
SANS ISC InfoSec Handlers Diary Blog



SSH Brute Force attacks

Published: 2011-08-02
Last Updated: 2011-08-02 14:42:02 UTC
by Mark Hofman (Version: 1)
9 comment(s)

A little while ago I asked for some SSH logs and, as usual, people responded with gusto. So first of all, thanks to all of those who provided logs; it was very much appreciated. Looking through the data, it does look like everything is pretty much the same as usual: get a userid, guess with password1, password2, password3, etc.

One variation did show up. One of the log files showed that instead of the password changing, the userid was changed. So pick a password and try it with userid1, userid2, userid3, etc., then pick password2 and rinse, lather and repeat. Some of the other log files may have shown the same, but not all log files had userids and passwords available.

A number of the IP addresses were using the same password list, indicating that the attempts were either being generated by the same tool or were part of the same botnet. Quite a few IP addresses showed up in different logs submitted.

The most common userids were, not unexpectedly, root, admin, administrator, mysql, oracle, nagios. A few more specific userids do creep in, but most are the standard ones.
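As an added example (not part of Mark's diary or of the kippo project), the following Python script applies the three observations above to a handful of constructed log lines written in the kippo "login attempt [user/password] failed" format (the exact line layout and the IP addresses are assumptions): it classifies each source as cycling passwords against a fixed userid or cycling userids against a fixed password, groups sources that tried the identical password list, and counts the most common userids.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the kippo SSH honeypot log format (assumption:
# "login attempt [user/password] failed" with the source IP in the transport tag).
SAMPLE_LOG = """\
2011-08-01 10:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,10.0.0.1] login attempt [root/password1] failed
2011-08-01 10:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,10.0.0.1] login attempt [root/password2] failed
2011-08-01 10:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,10.0.0.1] login attempt [root/password3] failed
2011-08-01 10:00:04+0000 [SSHService ssh-userauth on HoneyPotTransport,2,10.0.0.1] login attempt [admin/password1] failed
2011-08-01 11:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.0.2] login attempt [root/password1] failed
2011-08-01 11:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.0.2] login attempt [root/password2] failed
2011-08-01 11:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.0.2] login attempt [root/password3] failed
2011-08-01 12:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,4,10.0.0.3] login attempt [root/letmein] failed
2011-08-01 12:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,4,10.0.0.3] login attempt [admin/letmein] failed
2011-08-01 12:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,4,10.0.0.3] login attempt [mysql/letmein] failed
2011-08-01 12:00:04+0000 [SSHService ssh-userauth on HoneyPotTransport,4,10.0.0.3] login attempt [oracle/letmein] failed
2011-08-01 12:00:05+0000 [SSHService ssh-userauth on HoneyPotTransport,4,10.0.0.3] login attempt [root/qwerty] failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]+)/(?P<password>[^\]]*)\] (?P<result>failed|succeeded)$"
)


def parse(text):
    """Return a list of (ip, user, password, result) tuples, one per login
    attempt line, in log order; lines that do not match are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            attempts.append((m["ip"], m["user"], m["password"], m["result"]))
    return attempts


def classify_strategy(attempts):
    """Per source IP, decide whether consecutive attempts keep the userid and
    vary the password (classic brute force) or keep the password and vary
    the userid (the 'userid1, userid2, userid3' variation)."""
    by_ip = defaultdict(list)
    for ip, user, pw, _ in attempts:
        by_ip[ip].append((user, pw))
    verdict = {}
    for ip, seq in by_ip.items():
        same_user = same_pw = 0
        for (u1, p1), (u2, p2) in zip(seq, seq[1:]):
            if u1 == u2 and p1 != p2:
                same_user += 1
            elif p1 == p2 and u1 != u2:
                same_pw += 1
        if same_user == same_pw == 0:
            verdict[ip] = "undetermined"
        elif same_pw > same_user:
            verdict[ip] = "fixed-password, cycling userids"
        else:
            verdict[ip] = "fixed-userid, cycling passwords"
    return verdict


def shared_password_lists(attempts, min_sources=2):
    """Fingerprint each source by the ordered, de-duplicated list of passwords
    it tried; sources with an identical list are likely the same tool or botnet."""
    lists = defaultdict(list)
    for ip, _, pw, _ in attempts:
        if pw not in lists[ip]:
            lists[ip].append(pw)
    groups = defaultdict(list)
    for ip, pws in lists.items():
        groups[tuple(pws)].append(ip)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_sources}


def top_userids(attempts, n=5):
    """Most frequently tried userids across all sources."""
    return Counter(user for _, user, _, _ in attempts).most_common(n)


if __name__ == "__main__":
    data = parse(SAMPLE_LOG)
    for ip, v in sorted(classify_strategy(data).items()):
        print(f"{ip}: {v}")
    for pws, ips in shared_password_lists(data).items():
        print(f"password list {list(pws)} shared by {ips}")
    print("top userids:", top_userids(data))
```

The strategy classifier only looks at adjacent attempts, so a source that interleaves both approaches comes out as whichever dominates; the password-list fingerprint deliberately ignores userids, since the diary's point is that the same list turns up from different addresses regardless of which accounts it is aimed at.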

So not earth shattering or even mildly surprising, but sometimes it is good to know that things haven't changed much.

As for the attacking IPs, you can find the unique IP addresses performing SSH attacks here: http://www.shearwater.com.au/uploads/files/MH/SSH_attacking_IPs.txt

A number of the logs were provided by the kippo SSH honeypot, which looks like it is well worth running if you want to collect your own info.

Thanks again and if I manage to dig out anything further I'll keep you up to date. 

Mark

Keywords: brute force SSH

Metasploit 4 hits the downloads

Published: 2011-08-02
Last Updated: 2011-08-02 03:26:00 UTC
by Mark Hofman (Version: 1)
0 comment(s)

One of my favourite tools has to be Metasploit and version 4 has been released and is available for download.

Updating an existing instance is a cinch: just run msfupdate (or an svn update) and you should be good to go. Alternatively you can get fresh install files from the Metasploit web site. More info here --> https://community.rapid7.com/community/metasploit/blog/2011/08/01/metasploit-40-released?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+metasploit%2Fblog+%28Metasploit+Blog%29

Enjoy.


Mark

Keywords: metasploit