Re: [Full-disclosure] Distributed SSH username/password brute force attack

Hello,

Until yesterday the attacks came from different servers all over the world, but only about 5-10 attacks per day (I maintain my little gateway server for my home network on cable internet), and they tried until they got banned (about 3 times because of fail2ban).

But now I only get 1 try per machine, but about 20-30 machines per hour! This is the new quality of brute forcing I wanted to ask the list about. I have never seen anything like it before, and I am not sure when it will stop.

The last hour:

Oct 22 17:03:37 wintermute sshd[18335]: error: PAM: Authentication failure for illegal user root from ip-206-83-201-107.sterlingnetwork.net
Oct 22 17:05:16 wintermute sshd[18496]: error: PAM: Authentication failure for illegal user root from filter.elex.be
Oct 22 17:07:10 wintermute sshd[18556]: error: PAM: Authentication failure for illegal user root from 213.219.217.5
Oct 22 17:09:32 wintermute sshd[18740]: error: PAM: Authentication failure for illegal user root from 217.22.237.38
Oct 22 17:11:30 wintermute sshd[18894]: error: PAM: Authentication failure for illegal user root from 195.58.83.26
Oct 22 17:13:24 wintermute sshd[18987]: error: PAM: Authentication failure for illegal user root from 217.220.122.58
Oct 22 17:15:45 wintermute sshd[19178]: error: PAM: Authentication failure for illegal user root from gw.ptr-62-65-142-213.customer.ch.netstream.com
Oct 22 17:17:48 wintermute sshd[19273]: error: PAM: Authentication failure for illegal user root from 85.96.205.14
Oct 22 17:19:31 wintermute sshd[19377]: error: PAM: Authentication failure for illegal user root from algojunkie.com
Oct 22 17:21:53 wintermute sshd[19558]: error: PAM: Authentication failure for illegal user root from ter75-3-82-242-68-233.fbx.proxad.net
Oct 22 17:23:50 wintermute sshd[19662]: error: PAM: Authentication failure for illegal user root from mailux.bendux.de
Oct 22 17:26:06 wintermute sshd[19829]: error: PAM: Authentication failure for illegal user root from 213-35-211-206-dsl.end.estpak.ee
Oct 22 17:30:01 wintermute sshd[20055]: error: PAM: Authentication failure for illegal user root from 230.249-200-80.adsl-static.isp.belgacom.be
Oct 22 17:32:37 wintermute sshd[20214]: error: PAM: Authentication failure for illegal user root from host-148-117-2-96.midco.net
Oct 22 17:34:28 wintermute sshd[20330]: error: PAM: Authentication failure for illegal user root from 213.156.69.126
Oct 22 17:36:18 wintermute sshd[20466]: error: PAM: Authentication failure for illegal user root from michaelholst.eu
Oct 22 17:38:44 wintermute sshd[20584]: error: PAM: Authentication failure for illegal user root from infomed.dia.fi.upm.es
Oct 22 17:40:43 wintermute sshd[20770]: error: PAM: Authentication failure for illegal user root from rueckziegel.de
Oct 22 17:42:42 wintermute sshd[20862]: error: PAM: Authentication failure for illegal user root from 200.172.166.2
Oct 22 17:45:18 wintermute sshd[21160]: error: PAM: Authentication failure for illegal user root from 201.228.66.13
Oct 22 17:47:07 wintermute sshd[21225]: error: PAM: Authentication failure for illegal user root from 62.244.23.38
Oct 22 17:49:04 wintermute sshd[21332]: error: PAM: Authentication failure for illegal user root from 44.241-201-80.adsl-static.isp.belgacom.be
Oct 22 17:53:24 wintermute sshd[21601]: error: PAM: Authentication failure for illegal user root from cm19182.red.mundo-r.com
Oct 22 17:55:45 wintermute sshd[21766]: error: PAM: Authentication failure for illegal user root from ter75-3-82-242-68-233.fbx.proxad.net
Oct 22 17:57:49 wintermute sshd[21852]: error: PAM: Authentication failure for illegal user root from 63.168.207.130
Oct 22 17:59:43 wintermute sshd[22000]: error: PAM: Authentication failure for illegal user root from host101-126-static.75-81-b.business.telecomitalia.it
Oct 22 18:02:01 wintermute sshd[22194]: error: PAM: Authentication failure for illegal user root from static-ip-217-172-186-62.inaddr.intergenia.de
Oct 22 16:03:43 wintermute sshd[13326]: error: PAM: Authentication failure for illegal user root from 192.116.243.241
Oct 22 16:05:21 wintermute sshd[13492]: error: PAM: Authentication failure for illegal user root from ip.82.144.205.44.stat.volia.net
Oct 22 16:07:42 wintermute sshd[13567]: error: PAM: Authentication failure for illegal user root from host81-150-208-48.in-addr.btopenworld.com
Oct 22 16:09:21 wintermute sshd[13722]: error: PAM: Authentication failure for illegal user root from mail.medelektronika.hu
Oct 22 16:11:13 wintermute sshd[13911]: error: PAM: Authentication failure for illegal user root from 62.244.23.38
Oct 22 16:13:38 wintermute sshd[14055]: error: PAM: Authentication failure for illegal user root from tacofilter.emissary.co.jp
Oct 22 16:15:07 wintermute sshd[14234]: error: PAM: Authentication failure for illegal user root from algojunkie.com
Oct 22 16:16:55 wintermute sshd[14281]: error: PAM: Authentication failure for illegal user root from mtl93-10-88-173-209-112.fbx.proxad.net
Oct 22 16:19:11 wintermute sshd[14422]: error: PAM: Authentication failure for illegal user root from 217.14.200.23
Oct 22 16:23:13 wintermute sshd[14689]: error: PAM: Authentication failure for illegal user root from p5.pub.ro
Oct 22 16:25:03 wintermute sshd[14805]: error: PAM: Authentication failure for illegal user root from mail.hellmig-edv.de
Oct 22 16:26:54 wintermute sshd[14931]: error: PAM: Authentication failure for illegal user root from 80.188.22.2
Oct 22 16:29:07 wintermute sshd[15056]: error: PAM: Authentication failure for illegal user root from 82.77.126.238
Oct 22 16:32:44 wintermute sshd[15276]: error: PAM: Authentication failure for illegal user root from 217-133-115-54.b2b.tiscali.it
Oct 22 16:35:04 wintermute sshd[15424]: error: PAM: Authentication failure for illegal user root from ip68-229-216-221.ok.ok.cox.net
Oct 22 16:36:51 wintermute sshd[15524]: error: PAM: Authentication failure for illegal user root from host227.72.248.139.conversent.net
Oct 22 16:38:40 wintermute sshd[15639]: error: PAM: Authentication failure for illegal user root from epi226.internetdsl.tpnet.pl
Oct 22 16:40:56 wintermute sshd[15845]: error: PAM: Authentication failure for illegal user root from demeter.hellmig-edv.de
Oct 22 16:42:49 wintermute sshd[15918]: error: PAM: Authentication failure for illegal user root from 85-18-94-139.ip.fastwebnet.it
Oct 22 16:44:42 wintermute sshd[16067]: error: PAM: Authentication failure for illegal user root from 77.70.2.23
Oct 22 16:47:04 wintermute sshd[16205]: error: PAM: Authentication failure for illegal user root from 217-133-115-54.b2b.tiscali.it
Oct 22 16:51:33 wintermute sshd[16494]: error: PAM: Authentication failure for illegal user root from 200-162-255-4.corp.ajato.com.br
Oct 22 16:53:12 wintermute sshd[16578]: error: PAM: Authentication failure for illegal user root from 148.245.157.217
Oct 22 16:54:55 wintermute sshd[16685]: error: PAM: Authentication failure for illegal user root from neoddmpisek.pi.ipex.cz
Oct 22 16:57:14 wintermute sshd[16837]: error: PAM: Authentication failure for illegal user root from host153-206-static.115-81-b.business.telecomitalia.it
Oct 22 16:59:05 wintermute sshd[16946]: error: PAM: Authentication failure for illegal user root from ns30547.ovh.net
Oct 22 17:01:00 wintermute sshd[17135]: error: PAM: Authentication failure for illegal user root from 84.78.22.164
Oct 22 18:04:16 wintermute sshd[23555]: error: PAM: Authentication failure for illegal user root from 107.84.96-84.rev.gaoland.net
Oct 22 18:06:09 wintermute sshd[23912]: error: PAM: Authentication failure for illegal user root from metano.gasan.com.co
Oct 22 18:08:47 wintermute sshd[24044]: error: PAM: Authentication failure for illegal user root from devel.teracode.com
Oct 22 18:10:29 wintermute sshd[24209]: error: PAM: Authentication failure for illegal user root from 147.83.48.6
Oct 22 18:12:34 wintermute sshd[24407]: error: PAM: Authentication failure for illegal user root from 203-59-234-202.perm.iinet.net.au
Oct 22 18:14:54 wintermute sshd[24581]: error: PAM: Authentication failure for illegal user root from 213.255.77.62
Oct 22 18:17:11 wintermute sshd[24751]: error: PAM: Authentication failure for illegal user root from 202.125.157.206
Oct 22 18:18:53 wintermute sshd[24850]: error: PAM: Authentication failure for illegal user root from 81-223-15-28.c-wdreihufeisengasse.xdsl-line.inode.at
Oct 22 18:21:14 wintermute sshd[25051]: error: PAM: Authentication failure for illegal user root from babels-elite.de
Oct 22 18:23:16 wintermute sshd[25156]: error: PAM: Authentication failure for illegal user root from 192.38.108.11
Oct 22 18:25:51 wintermute sshd[25322]: error: PAM: Authentication failure for illegal user root from 67.105.126.195.ptr.us.xo.net
Oct 22 18:27:43 wintermute sshd[25408]: error: PAM: Authentication failure for illegal user root from 195.138.155.54
Oct 22 18:29:51 wintermute sshd[25558]: error: PAM: Authentication failure for illegal user root from mail.snklk.com
Oct 22 18:32:14 wintermute sshd[25711]: error: PAM: Authentication failure for illegal user root from 217.73.168.129
Oct 22 18:34:07 wintermute sshd[25812]: error: PAM: Authentication failure for illegal user root from 195.138.155.54
Oct 22 18:36:06 wintermute sshd[25982]: error: PAM: Authentication failure for illegal user root from 83.65.141.94
Oct 22 18:40:35 wintermute sshd[26289]: error: PAM: Authentication failure for illegal user root from 193.166.146.101
Oct 22 18:42:33 wintermute sshd[26379]: error: PAM: Authentication failure for illegal user root from 213.219.217.5
Oct 22 18:46:59 wintermute sshd[26661]: error: PAM: Authentication failure for illegal user root from neptuno.ipimar.pt
Oct 22 18:48:59 wintermute sshd[26776]: error: PAM: Authentication failure for illegal user root from 12.160.119.2
Oct 22 18:53:33 wintermute sshd[27052]: error: PAM: Authentication failure for illegal user root from 201.228.66.13
Oct 22 18:56:15 wintermute sshd[27243]: error: PAM: Authentication failure for illegal user root from 211.61.130.199
Oct 22 18:57:55 wintermute sshd[27297]: error: PAM: Authentication failure for illegal user root from host81-150-208-48.in-addr.btopenworld.com
Oct 22 18:59:52 wintermute sshd[27452]: error: PAM: Authentication failure for illegal user root from host242-209-static.41-85-b.business.telecomitalia.it


Richard G. wrote:
Phillip, what network are you on? I use RCN (X.X.X.X) to get to Level3 and used to see these things all the time from China and Korea. Since I do not do business there, I just drop their packets at my router.

Richard

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
Of Philipp
Sent: Monday, October 22, 2007 7:37 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Distributed SSH username/password brute
force attack

Hello,

Since last night I have been experiencing distributed SSH username/password
guessing brute force attacks. Has anyone seen something similar?

Up until last night it was always one host that tried to guess username/password
combinations until it got banned by fail2ban. But now I see in my
logfiles:

Oct 22 01:42:18 myhost sshd[2672]: error: PAM: Authentication failure
for illegal user root from xxxx.de
Oct 22 01:44:49 myhost sshd[2832]: error: PAM: Authentication failure
for illegal user root from xxxx.85
Oct 22 01:47:16 myhost sshd[2981]: error: PAM: Authentication failure
for illegal user root from xxxx.86
Oct 22 01:50:33 myhost sshd[3233]: error: PAM: Authentication failure
for illegal user root from xxxx.ar
Oct 22 01:52:38 myhost sshd[3307]: error: PAM: Authentication failure
for illegal user root from xxxx.be
Oct 22 01:55:34 myhost sshd[3551]: error: PAM: Authentication failure
for illegal user root from xxxx.106
Oct 22 01:58:04 myhost sshd[3691]: error: PAM: Authentication failure
for illegal user root from xxxx.11
Oct 22 02:00:44 myhost sshd[3999]: error: PAM: Authentication failure
for illegal user root from xxxx.cl

The time is CEST and the attacks are still ongoing.

kind regards,

Philipp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



kind regards,

Philipp

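As an added illustration (my own, not Philipp's code or anything posted to the list), the following Python shows why a per-source ban rule never fires on the pattern quoted above: it parses lines of the same shape as the sshd/PAM failures in the thread, emulates a fail2ban-style per-source threshold (assumed values: 3 failures within 10 minutes), and separately slides a one-hour window over all failures to flag many distinct sources that each stay below that threshold. The year (2007) and the sample addresses are assumptions, and the sample lines are constructed, not taken from the post.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Shape of the sshd/PAM failure lines quoted in the thread (host name and PID vary).
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\[\d+\]: error: PAM: Authentication failure for illegal user "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failures(lines, year=2007):
    """Return sorted (timestamp, user, source) tuples for every matching line.
    syslog lines carry no year, so one is assumed (2007, the date of this thread)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a PAM auth failure
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return sorted(events)


def fail2ban_bans(events, maxretry=3, findtime=timedelta(minutes=10)):
    """Emulate a per-source ban rule: a source is banned once it produces
    maxretry failures within findtime (assumed thresholds, fail2ban-style)."""
    recent = defaultdict(deque)
    banned = set()
    for ts, _user, src in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > findtime:      # drop attempts older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(src)
    return banned


def distributed_windows(events, window=timedelta(hours=1),
                        min_sources=10, max_per_source=2):
    """Slide a window over all failures regardless of source and flag windows
    where many distinct sources each stay below the per-source ban threshold.
    Returns (window_start, window_end, distinct_sources) for each flagged window."""
    flagged = []
    q = deque()
    for ev in events:
        q.append(ev)
        while ev[0] - q[0][0] > window:  # keep only the last `window` of events
            q.popleft()
        per_src = Counter(e[2] for e in q)
        if len(per_src) >= min_sources and max(per_src.values()) <= max_per_source:
            flagged.append((q[0][0], ev[0], len(per_src)))
    return flagged


def analyze(lines):
    """Summarise a batch of log lines from both points of view."""
    events = parse_failures(lines)
    windows = distributed_windows(events)
    return {
        "events": len(events),
        "distinct_sources": len({src for _, _, src in events}),
        "banned": sorted(fail2ban_bans(events)),
        "distributed": bool(windows),
        "windows": windows,
    }


# Constructed sample data (documentation-range addresses, not hosts from the thread).
def _line(hhmmss, src, pid):
    return (f"Oct 22 {hhmmss} wintermute sshd[{pid}]: error: PAM: "
            f"Authentication failure for illegal user root from {src}")


# The old pattern: one host hammering until it is banned (5 tries in 5 minutes).
SINGLE_SOURCE = [_line(f"01:4{i}:18", "198.51.100.7", 2600 + i) for i in range(2, 7)]
# The new pattern: 12 hosts, one try each, spread over 25 minutes.
DISTRIBUTED = [_line(f"17:{3 + 2 * i:02d}:37", f"203.0.113.{i + 1}", 18000 + i)
               for i in range(12)]

if __name__ == "__main__":
    for name, sample in (("single source", SINGLE_SOURCE), ("distributed", DISTRIBUTED)):
        r = analyze(sample)
        print(f"{name}: {r['events']} failures from {r['distinct_sources']} sources, "
              f"banned={r['banned']}, distributed={r['distributed']}")
```

Run as a script it reports that the single-source sample gets its host banned while the distributed sample bans nobody and is caught only by the aggregate window. The point for anyone relying on per-IP banning is that the second signal (distinct-source rate over time, independent of any one address) has to exist alongside the first; the thresholds here are starting values to tune against your own baseline.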