
SSH Attacks Observed on the Internet

SSH Attacks

This is an analysis of the output of the logwatch utility running on three systems at a large university in the midwestern U.S., on a /16 (or Class B) IP address block. It records only the attempts to break in via SSH, for an arbitrarily chosen period, and ignores the constant flood of connection attempts to other commonly attacked ports (SMTP, DNS, HTTP, Windows file and print sharing, Microsoft SQL Server, etc.). See http://dshield.org/ for information on the current threat environment on the Internet and the ports commonly used in current attacks.

The following shows the SSH attacks detected against three hosts; each entry gives the attacker's IP address and identity, then the number of login attempts against root and against non-root accounts. The UNIX hosts referred to here as host1 and host2 have been on the net for several years. The system host3 was put on the net 15 weeks before the data below was captured. It was not attacked via SSH at all for its first three days; then an attacker's automated scan for SSH servers detected it, and within 15 weeks it had become at least as popular a target as the others.

The following further summarizes the logwatch output to give just the counts of SSH attempts for root and non-root accounts. Note that all of these systems have been configured so that even if you knew the root password you still could not log in as root; see my Linux and OpenBSD hardening page for how to configure the SSH service in this safer way on any UNIX host.

Most of these seem to be password-guessing attacks. The attacks with one to three guesses per account probably try the strings "password", the login name itself, and "admin". A few attacks are listed here as a single attack against a non-root account even though they were incomplete SSH sessions that never progressed to the point of an authentication failure. I think these were probably attempts to exploit a vulnerability in the SSH protocol itself, looking for systems with known buggy implementations of SSH. Examples are the only attack on June 22, the attacks from Slovenia on June 23, and the attacks from Manchester NH and Amsterdam on June 25.
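The per-attacker root/non-root counts above come from logwatch, but the same summary can be built straight from sshd's syslog lines. The following is an added example, not part of the original page or of logwatch: it tallies failed password guesses per source address, records the order of non-root logins tried, flags the recurring "3 root, 6 non-root" probe described under June 24, and ignores aborted sessions that never reach an authentication failure. The log lines are constructed; the addresses and logins echo the June 24 entries.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (not taken from the page's logwatch output),
# in the format that logwatch summarises. Addresses and logins echo the June 24 entry.
SAMPLE_LOG = """\
Jun 24 03:12:01 host1 sshd[4101]: Failed password for root from 200.27.37.26 port 40112 ssh2
Jun 24 03:12:03 host1 sshd[4103]: Failed password for invalid user test from 200.27.37.26 port 40120 ssh2
Jun 24 03:12:05 host1 sshd[4105]: Failed password for invalid user guest from 200.27.37.26 port 40131 ssh2
Jun 24 03:12:07 host1 sshd[4107]: Failed password for invalid user admin from 200.27.37.26 port 40140 ssh2
Jun 24 03:12:09 host1 sshd[4109]: Failed password for invalid user admin from 200.27.37.26 port 40141 ssh2
Jun 24 03:12:11 host1 sshd[4111]: Failed password for invalid user user from 200.27.37.26 port 40150 ssh2
Jun 24 03:12:13 host1 sshd[4113]: Failed password for invalid user test from 200.27.37.26 port 40160 ssh2
Jun 24 03:12:15 host1 sshd[4115]: Failed password for root from 200.27.37.26 port 40170 ssh2
Jun 24 03:12:17 host1 sshd[4117]: Failed password for root from 200.27.37.26 port 40180 ssh2
Jun 24 09:40:00 host1 sshd[5200]: Failed password for invalid user staff from 203.155.165.250 port 51000 ssh2
Jun 24 09:40:02 host1 sshd[5202]: Failed password for invalid user sales from 203.155.165.250 port 51003 ssh2
Jun 24 09:40:04 host1 sshd[5204]: Did not receive identification string from 193.77.156.161
"""

# One failed password guess: optional "invalid user " prefix, then the login and source address.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
# The "3 root, 6 non-root" probe described on the page: non-root logins tried in this order.
TELMEX_SEQUENCE = ["test", "guest", "admin", "admin", "user", "test"]


def summarize(log_text):
    """Per source address: root guesses, non-root guesses, and the order of non-root logins."""
    per_ip = defaultdict(lambda: {"root": 0, "non-root": 0, "order": []})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # not a password failure (e.g. an aborted session with no auth attempt)
        login, ip = m.groups()
        entry = per_ip[ip]
        if login == "root":
            entry["root"] += 1
        else:
            entry["non-root"] += 1
            entry["order"].append(login)
    return dict(per_ip)


def matches_known_probe(entry, sequence=TELMEX_SEQUENCE, root_guesses=3):
    """True when an attacker's counts and login order match the recurring probe signature."""
    return entry["root"] == root_guesses and entry["order"] == sequence


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        tag = "  <- known 3/6 probe" if matches_known_probe(entry) else ""
        print(f"{ip}: {entry['root']} root, {entry['non-root']} non-root{tag}")
```

Feed it a real /var/log/auth.log or /var/log/secure instead of SAMPLE_LOG to reproduce the tables on this page; the aborted-session line shows why such probes never appear in the failure counts.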

June 20

host1
  219.223.254.130 (mail.utsz.edu.cn, Shenzhen University, Shenzhen, Guangdong Province, China): 59 root, 41 non-root
  211.21.59.105 (Jia Ning Huang, Taiwan): 1 root
host2
  219.223.254.130 (mail.utsz.edu.cn, Shenzhen University, Shenzhen, Guangdong Province, China): 59 root, 41 non-root
  211.21.59.105 (Jia Ning Huang, Taiwan): 5 root
host3
  219.223.254.130 (mail.utsz.edu.cn, Shenzhen University, Shenzhen, Guangdong Province, China): 59 root, 48 non-root
  211.21.59.105 (Jia Ning Huang, Taiwan): 1 root, 8 non-root

mail.utsz.edu.cn launched what I call the "Patrick Attack". It goes through all the IP addresses in a range, trying to guess passwords for these accounts in this order: patrick, rolo, iceuser, horde, cyrus, www, wwwrun, matt, test, www-data, mysql, irc, jane, pamela, cosmin, cip52, cip51, noc, webmaster, data, user, web, oracle, sybase, master, account, backup, server, adam, alan, frank, george, henry, john, test

June 21

host1
  64.160.59.118 (nSite Software, Inc): 1 root, 25 non-root
host2
  64.160.59.118 (nSite Software, Inc): 1 root, 25 non-root
host3
  64.160.59.118 (nSite Software, Inc): 7 non-root

Identical attacks on host1 and host2, a similar but less aggressive one on host3.

June 22

host1
  none today!
host2
  211.157.109.153 (Chinacomm, Beijing, China): 1 non-root
host3
  none today!

An unusually light day! Just one probe looking for vulnerable SSH server software.

June 23

host1
  209.51.136.2 (ns1.tnrevolution.com, Atlanta GA, USA area): 122 root, 2222 non-root
  211.167.66.71 (Development & Research Center of State Council Net, Beijing, China): 25 root
  217.141.104.139 (cdn-proxy-al1-1.opb.interbusiness.it, Telecom Italia administrative system, Roma, Italy): 91 root
  193.77.156.161 (BSN-77-156-161.dsl.siol.net, DSL-connected PC in Slovenia): 1 non-root
  211.157.109.153 (Chinacomm, Beijing, China): 1 non-root
host2
  209.51.136.2 (ns1.tnrevolution.com, Atlanta GA, USA area): 122 root, 2222 non-root
  211.167.66.71 (Development & Research Center of State Council Net, Beijing, China): 30 root
  217.141.104.139 (cdn-proxy-al1-1.opb.interbusiness.it, Telecom Italia administrative system, Roma, Italy): 91 root
  193.77.156.161 (BSN-77-156-161.dsl.siol.net, DSL-connected PC in Slovenia): 1 non-root
host3
  209.51.136.2 (ns1.tnrevolution.com, Atlanta GA, USA area): 113 root, 251 non-root
  211.167.66.71 (Development & Research Center of State Council Net, Beijing, China): 32 root
  217.141.104.139 (cdn-proxy-al1-1.opb.interbusiness.it, Telecom Italia administrative system, Roma, Italy): 75 root
  193.77.156.161 (BSN-77-156-161.dsl.siol.net, DSL-connected PC in Slovenia): 1 non-root

Four nearly identical attacks, plus a probe for a vulnerable SSH version to just one host.

June 24

host1
  200.27.37.26 (Telmex Chile, Santiago, Chile): 3 root, 6 non-root
host2
  200.27.37.26 (Telmex Chile, Santiago, Chile): 3 root, 6 non-root
host3
  200.27.37.26 (Telmex Chile, Santiago, Chile): 3 root, 6 non-root
  203.155.165.250 (Kantana Group, Bangkok, Thailand): 13 non-root

Three identical simple attacks from Telmex Chile: two guesses each for the users admin and test, one guess each for the users guest and user, and three for root. The non-root ones were tried in the order test, guest, admin, admin, user, test. This attack is seen frequently; see all the instances of 3 against root and 6 against other accounts.

The attack from the Kantana Group in Bangkok guessed one password each for these accounts in this order: staff, sales, recruit, alias, office, samba, tomcat, webadmin, spam, virus, cyrus, oracle, michael.

June 25

host1
  193.232.117.201 (zenonxp.wdcb.ru, Moscow State University, Moscow, Russia): 15 root, 164 non-root
  217.141.104.139 (cdn-proxy-al1-1.opb.interbusiness.it, Telecom Italia administrative system, Roma, Italy): 19 root, 159 non-root
  216.177.21.106 (G4 Communications, Manchester NH, USA): 1 non-root
  203.129.81.200 (Hutchinson GlobalCenter, Hong Kong): 358 root
  87.233.135.176 (2295.flexservers.com, web-hosting company, Amsterdam, Netherlands): 1 non-root
host2
  193.232.117.201 (zenonxp.wdcb.ru, Moscow State University, Moscow, Russia): 15 root, 164 non-root
  217.141.104.139 (cdn-proxy-al1-1.opb.interbusiness.it, Telecom Italia administrative system, Roma, Italy): 19 root, 159 non-root
  216.177.21.106 (G4 Communications, Manchester NH, USA): 1 non-root
  203.129.81.200 (Hutchinson GlobalCenter, Hong Kong): 358 root
  87.233.135.176 (2295.flexservers.com, web-hosting company, Amsterdam, Netherlands): 1 non-root
host3
  193.232.117.201 (zenonxp.wdcb.ru, Moscow State University, Moscow, Russia): 15 root, 156 non-root
  217.141.104.139 (cdn-proxy-al1-1.opb.interbusiness.it, Telecom Italia administrative system, Roma, Italy): 19 root, 145 non-root
  203.129.81.200 (Hutchinson GlobalCenter, Hong Kong): 358 root

The machine cdn-proxy-al1-1.opb.interbusiness.it reappears, but this time it is using an attack very different from the one of two days ago. This time its attack is essentially identical to that from zenonxp.wdcb.ru: one password guess each for a large number of user accounts with American English names (adam, alan, alex, amanda, angel, brett, dan, danny, david, dean, divine, frank, ....) and expected system accounts (admin, administrator, admins, agent, alias, amavisd, apache, appowner, appserver, aptproxy, backup ....).

The five attacks on host1 and host2 were identical.

The attacks on host3 were identical (from 203.129.81.200) or very similar (from zenonxp.wdcb.ru and cdn-proxy-al1-1.opb.interbusiness.it).

June 26

host1
  211.101.4.64 (IHW Network, Beijing, China): 6 root, 1051 non-root
  58.241.118.114 (China Network Communications Group, Jiangsu Province, China): 3 root, 6 non-root
host2
  211.101.4.64 (IHW Network, Beijing, China): 6 root, 1051 non-root
  58.241.118.114 (China Network Communications Group, Jiangsu Province, China): 3 root, 6 non-root
host3
  211.101.4.64 (IHW Network, Beijing, China): 6 root, 1051 non-root
  58.241.118.114 (China Network Communications Group, Jiangsu Province, China): 3 root, 6 non-root
  61.197.243.69 (Chunan, Korean Youth League In Japan, Tokyo, Japan): 12 non-root

The attack from 211.101.4.64 was what I call the "A's and Aaliyah" attack, as it guesses passwords for a bunch of accounts including aa, aaa, aaaa, aaaaa, aaaaaa, aaliyah, aaron, ab, aba, abc, abel, abuse, academy, ace, achim, ada, adabas, ...

The attack from 58.241.118.114 was the same as that from Telmex Chile two days before.

The attack from the Korean Youth League In Japan machine guessed one password each for these accounts in this order: staff, sales, recruit, alias, office, samba, tomcat, webadmin, spam, virus, cyrus, oracle. Just like the attack on June 24 from Bangkok, except it did not try the account michael.

June 27

host1
  221.195.33.92 (CNC Group Hebei Province Network, Hebei, China): 107 root, 70 non-root
  221.10.254.205 (CNC Group Sichuan Province Network, Sichuan, China): 59 root, 48 non-root
  210.201.144.162 (DSL dial-up client in the static.apol.com.tw domain, Asia Pacific On-line Service, Taipei, Taiwan): 15 root, 154 non-root
  201.234.241.50 (c201234241-50.impsat.com.co, Santa Fe de Bogota, Colombia): 3 root, 6 non-root
host2
  221.195.33.92 (CNC Group Hebei Province Network, Hebei, China): 107 root, 70 non-root
  221.10.254.205 (CNC Group Sichuan Province Network, Sichuan, China): 59 root, 48 non-root
  210.201.144.162 (DSL dial-up client in the static.apol.com.tw domain, Asia Pacific On-line Service, Taipei, Taiwan): 15 root, 154 non-root
  201.234.241.50 (c201234241-50.impsat.com.co, Santa Fe de Bogota, Colombia): 3 root, 6 non-root
host3
  221.195.33.92 (CNC Group Hebei Province Network, Hebei, China): 94 root, 67 non-root
  221.10.254.205 (CNC Group Sichuan Province Network, Sichuan, China): 59 root, 48 non-root

Four identical attacks on host1 and host2.

The attacks from 221.195.33.92 were very slightly different against host3 than against host1 and host2.

The attacks from 221.10.254.205 were identical on all three hosts.

June 28

host1
  211.167.89.99 (Development & Research Center of State Council Net, Beijing, China): 15 root, 214 non-root
  218.247.185.166 (Zhen-Fen-Wei-Ye Company, Beijing, China): 3 root, 6 non-root
  140.109.23.135 (biocomp.iis.sinica.edu.tw, Ministry of Education Computer Center, Ho-Ping, Taiwan): 33 non-root
host2
  211.167.89.99 (Development & Research Center of State Council Net, Beijing, China): 15 root, 214 non-root
  218.247.185.166 (Zhen-Fen-Wei-Ye Company, Beijing, China): 3 root, 6 non-root
  140.109.23.135 (biocomp.iis.sinica.edu.tw, Ministry of Education Computer Center, Ho-Ping, Taiwan): 8 non-root
host3
  211.167.89.99 (Development & Research Center of State Council Net, Beijing, China): 15 root, 24 non-root
  218.247.185.166 (Zhen-Fen-Wei-Ye Company, Beijing, China): 3 root, 6 non-root
  140.109.23.135 (biocomp.iis.sinica.edu.tw, Ministry of Education Computer Center, Ho-Ping, Taiwan): 12 non-root
  221.195.33.92 (CNC Group Hebei Province Network, Hebei, China): 9 root, 10 non-root

Another machine from the Development & Research Center of State Council Net! This attacker is at 211.167.89.99; the one from five days ago was at 211.167.66.71.

The machine from Hebei Province, China reappears for another attack on host3 only.

June 29

host1
  none today!
host2
  none today!
host3
  61.120.204.43 (NEC Magnus Communications, Japan): 40 root

An unusually quiet day!

June 30

host1
  80.92.200.89 (Web Media Services, Moscow, Russia): 3 root, 6 non-root
  221.214.176.160 (China Network Communications Group Corp, Shandong Province, China): 103 root, 37 non-root
host2
  80.92.200.89 (Web Media Services, Moscow, Russia): 3 root, 6 non-root
  221.214.176.160 (China Network Communications Group Corp, Shandong Province, China): 4 root, 13 non-root
host3
  80.92.200.89 (Web Media Services, Moscow, Russia): 3 root, 6 non-root
  64.246.119.33 (psychosis.assylum.nuintari.net, Amplex Electric Inc, Millbury OH, USA): 7 root

The attack from Shandong Province, China was a new one in this list. Against host1, the non-root accounts attacked were test (15 password guesses), tester (15 password guesses), and testing (7 password guesses), plus reasonably aggressive root password guessing.

Against host2, just 13 password guesses for test.

July 1

host1
  82.100.17.161 (ns.arsys.cz, CZFreeNet, Prague, Czech Republic): 2 root, 772 non-root
host2
  82.100.17.161 (ns.arsys.cz, CZFreeNet, Prague, Czech Republic): 2 root, 2571 non-root
host3
  82.100.17.161 (ns.arsys.cz, CZFreeNet, Prague, Czech Republic): 2 root, 27 non-root
  61.19.42.74 (CAT Telecom, Bangkok, Thailand): 13 root

The attack from Prague made one password guess each for between 27 and 2571 accounts, depending on the host. I don't recognize the assumed nationality of the names: adele, adelia, ademia, adena, adeola, aderes, aderyn, adesina, adhira, adiba, adie, adila, adina, adishree, aditi, adolfina, adolpha, adoncia, adriana, adriane, adrianne, adrienne, aduke, adzo, afric, africa, afton, agalia, agape, agapi, agata, agatha, aglaia, ahava, ahawi, ahmya, ahneta, aiko, ailis, aine, aisha, aisling, akasma, aki, akilah, albertine, albina, alda, aldora, aleah, alecia, aleeza, alesa, alesia, alhena, alicia ...

July 2

host1
  211.136.91.150 (China Mobile Communications Corp, Beijing, China): 3 root, 6 non-root
  218.14.146.205 (ChinaNet, Guangdong Province, Guangzhou, China): 15 root
host2
  211.136.91.150 (China Mobile Communications Corp, Beijing, China): 3 root, 6 non-root
  218.14.146.205 (ChinaNet, Guangdong Province, Guangzhou, China): 1 root
host3
  211.136.91.150 (China Mobile Communications Corp, Beijing, China): 3 root, 6 non-root
  218.14.146.205 (ChinaNet, Guangdong Province, Guangzhou, China): 1 root
  163.220.2.39 (gneo-crm.hpcc.jp, National Institute of Advanced Industrial Science and Technology, Tsukuba, Japan): 782 root, 6656 non-root

The attack from Japan's national research institute at Tsukuba was the most aggressive seen so far. Very unusually, it included attacks against one numeric login and 13 mixed-case logins, something not usually found on UNIX: 00089, Aaliyah, Aaron, Aba, Abel, Access, DTM, Exit, Ionut, Jewel, ROOT, Where, Yon-Sun, Zmeu.

It then started through an alphabetical list: a, aa, aage, aaron, aartjan, abacus, abbas, abbess, abbot, abigail, ablazed, abode, ... So although Aaliyah shows up, this attack differs from the one I called "A's and Aaliyah" above.