Re: SSH scans...

From: Peter Willis (psyphreak_at_phreaker.net)
Date: 12/20/04

  • Next message: Tim Kennedy: "Re: [incidents] SSH scans..."
    Date: Mon, 20 Dec 2004 14:39:33 -0500
    To: Gerry Dalton <gerry@wts.net>
    
    

    Maybe this is a dumb question, but why not set up a honeynet or an IDS
    like snort and block addresses or networks as they begin scanning? Less
    administration needed and you don't have to block ranges larger than
    necessary...

    Also, I threw together a little C app and script which will quickly find
    passwords commonly used in brute force attacks. You may be able to use
    it with cron to locate users with easily-guessed passwords and reset
    them so brute force attacks aren't as successful.
    http://freshmeat.net/p/dumbass/

    Gerry Dalton wrote:

    >I have seen similar probes over the last 2 months. Most all have been from APNIC address blocks. I got so tired of some of it I just went ahead and blocked a full range of addresses from getting past our border routers.
    >
    >So far these have just been a nuisance.
    >
    >Gerry
    >
    >
    >
    >At 09:21 AM 12/20/2004, Dejan Markovic wrote:
    >
    >
    >
    >>Hi Guys,
    >>
    >>Don't know whether this is the right list, but need to ask if others have
    >>the same entries in their logs for the past number of months. Let me take a
    >>step back, I maintain a number of networks on different IP ranges and they
    >>are all being probed by what looks like a tool, or maybe it is the same
    >>group/script. The originating computers range from open proxies to owned
    >>boxes and there are two distinct patterns I've seen so far. The following
    >>scan is a recent example, where "root/password from x.x.x.x: 59 Time(s)"
    >>caught my attention the first time a while back, and I am still getting the
    >>same scans on a daily basis:
    >>
    >>account/password from 210.245.168.28: 1 Time(s)
    >>adam/password from 210.245.168.28: 1 Time(s)
    >>adm/password from 210.245.168.28: 2 Time(s)
    >>alan/password from 210.245.168.28: 1 Time(s)
    >>apache/password from 210.245.168.28: 1 Time(s)
    >>backup/password from 210.245.168.28: 1 Time(s)
    >>cip51/password from 210.245.168.28: 1 Time(s)
    >>cip52/password from 210.245.168.28: 1 Time(s)
    >>cosmin/password from 210.245.168.28: 1 Time(s)
    >>cyrus/password from 210.245.168.28: 1 Time(s)
    >>data/password from 210.245.168.28: 1 Time(s)
    >>frank/password from 210.245.168.28: 1 Time(s)
    >>george/password from 210.245.168.28: 1 Time(s)
    >>henry/password from 210.245.168.28: 1 Time(s)
    >>horde/password from 210.245.168.28: 1 Time(s)
    >>iceuser/password from 210.245.168.28: 1 Time(s)
    >>irc/password from 210.245.168.28: 2 Time(s)
    >>jane/password from 210.245.168.28: 1 Time(s)
    >>john/password from 210.245.168.28: 1 Time(s)
    >>master/password from 210.245.168.28: 1 Time(s)
    >>matt/password from 210.245.168.28: 1 Time(s)
    >>mysql/password from 210.245.168.28: 1 Time(s)
    >>nobody/password from 210.245.168.28: 1 Time(s)
    >>noc/password from 210.245.168.28: 1 Time(s)
    >>operator/password from 210.245.168.28: 1 Time(s)
    >>oracle/password from 210.245.168.28: 1 Time(s)
    >>pamela/password from 210.245.168.28: 1 Time(s)
    >>patrick/password from 210.245.168.28: 2 Time(s)
    >>rolo/password from 210.245.168.28: 1 Time(s)
    >>root/password from 210.245.168.28: 59 Time(s)
    >>server/password from 210.245.168.28: 1 Time(s)
    >>sybase/password from 210.245.168.28: 1 Time(s)
    >>test/password from 210.245.168.28: 5 Time(s)
    >>user/password from 210.245.168.28: 3 Time(s)
    >>web/password from 210.245.168.28: 2 Time(s)
    >>webmaster/password from 210.245.168.28: 1 Time(s)
    >>www-data/password from 210.245.168.28: 1 Time(s)
    >>www/password from 210.245.168.28: 1 Time(s)
    >>wwwrun/password from 210.245.168.28: 1 Time(s)
    >>
    >>Regards,
    >>Dan
    >>
    >>
    >
    >
    >


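As an added example (not code from any of the posters, and not the tool Peter links), here is a small Python parser for the logwatch-style summary lines quoted above. It totals failed attempts per source address and flags sources that exceed a threshold, which is the kind of rule an IDS or a cron job could act on when deciding what to block. The sample lines and the 198.51.100.7 and 203.0.113.9 addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the logwatch format quoted in the thread:
# "<user>/<method> from <ip>: <n> Time(s)"
SAMPLE_LOG = """\
root/password from 198.51.100.7: 59 Time(s)
test/password from 198.51.100.7: 5 Time(s)
user/password from 198.51.100.7: 3 Time(s)
adm/password from 198.51.100.7: 2 Time(s)
oracle/password from 198.51.100.7: 1 Time(s)
alice/password from 203.0.113.9: 1 Time(s)
"""

LINE_RE = re.compile(
    r"^(?P<user>[^/\s]+)/(?P<method>\w+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<count>\d+) Time\(s\)$"
)


def parse_entries(text):
    """Yield (user, ip, count) from summary lines; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["user"], m["ip"], int(m["count"])


def summarize_sources(text):
    """Per source IP: total failed attempts and the set of distinct usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for user, ip, count in parse_entries(text):
        stats[ip]["attempts"] += count
        stats[ip]["users"].add(user)
    return stats


def flag_bruteforce(text, min_attempts=10, min_users=3):
    """Sorted list of source IPs over either threshold: many attempts, or many
    different usernames, which distinguishes a scanner from a user with a typo."""
    return sorted(
        ip for ip, s in summarize_sources(text).items()
        if s["attempts"] >= min_attempts or len(s["users"]) >= min_users
    )


if __name__ == "__main__":
    for ip, s in sorted(summarize_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {s['attempts']} attempts, {len(s['users'])} distinct users")
    print("flagged:", flag_bruteforce(SAMPLE_LOG))
```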