Re: SSH scans...
From: Peter Willis (psyphreak_at_phreaker.net)
Date: 12/20/04
- Previous message: Raymond Lillard: "Re: SSH scans..."
- In reply to: Gerry Dalton: "Re: SSH scans..."
- Next in thread: skippy1_at_hickorytech.net: "Re: SSH scans..."
- Reply: skippy1_at_hickorytech.net: "Re: SSH scans..."
Date: Mon, 20 Dec 2004 14:39:33 -0500 To: Gerry Dalton <gerry@wts.net>
Maybe this is a dumb question, but why not set up a honeynet or an IDS
like snort and block addresses or networks as they begin scanning? Less
administration needed and you don't have to block ranges larger than
necessary...
Also, I threw together a little C app and script which will quickly find
passwords commonly used in brute force attacks. You may be able to use
it with cron to locate users with easily-guessed passwords and reset
them so brute force attacks aren't as successful.
http://freshmeat.net/p/dumbass/
Gerry Dalton wrote:
>I have seen similar probes over the last 2 months. Most all have been from APNIC address blocks. I got so tired of some of it I just went ahead and blocked a full range of addresses from getting past our border routers.
>
>So far these have just been a nuisance.
>
>Gerry
>
>At 09:21 AM 12/20/2004, Dejan Markovic wrote:
>
>>Hi Guys,
>>
>>Don't know whether this is the right list, but need to ask if others have
>>the same entries in their logs for the past number of months. Let me take a
>>step back, I maintain a number of networks on different IP ranges and they
>>are all being probed by what looks like a tool, or maybe it is the same
>>group/script. The originating computers range from open proxies to owned
>>boxes and there are two distinct patterns I've seen so far. The following
>>scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
>>caught my attention the first time a while back, and still getting the same
>>scans on a daily basis:
>>
>>account/password from 210.245.168.28: 1 Time(s)
>>adam/password from 210.245.168.28: 1 Time(s)
>>adm/password from 210.245.168.28: 2 Time(s)
>>alan/password from 210.245.168.28: 1 Time(s)
>>apache/password from 210.245.168.28: 1 Time(s)
>>backup/password from 210.245.168.28: 1 Time(s)
>>cip51/password from 210.245.168.28: 1 Time(s)
>>cip52/password from 210.245.168.28: 1 Time(s)
>>cosmin/password from 210.245.168.28: 1 Time(s)
>>cyrus/password from 210.245.168.28: 1 Time(s)
>>data/password from 210.245.168.28: 1 Time(s)
>>frank/password from 210.245.168.28: 1 Time(s)
>>george/password from 210.245.168.28: 1 Time(s)
>>henry/password from 210.245.168.28: 1 Time(s)
>>horde/password from 210.245.168.28: 1 Time(s)
>>iceuser/password from 210.245.168.28: 1 Time(s)
>>irc/password from 210.245.168.28: 2 Time(s)
>>jane/password from 210.245.168.28: 1 Time(s)
>>john/password from 210.245.168.28: 1 Time(s)
>>master/password from 210.245.168.28: 1 Time(s)
>>matt/password from 210.245.168.28: 1 Time(s)
>>mysql/password from 210.245.168.28: 1 Time(s)
>>nobody/password from 210.245.168.28: 1 Time(s)
>>noc/password from 210.245.168.28: 1 Time(s)
>>operator/password from 210.245.168.28: 1 Time(s)
>>oracle/password from 210.245.168.28: 1 Time(s)
>>pamela/password from 210.245.168.28: 1 Time(s)
>>patrick/password from 210.245.168.28: 2 Time(s)
>>rolo/password from 210.245.168.28: 1 Time(s)
>>root/password from 210.245.168.28: 59 Time(s)
>>server/password from 210.245.168.28: 1 Time(s)
>>sybase/password from 210.245.168.28: 1 Time(s)
>>test/password from 210.245.168.28: 5 Time(s)
>>user/password from 210.245.168.28: 3 Time(s)
>>web/password from 210.245.168.28: 2 Time(s)
>>webmaster/password from 210.245.168.28: 1 Time(s)
>>www-data/password from 210.245.168.28: 1 Time(s)
>>www/password from 210.245.168.28: 1 Time(s)
>>wwwrun/password from 210.245.168.28: 1 Time(s)
>>
>>Regards,
>>Dan
>
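An added example, not part of the original message or of any tool mentioned in it: one way to turn the log summary quoted above into per-host block candidates, so that single scanning addresses are blocked rather than whole ranges. The function names, the thresholds and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the summary format quoted in this thread
# (198.51.100.7 and 203.0.113.9 are documentation addresses, not from the post).
SAMPLE = """\
adm/password from 198.51.100.7: 2 Time(s)
apache/password from 198.51.100.7: 1 Time(s)
root/password from 198.51.100.7: 59 Time(s)
test/password from 198.51.100.7: 5 Time(s)
www-data/password from 198.51.100.7: 1 Time(s)
>>alice/password from 203.0.113.9: 3 Time(s)
Regards,
"""

# user/method from IPv4: N Time(s), with optional mail-quote markers in front
LINE = re.compile(r"^[>\s]*(?P<user>[^\s/]+)/(?P<method>\w+) from "
                  r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}): (?P<n>\d+) Time\(s\)\s*$")

def summarize(text):
    """Aggregate failed logins per source: total attempts and distinct users."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip prose, blank lines, signatures
        entry = stats[m["src"]]
        entry["attempts"] += int(m["n"])
        entry["users"].add(m["user"])
    return dict(stats)

def block_candidates(stats, min_users=4, min_attempts=20):
    """Sources that look like dictionary scans: many accounts or many tries.

    Thresholds are assumptions; results are single hosts (/32), not ranges.
    """
    hits = []
    for src, s in stats.items():
        if len(s["users"]) >= min_users or s["attempts"] >= min_attempts:
            hits.append((f"{src}/32", s["attempts"], len(s["users"])))
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for cidr, attempts, users in block_candidates(summarize(SAMPLE)):
        print(f"{cidr}: {attempts} attempts against {users} accounts")
```

A source that fails a few times against one account, like the second constructed host, stays below both thresholds and is not listed.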