
Thread: Has anyone seen this SSH Scanner tool?

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Has anyone seen this SSH Scanner tool?

    I've found a variety of references to this but haven't seen any official announcements (unless I missed it). I did find this help (?) file but was curious if anyone has actually heard/seen the tool.

    For those that haven't seen it, check your SSH logs for something along the following (IPs are possibly different, and I just grabbed a "slice" of my auth.log):

    Oct 16 10:45:23 MsMittens sshd[3560]: password authentication failed. Login to account cyrus not allowed or account non-existent.
    Oct 16 10:45:26 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:45:26 MsMittens sshd[3562]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:45:31 MsMittens sshd[3562]: Wrong password given for user 'www'.
    Oct 16 10:45:33 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:45:33 MsMittens sshd[3564]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:45:37 MsMittens sshd[3564]: password authentication failed. Login to account wwwrun not allowed or account non-existent.
    Oct 16 10:45:39 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:45:39 MsMittens sshd[3566]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:45:42 MsMittens sshd[3566]: password authentication failed. Login to account matt not allowed or account non-existent.
    Oct 16 10:45:45 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:45:45 MsMittens sshd[3568]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:45:48 MsMittens sshd[3568]: password authentication failed. Login to account test not allowed or account non-existent.
    Oct 16 10:45:51 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:45:51 MsMittens sshd[3570]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:45:54 MsMittens sshd[3570]: password authentication failed. Login to account test not allowed or account non-existent.
    Oct 16 10:45:57 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:45:57 MsMittens sshd[3572]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:46:01 MsMittens sshd[3572]: password authentication failed. Login to account test not allowed or account non-existent.
    Oct 16 10:46:04 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:46:04 MsMittens sshd[3574]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:46:07 MsMittens sshd[3574]: password authentication failed. Login to account test not allowed or account non-existent.
    Oct 16 10:46:10 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:46:10 MsMittens sshd[3576]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:46:13 MsMittens sshd[3576]: password authentication failed. Login to account www-data not allowed or account non-existent.
    Oct 16 10:46:15 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:46:15 MsMittens sshd[3578]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:46:19 MsMittens sshd[3578]: password authentication failed. Login to account mysql not allowed or account non-existent.
    Oct 16 10:46:21 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:46:21 MsMittens sshd[3580]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:46:25 MsMittens sshd[3580]: Wrong password given for user 'operator'.
    Oct 16 10:46:28 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:46:28 MsMittens sshd[3582]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:46:31 MsMittens sshd[3582]: password authentication failed. Login to account adm not allowed or account non-existent.
    Oct 16 10:46:34 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:46:34 MsMittens sshd[3584]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:46:37 MsMittens sshd[3584]: password authentication failed. Login to account apache not allowed or account non-existent.
    Oct 16 10:46:40 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:46:40 MsMittens sshd[3586]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:46:43 MsMittens sshd[3586]: password authentication failed. Login to account irc not allowed or account non-existent.
    Oct 16 10:46:45 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:46:46 MsMittens sshd[3588]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:46:49 MsMittens sshd[3588]: password authentication failed. Login to account irc not allowed or account non-existent.
    Oct 16 10:46:51 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:46:51 MsMittens sshd[3590]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:46:54 MsMittens sshd[3590]: password authentication failed. Login to account adm not allowed or account non-existent.
    Oct 16 10:46:57 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:46:57 MsMittens sshd[3592]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:47:00 MsMittens sshd[3592]: Wrong password given for user 'root'.
    Oct 16 10:47:03 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:47:03 MsMittens sshd[3594]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:47:06 MsMittens sshd[3594]: Wrong password given for user 'root'.
    Oct 16 10:47:09 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:47:09 MsMittens sshd[3596]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:47:14 MsMittens sshd[3596]: Wrong password given for user 'root'.
    Oct 16 10:47:17 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:47:17 MsMittens sshd[3598]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:47:20 MsMittens sshd[3598]: password authentication failed. Login to account jane not allowed or account non-existent.
    Oct 16 10:47:23 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:47:23 MsMittens sshd[3600]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:47:26 MsMittens sshd[3600]: password authentication failed. Login to account pamela not allowed or account non-existent.
    Oct 16 10:47:28 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:47:28 MsMittens sshd[3602]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:47:32 MsMittens sshd[3602]: Wrong password given for user 'root'.
    Oct 16 10:47:34 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:47:34 MsMittens sshd[3604]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:47:37 MsMittens sshd[3604]: Wrong password given for user 'root'.
    Oct 16 10:47:40 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:47:40 MsMittens sshd[3606]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:47:43 MsMittens sshd[3606]: Wrong password given for user 'root'.
    Oct 16 10:47:46 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:47:46 MsMittens sshd[3608]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:47:49 MsMittens sshd[3608]: Wrong password given for user 'root'.
    Oct 16 10:47:52 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:47:52 MsMittens sshd[3610]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:47:55 MsMittens sshd[3610]: Wrong password given for user 'root'.
    Oct 16 10:47:58 MsMittens sshd[116]: connection from "222.118.5.179"
    Oct 16 10:47:58 MsMittens sshd[3612]: WARNING: DNS lookup failed for "222.118.5.179".
    Oct 16 10:48:01 MsMittens sshd[3612]: password authentication failed. Login to account cosmin not allowed or account non-existent.
    [Edit]

    I did visit Incidents.org and checked on port 22. While most attacks appeared in mid-to-late September, this one seems to still be going on (perhaps looking for a specific machine!?).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Seen it? Hah. I've seen it since June. It's progressing into a real tool now. Suspects are Romanian, AFAIK.
    mynetwatchman and ISC have had some good info on the subject.
    Let's not forget that SuckIT and/or other rootkits get installed if successful. Apparently the people responsible have read emails, sniffed passwords, stolen PGP keys... it's ugly, and they've taunted people on the phone as well.
    One of our attacks looked like this:
    [EDIT]
    I parsed out the built-in accounts... oops.
    Here are those: nobody, root, operator, adm, apache
    [/EDIT]
    22:01:08 ::ffff:211.248.38.252
    22:01:11 user patrick
    22:01:13 ::ffff:211.248.38.252
    22:01:16 user patrick
    22:01:45 ::ffff:211.248.38.252
    22:01:47 user rolo
    22:01:49 ::ffff:211.248.38.252
    22:01:52 user iceuser
    22:01:54 ::ffff:211.248.38.252
    22:01:56 user horde
    22:01:58 ::ffff:211.248.38.252
    22:02:01 user cyrus
    22:02:03 ::ffff:211.248.38.252
    22:02:05 user www
    22:02:07 ::ffff:211.248.38.252
    22:02:10 user wwwrun
    22:02:12 ::ffff:211.248.38.252
    22:02:15 user matt
    22:02:17 ::ffff:211.248.38.252
    22:02:20 user test
    22:02:22 ::ffff:211.248.38.252
    22:02:24 user test
    22:02:26 ::ffff:211.248.38.252
    22:02:29 user test
    22:02:31 ::ffff:211.248.38.252
    22:02:34 user test
    22:02:36 ::ffff:211.248.38.252
    22:02:38 user www-data
    22:02:40 ::ffff:211.248.38.252
    22:02:43 user mysql
    22:03:00 ::ffff:211.248.38.252
    22:03:02 user irc
    22:03:04 ::ffff:211.248.38.252
    22:03:07 user irc
    22:03:28 ::ffff:211.248.38.252
    22:03:31 user jane
    22:03:33 ::ffff:211.248.38.252
    22:03:36 user pamela
    22:04:03 ::ffff:211.248.38.252
    22:04:05 user cosmin
    22:07:08 ::ffff:211.248.38.252
    22:07:11 user cip52
    22:07:13 ::ffff:211.248.38.252
    22:07:15 user cip51
    22:07:23 ::ffff:211.248.38.252
    22:07:25 user noc
    22:07:47 ::ffff:211.248.38.252
    22:07:50 user webmaster
    22:07:52 ::ffff:211.248.38.252
    22:07:54 user data
    22:07:56 ::ffff:211.248.38.252
    22:07:59 user user
    22:08:01 ::ffff:211.248.38.252
    22:08:04 user user
    22:08:06 ::ffff:211.248.38.252
    22:08:08 user user
    22:08:10 ::ffff:211.248.38.252
    22:08:13 user web
    22:08:15 ::ffff:211.248.38.252
    22:08:18 user web
    22:08:23 ::ffff:211.248.38.252
    22:08:25 user oracle
    22:08:27 ::ffff:211.248.38.252
    22:08:30 user sybase
    22:08:32 ::ffff:211.248.38.252
    22:08:35 user master
    22:08:37 ::ffff:211.248.38.252
    22:08:39 user account
    22:08:42 ::ffff:211.248.38.252
    22:08:44 user backup
    22:08:46 ::ffff:211.248.38.252
    22:08:49 user server
    22:08:51 ::ffff:211.248.38.252
    22:08:53 user adam
    22:08:55 ::ffff:211.248.38.252
    22:08:58 user alan
    22:09:00 ::ffff:211.248.38.252
    22:09:02 user frank
    22:09:04 ::ffff:211.248.38.252
    22:09:07 user george
    22:09:09 ::ffff:211.248.38.252
    22:09:11 user henry
    22:09:13 ::ffff:211.248.38.252
    22:09:16 user john
    22:09:43 ::ffff:211.248.38.252
    22:09:45 user test
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Interesting. I'm not getting as many variations on names and most of what I'm seeing is coming from Korea.

  4. #4
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    A lot of them are "from" Korea (we've seen a fair share from there as well), but who can say if that's really where it's from.

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Originally posted here by hogfly
    Seen it? Hah. I've seen it since June. It's progressing into a real tool now. Suspects are Romanian, AFAIK.
    mynetwatchman and ISC have had some good info on the subject.
    Let's not forget that SuckIT and/or other rootkits get installed if successful. Apparently the people responsible have read emails, sniffed passwords, stolen PGP keys... it's ugly, and they've taunted people on the phone as well.
    One of our attacks looked like this:
    [EDIT]
    I parsed out the built-in accounts... oops.
    Here are those: nobody, root, operator, adm, apache
    [/EDIT]
    22:01:08 ::ffff:211.248.38.252
    22:01:11 user patrick
    <SNIP>
    22:09:43 ::ffff:211.248.38.252
    22:09:45 user test
    Read here; this is the best information I have seen publicly released about this group and what they have been doing:

    http://securecomputing.stanford.edu/...-6apr2004.html

    If I was a betting man, you will hear much about this sometime in the future.

    Oh, and MsMittens... there are some references to SSH scans, but unfortunately I could only see them saying 'we found what was causing it'; they didn't say what.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  6. #6
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Stanford... haha, they have had more systems compromised by this tool than anyone else, hence all of their knowledge about the subject.

  7. #7
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Ditto logs here. I made a post about this a while ago; I was told, and later verified, that it's an exploit against SSH. Make sure you are only allowing SSH2 connections and deny access to root. That's what I was told, at least. We still get invalid login attempts every day around 4 am. They come from Korea and Taiwan.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.
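    The advice above (SSH2 only, no root logins) is applied in sshd_config, and the trap when applying it is that sshd uses the first value it reads for a keyword, not the last, so a "PermitRootLogin no" appended below an existing "PermitRootLogin yes" changes nothing. This is an added example, not code from the thread or from OpenSSH: it evaluates a config under those first-match rules and reports which of the advised settings are actually in effect. WEAK_CONFIG and HARDENED_CONFIG are constructed samples. Checking PasswordAuthentication is my addition beyond what the post advises, since password guessing is what the logs show; and because OpenSSH 7.4 and later speak only protocol 2 and treat the Protocol keyword as deprecated, a Protocol value is reported as a warning rather than a failure.

```python
"""Audit an sshd_config for the hardening the post advises.

Rules that matter, from sshd_config(5): keywords are case-insensitive, '#'
starts a comment, "Key value" and "Key=value" are both accepted, and for each
keyword the FIRST value read wins. Settings after a "Match" line only apply
conditionally, so the audit stops there.
"""
import re

# CONSTRUCTED sample: looks hardened at a glance, but the permissive lines
# come first and therefore win.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
# appended later, expecting them to take effect:
PermitRootLogin no
Protocol 2
Match User backup
    PasswordAuthentication no
"""

# CONSTRUCTED sample of the intended end state.
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# Values that must be in effect (FAIL otherwise), and values only warned about.
REQUIRED = {
    'permitrootlogin': {'no'},
    'passwordauthentication': {'no'},
}
ADVISORY = {
    'protocol': {'2'},   # deprecated no-op on OpenSSH 7.4+, still meaningful on old sshd
}


def effective_settings(config_text):
    """Return {keyword_lower: value} using first-match semantics, stopping at Match."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r'[\s=]+', line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ''
        if key == 'match':
            break                                    # conditional block: out of scope
        settings.setdefault(key, value)              # first value wins, later ones ignored
    return settings


def audit(config_text):
    """Return (findings, passed); findings are human-readable FAIL/WARN strings."""
    eff = effective_settings(config_text)
    findings = []
    for key, allowed in REQUIRED.items():
        got = eff.get(key)
        if got is None:
            findings.append(f'FAIL {key}: not set; the compiled-in default depends on '
                            f'the OpenSSH version, so set it explicitly')
        elif got.lower() not in allowed:
            findings.append(f'FAIL {key}: effective value is {got!r}, want one of {sorted(allowed)}')
    for key, allowed in ADVISORY.items():
        got = eff.get(key)
        if got is not None and got.lower() not in allowed:
            findings.append(f'WARN {key}: effective value is {got!r} (protocol 1 still offered)')
    passed = not any(f.startswith('FAIL') for f in findings)
    return findings, passed


if __name__ == '__main__':
    for name, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        findings, ok = audit(cfg)
        print(f'{name}: {"PASS" if ok else "FAIL"}')
        for f in findings:
            print('  ' + f)
```

    Point it at the live file with `audit(open('/etc/ssh/sshd_config').read())`. Reading the effective values with first-match semantics is the whole point; `sshd -T` prints the same resolved configuration and is the authoritative check after any edit, and `sshd -t` catches syntax errors before a restart locks you out.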

  8. #8
    Junior Member
    Join Date
    Dec 2003
    Posts
    12
    Just block Korea. (I have.) Much "****" has disappeared since then.

  9. #9
    Junior Member
    Join Date
    Jul 2003
    Posts
    18
    I have been getting the same stuff on my BSD firewall for the past month or so. Most of mine are coming from China or New York.

  10. #10
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Same here... gonna do some homework tonight on the ISP that's handling the ones I've been getting and see if something can be done. I have something like 40+ pages backdating two months of this stuff... turned off SSH on the router so I don't get hammered anymore until I figure out what's going on.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
