CNC Group Hebei Province Network, Hebei, China | 9 root, 10 non-root |
Another machine from the Development & Research Center of State Council Net! This attacker is at 211.167.89.99; the one from five days ago was at 211.167.66.71.
The machine from Hebei Province, China reappears for another attack on host3 only.
| Host | Attacker | Attacks |
|---|---|---|
| host1 | none today! | |
| host2 | none today! | |
| host3 | 61.120.204.43 NEC Magnus Communications, Japan | 40 root |
An unusually quiet day!
| Host | Attacker | Attacks |
|---|---|---|
| host1 | 80.92.200.89 Web Media Services, Moscow, Russia | 3 root, 6 non-root |
| host1 | 221.214.176.160 China Network Communications Group Corp, Shandong Province, China | 103 root, 37 non-root |
| host2 | 80.92.200.89 Web Media Services, Moscow, Russia | 3 root, 6 non-root |
| host2 | 221.214.176.160 China Network Communications Group Corp, Shandong Province, China | 4 root, 13 non-root |
| host3 | 80.92.200.89 Web Media Services, Moscow, Russia | 3 root, 6 non-root |
| host3 | 64.246.119.33 psychosis.assylum.nuintari.net Amplex Electric Inc, Millbury OH, USA | 7 root |
The attack from Shandong Province, China was a new one in this list. Against host1, the non-root accounts attacked were test (15 password guesses), tester (15 password guesses), and testing (7 password guesses), plus reasonably aggressive root password guessing. Against host2, just 13 password guesses for test.
| Host | Attacker | Attacks |
|---|---|---|
| host1 | 82.100.17.161 ns.arsys.cz CZFreeNet, Prague, Czech Republic | 2 root, 772 non-root |
| host2 | 82.100.17.161 ns.arsys.cz CZFreeNet, Prague, Czech Republic | 2 root, 2571 non-root |
| host3 | 82.100.17.161 ns.arsys.cz CZFreeNet, Prague, Czech Republic | 2 root, 27 non-root |
| host3 | 61.19.42.74 CAT Telecom, Bangkok, Thailand | 13 root |
The attack from Prague made 1 password guess each for 27 to 2571 accounts. I don't recognize the assumed nationality of the names: adele, adelia, ademia, adena, adeola, aderes, aderyn, adesina, adhira, adiba, adie, adila, adina, adishree, aditi, adolfina, adolpha, adoncia, adriana, adriane, adrianne, adrienne, aduke, adzo, afric, africa, afton, agalia, agape, agapi, agata, agatha, aglaia, ahava, ahawi, ahmya, ahneta, aiko, ailis, aine, aisha, aisling, akasma, aki, akilah, albertine, albina, alda, aldora, aleah, alecia, aleeza, alesa, alesia, alhena, alicia ...
| Host | Attacker | Attacks |
|---|---|---|
| host1 | 211.136.91.150 China Mobile Communications Corp, Beijing, China | 3 root, 6 non-root |
| host1 | 218.14.146.205 ChinaNet, Guangdong Province, Guangzhou, China | 15 root |
| host2 | 211.136.91.150 China Mobile Communications Corp, Beijing, China | 3 root, 6 non-root |
| host2 | 218.14.146.205 ChinaNet, Guangdong Province, Guangzhou, China | 1 root |
| host3 | 211.136.91.150 China Mobile Communications Corp, Beijing, China | 3 root, 6 non-root |
| host3 | 218.14.146.205 ChinaNet, Guangdong Province, Guangzhou, China | 1 root |
| host3 | 163.220.2.39 gneo-crm.hpcc.jp National Institute of Advanced Industrial Science and Technology, Tsukuba, Japan | 782 root, 6656 non-root |
The attack from Japan's national research institute at Tsukuba was the most aggressive seen so far. Very unusually, it included attacks against one numeric login and 13 mixed-case logins, something not usually found on UNIX: 00089, Aaliyah, Aaron, Aba, Abel, Access, DTM, Exit, Ionut, Jewel, ROOT, Where, Yon-Sun, Zmeu.
It then started through an alphabetical list: a, aa, aage, aaron, aartjan, abacus, abbas, abbess, abbot, abigail, ablazed, abode, ... So although Aaliyah shows up, this attack differs from what I called "A's and Aaliyah" above.
© Bob Cromwell Sep 2010. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache.