SSH Attacks Observed on the Internet

SSH Attacks

This is an analysis of the output of the logwatch utility running on three systems at a large university in the midwestern U.S., on a /16 (or Class B) IP address block. It records only the attempts to break in via SSH, for an arbitrarily chosen period. It ignores the constant flood of connection attempts to other commonly attacked ports (SMTP, DNS, HTTP, Windows file and print sharing, Microsoft SQL Server, etc). See http://dshield.org/ for information on the current threat environment on the Internet and the ports commonly used in current attacks.
The following shows SSH attacks detected against three hosts. The UNIX hosts referred to here by the hostnames host1 and host2 have been on the net for several years. The system host3 was put on the net 15 weeks before the data below was captured. It was not attacked at all via SSH for its first three days, and then an attacker's automated scan for SSH servers detected it. Within 15 weeks it had become at least as popular a target as the others.
The following further summarizes the logwatch output to simply give counts of SSH attempts for root and non-root accounts.
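The root versus non-root counts in the tables below can be produced directly from sshd's syslog lines, without logwatch. The following is an added example (not the page's own tooling, and not logwatch's code): it parses the two OpenSSH message forms that matter here, "Failed password for ..." and "Did not receive identification string from ...", and the latter is counted separately because it is an incomplete session rather than a failed guess. The log lines and the RFC 5737 documentation addresses in them are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of sshd syslog lines (not real data); the addresses are
# RFC 5737 documentation ranges, not the attackers listed on this page.
SAMPLE_LOG = """\
Jun 20 03:14:07 host1 sshd[2231]: Failed password for root from 198.51.100.7 port 51122 ssh2
Jun 20 03:14:09 host1 sshd[2233]: Failed password for invalid user patrick from 198.51.100.7 port 51130 ssh2
Jun 20 03:14:11 host1 sshd[2235]: Failed password for invalid user rolo from 198.51.100.7 port 51138 ssh2
Jun 20 03:14:13 host1 sshd[2237]: Failed password for root from 198.51.100.7 port 51142 ssh2
Jun 20 07:02:41 host1 sshd[2410]: Failed password for root from 203.0.113.9 port 40011 ssh2
Jun 20 07:02:43 host1 sshd[2412]: Did not receive identification string from 203.0.113.77
Jun 20 08:15:00 host1 sshd[2500]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2
"""

# OpenSSH logs a rejected password for an unknown account with "invalid user";
# the optional group makes both forms match.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# A client that connected but never sent a version banner: no authentication
# attempt, so it is counted as an incomplete session, as the text above does.
NO_AUTH_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<ip>[\d.]+)"
)


def summarize(log_text):
    """Return {source_ip: {"root": n, "non-root": n, "no-auth": n}} for one host's log."""
    counts = defaultdict(lambda: {"root": 0, "non-root": 0, "no-auth": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            bucket = "root" if m.group("user") == "root" else "non-root"
            counts[m.group("ip")][bucket] += 1
            continue
        m = NO_AUTH_RE.search(line)
        if m:
            counts[m.group("ip")]["no-auth"] += 1
        # successful logins and unrelated lines are ignored on purpose
    return dict(counts)


def format_report(counts):
    """Render the counts in the same "Attacker | Attacks" shape as the tables on this page,
    busiest source first."""
    lines = ["Attacker | Attacks"]
    by_volume = sorted(counts, key=lambda ip: -(counts[ip]["root"] + counts[ip]["non-root"]))
    for ip in by_volume:
        c = counts[ip]
        parts = []
        if c["root"]:
            parts.append(f"{c['root']} root")
        if c["non-root"]:
            parts.append(f"{c['non-root']} non-root")
        if c["no-auth"]:
            parts.append(f"{c['no-auth']} incomplete session")
        lines.append(f"{ip} | {', '.join(parts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

On a real system the input would be /var/log/auth.log or /var/log/secure (or `journalctl -u ssh`), and the only change needed is to read that file instead of SAMPLE_LOG.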
Note that all the systems have been configured so that even if you knew the root password you still could not log in as root; see my Linux and OpenBSD hardening page for how to configure the SSH service in this safer way on any UNIX host.
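The setting that gives that protection is PermitRootLogin in sshd_config, and a common mistake when hardening is to append "PermitRootLogin no" at the bottom of a file that already says "yes" higher up: sshd uses the first value it finds for each keyword, so the appended line does nothing. The following checker is an added example, not from the page or from the hardening page it refers to; it assumes only the documented sshd_config syntax (keyword, optional "=", value; lines starting with "#" are comments; directives after a Match line are conditional). The config text is constructed to show the first-wins trap.

```python
import re

# Constructed sshd_config fragment. The second PermitRootLogin line is ignored by
# sshd because the first occurrence of a keyword wins.
SAMPLE_CONFIG = """\
# sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# someone "hardened" it below, but sshd keeps the FIRST value of each keyword
PermitRootLogin no

Match User backup
    PasswordAuthentication no
"""

# Values of PermitRootLogin that do not allow a guessed root password to work.
SAFE_ROOT_VALUES = {"no", "prohibit-password", "without-password", "forced-commands-only"}


def effective_settings(config_text):
    """Return {keyword: value} for the global section, honouring sshd's first-match rule.
    Parsing stops at the first Match block, whose directives apply only conditionally."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)   # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)                # first occurrence wins
    return settings


def audit(config_text):
    """List the findings relevant to password-guessing attacks against sshd."""
    s = effective_settings(config_text)
    findings = []
    prl = s.get("permitrootlogin")
    if prl is None:
        findings.append("PermitRootLogin not set: the default depends on the OpenSSH "
                        "version, so set it to 'no' explicitly")
    elif prl.lower() not in SAFE_ROOT_VALUES:
        findings.append(f"PermitRootLogin {prl}: root can log in with a guessed password")
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes (or unset): password guessing can "
                        "still succeed for non-root accounts")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against /etc/ssh/sshd_config by reading the file into audit(); an empty list means both keywords are set the safe way in the global section.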
Most of these seem to be password-guessing attacks. The attacks with one to three guesses per account probably try the strings "password", the login itself, and "admin". A few attacks are listed here as a single attack against a non-root account, although they were an incomplete SSH session and did not progress to the point of an authentication failure. I think that they were probably attempts to exploit a vulnerability in the SSH protocol itself, looking for systems with known buggy implementations of SSH. Examples are the only attack on June 22, the attacks from Slovenia on June 23, and the attacks from Manchester NH and Amsterdam on June 25.
June 20

host1
Attacker | Attacks
219.223.254.130 mail.utsz.edu.cn Shenzhen University, Shenzhen, Guangdong Province, China | 59 root, 41 non-root
211.21.59.105 Jia Ning Huang, Taiwan | 1 root

host2
Attacker | Attacks
219.223.254.130 mail.utsz.edu.cn Shenzhen University, Shenzhen, Guangdong Province, China | 59 root, 41 non-root
211.21.59.105 Jia Ning Huang, Taiwan | 5 root

host3
Attacker | Attacks
219.223.254.130 mail.utsz.edu.cn Shenzhen University, Shenzhen, Guangdong Province, China | 59 root, 48 non-root
211.21.59.105 Jia Ning Huang, Taiwan | 1 root, 8 non-root
mail.utsz.edu.cn launched what I call the "Patrick Attack". It goes through all the IP addresses in a range, trying to guess passwords for these accounts in this order: patrick, rolo, iceuser, horde, cyrus, www, wwwrun, matt, test, www-data, mysql, irc, jane, pamela, cosmin, cip52, cip51, noc, webmaster, data, user, web, oracle, sybase, master, account, backup, server, adam, alan, frank, george, henry, john, test
June 21

host1
Attacker | Attacks
64.160.59.118 nSite Software, Inc | 1 root, 25 non-root

host2
Attacker | Attacks
64.160.59.118 nSite Software, Inc | 1 root, 25 non-root

host3
Attacker | Attacks
64.160.59.118 nSite Software, Inc | 7 non-root
Identical attacks on host1 and host2, and a similar but less aggressive one on host3.
June 22

host1
Attacker | Attacks
none today! | none today!

host2
Attacker | Attacks
211.157.109.153 Chinacomm, Beijing, China | 1 non-root

host3
Attacker | Attacks
none today! | none today!
An unusually light day! Just one probe looking for vulnerable SSH server software.
June 23

host1
Attacker | Attacks
209.51.136.2 ns1.tnrevolution.com Atlanta GA, USA area | 122 root, 2222 non-root
211.167.66.71 Development & Research Center of State Council Net, Beijing, China | 25 root
217.141.104.139 cdn-proxy-al1-1.opb.interbusiness.it Telecom Italia administrative system, Roma, Italy | 91 root
193.77.156.161 BSN-77-156-161.dsl.siol.net DSL-connected PC in Slovenia | 1 non-root
211.157.109.153 Chinacomm, Beijing, China | 1 non-root

host2
Attacker | Attacks
209.51.136.2 ns1.tnrevolution.com Atlanta GA, USA area | 122 root, 2222 non-root
211.167.66.71 Development & Research Center of State Council Net, Beijing, China | 30 root
217.141.104.139 cdn-proxy-al1-1.opb.interbusiness.it Telecom Italia administrative system, Roma, Italy | 91 root
193.77.156.161 BSN-77-156-161.dsl.siol.net DSL-connected PC in Slovenia | 1 non-root

host3
Attacker | Attacks
209.51.136.2 ns1.tnrevolution.com Atlanta GA, USA area | 113 root, 251 non-root
211.167.66.71 Development & Research Center of State Council Net, Beijing, China | 32 root
217.141.104.139 cdn-proxy-al1-1.opb.interbusiness.it Telecom Italia administrative system, Roma, Italy | 75 root
193.77.156.161 BSN-77-156-161.dsl.siol.net DSL-connected PC in Slovenia | 1 non-root
Four nearly identical attacks, plus a probe for a vulnerable SSH version to just one host.
June 24

host1
Attacker | Attacks
200.27.37.26 Telmex Chile, Santiago, Chile | 3 root, 6 non-root

host2
Attacker | Attacks
200.27.37.26 Telmex Chile, Santiago, Chile | 3 root, 6 non-root

host3
Attacker | Attacks
200.27.37.26 Telmex Chile, Santiago, Chile | 3 root, 6 non-root
203.155.165.250 Kantana Group, Bangkok, Thailand | 13 non-root
Three identical simple attacks from Telmex Chile: two guesses each for users admin and test, one guess each for users guest and user, and three for root. The non-root ones were tried in the order: test, guest, admin, admin, user, test. This attack is seen frequently; see all the instances of 3 against root and 6 against other accounts. The attack from the Kantana Group in Bangkok guessed one password each for these accounts in this order: staff, sales, recruit, alias, office, samba, tomcat, webadmin, spam, virus, cyrus, oracle, michael.
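The way the text recognizes a returning tool is by its fingerprint: how many root guesses it makes and the exact order of the non-root logins it tries, which is why "3 root, 6 non-root" is recognizable at a glance and why the June 26 attack from Tokyo is spotted as the Bangkok list minus michael. The following is an added example (not the page's own method or code) that makes that comparison mechanical: it turns a per-host stream of (host, source IP, login) failures into such a fingerprint, matches it against a small catalogue built from the two sequences described above, reports a prefix match as a truncated run, and lists sources that used exactly the same sequence against more than one host. The event list and the addresses are constructed; in practice the tuples would come from the sshd log parser above.

```python
from collections import defaultdict

# Catalogue of known sequences, keyed by a descriptive name. A signature is
# (number of root guesses, ordered tuple of non-root logins tried); the two
# entries are the sequences described in the text for June 24.
KNOWN_SIGNATURES = {
    "telmex-style": (3, ("test", "guest", "admin", "admin", "user", "test")),
    "staff-sales-recruit list": (0, ("staff", "sales", "recruit", "alias", "office",
                                     "samba", "tomcat", "webadmin", "spam", "virus",
                                     "cyrus", "oracle", "michael")),
}


def _run(host, ip, root_guesses, users):
    """Build (host, ip, login) tuples for one source, in the order the failures were logged."""
    return [(host, ip, "root")] * root_guesses + [(host, ip, u) for u in users]


# Constructed sample (RFC 5737 documentation addresses, not the attackers on this page):
EVENTS = (
    _run("host1", "198.51.100.7", 3, ["test", "guest", "admin", "admin", "user", "test"])
    + _run("host2", "198.51.100.7", 3, ["test", "guest", "admin", "admin", "user", "test"])
    + _run("host3", "203.0.113.9", 0, ["staff", "sales", "recruit", "alias", "office", "samba",
                                       "tomcat", "webadmin", "spam", "virus", "cyrus", "oracle"])
    + _run("host1", "203.0.113.50", 4, ["patrick"])
)


def fingerprints(events):
    """Group failures per (host, source ip) into (root_count, non-root login sequence).
    Root guesses are counted, not positioned, so interleaving does not change the result."""
    roots = defaultdict(int)
    sequence = defaultdict(list)
    for host, ip, user in events:
        if user == "root":
            roots[(host, ip)] += 1
        else:
            sequence[(host, ip)].append(user)
    keys = set(roots) | set(sequence)
    return {k: (roots[k], tuple(sequence[k])) for k in keys}


def classify(fp):
    """Name the catalogue entry a fingerprint matches exactly, or as a shortened run."""
    for name, sig in KNOWN_SIGNATURES.items():
        if fp == sig:
            return name
    for name, sig in KNOWN_SIGNATURES.items():
        same_roots = fp[0] == sig[0]
        is_prefix = len(fp[1]) < len(sig[1]) and sig[1][:len(fp[1])] == fp[1]
        if same_roots and is_prefix:
            return name + " (truncated)"
    return "unknown"


def hosts_hit_identically(fps):
    """Source IPs that used exactly the same fingerprint against more than one host."""
    by_ip = defaultdict(dict)
    for (host, ip), fp in fps.items():
        by_ip[ip][host] = fp
    return {ip: sorted(per_host)
            for ip, per_host in by_ip.items()
            if len(per_host) > 1 and len(set(per_host.values())) == 1}


if __name__ == "__main__":
    fps = fingerprints(EVENTS)
    for (host, ip), fp in sorted(fps.items()):
        print(f"{host} {ip}: {fp[0]} root, {len(fp[1])} non-root -> {classify(fp)}")
    print("identical across hosts:", hosts_hit_identically(fps))
```

The catalogue grows as new sequences are named; a sequence classified as "unknown" that recurs on several hosts is the signal that a new tool is in circulation.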
June 25

host1
Attacker | Attacks
193.232.117.201 zenonxp.wdcb.ru Moscow State University, Moscow, Russia | 15 root, 164 non-root
217.141.104.139 cdn-proxy-al1-1.opb.interbusiness.it Telecom Italia administrative system, Roma, Italy | 19 root, 159 non-root
216.177.21.106 G4 Communications, Manchester NH, USA | 1 non-root
203.129.81.200 Hutchinson GlobalCenter, Hong Kong | 358 root
87.233.135.176 2295.flexservers.com Web-hosting company, Amsterdam, Netherlands | 1 non-root

host2
Attacker | Attacks
193.232.117.201 zenonxp.wdcb.ru Moscow State University, Moscow, Russia | 15 root, 164 non-root
217.141.104.139 cdn-proxy-al1-1.opb.interbusiness.it Telecom Italia administrative system, Roma, Italy | 19 root, 159 non-root
216.177.21.106 G4 Communications, Manchester NH, USA | 1 non-root
203.129.81.200 Hutchinson GlobalCenter, Hong Kong | 358 root
87.233.135.176 2295.flexservers.com Web-hosting company, Amsterdam, Netherlands | 1 non-root

host3
Attacker | Attacks
193.232.117.201 zenonxp.wdcb.ru Moscow State University, Moscow, Russia | 15 root, 156 non-root
217.141.104.139 cdn-proxy-al1-1.opb.interbusiness.it Telecom Italia administrative system, Roma, Italy | 19 root, 145 non-root
203.129.81.200 Hutchinson GlobalCenter, Hong Kong | 358 root
The machine cdn-proxy-al1-1.opb.interbusiness.it reappears, but this time it is using an attack very different from that of two days ago. This time its attack is essentially identical to that from zenonxp.wdcb.ru and makes one password guess each for a large number of user accounts with American English names (adam, alan, alex, amanda, angel, brett, dan, danny, david, dean, divine, frank, ....) and expected system accounts (admin, administrator, admins, agent, alias, amavisd, apache, appowner, appserver, aptproxy, backup ....). The five attacks on host1 and host2 were identical. The attacks on host3 were identical (from 203.129.81.200) or very similar (from zenonxp.wdcb.ru and cdn-proxy-al1-1.opb.interbusiness.it).
June 26

host1
Attacker | Attacks
211.101.4.64 IHW Network, Beijing, China | 6 root, 1051 non-root
58.241.118.114 China Network Communications Group, Jiangsu Province, China | 3 root, 6 non-root

host2
Attacker | Attacks
211.101.4.64 IHW Network, Beijing, China | 6 root, 1051 non-root
58.241.118.114 China Network Communications Group, Jiangsu Province, China | 3 root, 6 non-root

host3
Attacker | Attacks
211.101.4.64 IHW Network, Beijing, China | 6 root, 1051 non-root
58.241.118.114 China Network Communications Group, Jiangsu Province, China | 3 root, 6 non-root
61.197.243.69 Chunan, Korean Youth League In Japan, Tokyo, Japan | 12 non-root
The attack from 211.101.4.64 was what I call the "A's and Aaliyah" attack, as it guesses passwords for a bunch of accounts including aa, aaa, aaaa, aaaaa, aaaaaa, aaliyah, aaron, ab, aba, abc, abel, abuse, academy, ace, achim, ada, adabas, ... The attack from 58.241.118.114 was the same as that from Telmex Chile two days before. The attack from the Korean Youth League In Japan machine guessed one password each for these accounts in this order: staff, sales, recruit, alias, office, samba, tomcat, webadmin, spam, virus, cyrus, oracle. Just like the attack on June 24 from Bangkok, except it did not try the account michael.
June 27

host1
Attacker | Attacks
221.195.33.92 CNC Group Hebei Province Network, Hebei, China | 107 root, 70 non-root
221.10.254.205 CNC Group Sichuan Province Network, Sichuan, China | 59 root, 48 non-root
210.201.144.162 DSL dial-up client in static.apol.com.tw domain, Asia Pacific On-line Service, Taipei, Taiwan | 15 root, 154 non-root
201.234.241.50 c201234241-50.impsat.com.co, Santa Fe de Bogota, Colombia | 3 root, 6 non-root

host2
Attacker | Attacks
221.195.33.92 CNC Group Hebei Province Network, Hebei, China | 107 root, 70 non-root
221.10.254.205 CNC Group Sichuan Province Network, Sichuan, China | 59 root, 48 non-root
210.201.144.162 DSL dial-up client in static.apol.com.tw domain, Asia Pacific On-line Service, Taipei, Taiwan | 15 root, 154 non-root
201.234.241.50 c201234241-50.impsat.com.co, Santa Fe de Bogota, Colombia | 3 root, 6 non-root

host3
Attacker | Attacks
221.195.33.92 CNC Group Hebei Province Network, Hebei, China | 94 root, 67 non-root
221.10.254.205 CNC Group Sichuan Province Network, Sichuan, China | 59 root, 48 non-root
Four identical attacks on host1 and host2.
The attacks from 221.195.33.92 were very slightly different against host3 than against host1 and host2.
The attacks from 221.10.254.205 were identical on all three hosts.
June 28

host1
Attacker | Attacks
211.167.89.99 Development & Research Center of State Council Net, Beijing, China | 15 root, 214 non-root
218.247.185.166 Zhen-Fen-Wei-Ye Company, Beijing, China | 3 root, 6 non-root
140.109.23.135 biocomp.iis.sinica.edu.tw Ministry of Education Computer Center, Ho-Ping, Taiwan | 33 non-root

host2
Attacker | Attacks
211.167.89.99 Development & Research Center of State Council Net, Beijing, China | 15 root, 214 non-root
218.247.185.166 Zhen-Fen-Wei-Ye Company, Beijing, China | 3 root, 6 non-root
140.109.23.135 biocomp.iis.sinica.edu.tw Ministry of Education Computer Center, Ho-Ping, Taiwan | 8 non-root

host3
Attacker | Attacks
211.167.89.99 Development & Research Center of State Council Net, Beijing, China | 15 root, 24 non-root
218.247.185.166 Zhen-Fen-Wei-Ye Company, Beijing, China | 3 root, 6 non-root
140.109.23.135 biocomp.iis.sinica.edu.tw Ministry of Education Computer Center, Ho-Ping, Taiwan | 12 non-root
221.195.33.92 CNC Group Hebei Province Network, Hebei, China | 9 root, 10 non-root
Another machine from the Development & Research Center of State Council Net! This attacker is at 211.167.89.99; the one from five days ago was at 211.167.66.71.
The machine from Hebei Province, China reappears for another attack on host3 only.
June 29

host1
Attacker | Attacks
none today! | none today!

host2
Attacker | Attacks
none today! | none today!

host3
Attacker | Attacks
61.120.204.43 NEC Magnus Communications, Japan | 40 root
An unusually quiet day!
June 30

host1
Attacker | Attacks
80.92.200.89 Web Media Services, Moscow, Russia | 3 root, 6 non-root
221.214.176.160 China Network Communications Group Corp, Shandong Province, China | 103 root, 37 non-root

host2
Attacker | Attacks
80.92.200.89 Web Media Services, Moscow, Russia | 3 root, 6 non-root
221.214.176.160 China Network Communications Group Corp, Shandong Province, China | 4 root, 13 non-root

host3
Attacker | Attacks
80.92.200.89 Web Media Services, Moscow, Russia | 3 root, 6 non-root
64.246.119.33 psychosis.assylum.nuintari.net Amplex Electric Inc, Millbury OH, USA | 7 root
The attack from Shandong Province, China was a new one in this list. Against host1, the non-root accounts attacked were test (15 password guesses), tester (15 password guesses), and testing (7 password guesses), plus reasonably aggressive root password guessing. Against host2, just 13 password guesses for test.
July 1

host1
Attacker | Attacks
82.100.17.161 ns.arsys.cz CZFreeNet, Prague, Czech Republic | 2 root, 772 non-root

host2
Attacker | Attacks
82.100.17.161 ns.arsys.cz CZFreeNet, Prague, Czech Republic | 2 root, 2571 non-root

host3
Attacker | Attacks
82.100.17.161 ns.arsys.cz CZFreeNet, Prague, Czech Republic | 2 root, 27 non-root
61.19.42.74 CAT Telecom, Bangkok, Thailand | 13 root
The attack from Prague made one password guess each for 27 to 2571 accounts. I don't recognize the assumed nationality of the names: adele, adelia, ademia, adena, adeola, aderes, aderyn, adesina, adhira, adiba, adie, adila, adina, adishree, aditi, adolfina, adolpha, adoncia, adriana, adriane, adrianne, adrienne, aduke, adzo, afric, africa, afton, agalia, agape, agapi, agata, agatha, aglaia, ahava, ahawi, ahmya, ahneta, aiko, ailis, aine, aisha, aisling, akasma, aki, akilah, albertine, albina, alda, aldora, aleah, alecia, aleeza, alesa, alesia, alhena, alicia ...
July 2

host1
Attacker | Attacks
211.136.91.150 China Mobile Communications Corp, Beijing, China | 3 root, 6 non-root
218.14.146.205 ChinaNet, Guangdong Province, Guangzhou, China | 15 root

host2
Attacker | Attacks
211.136.91.150 China Mobile Communications Corp, Beijing, China | 3 root, 6 non-root
218.14.146.205 ChinaNet, Guangdong Province, Guangzhou, China | 1 root

host3
Attacker | Attacks
211.136.91.150 China Mobile Communications Corp, Beijing, China | 3 root, 6 non-root
218.14.146.205 ChinaNet, Guangdong Province, Guangzhou, China | 1 root
163.220.2.39 gneo-crm.hpcc.jp National Institute of Advanced Industrial Science and Technology, Tsukuba, Japan | 782 root, 6656 non-root
The attack from Japan's national research institute at Tsukuba was the most aggressive seen so far. Very unusually, it included attacks against one numeric login and 13 mixed-case logins, something not usually found in UNIX: 00089, Aaliyah, Aaron, Aba, Abel, Access, DTM, Exit, Ionut, Jewel, ROOT, Where, Yon-Sun, Zmeu. It then started through an alphabetical list: a, aa, aage, aaron, aartjan, abacus, abbas, abbess, abbot, abigail, ablazed, abode, ... So although Aaliyah shows up, this attack differs from what I called "A's and Aaliyah" above.