SANS ISC: InfoSec Handlers Diary Blog

Dense Distributed SSH bruteforce attempts

Published: 2008-02-29
Last Updated: 2008-02-29 22:58:44 UTC
by donald smith (Version: 2)
4 comment(s)

A contributor (Ben) wrote in with an unusually dense distributed ssh scan.

“We noticed an interesting ssh probe attempt today.
In order to prevent iptables blocking based on the number of probes per
minute, each address in an entire Class C block generated only one or
two SSH probes each. These probes all came from 58.147.10.0/24.”

Based on the information Ben shared with us, the probes appeared to come from
most of the IPs in a /24 CIDR block. The last octet is fairly random.
There is some clustering, such as a "run" of 200's, but that could still
be pseudo-random. So who owns that CIDR block?

Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 58.147.0.0 -58.147.127.255
netname: TTTNET
descr: Maxnet, Internet Service Provider, Bangkok
descr: under management by TT&T co,.ltd Thailand
country: TH
<SNIP>
e-mail: noc@tttmaxnet.com
address: 252/30 Muang Thai Phatra Complex Tower 1, 22nd Fl., Ratchadaphisek
Rd.,Huaykwang, Bangkok 10320 Thailand
phone: +66-2-693-2100
fax-no: +66-2-693-2100
country: TH
changed: wichaip@ttt.co.th 20060410
mnt-by: MAINT-NEW
source: APNIC

Traceroute shows them near Singapore, so Thailand is reasonable.

Tracing route to mx-ll-58.147.10-115.tttmaxnet.com [58.147.10.115]
over a maximum of 30 hops:
1 2 ms 1 ms 1 ms 192.168.0.1
<SNIP>
13 332 ms 334 ms 336 ms ix-2-1-1.core1.S9R-Singapore.Teleglobe.net [209.58.82.26]
14 353 ms 356 ms 512 ms mx-ll-58.147.0-45.tttmaxnet.com [58.147.0.45]
15 393 ms 368 ms 334 ms mx-ll-58.147.0-61.tttmaxnet.com [58.147.0.61]
16 337 ms 339 ms 339 ms mx-ll-58.147.0-85.tttmaxnet.com [58.147.0.85]
17 341 ms 340 ms 338 ms mx-ll-58.147.0-21.tttmaxnet.com [58.147.0.21]
18 mx-ll-58.147.4-118.tttmaxnet.com [58.147.4.118] reports: Destination host
unreachable.

I seem to be the handler who gets the distributed SSH scan reports.
I wrote a diary about some seen last year that appeared to be
distributed and coordinated (sharing a dictionary across multiple hosts):
http://isc.incidents.org/diary.html?storyid=3529
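The evasion Ben describes (one or two probes from most hosts of a single /24, each staying under any per-source threshold) and the shared-dictionary coordination mentioned above both become visible once failed logins are aggregated by source network rather than by source address. The following Python is an added example, not code from this diary or from ISC: the log lines, host addresses and usernames are constructed, it assumes OpenSSH's "Failed password" message format, and the thresholds (4 attempts per address, 10 hosts per /24, at most 2 attempts per host) are illustrative.

```python
"""Aggregate sshd failures by source /24 to expose a distributed low-rate brute force."""
import ipaddress
import re
from collections import defaultdict

# OpenSSH "Failed password" message; the "invalid user " prefix is optional.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample events (source IP, username). Twelve hosts in the block the
# diary names, 58.147.10.0/24, each try one or two names; one host in the
# documentation range 192.0.2.0/24 (TEST-NET-1) hammers root on its own.
_DISTRIBUTED = [
    ("58.147.10.7", "admin"), ("58.147.10.7", "test"),
    ("58.147.10.23", "root"), ("58.147.10.44", "oracle"),
    ("58.147.10.61", "root"), ("58.147.10.61", "guest"),
    ("58.147.10.99", "admin"), ("58.147.10.118", "mysql"),
    ("58.147.10.130", "root"), ("58.147.10.130", "postgres"),
    ("58.147.10.171", "test"), ("58.147.10.200", "root"),
    ("58.147.10.203", "admin"), ("58.147.10.203", "backup"),
    ("58.147.10.208", "root"), ("58.147.10.244", "guest"),
]
_SINGLE_NOISY = [("192.0.2.9", "root")] * 6


def _as_log_lines(events):
    """Render (ip, user) pairs as constructed auth.log lines in OpenSSH's format."""
    lines = []
    for i, (ip, user) in enumerate(events):
        prefix = "" if user == "root" else "invalid user "
        lines.append(
            f"Feb 29 10:{i:02d}:00 bastion sshd[{1000 + i}]: Failed password for "
            f"{prefix}{user} from {ip} port {50000 + i} ssh2"
        )
    return lines


SAMPLE_LOG = _as_log_lines(_DISTRIBUTED + _SINGLE_NOISY)


def parse_failed_logins(lines):
    """Return (ip, user) for every failed-password line; other lines are skipped."""
    events = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events


def per_source_offenders(events, threshold):
    """What a per-address rule (iptables hitcount, fail2ban-style) sees: only
    sources whose own attempt count reaches the threshold."""
    counts = defaultdict(int)
    for ip, _ in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def per_block_summary(events, prefixlen=24):
    """Group attempts by the enclosing /prefixlen network, keeping per-host
    counts and the set of usernames tried across the whole block."""
    blocks = defaultdict(lambda: {"per_host": defaultdict(int), "users": set()})
    for ip, user in events:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        blocks[net]["per_host"][ip] += 1
        blocks[net]["users"].add(user)
    return blocks


def distributed_blocks(events, prefixlen=24, min_hosts=10, max_per_host=2):
    """Blocks where at least min_hosts distinct sources each sent no more than
    max_per_host attempts: the dense /24 pattern a per-address threshold misses.
    distinct_users hints at one dictionary being walked across the block."""
    flagged = {}
    for net, s in per_block_summary(events, prefixlen).items():
        hosts = s["per_host"]
        if len(hosts) >= min_hosts and max(hosts.values()) <= max_per_host:
            flagged[str(net)] = {
                "hosts": len(hosts),
                "attempts": sum(hosts.values()),
                "distinct_users": len(s["users"]),
            }
    return flagged


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_LOG)
    print("per-address rule (>= 4 attempts):", per_source_offenders(ev, 4))
    print("per-/24 rule:", distributed_blocks(ev))
```

On the sample the per-address rule reports only the lone noisy host, while the per-/24 rule reports 58.147.10.0/24 with twelve hosts, sixteen attempts and eight distinct usernames. The block-level counts belong in a log review or alerting pipeline rather than a firewall rule: a /24 can also be a NAT pool or a dynamic ISP range, so tune min_hosts and the time window to your own traffic before blocking on it.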

Jim Owens and Jeanna Matthews of Clarkson Univ. reported on a similar,
though somewhat cruder attack in a paper they recently submitted to USENIX LEET '08.

http://people.clarkson.edu/~owensjp/pubs/leet08.pdf


Smiling Bob or Lying Bob, you decide.

Published: 2008-02-29
Last Updated: 2008-02-29 19:57:46 UTC
by donald smith (Version: 2)
1 comment(s)

The makers of Enzyte have been convicted of conspiracy and fraud.
From:
http://cincinnati.fbi.gov/doj/pressrel/2008/ci022608.htm
“The company's scheme involved false advertising which included
made-up claims about size increases, fake customer satisfaction
ratings, and fictitious doctors who the ads falsely claimed
collaborated for 13 years to develop Enzyte, the company's
leading male enhancement product. The false ads also contained
representations about money-back guarantees that the company
as a matter of practice would not honor. As part of the scheme,
the conspirators placed many consumers who responded to
free-trial solicitations on an automatic shipment program
without the customer's authorization, knowledge, or consent.
Berkeley would then send the product to the consumer and bill
the consumer's credit card regularly. When customers
called to cancel, the conspirators employed various means to
delay or hinder any returns or cancellations from occurring.
The trial included testimony from 22 customers from across
the country, witnesses from the Better Business Bureau,
law enforcement agencies, and copies of internal documents
including emails outlining the scheme.”

What is Enzyte? USA Today ran an article that included a list of ingredients.
http://www.usatoday.com/news/health/drugs/2002-04-18-enzyte.htm
It includes quotes from real doctors stating that the claims made make no sense.
Their site is still up; they still answer the phone and offer to sell you their product.

Gary Warner also covered this in his cybercrime blog.
http://garwarner.blogspot.com/
