
SANS ISC: New, odd SSH brute force behavior - Internet Security | DShield SANS ISC InfoSec Forums

New, odd SSH brute force behavior

Over the past 72 hours, I've noticed a shift in the types of brute force attacks I'm seeing on my SSH honeypot.  Generally, SSH attacks consist of hundreds (or thousands) of authentication attempts, each using a different username/password combination. Over the past few days, however, I'm seeing multiple IP addresses attempting to use *one* password against *one* account: root/ihatehackers.

In a sense, a single IP address taking a "one-off" shot at root doesn't really even qualify as "brute-force" and is... well... barely an attack. What I find interesting about this new behavior is the number of different sources I'm seeing for this single, somewhat lame hack.

So, how widespread is this behavior?  Is anyone else seeing it?  Also, does anyone have any idea what this attack is about?  As I said, on the surface, this looks kinda lame, but perhaps someone out there knows something I don't...

Tom Liston
Senior Security Analyst - InGuardians, Inc.
SANS ISC Handler
Twitter: @tliston


160 Posts
ISC Handler
I actually saw this behavior around Oct 11th and asked if anyone noticed something similar. I noticed that it avoided (on purpose or not) triggering an alerting mechanism.
I meant to say any alerting mechanism.
I can't say much about specific user/password combos, but I've seen distributed attempts off and on for a year or two... They do it to keep people from using fail2ban (or similar).
This may be related to a fake exploit. The author looks for victims. Usually this is done along with classic brute force, which is why it is uncommon, but this one has decided otherwise.

7 Posts
Yup, seeing the same thing on my side. Doing a little digging as we speak. Any chance you could share some more info from your side ? I'd like to see if I could track the attacks.

2 Posts
Thanks for linking to my blog! I would be a tad reluctant to call this a new phenomenon, however: we started noticing those attempts back in 2008, and we've been seeing them on and off since then. I've blogged about some of the attacks, and the data I've accumulated (and keep accumulating for that matter) is of course available to anyone who wants to do a proper analysis. In fact, if data from several sources is available, that would be even better.

- Peter

4 Posts
Peter - Your site was very interesting reading. By the way, I thought that the grumpy BSD guy was Theo...

160 Posts
ISC Handler
Hey, Tom, I started seeing the same thing yesterday; knowing you were running an SSH honeypot, I was going to ask you about it tomorrow via e-mail to see if you were seeing it. :)

405 Posts
ISC Handler
I have run a project since Summer 2007 that identifies SSH (and telnet) scanning machines from our netflows and machine logs and notifies the whois/abusix-given contacts for that IP, very much similar to the efforts started here to eliminate SQL Slammer.

So I had a look into my notifications for all the IPs that were given here, and for all but one ( of them I have already sent notifications out. Interestingly, the majority of the mentioned IPs were first noticed last year, on Oct 27 2010, on the same day.

My guess is that we have here an IRC coordinated botnet at work.

Regarding distributed SSH scanning, we saw such attempts already in Oct 2007, when I got the logs of a machine in our networks where nearly 600 machines were probing the "mysql" account within 48h.

42 Posts
The thing that comes to mind for me is a botnet looking for a particular set of trojanised SSH-servers where that password works.
I mean the odds of hitting it off on a random server with that password must be next to zero unless they are looking for something specific.

Same **EXACT** thing on my SSH Honeypot, to include same order of source IP addresses.

2011-11-03 07:41:13[3527,][root/ihatehackers]
2011-11-03 08:29:47[3528,][root/ihatehackers]
2011-11-03 09:18:16[3529,][root/ihatehackers]
2011-11-03 10:06:27[3530,][root/ihatehackers]
2011-11-03 11:59:13[3531,][root/ihatehackers]
2011-11-03 13:34:43[3532,][root/ihatehackers]
2011-11-03 15:13:39[3533,][root/ihatehackers]
2011-11-03 16:57:31[3534,][root/ihatehackers]
2011-11-03 18:35:54[3535,][root/ihatehackers]
2011-11-03 19:29:51[3536,][root/ihatehackers]
2011-11-03 23:56:05[3537,][root/ihatehackers]
2011-11-04 08:10:46[3538,][root/ihatehackers]
2011-11-04 09:34:02[3539,][root/ihatehackers]
2011-11-04 10:54:58[3540,][root/ihatehackers]
2011-11-04 12:16:46[3541,][root/ihatehackers]
2011-11-04 16:37:47[3542,][root/ihatehackers]
2011-11-04 17:54:22[3543,][root/ihatehackers]
2011-11-05 00:49:34[3544,][root/ihatehackers]
2011-11-05 03:16:20[3545,][root/ihatehackers]
2011-11-05 07:58:47[3546,][root/ihatehackers]

Very interesting. I saw 12 unique IP connections over the same period, 7 of which are on your list.

I guess we will never know.

2 Posts
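The pattern the thread describes, one credential pair tried once each from many different sources, is exactly what a per-IP ban threshold (fail2ban and the like) is designed not to see, while an ordinary single-source brute force trips it immediately. The following is an added example, not code from the thread or from any poster, that parses honeypot lines in the format posted above and pivots them by credential pair rather than by source. The posted lines have an empty second field; this example assumes that field carries the source IP and constructs sample lines with TEST-NET addresses accordingly.

```python
import re
from collections import defaultdict

# Line format as posted in the thread: "<date> <time>[<id>,<src>][<user>/<password>]".
# ASSUMPTION: the field after the comma (empty in the posted lines) holds the source IP.
LINE_RE = re.compile(r'^(\S+ \S+)\[(\d+),([^\]]*)\]\[([^/\]]+)/([^\]]*)\]$')

# Constructed sample data (not from the thread): six sources each trying root/ihatehackers
# exactly once, plus one source hammering a handful of common credentials.
SAMPLE_LOG = [
    "2011-11-03 07:41:13[3527,192.0.2.11][root/ihatehackers]",
    "2011-11-03 08:29:47[3528,192.0.2.12][root/ihatehackers]",
    "2011-11-03 09:18:16[3529,192.0.2.13][root/ihatehackers]",
    "2011-11-03 10:06:27[3530,192.0.2.14][root/ihatehackers]",
    "2011-11-03 11:59:13[3531,192.0.2.15][root/ihatehackers]",
    "2011-11-03 13:34:43[3532,192.0.2.16][root/ihatehackers]",
    "2011-11-03 14:00:01[3533,198.51.100.7][admin/admin]",
    "2011-11-03 14:00:02[3534,198.51.100.7][admin/123456]",
    "2011-11-03 14:00:03[3535,198.51.100.7][admin/password]",
    "2011-11-03 14:00:04[3536,198.51.100.7][root/toor]",
    "2011-11-03 14:00:05[3537,198.51.100.7][root/root]",
    "2011-11-03 14:00:06[3538,198.51.100.7][test/test]",
]


def parse_line(line):
    """Split one honeypot line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sid, src, user, pw = m.groups()
    return {"ts": ts, "id": int(sid), "src": src, "user": user, "password": pw}


def summarize(lines):
    """Build two views: attempts per (user, password) per source, and attempts per source."""
    per_cred = defaultdict(lambda: defaultdict(int))
    per_src = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_cred[(rec["user"], rec["password"])][rec["src"]] += 1
        per_src[rec["src"]] += 1
    return per_cred, per_src


def find_noisy_sources(lines, maxretry=5):
    """The classic per-IP rule: sources with at least maxretry attempts (what fail2ban bans)."""
    _, per_src = summarize(lines)
    return sorted(src for src, n in per_src.items() if n >= maxretry)


def find_distributed_credentials(lines, min_sources=5, maxretry=5):
    """The complementary rule: a credential pair seen from at least min_sources distinct IPs
    while every individual IP stays under maxretry, i.e. invisible to the per-IP rule."""
    per_cred, _ = summarize(lines)
    hits = []
    for (user, pw), srcs in per_cred.items():
        peak = max(srcs.values())
        if len(srcs) >= min_sources and peak < maxretry:
            hits.append({"user": user, "password": pw,
                         "sources": len(srcs), "max_per_ip": peak})
    return sorted(hits, key=lambda h: -h["sources"])


if __name__ == "__main__":
    print("per-IP rule bans:", find_noisy_sources(SAMPLE_LOG))
    for hit in find_distributed_credentials(SAMPLE_LOG):
        print("distributed credential: %(user)s/%(password)s from %(sources)d sources, "
              "max %(max_per_ip)d attempt(s) per IP" % hit)
```

On the sample data the per-IP rule reports only 198.51.100.7, and the credential-pivot rule reports root/ihatehackers from six sources with a single attempt each; none of the six sources would ever reach a ban threshold on its own. Thresholds are parameters so the same two functions can be run over real honeypot or auth logs with whatever maxretry the site actually uses.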
Could this be an attempt to leverage an existing SSH backdoor password? One common thing I see is intruders downloading modified SSH source code containing a static backdoor password. I've not seen 'ihatehackers' used but the idea of scanning for a leaked backdoor password seems a sound one. Capitalising on the success of others makes a lot of sense.

6 Posts
With only minor interruptions, they're still at it, new data available now from If anybody else has similar data collected from other sites and/or want to do analyses, I'd be very happy to hear from you.

@Jim, if a back door exists, would it not be hiding in plain sight in the sshd source code?

4 Posts
They could be exploiting a log viewer bug, kwrite, wordpad, or root is dword that should be a valued user and exploit it "" if you send "root\x31\x11\x11\x11AAAAAAAAAAAAA it might play havoc or user\x31.. username\x31..
It could be the same for Linux.
1 Posts
and just like that it stops again (on my system anyway)

405 Posts
ISC Handler
I am a bit late posting on this, but overall the SSH honeypots I run also noticed attempts on the user/pass combo above, from other IP addresses too, all of which were reported.

Now they have just stopped :-)
3 Posts
