Crackers and correlations

Dustin Decker dustin.decker at 1on1security.com
Fri Oct 29 12:56:51 CDT 2004


Not too long ago, someone posted information on a series of attempts to log
on via ssh, more or less brute forcing things.  I figured I would throw out
some of what I've seen which is similar.

I've been seeing a lot of traffic that behaves in similar fashion, across
sensors deployed on various ISPs for which the only common link is being a
client of mine, and the attacks.  I (and more importantly my clients) stay
off the radar pretty well, so I am inclined to think this is a scripted
process, executed after a root-kit is installed etc. to further the
conquest.

If you watch the behavior, and the ascending port numbers, it looks more and
more like I am correct.  What I find interesting is the sources change over
time, and then we see the script trying an even larger number of user names.

Another reference point - I see this a lot more on roadrunner clients than
any others.  Someone is ramping up for something, looking for launch
platforms is my guess.  Anyone interested in seeing the entire conversations
(rather than the logged info below) can drop me an e-mail and I will
obfuscate things and offer 'em up.  Due to confidentiality clauses in my
contracts, I will have to munge the IPs that I am protecting, and make a
mess of the checksums etc.

Oct 16 22:26:01 [obfuscated] sshd[14705]: Failed password for nobody from
62.188.61.214 port 3201 ssh2
Oct 16 22:26:08 [obfuscated] sshd[14712]: input_userauth_request: illegal
user patrick
Oct 16 22:26:11 [obfuscated] sshd[14712]: Failed password for illegal user
patrick from 62.188.61.214 port 1622 ssh2
Oct 16 22:26:18 [obfuscated] sshd[14713]: input_userauth_request: illegal
user patrick
Oct 16 22:26:21 [obfuscated] sshd[14713]: Failed password for illegal user
patrick from 62.188.61.214 port 4104 ssh2
Oct 16 22:26:30 [obfuscated] sshd[14714]: Failed password for root from
62.188.61.214 port 2606 ssh2
Oct 16 22:26:38 [obfuscated] sshd[14715]: Failed password for root from
62.188.61.214 port 4781 ssh2
Oct 16 22:26:50 [obfuscated] sshd[14716]: Failed password for root from
62.188.61.214 port 2941 ssh2

Oct 16 22:25:59 [obfuscated2] sshd(pam_unix)[14705]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com
user=nobody
Oct 16 22:26:08 [obfuscated2] sshd(pam_unix)[14712]: check pass; user
unknown
Oct 16 22:26:08 [obfuscated2] sshd(pam_unix)[14712]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com
Oct 16 22:26:18 [obfuscated2] sshd(pam_unix)[14713]: check pass; user
unknown
Oct 16 22:26:18 [obfuscated2] sshd(pam_unix)[14713]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com
Oct 16 22:26:27 [obfuscated2] sshd(pam_unix)[14714]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com
user=root
Oct 16 22:26:36 [obfuscated2] sshd(pam_unix)[14715]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com
user=root
Oct 16 22:26:47 [obfuscated2] sshd(pam_unix)[14716]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com
user=root

Oct 24 05:01:57 [obfuscated4] sshd(pam_unix)[2541]: check pass; user unknown
Oct 24 05:01:57 [obfuscated4] sshd(pam_unix)[2541]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:01 [obfuscated4] sshd(pam_unix)[2548]: check pass; user unknown
Oct 24 05:02:01 [obfuscated4] sshd(pam_unix)[2548]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:09 [obfuscated4] sshd(pam_unix)[2549]: check pass; user unknown
Oct 24 05:02:09 [obfuscated4] sshd(pam_unix)[2549]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:14 [obfuscated4] sshd(pam_unix)[2550]: check pass; user unknown
Oct 24 05:02:14 [obfuscated4] sshd(pam_unix)[2550]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:18 [obfuscated4] sshd(pam_unix)[2551]: check pass; user unknown
Oct 24 05:02:18 [obfuscated4] sshd(pam_unix)[2551]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:22 [obfuscated4] sshd(pam_unix)[2552]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67  user=root
Oct 24 05:02:26 [obfuscated4] sshd(pam_unix)[2553]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67  user=root
Oct 24 05:02:34 [obfuscated4] sshd(pam_unix)[2554]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67  user=root
Oct 24 05:02:39 [obfuscated4] sshd(pam_unix)[2555]: check pass; user unknown
Oct 24 05:02:39 [obfuscated4] sshd(pam_unix)[2555]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67

Oct 27 15:30:39 [obfuscated3] sshd(pam_unix)[5783]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.234.105.236  user=nobody
Oct 27 15:30:43 [obfuscated3] sshd(pam_unix)[5784]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.234.105.236
Oct 27 15:30:48 [obfuscated3] sshd(pam_unix)[5785]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.234.105.236
[about 400 more of these]
Oct 27 15:30:42 [obfuscated3] sshd[5783]: Failed password for nobody from
211.234.105.236 port 44817 ssh2
Oct 27 15:30:43 [obfuscated3] sshd[5784]: input_userauth_request: illegal
user patrick
Oct 27 15:30:46 [obfuscated3] sshd[5784]: Failed password for illegal user
patrick from 211.234.105.236 port 44944 ssh2
Oct 27 15:30:48 [obfuscated3] sshd[5785]: input_userauth_request: illegal
user patrick
Oct 27 15:30:50 [obfuscated3] sshd[5785]: Failed password for illegal user
patrick from 211.234.105.236 port 45018 ssh2
Oct 27 15:30:54 [obfuscated3] sshd[5786]: Failed password for root from
211.234.105.236 port 45089 ssh2
Oct 27 15:31:04 [obfuscated3] sshd[5788]: Failed password for root from
211.234.105.236 port 45156 ssh2
Oct 27 15:31:08 [obfuscated3] sshd[5796]: Failed password for root from
211.234.105.236 port 45310 ssh2
Oct 27 15:31:13 [obfuscated3] sshd[5799]: Failed password for root from
211.234.105.236 port 45382 ssh2
Oct 27 15:31:17 [obfuscated3] sshd[5800]: Failed password for root from
211.234.105.236 port 45453 ssh2
Oct 27 15:31:21 [obfuscated3] sshd[5801]: input_userauth_request: illegal
user rolo
Oct 27 15:31:23 [obfuscated3] sshd[5801]: Failed password for illegal user
rolo from 211.234.105.236 port 45521 ssh2
Oct 27 15:31:25 [obfuscated3] sshd[5802]: input_userauth_request: illegal
user iceuser
Oct 27 15:31:27 [obfuscated3] sshd[5802]: Failed password for illegal user
iceuser from 211.234.105.236 port 45613 ssh2
Oct 27 15:31:29 [obfuscated3] sshd[5803]: input_userauth_request: illegal
user horde
Oct 27 15:31:32 [obfuscated3] sshd[5803]: Failed password for illegal user
horde from 211.234.105.236 port 45682 ssh2
Oct 27 15:31:34 [obfuscated3] sshd[5804]: input_userauth_request: illegal
user cyrus
Oct 27 15:31:36 [obfuscated3] sshd[5804]: Failed password for illegal user
cyrus from 211.234.105.236 port 45745 ssh2
Oct 27 15:31:39 [obfuscated3] sshd[5805]: input_userauth_request: illegal
user www
Oct 27 15:31:42 [obfuscated3] sshd[5805]: Failed password for illegal user
www from 211.234.105.236 port 45807 ssh2
Oct 27 15:31:47 [obfuscated3] sshd[5806]: input_userauth_request: illegal
user wwwrun
Oct 27 15:31:49 [obfuscated3] sshd[5806]: Failed password for illegal user
wwwrun from 211.234.105.236 port 45881 ssh2
Oct 27 15:31:51 [obfuscated3] sshd[5807]: input_userauth_request: illegal
user matt
Oct 27 15:31:53 [obfuscated3] sshd[5807]: Failed password for illegal user
matt from 211.234.105.236 port 45979 ssh2
Oct 27 15:31:56 [obfuscated3] sshd[5808]: input_userauth_request: illegal
user test
Oct 27 15:31:58 [obfuscated3] sshd[5808]: Failed password for illegal user
test from 211.234.105.236 port 46032 ssh2
Oct 27 15:32:04 [obfuscated3] sshd[5809]: input_userauth_request: illegal
user test
Oct 27 15:32:06 [obfuscated3] sshd[5809]: Failed password for illegal user
test from 211.234.105.236 port 46091 ssh2
Oct 27 15:32:08 [obfuscated3] sshd[5816]: input_userauth_request: illegal
user test
Oct 27 15:32:10 [obfuscated3] sshd[5816]: Failed password for illegal user
test from 211.234.105.236 port 46179 ssh2
Oct 27 15:32:12 [obfuscated3] sshd[5817]: input_userauth_request: illegal
user test
Oct 27 15:32:15 [obfuscated3] sshd[5817]: Failed password for illegal user
test from 211.234.105.236 port 46224 ssh2
Oct 27 15:32:17 [obfuscated3] sshd[5818]: input_userauth_request: illegal
user www-data
Oct 27 15:32:19 [obfuscated3] sshd[5818]: Failed password for illegal user
www-data from 211.234.105.236 port 46267 ssh2
Oct 27 15:32:21 [obfuscated3] sshd[5821]: input_userauth_request: illegal
user mysql
Oct 27 15:32:28 [obfuscated3] sshd[5821]: Failed password for illegal user
mysql from 211.234.105.236 port 46310 ssh2
Oct 27 15:32:34 [obfuscated3] sshd[5826]: Failed password for operator from
211.234.105.236 port 46401 ssh2
Oct 27 15:32:41 [obfuscated3] sshd[5829]: Failed password for adm from
211.234.105.236 port 46448 ssh2
Oct 27 15:32:49 [obfuscated3] sshd[5830]: Failed password for apache from
211.234.105.236 port 46506 ssh2
Oct 27 15:32:51 [obfuscated3] sshd[5831]: input_userauth_request: illegal
user irc
Oct 27 15:32:53 [obfuscated3] sshd[5831]: Failed password for illegal user
irc from 211.234.105.236 port 46560 ssh2
Oct 27 15:32:55 [obfuscated3] sshd[5834]: input_userauth_request: illegal
user irc
Oct 27 15:32:57 [obfuscated3] sshd[5834]: Failed password for illegal user
irc from 211.234.105.236 port 46589 ssh2
Oct 27 15:33:03 [obfuscated3] sshd[5835]: Failed password for adm from
211.234.105.236 port 46620 ssh2
Oct 27 15:33:07 [obfuscated3] sshd[5844]: Failed password for root from
211.234.105.236 port 46655 ssh2
Oct 27 15:33:11 [obfuscated3] sshd[5845]: Failed password for root from
211.234.105.236 port 46686 ssh2
Oct 27 15:33:16 [obfuscated3] sshd[5846]: Failed password for root from
211.234.105.236 port 46713 ssh2
Oct 27 15:33:18 [obfuscated3] sshd[5847]: input_userauth_request: illegal
user jane
Oct 27 15:33:20 [obfuscated3] sshd[5847]: Failed password for illegal user
jane from 211.234.105.236 port 46737 ssh2
Oct 27 15:33:26 [obfuscated3] sshd[5850]: input_userauth_request: illegal
user pamela
Oct 27 15:33:29 [obfuscated3] sshd[5850]: Failed password for illegal user
pamela from 211.234.105.236 port 46766 ssh2
Oct 27 15:33:34 [obfuscated3] sshd[5851]: Failed password for root from
211.234.105.236 port 46819 ssh2
Oct 27 15:33:39 [obfuscated3] sshd[5853]: Failed password for root from
211.234.105.236 port 46849 ssh2
Oct 27 15:33:49 [obfuscated3] sshd[5855]: Failed password for root from
211.234.105.236 port 46874 ssh2
Oct 27 15:33:55 [obfuscated3] sshd[5856]: Failed password for root from
211.234.105.236 port 46929 ssh2
Oct 27 15:34:04 [obfuscated3] sshd[5861]: Failed password for root from
211.234.105.236 port 46959 ssh2
Oct 27 15:34:06 [obfuscated3] sshd[5870]: input_userauth_request: illegal
user cosmin
Oct 27 15:34:14 [obfuscated3] sshd[5870]: Failed password for illegal user
cosmin from 211.234.105.236 port 47009 ssh2
Oct 27 15:34:18 [obfuscated3] sshd[5874]: Failed password for root from
211.234.105.236 port 47049 ssh2
Oct 27 15:34:24 [obfuscated3] sshd[5875]: Failed password for root from
211.234.105.236 port 47064 ssh2
Oct 27 15:34:28 [obfuscated3] sshd[5879]: Failed password for root from
211.234.105.236 port 47083 ssh2
Oct 27 15:34:32 [obfuscated3] sshd[5880]: Failed password for root from
211.234.105.236 port 47100 ssh2
Oct 27 15:34:37 [obfuscated3] sshd[5882]: Failed password for root from
211.234.105.236 port 47114 ssh2
Oct 27 15:34:41 [obfuscated3] sshd[5883]: Failed password for root from
211.234.105.236 port 47128 ssh2
Oct 27 15:34:51 [obfuscated3] sshd[5887]: Failed password for root from
211.234.105.236 port 47141 ssh2
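As an added example (not part of the post above), here is a small Python parser that rejoins the kind of sshd "Failed password" lines shown above, groups them by source address, and reports the signals the post calls out: number of attempts, distinct usernames tried, and whether the source ports ascend monotonically. The sample lines are copied from the post with the hostname replaced by the placeholder "host"; the threshold of 3 is an assumed tuning value.

```python
import re
from collections import defaultdict

# Sample lines copied from the post (wrapped lines rejoined, hostname assumed).
SAMPLE_LOG = """\
Oct 27 15:30:42 host sshd[5783]: Failed password for nobody from 211.234.105.236 port 44817 ssh2
Oct 27 15:30:46 host sshd[5784]: Failed password for illegal user patrick from 211.234.105.236 port 44944 ssh2
Oct 27 15:30:50 host sshd[5785]: Failed password for illegal user patrick from 211.234.105.236 port 45018 ssh2
Oct 27 15:30:54 host sshd[5786]: Failed password for root from 211.234.105.236 port 45089 ssh2
Oct 27 15:31:23 host sshd[5801]: Failed password for illegal user rolo from 211.234.105.236 port 45521 ssh2
Oct 16 22:26:01 host sshd[14705]: Failed password for nobody from 62.188.61.214 port 3201 ssh2
Oct 16 22:26:11 host sshd[14712]: Failed password for illegal user patrick from 62.188.61.214 port 1622 ssh2
Oct 16 22:26:30 host sshd[14714]: Failed password for root from 62.188.61.214 port 2606 ssh2
"""

# Matches both "Failed password for root ..." and "... for illegal user patrick ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)


def parse_failures(text):
    """Return a list of (timestamp, user, ip, port) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((m["ts"], m["user"], m["ip"], int(m["port"])))
    return events


def summarize(events, threshold=3):
    """Group failures by source IP and flag any source at or above threshold.

    For each source the report gives the attempt count, the distinct usernames
    tried, and whether the client-side ports rise strictly from one attempt to
    the next (one fresh connection per guess, as the post describes)."""
    by_ip = defaultdict(list)
    for _ts, user, ip, port in events:
        by_ip[ip].append((user, port))
    report = {}
    for ip, attempts in by_ip.items():
        ports = [p for _, p in attempts]
        report[ip] = {
            "attempts": len(attempts),
            "users": sorted({u for u, _ in attempts}),
            "ports_ascending": all(a < b for a, b in zip(ports, ports[1:])),
            "flag": len(attempts) >= threshold,
        }
    return report
```

Run over a full auth log, the per-source summary is enough to spot the scripted pattern (many usernames, one connection per guess) even when the source address changes from day to day.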




