I am seeing this on my home network; the IP address is a new PS4 console.
We have also seen a big spike, maybe 50x baseline, in the last week. Of a few sources I checked, most seemed to be running opensshd. I suspect Linux boxes compromised via the same password guessing tool. Attempts I have captured in the past (http://andrew.triumf.ca/ssh_pass_file2.html) are mostly against root, so I suggest at the least blocking root password logins ("PermitRootLogin without-password" in OpenSSH sshd_config). We have also seen an ssh/sshd trojan on Linux boxes, a number of which were compromised (CVE-2009-2692) using the unusually robust escalation exploit "linux-sendpage3". This trojan logged passwords in and out, which were then used to attack other machines and gain root in turn on unpatched ones. The recent port 22 spike is, I believe, unrelated.
We have seen a huge amount of ssh attacks in the last 2 weeks.
Anyone else seeing a HUGE number of SSH brute force attacks in the last 24 hours?
Got a huge load of scans throughout the last weeks (up to 65000 entries an hour); luckily my boxes are NOT accessible via keyboard enabled authentication or PAM. ;)
The game Project Torque generates some requests on this port when a race is about to start. It seems to work fine when the requests are blocked. At this moment it is in "Closed Beta" state, but shortly it will become "Open Beta". The closed beta started at the beginning of August.
We had an ssh worm pop a box in mid October. Logs showed ssh scanning starting in late September through October. Box had a trivial password for an exposed service account. Appears that human attackers logged in the day after the worm and set the box up as a port 22 scanner. Ran for two days before we caught it. Human logins came from Romania. This is what's interesting: we were seeing RST ACKs in ALL our logs globally, as if we had been sending SYN packets from all our global IP space to a site in Texas (US). "Ronaldsrecordclub" - 188.8.131.52. Now moved. As if our space was being used in a DOS. Sample: "Deny TCP (no connection) from 184.108.40.206/22 to xxx.xxx.xxx.xxx/3072 flags RST ACK on interface outside". Source port was consistently 3072. A Ronaldsrecord google hit talks of its site's "PayPal" environment being developed by its "Romanian Development" team. Activity stops in mid-October, about the time the SSH worm hit us. I find it odd that we would see this RST ACK activity to port 22 AND have "Romania" associated with both things. Curious if the RST ACK was a DOS or a scan of some sort.
I have seen this same attack on a server on my network. A weak password was exploited and an ssh scanner was downloaded from a .ro site. Also included was a list of common usernames and passwords. It appears that it was just checking to see if the password was the same as the username. Once in, it started trying to brute force the root password.
frequently scanned to look for accounts with weak passwords.
We've been seeing an extreme amount of SSH scanning at our site over the past week, and just this weekend found a compromised Linux box doing the scanning. My investigation into the compromise found the usual stuff (sniffer, ssh backdoor, irc stuff, etc.) but I found a couple of things particularly interesting:
- tools for exploiting samba 2.2.x
- what looks like a SYN scanner, binary named "ss", with a cover script with command line options for port "22" and a speed setting "6"
- a binary named "lol". From what I can tell from the "strings" command and what we've seen, the binary does a dictionary attack against common accounts such as "root" and "test" using SSH.
The tools used were downloaded from sites in the .ro domain (Romania?).
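Added example, not posted by anyone in this thread: a small Python checker that scans sshd auth-log lines for the two patterns the comments above describe, a burst of failed password guesses against accounts like "root" and "test" from one source, and a password login that succeeds right after such a burst. The log lines are constructed in OpenSSH's usual format; the threshold and alert strings are my own choices.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (OpenSSH format); not taken from the page.
SAMPLE_LOG = """\
Oct 12 03:14:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Oct 12 03:14:03 host sshd[2203]: Failed password for root from 203.0.113.7 port 41024 ssh2
Oct 12 03:14:05 host sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 41026 ssh2
Oct 12 03:14:07 host sshd[2207]: Failed password for invalid user admin from 203.0.113.7 port 41028 ssh2
Oct 12 03:14:09 host sshd[2209]: Accepted password for root from 203.0.113.7 port 41030 ssh2
Oct 12 03:20:11 host sshd[2301]: Failed password for alice from 198.51.100.9 port 50012 ssh2
Oct 12 03:21:00 host sshd[2305]: Accepted publickey for alice from 198.51.100.9 port 50013 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user test from ...".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def analyze(log_text, threshold=3):
    """Return alert strings for brute-force bursts and logins that follow them."""
    failures = Counter()        # failed attempts per source IP
    users = defaultdict(set)    # usernames tried per source IP
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] += 1
            users[src].add(user)
        elif m["method"] == "password" and failures[src] >= threshold:
            # A password login succeeding after a run of failures from the same
            # source is the "weak password then root brute force" pattern above.
            alerts.append(
                f"SUCCESS_AFTER_BRUTEFORCE {src} user={user} prior_failures={failures[src]}"
            )
    for src, n in failures.items():
        if n >= threshold:
            alerts.append(f"BRUTEFORCE {src} failures={n} users={sorted(users[src])}")
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Key-only logins (the "Accepted publickey" line) never trigger the success alert, which is the point of the PermitRootLogin without-password suggestion earlier in the thread.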