Re: [Full-disclosure] Distributed SSH username/password brute force attack



Hi!
Same thing.
GMT +2

Oct 22 20:36:13 nms sshd[90657]: Failed password for invalid user gopher
from 77.46.152.2 port 55120 ssh2
Oct 22 20:37:05 nms sshd[90660]: Connection from 83.19.34.46 port 38394
Oct 22 20:37:06 nms sshd[90660]: error: PAM: authentication error for root
from 83.19.34.46
Oct 22 20:37:06 nms sshd[90660]: Failed keyboard-interactive/pam for root
from 83.19.34.46 port 38394 ssh2
Oct 22 20:39:12 nms sshd[90663]: Connection from 202.14.63.3 port 52821
Oct 22 20:39:15 nms sshd[90663]: error: PAM: authentication error for root
from 202.14.63.3
Oct 22 20:39:15 nms sshd[90663]: Failed keyboard-interactive/pam for root
from 202.14.63.3 port 52821 ssh2
Oct 22 20:41:40 nms sshd[90669]: Connection from 81.138.4.120 port 3087
Oct 22 20:41:41 nms sshd[90669]: error: PAM: authentication error for root
from 81.138.4.120
Oct 22 20:41:41 nms sshd[90669]: Failed keyboard-interactive/pam for root
from 81.138.4.120 port 3087 ssh2
Oct 22 20:43:42 nms sshd[90672]: Connection from 87.98.49.190 port 55339
Oct 22 20:43:43 nms sshd[90672]: error: PAM: authentication error for root
from 87.98.49.190
Oct 22 20:43:43 nms sshd[90672]: Failed keyboard-interactive/pam for root
from 87.98.49.190 port 55339 ssh2
Oct 22 20:45:51 nms sshd[90698]: Connection from 213.35.211.206 port 1926
Oct 22 20:45:52 nms sshd[90698]: error: PAM: authentication error for root
from 213.35.211.206
Oct 22 20:45:52 nms sshd[90698]: Failed keyboard-interactive/pam for root
from 213.35.211.206 port 1926 ssh2
Oct 22 20:48:33 nms sshd[90701]: Connection from 66.184.240.3 port 34371
Oct 22 20:48:35 nms sshd[90701]: error: PAM: authentication error for root
from 66.184.240.3
Oct 22 20:48:35 nms sshd[90701]: Failed keyboard-interactive/pam for root
from 66.184.240.3 port 34371 ssh2
Oct 22 20:55:21 nms sshd[90723]: Connection from 82.127.35.70 port 4240
Oct 22 20:55:25 nms sshd[90723]: error: PAM: authentication error for root
from 82.127.35.70
Oct 22 20:55:25 nms sshd[90723]: Failed keyboard-interactive/pam for root
from 82.127.35.70 port 4240 ssh2
Oct 22 20:59:23 nms sshd[90732]: Connection from 72.159.147.141 port 42446
Oct 22 20:59:24 nms sshd[90732]: error: PAM: authentication error for root
from 72.159.147.141
Oct 22 20:59:24 nms sshd[90732]: Failed keyboard-interactive/pam for root
from 72.159.147.141 port 42446 ssh2
Oct 22 21:02:11 nms sshd[90756]: Connection from 220.130.152.234 port 37232
Oct 22 21:02:13 nms sshd[90756]: error: PAM: authentication error for root
from 220.130.152.234
Oct 22 21:02:13 nms sshd[90756]: Failed keyboard-interactive/pam for root
from 220.130.152.234 port 37232 ssh2
Oct 22 21:04:10 nms sshd[90759]: Connection from 202.106.60.24 port 61804
Oct 22 21:04:13 nms sshd[90759]: error: PAM: authentication error for root
from 202.106.60.24
Oct 22 21:04:13 nms sshd[90759]: Failed keyboard-interactive/pam for root
from 202.106.60.24 port 61804 ssh2
Oct 22 21:06:44 nms sshd[90765]: Connection from 206.222.29.141 port 1858
Oct 22 21:06:46 nms sshd[90765]: error: PAM: authentication error for root
from 206.222.29.141
Oct 22 21:06:46 nms sshd[90765]: Failed keyboard-interactive/pam for root
from 206.222.29.141 port 1858 ssh2
Oct 22 21:08:42 nms sshd[90768]: Connection from 213.49.15.90 port 14656
Oct 22 21:08:43 nms sshd[90768]: error: PAM: authentication error for root
from 213.49.15.90
Oct 22 21:08:43 nms sshd[90768]: Failed keyboard-interactive/pam for root
from 213.49.15.90 port 14656 ssh2
Oct 22 21:10:50 nms sshd[90774]: Connection from 212.71.134.227 port 2090
Oct 22 21:10:51 nms sshd[90774]: error: PAM: authentication error for root
from 212.71.134.227
Oct 22 21:10:51 nms sshd[90774]: Failed keyboard-interactive/pam for root
from 212.71.134.227 port 2090 ssh2
Oct 22 21:13:31 nms sshd[90790]: Connection from 74.232.154.114 port 57834
Oct 22 21:13:33 nms sshd[90790]: error: PAM: authentication error for root
from 74.232.154.114
Oct 22 21:13:33 nms sshd[90790]: Failed keyboard-interactive/pam for root
from 74.232.154.114 port 57834 ssh2
Oct 22 21:15:34 nms sshd[90796]: Connection from 83.218.176.249 port 46125
Oct 22 21:15:34 nms sshd[90796]: error: PAM: authentication error for root
from 83.218.176.249
Oct 22 21:15:34 nms sshd[90796]: Failed keyboard-interactive/pam for root
from 83.218.176.249 port 46125 ssh2
Oct 22 21:18:55 nms sshd[90799]: Connection from 64.71.152.46 port 1779
Oct 22 21:18:57 nms sshd[90799]: error: PAM: authentication error for root
from 64.71.152.46
Oct 22 21:18:57 nms sshd[90799]: Failed keyboard-interactive/pam for root
from 64.71.152.46 port 1779 ssh2
Oct 22 21:43:11 nms sshd[90843]: Connection from 203.130.242.139 port 16597
Oct 22 21:43:14 nms sshd[90843]: error: PAM: authentication error for root
from 203.130.242.139
Oct 22 21:43:14 nms sshd[90843]: Failed keyboard-interactive/pam for root
from 203.130.242.139 port 16597 ssh2
Oct 22 21:56:40 nms sshd[90881]: Connection from 80.122.89.106 port 12387
Oct 22 21:56:42 nms sshd[90881]: error: PAM: authentication error for root
from 80.122.89.106
Oct 22 21:56:42 nms sshd[90881]: Failed keyboard-interactive/pam for root
from 80.122.89.106 port 12387 ssh2
Oct 22 21:57:38 nms sshd[90884]: Connection from 82.207.23.93 port 3642


Best regards,
Valery Marchuk

----- Original Message -----
From: "Philipp" <subs07@xxxxxxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Sent: Monday, October 22, 2007 2:36 PM
Subject: [Full-disclosure] Distributed SSH username/password brute force attack


Hello,

Since this night I have been experiencing distributed SSH username/password
guessing brute force attacks. Has anyone seen something similar?

Up until this night it was always a single host that tried to guess
username/password combinations until it got banned by fail2ban. But now I
see in my logfiles:

Oct 22 01:42:18 myhost sshd[2672]: error: PAM: Authentication failure
for illegal user root from xxxx.de
Oct 22 01:44:49 myhost sshd[2832]: error: PAM: Authentication failure
for illegal user root from xxxx.85
Oct 22 01:47:16 myhost sshd[2981]: error: PAM: Authentication failure
for illegal user root from xxxx.86
Oct 22 01:50:33 myhost sshd[3233]: error: PAM: Authentication failure
for illegal user root from xxxx.ar
Oct 22 01:52:38 myhost sshd[3307]: error: PAM: Authentication failure
for illegal user root from xxxx.be
Oct 22 01:55:34 myhost sshd[3551]: error: PAM: Authentication failure
for illegal user root from xxxx.106
Oct 22 01:58:04 myhost sshd[3691]: error: PAM: Authentication failure
for illegal user root from xxxx.11
Oct 22 02:00:44 myhost sshd[3999]: error: PAM: Authentication failure
for illegal user root from xxxx.cl

The time is CEST and the attacks are still ongoing.

kind regards,

Philipp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



