Re: Dictionary attacks on port 22



On Sat, 25 Feb 2006, in the Usenet newsgroup comp.os.linux.security, in article
<87r75qubcl.fsf@xxxxxxxxxxx>, Harry Putnam wrote:

> ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) writes:
>
>>> First Last IP hits
>>> Feb 18 08:30:47 <> Feb 18 09:50:39 200.88.113.25 5283
>>> Feb 22 08:11:51 <> Feb 22 08:49:29 217.71.210.152 2372
>>> Feb 17 19:42:11 <> Feb 21 18:15:19 220.119.33.251 1365
>>> Feb 18 01:49:01 <> Feb 18 02:42:19 194.146.224.92 1270
>>> Feb 20 22:58:07 <> Feb 20 23:22:34 220.158.24.21 876
>>> Feb 22 05:01:32 <> Feb 22 05:43:41 220.232.149.165 570
>>
>> Just looking at the first six, they smell strongly of zombie - perhaps
>> a windoze box someone found that the owner left wide open.
>
> Can you explain that? Are you basing it on number of hits? IP? ... what?

IP. Your first, 200.88.113.25, is 25sosua113.codetel.net.do in the
Dominican Republic. Codetel has a fairly poor reputation for abuse
problems. The address implies a home system, though at the moment I can't
reach it. Host number two is valerian-152.210.71.217.zonepro-serveurs.net
in France. This appears to be a hosting service. Host 3 doesn't resolve, but
is in a block allocated to Korea Telecom, suballocated to another hosting
service, though I can't read the Hangul. Kortel seems to feel that there
is no need to configure PTR records (it's only a "SHOULD" on the APNIC
policy document, as recommended in RFC2050). A lot of people feel this is
reason to block such IP space. Host 4 is sd204.sivit.org - yet another
hosting service in France. Interestingly, when I connect to this site, I
get forwarded on to the www.google.com login page. Host 5 is a dynamic
address in Japan, s21.ItokyoFL116.vectant.ne.jp, running an incompletely
configured version of Apache on Linux, while host 6 is at our dear friends
(NOT!) at pacific.net.hk, whose users seem to delight in running zombies.
The latter block (like the 217.116.0.0/14 and 217.120.0.0/13 blocks from
Kortel) is in fact blackholed here for that very reason, so I can't comment
on the individual host. Using another ISP, I find (as usual) the klowns at
pacific.net.hk haven't figured out how to set up DNS either.

> Sounded like you think those six are coming from a single machine?

No, not on three continents. The possibility that they are controlled by
the same individual is low, though not impossible. The fact that they all
seem to have decided to dictionary attack you might be related,
but that's pushing the indications pretty hard.

> Must be nice to live in a quiet part of the Internet. ;-)
>
> How many dictionary attack type hits do you see in a day?

None. My ssh server doesn't run on a low port, and the chance of anyone
even finding it is quite poor, never mind seeing repeat attempts. Also,
I only accept connections to that server from a VERY limited list of IP
addresses. On the other hand, I see quite a large number of connection
_attempts_ to port 22 on my public address - typically about a thousand
a day. That's why I no longer have a server there, and don't bother even
logging the attempts.

Old guy
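The per-source summary quoted at the top of this thread (first hit, last hit, IP, hit count) is the kind of thing a defender produces from sshd's "Failed password" lines before deciding what to block. The script below is an added example written for this page, not code from either poster; it parses constructed sample log lines (the IPs reuse the ones quoted in the thread, the timestamps and usernames are made up) and assumes the year 2006 because syslog does not record it. Successful logins and other sshd messages are skipped, and the report also counts how many distinct usernames each source tried, which is a useful tell for a dictionary run as opposed to a single mistyped password.

```python
"""Summarise SSH dictionary-attack activity per source IP from sshd log lines.

Added example (not part of the original thread). Input format is the
classic syslog line written by OpenSSH on "Failed password" events; the
sample lines below are constructed, not taken from the posters' logs.
"""
import re
from datetime import datetime

# Constructed sample auth.log excerpt (syslog does not log the year).
SAMPLE_LOG = """\
Feb 18 08:30:47 host sshd[1201]: Failed password for invalid user admin from 200.88.113.25 port 4523 ssh2
Feb 18 08:30:49 host sshd[1203]: Failed password for invalid user test from 200.88.113.25 port 4531 ssh2
Feb 18 09:50:39 host sshd[1890]: Failed password for root from 200.88.113.25 port 4900 ssh2
Feb 18 10:00:01 host sshd[1901]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Feb 22 08:11:51 host sshd[2200]: Failed password for invalid user oracle from 217.71.210.152 port 3301 ssh2
Feb 22 08:49:29 host sshd[2380]: Failed password for invalid user guest from 217.71.210.152 port 3399 ssh2
Feb 17 19:42:11 host sshd[900]: Failed password for invalid user www from 220.119.33.251 port 2001 ssh2
"""

# Matches only authentication failures; "invalid user" is optional because
# sshd omits it when the account actually exists (e.g. root).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2006):
    """Turn a syslog timestamp into a datetime; the year is assumed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def summarise(log_text, year=2006):
    """Return {ip: {"first", "last", "hits", "users"}} for failed logins."""
    stats = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated messages are ignored
        ts = parse_ts(m.group("ts"), year)
        ip = m.group("ip")
        rec = stats.setdefault(ip, {"first": ts, "last": ts, "hits": 0, "users": set()})
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        rec["hits"] += 1
        rec["users"].add(m.group("user"))
    return stats


def format_report(stats):
    """Render the summary in the First/Last/IP/hits layout, busiest source first."""
    rows = sorted(stats.items(), key=lambda kv: kv[1]["hits"], reverse=True)
    lines = ["First           <> Last            IP               hits  users"]
    for ip, r in rows:
        lines.append(
            f"{r['first']:%b %d %H:%M:%S} <> {r['last']:%b %d %H:%M:%S} "
            f"{ip:<16} {r['hits']:>4}  {len(r['users'])}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarise(SAMPLE_LOG)))
```

Run it against a real auth.log by replacing `SAMPLE_LOG` with the file contents; sources with many hits and many distinct usernames in a short window are the ones worth resolving and checking against the owner's netblock, as the reply above does by hand.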