Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Odd new ssh scanning, possibly for D-Link devices - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Odd new ssh scanning, possibly for D-Link devices

I noticed it in my own logs overnight and also had a couple of readers (both named Peter) report some odd new ssh scanning overnight.  The scanning involves many sites, likely a botnet, attempting to ssh in as 3 users, D-Link, admin, and ftpuser.  Given the first of those usernames, I suspect that they are targetting improperly configured D-Link routers or other appliances that have some sort of default password.  The system that I have at home was not running kippo, so I didn't get the passwords that they were guessing and was not able to see what they might do if they succeed in ssh-ing in.  If anyone out there has any more info on what exactly they are targetting, please let us know by e-mail, via the contact page, or by commenting on this post.  I'll try to reconfigure a couple of kippo honeypots to see if I can capture the bad guys there and may update this post later.

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS DFIR Summit & Training 2022


423 Posts
ISC Handler
Dec 10th 2014
I have seen a very large uptick in SSH attempts against my web server (I'm running denyhosts) and have noticed that the hosts running the 'attack' are searching for the following usernames: ftpuser, admin, D-Link. I have no other information to provide, but my denyhosts is currently banning 100+ IPs a day, up from <10/day.

7 Posts
My logs are showing two scans in the past 30 hours. No user of DLink but plenty admin and ftpuser. The logs show they're using either no password or a password of 'asteriskftp' for the ftpuser account. They're using the "top 100" passwords for the admin account.

For the three or four weeks that I've been running this honeypot, all of the successful logins do one of two things:
1) look for /var/run/ (apparently checking to see if sftp is installed and running)
2) execute "__install_di"

I've had 1 more interactive hit on the 29th where they started a download of a Ubuntu ISO. Then killed it, tried to "cat /etc/redhat-release", then executed "ifconfig" and logged off.

1 Posts
Guess you could call me an advanced user, but YES, SSH was getting nailed so hard yesterday my lowly home 3 meg DSL connection pretty much seized up...thought I had gone back to dialup, I just stopped the service for a while.
But looks like the "usual suspects" hammered by 144.0.0.xx yesterday..(china)
ftpuser name coming out of today,(also china),
But the D-link name is coming from 205.178.137.xx which is NetSol...

current logs, as of this posting showing apparent bot'ed machines from the Southern US, Florida..50.162.224.xx and Louisiana.. for the D-link name...
kinda unusual to see US IP's in the logs,normally all off shore..
even showing an SSH login attempt from an amazon IP...
so someone has started a big campaign ....

2 Posts
Seeing this as well... a very significant increase in SSH scanning activity since December 9th across my network.

Something evil is afoot, smells like a worm to me.

12 Posts
And now it seems to have subsided, which is (perhaps) weirder. I wonder in my case if it's because each source stopped trying after Fail2Ban blocked it, or if it was actually just a brief surge, and it stopped naturally once all D-Link routers were pwned... ;-)
Peter Bance

9 Posts
Just to add to the mix: I've seen the same attacks in logs on servers all over the world (Austria, Germany, Netherlands, United Kingdom, United States, Australia, Singapore, France). So it seems that somebody tried to bruteforce
see it too in germany since the 8th, and it seems like a sever-botnet-scanning servers from this side

I'm seeing the same here and in addition, I'm seeing login attempts for users karaf, dreamer, log, xbian, PlcmSpIp, pi, default, and arbab.
This is just since the 8th:

cat /var/log/auth.log | grep D-Link | wc -l

Wide variety of countries, lots of mail servers and nameservers, also plesk and cpanel mentioned a lot in the hostnames of the culprits. Not a lot of IPs assigned to home internet connections, these are all colo machines, vps and such.

7 Posts
I have the same result
denyhosts up from 10 to 100+ per day
7 Posts
To provide a little more insight on this. Our team has been able to examine about 10 servers all which were brute forcing SSH during the last couple days starting later in the day (EST) on Monday the 8th. On all servers that we examined the original POE was ShellShock with the actual scanner being placed in /var/tmp/.new# (with # being either 4 or 5) so I would expect this was the same group that popped all of them. I can confirm that these machines were using usernames such as D-Link and PlcmSpIp in there scans. My guess is that someone scanned went through and exploited as many servers as they could still vulnerable to ShellShock and used them for this mass scanning. Speaking on the cPanel/Plesk comment most of the servers examined were running one of these. As these by default include externally accessible CGI scripts and people with control panels are normally the last to update if its not being done automatically they make them easy targets for ShellShock.
Mike M

5 Posts
It appears, at least from what I've seen, that the scan has terminated or it's mission was accomplished or whatever but I haven't logged a single attempt for a D-Link login all day.

7 Posts
I believe the scan is over. Whatever woke up has gone back to sleep.

7 Posts

Sign Up for Free or Log In to start participating in the conversation!