Port 22 (tcp/udp) Attack Activity - SANS Internet Storm Center

Handler on Duty: Jesse La Grew

Threat Level: green

[get complete service list]

Port Information
Protocol	Service	Name
tcp	ssh	SSH Remote Login Protocol
udp	ssh	SSH Remote Login Protocol
tcp	Adoresshd	[trojan] Adore sshd
tcp	Shaft	[trojan] Shaft
udp	pcanywhere	PCAnywhere (deprecated)

Top IPs Scanning
Today	Yesterday
51.255.167.42 (96)	218.92.0.117 (49483)

Port diary mentions
URL
Brute-force SSH Attacks on the Rise
So Where Are Those OpenSSH Key-based Attacks?
Increase in ssh root access attempts
Cyber Security Awareness Month - Day 17 - Port 22SSH
SSH - new brute force tool?
Blocking SSH to Limit Security Exposures
Is SSH no more secure than telnet?
Does it matter if iptables isn't running on my honeypot?

Top of page

User Comments
Submitted By	Date
Comment
	2014-08-09 19:48:08
I am seeing this on my home network, the IP address is a new PS4 console.
Andrew Daviel	2010-08-13 00:17:14
We have also seen a big spike, maybe 50x baseline, in the last week. Of a few sources I checked, most seemed to be running opensshd. I suspect Linux boxes compromised via the same password guessing tool. Attempts I have captured in the past (http://andrew.triumf.ca/ssh_pass_file2.html) are mostly against root, so I suggest at the least blocking root password logins ("PermitRootLogin without-password" in OpenSSH sshd_config). We have also seen an ssh/sshd trojan on Linux boxes, a number of which were compromised (CVE-2009-2692) using the unusually robust escalation exploit "linux-sendpage3". This trojan logged passwords in and out, which were then used to attack other machines and gain root in turn on unpatched ones. The recent port 22 spike is I believe unrelated.
pq	2010-07-10 13:17:54
We have seen a huge amount off ssh attacks the last 2 weeks.
	2010-06-18 02:32:33
Anyone else seeing a HUGE number of SSH brute force attacks in the last 24 hours?
	2009-12-10 18:42:05
got a huge load of scans throughout the last weeks (up to 65000 entries an hour) luckily my boxes are NOT accessible via keyboard enabled authentication or PAM. ;)
	2009-10-04 18:45:22
The game Project Torque generate some requests on this port when a race is about to start. It seem to work fine when the request are blocked. At this moment, it is currently in "Closed Beta" state, but shortly it will become "Open Beta". The closed beta started at the begining of august.
pophop	2009-10-04 18:45:22
We had an ssh worm pop a box in mid October. Logs showed ssh scanning starting in late September through October. Box had trivial password for exposed service account. Appears that human attackers logged in day after worm and set box up as port 22 scanner. Ran for two days before we caught. Human logins came from Romania. This is what's intersting - we were seeing RST ACKS in ALL our logs globally as if we had been sending SYN packets from all our global IP space to a site in Texas (US). "Ronaldsrecordclub" - 67.15.83.36. Now moved. As if our space was being used in a DOS. Sample: "Deny TCP (no connection) from 67.15.83.36/22 to xxx.xxx.xxx.xxx/3072 flags RST ACK on interface outside" Source port was consistently 3072. Ronaldsrecord google hit talks of its site's "PayPal" enviroment being developed by its "Romanian Development" team. Activity stops in mid-October - about the time SSH worm hit us. I find it odd that we would see this RST ACK activity to port 22 AND have "Romania" associated with both things. Curious if the RST ACK was a DOS or a scan of some sort.
Chris Anderson	2007-04-17 02:08:43
I have seen this same attack on a server on my network. A weak password was expoited and a ssh scanner was downloaded from a .ro site. Also included was a list of common usernames and passwords. It appears that it was just checking to see if the password was the same as the username. Once in it starting trying to brute force the root password.
Johannes Ullrich	2004-11-10 22:04:01
frequently scanned to look for accounts with weak passwords.
Jason Testart	2004-11-09 18:00:01
We've been seeing an extreme amount of SSH scanning at our site over the past week, and just this weekend found a compromised Linux box doing the scanning. My investigation into the compromise found the usual stuff (sniffer, ssh backdoor, irc stuff, etc..) but I found a couple of things particularly interesting: - tools for exploting samba 2.2.x - what looks like a SYN scanner, binary named "ss" with a cover script with command line options for port "22" and a speed setting "6". - a binary named "lol". From what I can tell from the "strings" command and what we've seen, the binary does a dictionary attack to common accounts such as "root" and "test" using SSH. The tools used were downloaded from sites in the .ro domain (Romania?).

Top of page

CVE Links
CVE #	Description

Top of page