
SANS ISC InfoSec Handlers Diary Blog



SSH Brute Force

Published: 2011-07-17
Last Updated: 2011-07-17 03:09:18 UTC
by Mark Hofman (Version: 1)
4 comment(s)

SSH brute force password guessing attacks aren't really anything new. They have been going on for quite some time, and while there was a small dip in early July, things seem to be getting back to normal. One of our readers (thanks Robert) noticed, though, that the SSH brute forcing is coordinated between a number of IP addresses (118.97.8.28, 125.210.209.152, and 161.200.184.4). If you have SSH open to the internet (honeypot or real) and you are able to share some log files, I'd be interested in taking a look at them. Please upload them using the contact form or send them directly to markh.isc@gmail.com.

Log files will look something like this.

Username        SourceIPAddr    lPort Count TimeStamp
bette           118.97.8.28     22    1     09:51:05 EDT Sat Jul 16 2011
clairette       118.97.8.28     22    1     09:51:29 EDT Sat Jul 16 2011
clamens         118.97.8.28     22    1     09:51:33 EDT Sat Jul 16 2011
clarisse        118.97.8.28     22    1     09:51:37 EDT Sat Jul 16 2011
claude          118.97.8.28     22    1     09:51:41 EDT Sat Jul 16 2011
dumont          118.97.8.28     22    1     09:52:05 EDT Sat Jul 16 2011
duplo           118.97.8.28     22    1     09:52:09 EDT Sat Jul 16 2011
dupont          118.97.8.28     22    1     09:52:12 EDT Sat Jul 16 2011
durand          118.97.8.28     22    1     09:52:16 EDT Sat Jul 16 2011
farceur         118.97.8.28     22    1     09:52:40 EDT Sat Jul 16 2011
farucci         118.97.8.28     22    1     09:52:44 EDT Sat Jul 16 2011
faustine        118.97.8.28     22    1     09:52:48 EDT Sat Jul 16 2011
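As an added example (not part of the diary, and not code from the author or from ISC), the following script parses a log in the layout shown above and summarises activity per source address. It then applies one simple heuristic for the "coordinated" pattern the reader reported: sources whose attempts interleave in time but which never try the same username, which is what a dictionary split across several hosts would look like. That heuristic is an assumption of this example, not something the diary states. The sample log is constructed: the three source addresses are the ones named in the diary, while the usernames, the times and the unrelated fourth address 203.0.113.9 (from a documentation range) are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the diary's log layout. The three diary addresses are real;
# usernames, times and 203.0.113.9 (documentation range) are invented for the example.
SAMPLE_LOG = """\
Username        SourceIPAddr    lPort Count TimeStamp
bette           118.97.8.28     22    1     09:51:05 EDT Sat Jul 16 2011
bianca          125.210.209.152 22    1     09:51:09 EDT Sat Jul 16 2011
carla           161.200.184.4   22    1     09:51:13 EDT Sat Jul 16 2011
clairette       118.97.8.28     22    1     09:51:29 EDT Sat Jul 16 2011
claude          125.210.209.152 22    1     09:51:33 EDT Sat Jul 16 2011
clarisse        161.200.184.4   22    1     09:51:37 EDT Sat Jul 16 2011
dumont          118.97.8.28     22    1     09:52:05 EDT Sat Jul 16 2011
dupont          125.210.209.152 22    1     09:52:09 EDT Sat Jul 16 2011
durand          161.200.184.4   22    1     09:52:13 EDT Sat Jul 16 2011
root            203.0.113.9     22    3     11:30:00 EDT Sat Jul 16 2011
"""

# One data line: user, IPv4 source, port, count, HH:MM:SS, zone abbreviation, "Sat Jul 16 2011".
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+"
    r"(?P<count>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<tz>\S+)\s+"
    r"(?P<date>\w{3} \w{3} \d{1,2} \d{4})$"
)


def parse_log(text):
    """Turn the table into attempt records sorted by time; the header line does not match and is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # The zone abbreviation is kept as text; the datetime itself is naive local time.
        when = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %a %b %d %Y")
        records.append({"user": m["user"], "ip": m["ip"], "port": int(m["port"]),
                        "count": int(m["count"]), "when": when, "tz": m["tz"]})
    return sorted(records, key=lambda r: r["when"])


def summarize_sources(records):
    """Per source address: total attempts (sum of the Count column) and usernames tried, in time order."""
    summary = defaultdict(lambda: {"attempts": 0, "users": []})
    for r in records:
        summary[r["ip"]]["attempts"] += r["count"]
        summary[r["ip"]]["users"].append(r["user"])
    return dict(summary)


def coordinated_sources(records, window=timedelta(seconds=60)):
    """Heuristic (an assumption of this example): two sources look coordinated when
    each has an attempt within `window` of one of the other's AND they share no
    usernames, i.e. one list appears to have been split between them.
    Returns the set of addresses that have at least one such partner."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    ips = sorted(by_ip)
    flagged = set()
    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            users_a = {r["user"] for r in by_ip[a]}
            users_b = {r["user"] for r in by_ip[b]}
            if users_a & users_b:
                continue  # overlapping names: independent scanners with the same list
            interleaved = any(abs(ra["when"] - rb["when"]) <= window
                              for ra in by_ip[a] for rb in by_ip[b])
            if interleaved:
                flagged.update((a, b))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, s in sorted(summarize_sources(recs).items()):
        print(f"{ip:16} attempts={s['attempts']:3} users={','.join(s['users'])}")
    print("possibly coordinated:", ", ".join(sorted(coordinated_sources(recs))))
```

On the constructed sample the three diary addresses are flagged together, while 203.0.113.9, whose attempts sit almost two hours away, is not. Against real logs the window and the disjoint-username test are the two knobs to tune; a small window with strict disjointness gives few false positives but will miss hosts that share part of a list.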

Mark
