
| Subject: | RE: Internet SSH scans |
|---|---|
| Date: | Thu, 2 Mar 2006 20:56:00 -0800 |
Yes, I get scans every single day from all over the world as well. Run your ssh server on an alternate port other than 22 and you will avoid all the script kiddies.

-sb

-----Original Message-----
From: Alexandre H [mailto:alexandre.hamelin@gmail.com]
Sent: Thursday, March 02, 2006 6:08 PM
To: incidents@securityfocus.com
Subject: Internet SSH scans

Hi,

I've witnessed what I think is an increase in SSH scans over the Internet in the past four or five weeks. The scan seems to originate from various countries around the globe, which makes me think it is a worm-like spreading virus searching for vulnerable systems running the SSH service. I confirmed the attack with a friend of mine who also happens to run an SSH server at home. We both live in Montreal, QC, Canada and are using the same ISP.

Since January 29 (maybe before), no less than 26000+ connection attempts have been made on my system (which is running SSH) -- 4000 just in the last three days. Each attempt tries to login with a specific username, but many attempts are made in a short period of time (1 to 2 minutes) with different usernames. I believe that the worm holds a list of common usernames and passwords and successively tries to connect with each of them when it finds a host with port 22 open.

Typical attacks are similar to the following:

```
# grep Invalid /var/log/messages | head
Feb 26 15:06:12 localhost sshd[3500]: Invalid user delta from 194.44.247.243
Feb 26 15:06:14 localhost sshd[3502]: Invalid user admin from 194.44.247.243
Feb 26 15:06:16 localhost sshd[3504]: Invalid user test from 194.44.247.243
Feb 26 15:06:18 localhost sshd[3506]: Invalid user testing from 194.44.247.243
Feb 26 15:06:20 localhost sshd[3508]: Invalid user tester from 194.44.247.243
Feb 26 15:06:22 localhost sshd[3510]: Invalid user academy from 194.44.247.243
Feb 26 15:06:24 localhost sshd[3512]: Invalid user protector from 194.44.247.243
Feb 26 15:06:27 localhost sshd[3516]: Invalid user skylyn from 194.44.247.243
Feb 26 15:06:31 localhost sshd[3520]: Invalid user webmaster from 194.44.247.243
Feb 26 15:06:33 localhost sshd[3522]: Invalid user master from 194.44.247.243
```

In my attempt to get an initial idea of what it could be, I fired up my telnet client to connect to 2-3 random hosts among the addresses and tried to see if their SSH service was up. Indeed they were, and their banner showed what seemed to be an older version of SSH (seen OpenSSH 3.5 and 3.6). Also, one of these had the default Apache web page on its web server.

I have attached a list of IP addresses from which the attack originated so far. The text file contains the addresses from my system log files and from my friend's log files. I have yet to contact the responsible people of the corresponding domains.

Also, the list of different usernames is varied -- I count 4712 different login names in my system log files. I attached a list of usernames to this message. It may be a good idea to check your systems to see if any of the provided usernames is present and has a weak password.

A quick look on the web for a mention of this SSH scan didn't provide me with a satisfying explanation. Did anyone ever notice such abnormal traffic in their system logs? I'd be interested to hear about it. Also, I'd like to read about it if any alert has been published on the web.

Thanks.

Alexandre Hamelin
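The pattern Alexandre describes (many `Invalid user` failures from one address within a minute or two, each with a different username) can be picked out of syslog-style sshd output by grouping failures per source and measuring the peak rate in a sliding window. The script below is an added example, not code from the thread or from OpenSSH; it assumes the classic syslog line format shown in the post (a constructed year is supplied, since syslog timestamps omit it) and also accepts OpenSSH's `Failed password for ...` lines. Everything in `SAMPLE_LOG` is constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches "Invalid user X from IP" (as in the post) and OpenSSH "Failed password for ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
YEAR = 2006  # assumed: syslog timestamps carry no year

# Constructed sample: five lines of the burst quoted in the post plus one
# unrelated single failure from a documentation-range address.
SAMPLE_LOG = [
    "Feb 26 15:06:12 localhost sshd[3500]: Invalid user delta from 194.44.247.243",
    "Feb 26 15:06:14 localhost sshd[3502]: Invalid user admin from 194.44.247.243",
    "Feb 26 15:06:16 localhost sshd[3504]: Invalid user test from 194.44.247.243",
    "Feb 26 15:06:18 localhost sshd[3506]: Invalid user testing from 194.44.247.243",
    "Feb 26 15:06:20 localhost sshd[3508]: Invalid user tester from 194.44.247.243",
    "Feb 26 09:41:03 localhost sshd[2210]: Failed password for alice from 192.0.2.10 port 40122 ssh2",
]

def parse(lines):
    """Yield (timestamp, username, source_ip) for each line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_bursts(lines, window_seconds=120, min_attempts=5):
    """Return {ip: (peak attempts in one window, distinct usernames)} for sources
    that reach min_attempts within window_seconds; a lone slow failure is not flagged."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        peak = start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_attempts:
            flagged[ip] = (peak, len({u for _, u in events}))
    return flagged
```

Feeding it the output of `grep sshd /var/log/messages` gives a per-source summary you can use to decide which addresses to block or report; the thresholds are starting points and should be tuned to your own login rate.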