My next class:

Odd new ssh scanning, possibly for D-Link devices

Published: 2014-12-10. Last Updated: 2014-12-10 19:49:05 UTC
by Jim Clausing (Version: 1)
14 comment(s)

I noticed it in my own logs overnight and also had a couple of readers (both named Peter) report some odd new ssh scanning overnight.  The scanning involves many sites, likely a botnet, attempting to ssh in as 3 users, D-Link, admin, and ftpuser.  Given the first of those usernames, I suspect that they are targetting improperly configured D-Link routers or other appliances that have some sort of default password.  The system that I have at home was not running kippo, so I didn't get the passwords that they were guessing and was not able to see what they might do if they succeed in ssh-ing in.  If anyone out there has any more info on what exactly they are targetting, please let us know by e-mail, via the contact page, or by commenting on this post.  I'll try to reconfigure a couple of kippo honeypots to see if I can capture the bad guys there and may update this post later.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Keywords:
14 comment(s)
My next class:

Comments

I have seen a very large uptick in SSH attempts against my web server (I'm running denyhosts) and have noticed that the hosts running the 'attack' are searching for the following usernames: ftpuser, admin, D-Link. I have no other information to provide, but my denyhosts is currently banning 100+ IPs a day, up from <10/day.
My logs are showing two scans in the past 30 hours. No user of DLink but plenty admin and ftpuser. The logs show they're using either no password or a password of 'asteriskftp' for the ftpuser account. They're using the "top 100" passwords for the admin account.

For the three or four weeks that I've been running this honeypot, all of the successful logins do one of two things:
1) look for /var/run/sftp.pid (apparently checking to see if sftp is installed and running)
2) execute "__install_di"

I've had 1 more interactive hit on the 29th where they started a download of a Ubuntu ISO. Then killed it, tried to "cat /etc/redhat-release", then executed "ifconfig" and logged off.
Guess you could call me an advanced user, but YES, SSH was getting nailed so hard yesterday my lowly home 3 meg DSL connection pretty much seized up...thought I had gone back to dialup, I just stopped the service for a while.
But looks like the "usual suspects"...got hammered by 144.0.0.xx yesterday..(china)
ftpuser name coming out of 222.178.184.xxx today,(also china),
But the D-link name is coming from 205.178.137.xx which is NetSol...

current logs, as of this posting showing apparent bot'ed machines from the Southern US, Florida..50.162.224.xx and Louisiana.. 64.91.28.xxx for the D-link name...
kinda unusual to see US IP's in the logs,normally all off shore..
even showing an SSH login attempt from an amazon IP... 54.227.30.xxx
so someone has started a big campaign ....
Seeing this as well... a very significant increase in SSH scanning activity since December 9th across my network.

Something evil is afoot, smells like a worm to me.
And now it seems to have subsided, which is (perhaps) weirder. I wonder in my case if it's because each source stopped trying after Fail2Ban blocked it, or if it was actually just a brief surge, and it stopped naturally once all D-Link routers were pwned... ;-)
Just to add to the mix: I've seen the same attacks in logs on servers all over the world (Austria, Germany, Netherlands, United Kingdom, United States, Australia, Singapore, France). So it seems that somebody tried to bruteforce 0.0.0.0/0.
see it too in germany since the 8th, and it seems like a sever-botnet-scanning servers from this side


> https://8ack.de/analysen/ssh_botnet_brute_force_attack_en
I'm seeing the same here and in addition, I'm seeing login attempts for users karaf, dreamer, log, xbian, PlcmSpIp, pi, default, and arbab.
This is just since the 8th:

cat /var/log/auth.log | grep D-Link | wc -l
382

Wide variety of countries, lots of mail servers and nameservers, also plesk and cpanel mentioned a lot in the hostnames of the culprits. Not a lot of IPs assigned to home internet connections, these are all colo machines, vps and such.
I have the same result
denyhosts up from 10 to 100+ per day

Diary Archives