I get this type of attack also. The latest one is different in both the length of time spent on it and the distinct characteristic of only attempting to gain root access.
By all indications, this was a scripted attack. The port numbers used seemed to follow a general upward trend with a pseudo-random reset to a lower port. I'm sure there are multiple scripts for running brute force attacks of this kind. I expect the scripted attacks to grow ever more sophisticated over time, as there is definitely a professional bent to system cracking these days.
I do have a question for y'all. Is there some non-crippling thing I can do to my system to detect an attack and: 1) send me an email (optionally), 2) log the conversation for xxx seconds, 3) automatically update the firewall to block the offending user/script. Keep in mind I'm running on an antique here: Pentium Pro 200 MHz @ 40MB RAM w/ ~8 GB of disk.
P.S. - I have an email and phone call in to the good people at the USDA and will update you all on anything I may find out. Assuming they will ever admit that one of their PCs has been compromised.
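One lightweight way to get the three things asked for above (notify, capture, block) on a small box is a log watcher that tails the sshd auth log, counts failed logins per source address, and, once a source crosses a threshold, emits a short alert, a bounded packet-capture command, and a firewall rule. The script below is an added illustration written for this thread, not code from any of the posters. It assumes OpenSSH's "Failed password for ... from ... port ..." log format, an iptables firewall, coreutils `timeout` plus `tcpdump` for the timed capture, and a hypothetical `/var/log/brute-<ip>.pcap` path; the log lines are constructed samples whose ascending source ports mirror the pattern described in the thread. It renders the commands as strings rather than running them, so the decision logic can be checked before anything is wired into cron or a log pipe.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines (not taken from the thread). One source hammers
# root with climbing source ports and one pseudo-random reset; a second source tries
# two non-root names; the last line is a legitimate key login and must be ignored.
SAMPLE_LOG = """\
Jan 10 02:14:01 oldbox sshd[4121]: Failed password for root from 192.0.2.10 port 40123 ssh2
Jan 10 02:14:03 oldbox sshd[4123]: Failed password for root from 192.0.2.10 port 40125 ssh2
Jan 10 02:14:05 oldbox sshd[4125]: Failed password for root from 192.0.2.10 port 40127 ssh2
Jan 10 02:14:07 oldbox sshd[4127]: Failed password for root from 192.0.2.10 port 40129 ssh2
Jan 10 02:14:09 oldbox sshd[4129]: Failed password for root from 192.0.2.10 port 40131 ssh2
Jan 10 02:14:11 oldbox sshd[4131]: Failed password for root from 192.0.2.10 port 1033 ssh2
Jan 10 02:15:00 oldbox sshd[4140]: Failed password for invalid user admin from 198.51.100.7 port 52001 ssh2
Jan 10 02:15:02 oldbox sshd[4142]: Failed password for invalid user test from 198.51.100.7 port 52003 ssh2
Jan 10 02:20:00 oldbox sshd[4150]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
"""

# Matches OpenSSH's failed-password message, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)


def parse_failures(text):
    """Return one (user, ip, port) tuple per failed-password line in the log text."""
    failures = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip"), int(m.group("port"))))
    return failures


def find_offenders(failures, threshold=5, root_only=False):
    """Group failures by source IP and keep sources with at least `threshold` attempts.

    root_only=True counts only attempts against root, which isolates the
    root-only campaign the thread describes from ordinary username guessing.
    """
    by_ip = defaultdict(lambda: {"count": 0, "users": set(), "ports": []})
    for user, ip, port in failures:
        if root_only and user != "root":
            continue
        rec = by_ip[ip]
        rec["count"] += 1
        rec["users"].add(user)
        rec["ports"].append(port)
    return {
        ip: {"count": r["count"], "users": sorted(r["users"]), "ports": r["ports"]}
        for ip, r in by_ip.items()
        if r["count"] >= threshold
    }


def alert_message(offenders, hostname="oldbox"):
    """Build the body of the optional e-mail notification (hostname is assumed)."""
    lines = ["Subject: ssh brute-force attempts on %s" % hostname, ""]
    for ip in sorted(offenders):
        r = offenders[ip]
        lines.append("%s: %d failures, users=%s, ports=%s"
                     % (ip, r["count"], ",".join(r["users"]), r["ports"]))
    return "\n".join(lines)


def capture_command(ip, seconds=60):
    """Render a bounded packet capture of the offender's traffic (path is an assumption)."""
    return "timeout %d tcpdump -n -w /var/log/brute-%s.pcap host %s" % (seconds, ip, ip)


def block_rules(offenders):
    """Render one iptables DROP rule per offending source; returned, not executed."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(offenders)]


if __name__ == "__main__":
    offenders = find_offenders(parse_failures(SAMPLE_LOG), threshold=5)
    print(alert_message(offenders))
    for ip in sorted(offenders):
        print(capture_command(ip, 120))
    for rule in block_rules(offenders):
        print(rule)
```

Run against the constructed log, only 192.0.2.10 crosses the default threshold; the two-attempt source and the successful key login are left alone. The threshold and the `root_only` switch are the knobs to tune against false positives, and rendering the commands as strings keeps the box from ever blocking an address on the strength of a regex mismatch before the output has been eyeballed.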
-----Original Message----- From: Dustin Decker
I've been seeing a lot of traffic that behaves in similar fashion, across sensors deployed on various ISPs for which the only common link is being a client of mine, and the attacks. I (and more importantly my clients) stay off the radar pretty well, so I am inclined to think this is a scripted process, executed after a rootkit is installed etc. to further the conquest.
If you watch the behavior, and the ascending port numbers, it looks more and more like I am correct. What I find interesting is the sources change over time, and then we see the script trying an even larger number of user names.
Another reference point - I see this a lot more on roadrunner clients than any others. Someone is ramping up for something, looking for launch platforms is my guess. Anyone interested in seeing the entire conversations (rather than the logged info below) can drop me an e-mail and I will obfuscate things and offer 'em up. Due to confidentiality clauses in my contracts, I will have to munge the IPs that I am protecting, and make a mess of the checksums etc.