Date:      Wed, 6 Apr 2005 12:55:58 -0300
From:      Luiz Eduardo Roncato Cordeiro <cordeiro@nic.br>
To:        freebsd-security@freebsd.org
Subject:   Re: What is this Very Stupid DOS Attack Script?
Message-ID:  <200504061255.59142.cordeiro@nic.br>
In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
References:  <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>

Hi,

Probably, what you have seen is a brute force attack against your
sshd. Unfortunately, this kind of attack still works.

Regards,
Cordeiro


On Wednesday April 6 2005 12:49, Martin McCormick <martin@dc.cis.okstate.edu> wrote:
> 	We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts.  An example:
> 
> Apr  6 05:41:51 dc sshd[88763]: Did not receive identification
> 	string from 67.19.58.170
> Apr  6 05:49:42 dc sshd[12389]: input_userauth_request: illegal
> 	user anonymous
> Apr  6 05:49:42 dc sshd[12389]: Failed password for illegal user
> 	anonymous from 67.19.58.170 port 32942 ssh2
> Apr  6 05:49:42 dc sshd[12389]: Received disconnect from
> 	67.19.58.170: 11: Bye Bye
> Apr  6 05:49:42 dc sshd[12406]: input_userauth_request: illegal
> 	user bruce
> Apr  6 05:49:42 dc sshd[12406]: Failed password for illegal user
> 	bruce from 67.19.58.170 port 32983 ssh2
> Apr  6 05:49:42 dc sshd[12406]: Received disconnect from
> 	67.19.58.170: 11: Bye Bye
> Apr  6 05:49:42 dc sshd[12422]: input_userauth_request: illegal
> 	user chuck
> 
> 	You get the idea.  This goes on for 3 or 4 minutes and then
> just stops for now.  I can almost promise that later, another attack
> will start from some other IP address and blaze away for a few
> minutes.
> 
> 	Other than spewing lots of entries into syslog, what is the
> purpose of the attack?  Are they just hoping to luck into an open
> account?  The odds of guessing the right account name and then guessing
> the correct password are astronomical to say the least.
> Direct root logins are not possible so there is another roadblock.
> 
> 	This seems on the surface to be aimed at simply filling up the /var
> file system, but it is so stupid as to make me wonder if there is
> something else more sophisticated that we truly need to be trembling
> in our shoes over.
> 
> 	I notice from the syslog servers, here, that the same system
> is hammering other sshd applications on those devices at the same time
> it is hitting this system so whatever script it is is probably just
> trolling our network, looking for anything that answers.
> 
> 	Thanks for any useful information as to the nature of what
> appears to be more of a nuisance than a diabolical threat to security.
> 
> Martin McCormick WB5AGZ  Stillwater, OK 
> OSU Information Technology Division Network Operations Group


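As an added illustration (not code from either poster), the detection side of what the thread describes: a small Python script that parses sshd "Failed password" lines in the syslog format quoted above, groups them by source address and flags any source that racks up several failures against different usernames inside a short window, which is the signature of an account-guessing sweep rather than a typo-prone user. The sample log is constructed from the quoted lines (wrapped lines re-joined, plus an extra failure line for "chuck" and a single benign failure from 192.0.2.7); the threshold and window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the sshd lines quoted in the thread.
SAMPLE_LOG = """\
Apr  6 05:41:51 dc sshd[88763]: Did not receive identification string from 67.19.58.170
Apr  6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous
Apr  6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 67.19.58.170 port 32942 ssh2
Apr  6 05:49:42 dc sshd[12389]: Received disconnect from 67.19.58.170: 11: Bye Bye
Apr  6 05:49:42 dc sshd[12406]: input_userauth_request: illegal user bruce
Apr  6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
Apr  6 05:49:42 dc sshd[12406]: Received disconnect from 67.19.58.170: 11: Bye Bye
Apr  6 05:49:43 dc sshd[12422]: Failed password for illegal user chuck from 67.19.58.170 port 33010 ssh2
Apr  6 05:52:10 dc sshd[12500]: Failed password for martin from 192.0.2.7 port 40001 ssh2
"""

# Matches both "Failed password for illegal user X" and "Failed password for X".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2005):
    """Yield (timestamp, source_ip, username) for every failed-password line.
    Syslog lines carry no year, so the caller supplies one (assumed 2005 here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_bruteforce(log_text, threshold=3, window_seconds=300):
    """Return {ip: (failures_in_window, distinct_users)} for each source whose
    failures within any sliding window of window_seconds reach the threshold."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, (0, 0))[0]:
                flagged[ip] = (count, len({u for _, u in events[start:end + 1]}))
    return flagged
```

The distinct-user count is the useful discriminator: one address cycling through many account names in seconds is a dictionary sweep, while a single user failing repeatedly is usually a forgotten password.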

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200504061255.59142.cordeiro>