
SANS ISC: SSH Bruteforce Uptick Anyone? SANS ISC InfoSec Forums

SSH Bruteforce Uptick Anyone?
Anyone else seeing a huge uptick in ssh bruteforce attempts? In the last 24 hours I've gone from an average of a couple thousand in a 24 hour period to over 500K. Here are the major contributing IPs and Domains from this uptick:

------------ logs ------------
By Source
  Count  SourceIP         LastDateSeen (CDT)   OrgName (Country)
  4,492  162.212.181.244  2014-09-30 01:00:35  HOSTSPACE NETWORKS LLC (US)
 40,913  162.212.182.223  2014-09-30 04:11:38  HOSTSPACE NETWORKS LLC (US)
 44,491  162.212.182.14   2014-09-30 04:11:38  HOSTSPACE NETWORKS LLC (US)
 45,826  162.212.180.192  2014-09-30 04:18:32  HOSTSPACE NETWORKS LLC (US)
128,456  162.212.181.186  2014-09-30 04:16:13  HOSTSPACE NETWORKS LLC (US)
134,865  162.212.182.16   2014-09-30 04:12:45  HOSTSPACE NETWORKS LLC (US)
137,410  192.126.112.118  2014-09-30 04:15:50  NexteCloud L.L.C. (US)

By Domain
  Count  CIDR              LastDateSeen (CDT)   OrgName (Country)
137,410  192.126.112.0/20  2014-09-30 04:15:50  NexteCloud L.L.C. (US)
399,043  162.212.180.0/22  2014-09-30 04:18:32  HOSTSPACE NETWORKS LLC (US)
Philip

1 Posts
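
An added example, not part of the original posts: one way to build per-source and per-network tallies like the ones above from an sshd auth log. It assumes OpenSSH "Failed password" syslog lines and a fixed /24 (IPv4) or /48 (IPv6) roll-up instead of the whois-derived CIDRs in the post; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in OpenSSH syslog format; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sep 30 04:11:36 host sshd[2101]: Failed password for root from 198.51.100.14 port 40122 ssh2
Sep 30 04:11:37 host sshd[2102]: Failed password for invalid user admin from 198.51.100.14 port 40130 ssh2
Sep 30 04:11:38 host sshd[2103]: Failed password for root from 198.51.100.223 port 51515 ssh2
Sep 30 04:12:45 host sshd[2107]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Sep 30 04:15:50 host sshd[2110]: Failed password for root from 203.0.113.118 port 33211 ssh2
Sep 30 04:16:13 host sshd[2111]: Failed password for invalid user test from 198.51.100.186 port 41000 ssh2
Sep 30 04:16:14 host sshd[2112]: Failed password for invalid user a from 192.0.2.10 port 22 ssh2 from 198.51.100.14 port 40140 ssh2
"""

# The username is client-supplied free text, so match it greedily and anchor on the
# end of the line: only the final "from <addr> port <n> ssh2" is written by sshd.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2\s*$")

def failed_sources(log_text):
    """Yield the source address of each failed password attempt."""
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            yield ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # address field is not an IP literal; skip the line

def summarize(log_text, v4_prefix=24, v6_prefix=48):
    """Return (by_source, by_network) Counters of failed attempts."""
    by_source, by_network = Counter(), Counter()
    for addr in failed_sources(log_text):
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        by_source[str(addr)] += 1
        by_network[str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))] += 1
    return by_source, by_network

def over_baseline(counter, baseline):
    """(count, key) pairs whose count exceeds the baseline, ascending by count."""
    return sorted((n, key) for key, n in counter.items() if n > baseline)

if __name__ == "__main__":
    by_source, by_network = summarize(SAMPLE_LOG)
    for title, table in (("By Source", by_source), ("By Network", by_network)):
        print(title)
        for count, key in over_baseline(table, 0):
            print(f"{count:>8,} {key}")
```

Passing a normal daily count as `baseline` to `over_baseline` leaves only the sources or networks responsible for a spike.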
We were attacked today by them
Joe

1 Posts
My small little website, run from my home laptop, has had over 45k brute force attempts in the last week. Though not the same IPs, over half were from the 192.126.x.x, 4k from 117.21.191.197, plus a handful of other IPs, which stopped about 20 min ago. I can get a breakdown if you want all of them.
ucnt

2 Posts
