Odd new ssh scanning, possibly for D-Link devices
I noticed it in my own logs overnight and also had a couple of readers (both named Peter) report some odd new ssh scanning overnight. The scanning involves many sites, likely a botnet, attempting to ssh in as 3 users, D-Link, admin, and ftpuser. Given the first of those usernames, I suspect that they are targetting improperly configured D-Link routers or other appliances that have some sort of default password. The system that I have at home was not running kippo, so I didn't get the passwords that they were guessing and was not able to see what they might do if they succeed in ssh-ing in. If anyone out there has any more info on what exactly they are targetting, please let us know by e-mail, via the contact page, or by commenting on this post. I'll try to reconfigure a couple of kippo honeypots to see if I can capture the bad guys there and may update this post later.
---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
LINUX Incident Response and Threat Hunting | Online | US Eastern | Jan 29th - Feb 3rd 2025 |
Comments
Anonymous
Dec 10th 2014
9 years ago
For the three or four weeks that I've been running this honeypot, all of the successful logins do one of two things:
1) look for /var/run/sftp.pid (apparently checking to see if sftp is installed and running)
2) execute "__install_di"
I've had 1 more interactive hit on the 29th where they started a download of a Ubuntu ISO. Then killed it, tried to "cat /etc/redhat-release", then executed "ifconfig" and logged off.
Anonymous
Dec 11th 2014
9 years ago
But looks like the "usual suspects"...got hammered by 144.0.0.xx yesterday..(china)
ftpuser name coming out of 222.178.184.xxx today,(also china),
But the D-link name is coming from 205.178.137.xx which is NetSol...
current logs, as of this posting showing apparent bot'ed machines from the Southern US, Florida..50.162.224.xx and Louisiana.. 64.91.28.xxx for the D-link name...
kinda unusual to see US IP's in the logs,normally all off shore..
even showing an SSH login attempt from an amazon IP... 54.227.30.xxx
so someone has started a big campaign ....
Anonymous
Dec 11th 2014
9 years ago
Something evil is afoot, smells like a worm to me.
Anonymous
Dec 11th 2014
9 years ago
Anonymous
Dec 11th 2014
9 years ago
Anonymous
Dec 11th 2014
9 years ago
> https://8ack.de/analysen/ssh_botnet_brute_force_attack_en
Anonymous
Dec 11th 2014
9 years ago
Anonymous
Dec 11th 2014
9 years ago
cat /var/log/auth.log | grep D-Link | wc -l
382
Wide variety of countries, lots of mail servers and nameservers, also plesk and cpanel mentioned a lot in the hostnames of the culprits. Not a lot of IPs assigned to home internet connections, these are all colo machines, vps and such.
Anonymous
Dec 12th 2014
9 years ago
denyhosts up from 10 to 100+ per day
Anonymous
Dec 12th 2014
9 years ago