[BUGS] Constant SSH login spam

Andrew Reilly areilly at bigpond.net.au
Mon Feb 4 07:51:06 EST 2008


Hi Jerahmy,

On Mon, 4 Feb 2008 03:53:16 +1100
Jerahmy Pocott <quakenet1 at optusnet.com.au> wrote:

> Is anyone else seeing massive amounts of SSH login attempts on their  
> servers?

Yes, but no more than usual.

> Is there some recent SSH vulnerability that I didn't hear  
> about? My firewall here is constantly blocking connections, around 200  
> or so per day.. Then on a server that actually allows remote ssh  
> connections I get security log files going into the megabytes listing  
> things like:

Don't you have newsyslog.conf set to limit their size?  My
auth.log files roll over at 100k.  The last one had 1200 Invalid
user lines over four days, though.  By comparison, I get twenty
times as much spam as that.

> Feb  3 03:31:57 beastie sshd[65656]: Invalid user a from 190.76.248.24
> Feb  3 03:32:00 beastie sshd[65658]: Invalid user b from 190.76.248.24
> Feb  3 03:32:02 beastie sshd[65660]: Invalid user c from 190.76.248.24

Not very bright, are they?

> Going through millions of names and this server requires an RSA key  
> pair to connect, yet they keep trying for hours and hours on end.. Is  
> there some sort of virus/botnet thing that does this automatically  
> trying to harvest logins and spread? It just seems too stupid to even be
> a person using some script..

It's got to be a robot.  No person is that persistent, or that
stupid.  I've just had one try forty passwords against user
"c0linda54321 (yes, with the quote).  I'm pretty sure that was
the password of the pair, which means that the bot software is a
script written in a language that is sensitive to non-ascii or
punctuation (or otherwise just buggy.)

No, I have no idea what they're after, but they've been at it
for a long time.  Probably can't think of anything better to do
with the username/passwords that they've scraped from keyboards
in internet cafes.

Cheers,

-- 
Andrew
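
Added example, not part of the original message: one way to summarise the "Invalid user" lines quoted above, flagging any source address that makes several attempts in a short window. The threshold, window, assumed year and all sample lines after the first three are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd logs one such line per attempt on a nonexistent account; newer
# OpenSSH versions append " port N", which is accepted but ignored here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Invalid user (?P<user>.*) from (?P<ip>[0-9A-Fa-f:.]+)(?: port \d+)?\s*$"
)

def parse(lines, year=2008):
    """Yield (timestamp, user, ip); syslog omits the year, so it is assumed."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def scanners(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: usernames} for sources with >= threshold tries in a window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

# First three lines are from the message above; the rest are constructed.
SAMPLE = """\
Feb  3 03:31:57 beastie sshd[65656]: Invalid user a from 190.76.248.24
Feb  3 03:32:00 beastie sshd[65658]: Invalid user b from 190.76.248.24
Feb  3 03:32:02 beastie sshd[65660]: Invalid user c from 190.76.248.24
Feb  3 09:15:02 beastie sshd[70112]: Invalid user "guest from 192.0.2.7
Feb  3 10:00:00 beastie sshd[70200]: Invalid user admin from 203.0.113.9
Feb  3 11:00:00 beastie sshd[70310]: Invalid user test from 203.0.113.9
Feb  3 12:00:00 beastie sshd[70420]: Invalid user oracle from 203.0.113.9
""".splitlines()

if __name__ == "__main__":
    for ip, users in scanners(SAMPLE).items():
        print(ip, "tried", len(users), "usernames:", users)
```

The slow source (one attempt per hour) and the single attempt with a stray quote in the username both parse but fall under the threshold, so only the rapid a, b, c run is reported.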

