New, odd SSH brute force behavior
Over the past 72 hours, I've noticed a shift in the types of brute force attacks I'm seeing on my SSH honeypot. Generally, SSH attacks consist of hundreds (or thousands) of authentication attempts, each using a different username/password combination. Over the past few days, however, I'm seeing multiple IP addresses attempting to use *one* password against *one* account: root/ihatehackers.
In a sense, a single IP address taking a "one-off" shot at root doesn't really even qualify as "brute-force" and is... well... barely an attack. What I find interesting about this new behavior is the number of different sources I'm seeing for this single, somewhat lame hack.
So, how widespread is this behavior? Is anyone else seeing it? Also, does anyone have any idea what this attack is about? As I said, on the surface, this looks kinda lame, but perhaps someone out there knows something I don't...
Tom Liston
Senior Security Analyst - InGuardians, Inc.
SANS ISC Handler
Twitter: @tliston
UPDATE: I was asked to provide sanitized logs:
2011-11-03 17:41:25+0000 [61.78.62.43] root - password used: ihatehackers
2011-11-03 18:30:00+0000 [218.1.67.151] root - password used: ihatehackers
2011-11-03 19:18:39+0000 [189.14.99.226] root - password used: ihatehackers
2011-11-03 20:07:04+0000 [210.202.196.250] root - password used: ihatehackers
2011-11-03 21:59:28+0000 [69.162.65.138] root - password used: ihatehackers
2011-11-03 23:34:51+0000 [69.162.70.2] root - password used: ihatehackers
2011-11-04 01:13:52+0000 [58.63.241.209] root - password used: ihatehackers
2011-11-04 02:58:31+0000 [213.151.174.158] root - password used: ihatehackers
2011-11-04 04:36:07+0000 [210.42.35.1] root - password used: ihatehackers
2011-11-04 05:30:05+0000 [218.1.67.151] root - password used: ihatehackers
2011-11-04 09:56:59+0000 [122.70.144.168] root - password used: ihatehackers
2011-11-04 18:11:26+0000 [122.70.144.168] root - password used: ihatehackers
2011-11-04 19:32:57+0000 [83.3.229.114] root - password used: ihatehackers
2011-11-04 20:55:07+0000 [69.162.70.2] root - password used: ihatehackers
2011-11-04 22:16:54+0000 [69.162.70.2] root - password used: ihatehackers
2011-11-05 03:54:31+0000 [69.162.70.2] root - password used: ihatehackers
2011-11-05 10:49:53+0000 [189.14.99.226] root - password used: ihatehackers
2011-11-05 13:17:03+0000 [122.70.144.168] root - password used: ihatehackers
2011-11-05 17:59:59+0000 [83.3.229.114] root - password used: ihatehackers
I've checked, and each of these IP addresses is publicly (f)logged elsewhere as performing SSH attacks, so I decided that "sanitizing" the attacker's address wasn't really necessary.
Additionally, by following public mentions of these addresses, I believe I've found more information on this phenomenon. In a series of blog posts on his "That Grumpy BSD Guy" site, Peter Hansteen discusses what he calls the "Hail Mary Cloud." Interesting reading.
Finally, for whatever it's worth, my honeypot system tweets a delayed feed of many attacks (but, sadly not SSH currently... I'll try to remedy that). You can see what's happening by following @netmenaces on Twitter.
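As an added illustration (this is not Tom Liston's honeypot code, nor anything from the ISC), the following Python script parses the 19 log lines posted above and distinguishes the two shapes of SSH credential guessing described in the diary: the usual single-source dictionary run (one address, many username/password pairs) and the distributed, low-volume pattern seen here (one pair, many addresses, a handful of tries each). The log format is taken from the lines as posted; the CLASSIC_LOG contrast sample, the threshold values and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The 19 honeypot log lines from the diary above, as posted.
SAMPLE_LOG = """\
2011-11-03 17:41:25+0000 [61.78.62.43] root - password used: ihatehackers
2011-11-03 18:30:00+0000 [218.1.67.151] root - password used: ihatehackers
2011-11-03 19:18:39+0000 [189.14.99.226] root - password used: ihatehackers
2011-11-03 20:07:04+0000 [210.202.196.250] root - password used: ihatehackers
2011-11-03 21:59:28+0000 [69.162.65.138] root - password used: ihatehackers
2011-11-03 23:34:51+0000 [69.162.70.2] root - password used: ihatehackers
2011-11-04 01:13:52+0000 [58.63.241.209] root - password used: ihatehackers
2011-11-04 02:58:31+0000 [213.151.174.158] root - password used: ihatehackers
2011-11-04 04:36:07+0000 [210.42.35.1] root - password used: ihatehackers
2011-11-04 05:30:05+0000 [218.1.67.151] root - password used: ihatehackers
2011-11-04 09:56:59+0000 [122.70.144.168] root - password used: ihatehackers
2011-11-04 18:11:26+0000 [122.70.144.168] root - password used: ihatehackers
2011-11-04 19:32:57+0000 [83.3.229.114] root - password used: ihatehackers
2011-11-04 20:55:07+0000 [69.162.70.2] root - password used: ihatehackers
2011-11-04 22:16:54+0000 [69.162.70.2] root - password used: ihatehackers
2011-11-05 03:54:31+0000 [69.162.70.2] root - password used: ihatehackers
2011-11-05 10:49:53+0000 [189.14.99.226] root - password used: ihatehackers
2011-11-05 13:17:03+0000 [122.70.144.168] root - password used: ihatehackers
2011-11-05 17:59:59+0000 [83.3.229.114] root - password used: ihatehackers
"""

# Constructed contrast sample (not from the diary): a conventional single-source
# dictionary attack, one address cycling through many pairs. The address is from
# the RFC 5737 documentation range and the lines are made up for this example.
CLASSIC_LOG = "\n".join(
    f"2011-11-05 12:00:{i:02d}+0000 [203.0.113.7] {u} - password used: {p}"
    for i, (u, p) in enumerate(
        [("root", "123456"), ("root", "password"), ("admin", "admin"),
         ("root", "toor"), ("oracle", "oracle"), ("test", "test")]
    )
)

# "<date> <time+tz> [<ip>] <user> - password used: <password>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<ip>[^\]]+)\] (?P<user>\S+) - password used: (?P<pw>.*)$"
)


def parse_log(text):
    """Parse honeypot lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S%z"),
            "ip": m["ip"], "user": m["user"], "pw": m["pw"],
        })
    return events


def credential_profiles(events):
    """Per (user, password): attempts per source address and first/last time seen."""
    prof = {}
    for e in events:
        key = (e["user"], e["pw"])
        p = prof.setdefault(key, {"per_ip": defaultdict(int), "first": e["ts"], "last": e["ts"]})
        p["per_ip"][e["ip"]] += 1
        p["first"] = min(p["first"], e["ts"])
        p["last"] = max(p["last"], e["ts"])
    return prof


def find_distributed_credentials(events, min_sources=5, max_per_source=5):
    """Flag one credential pair tried from many addresses that each make only a few attempts
    (thresholds are assumptions). Per address this looks like noise; per credential it is a campaign."""
    hits = []
    for (user, pw), p in credential_profiles(events).items():
        sources = len(p["per_ip"])
        busiest = max(p["per_ip"].values())
        if sources >= min_sources and busiest <= max_per_source:
            span_h = (p["last"] - p["first"]).total_seconds() / 3600
            hits.append({"user": user, "pw": pw, "sources": sources,
                         "attempts": sum(p["per_ip"].values()),
                         "busiest_source": busiest, "span_hours": round(span_h, 1)})
    return hits


def find_single_source_dictionary(events, min_credentials=5):
    """Flag a single address that cycles through many distinct pairs (the usual brute force)."""
    creds = defaultdict(set)
    for e in events:
        creds[e["ip"]].add((e["user"], e["pw"]))
    return {ip: len(c) for ip, c in creds.items() if len(c) >= min_credentials}


if __name__ == "__main__":
    for h in find_distributed_credentials(parse_log(SAMPLE_LOG)):
        print(f"{h['user']}/{h['pw']}: {h['sources']} sources, {h['attempts']} attempts "
              f"over {h['span_hours']} h, busiest source made {h['busiest_source']}")
    print("single-source dictionary attackers:",
          find_single_source_dictionary(parse_log(CLASSIC_LOG)))
```

The point of keying on the credential pair rather than on the source address is that a per-IP rate limit or fail2ban-style ban never fires on this traffic: no address in the posted log makes more than four attempts over two days, yet the same pair arrives from eleven different addresses. Aggregating by (username, password) across all sources surfaces the campaign that per-source counting hides.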