Increasing SSH Brute Force Attempts

As mentioned in my Tweet post, the 16 Jun, our HoneyNet has reveal increasing SSH Brute Force Attempts. These scans have been confirmed by Internet Storm Center (ISC), the 18 Jun from other sources. These scans made me remember last year and the incredible SSH 0Day rumor, and also the Zero For Owneds, Summer of Hax, also knows as ZF05. Maybe another try to own security experts infrastructures before DefCon & BlackHat ?

We have a clear difference with ISC alert around the increasing SSH Brute Force Attempts. On our HoneyNet all the source IP addresses have only focus on the root user and really try to password brute force the root account.

You follow the SSH Brute Force Attempts in our Use Case SUC015 with real time life data’s.

SUC016 : User-Agent “Toata dragostea mea pentru diavola” scanner

  • Use Case Reference : SUC016
  • Use Case Title : User-Agent “Toata dragostea mea pentru diavola” Scanner
  • Use Case Detection : HTTP Logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Toata Scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP
Possible(s) correlation(s) :
  • Toata scanner

Source(s) :

Surely during your daily HTTP log check, you have detect theses kind of patterns.

...
208.109.154.147 - - [25/May/2010:01:20:15 +0200] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:15 +0200] "GET /e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:16 +0200] "GET /db/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:17 +0200] "GET /e107/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:18 +0200] "GET /site/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:18 +0200] "GET /web/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:19 +0200] "GET /forum/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
...

Theses patterns are related to Toata Scanner, an Web scanner specialized in Web applications discovery. Originally this Web scanner was targeting Roundcube Webmail installation files in order to exploit CVE-2008-5619. You can see with theses logs samples that Toata is no more only targeting Roundcube, but is also used to detect installation of e107, for example. We have publish yesterday (24 Mai 2010) an security alert regarding e107, toata is surely using a google dorking feature to find his target.

Theses scans are detected by Emerging Threats Snort rules, more precisely the 2009159SCAN Toata Scanner User-Agent Detected“.

Here under you can find the latest statistics for Toata scanner activities.

1 Month SIG 2009159 events activities
1 Month SIG 2009159 events activities
One year SIG 2009159 events activities
One year SIG 2009159 events activities
1 Month TOP 10 source IPs for SIG 2009159
1 Month TOP 10 source IPs for SIG 2009159
TOP 20 source countries for SIG 2009159
TOP 20 source countries for SIG 2009159

SQL injection against services fingerprinting and informations gathering

After the discovery of a new car license plate type, created to fight, with SQL injection method, the unpopular fixed radar system, mikkohypponen a security specialist has report a funny method to SQL inject services fingerprinting.
The concerned service is the HTTP service of www.reddit.com website. Normally the HTTP service should return things like “Apache” or “ISS”, but here you can find a dedicated fingerprint.
SQL injection against fixed radar systems
SQL injection against fixed radar systems
SQL injection against services fingerprinting
SQL injection against services fingerprinting
Most of time, fingerprinting method are done with nmap like tools, and the results could be stored into a database. ERIPP is also well know to create a database of 4 Billion routable IP addresses with the associated most common services fingerprints. SHODAN is also a similar database type than ERIPP, how is a computer search engine permitting to find computers running certain software (HTTP, FTP, etc). Imagine that the crawler code has some sql injection flaw… oups your database has gone cause the fingerprint contains some sql injection code 🙂
For Reddit, we have search the “CREATE TABLE servertypes” on Google, and find one services fingerprinting crawler using a database called “servertypes” and targeting Reddit 🙂
banthar gist HTTP service fingerprinting crawler
banthar gist HTTP service fingerprinting crawler
Is Reddit protecting him self against information gathering or just an sysadmin funny joke.

SUC004 : phpMyAdmin User-Agent Revolt Scanner

  • Use Case Reference : SUC004
  • Use Case Title : phpMyAdmin User-Agent Revolt Scanner
  • Use Case Detection : HTTP Logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Revolt Scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random port, but static source port when scan is initiated
  • Destination Port(s) : 80/TCP, 443/TCP
Possible(s) correlation(s) :
  • phpMyAdmin scanner

Source(s) :

Surely during your daily HTTP log check, you have detect theses kind of patterns.

...
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/sqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/mysqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin2/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/2phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmy/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phppma/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/myadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/MyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/program/ HTTP/1.1" 301 - "-" "revolt"
...

Theses patterns are related to Revolt Scanner, an Web scanner specialized in phpMyAdmin installation discovery. When the scanner is started the source port will stay static during the complete web directory discovery brute forcing. Also, this scanner is only targeting the IN A IP address of the domain he is asking.

Theses scans are detected by Emerging Threats Snort rules, more precisely the 2009288WEB_SERVER Attack Tool Revolt Scanner“.

You can find here, the typical list of directories how are scanned by revolt.

Here under you can find the latest statistics for Revolt Agent activities.

1 Month SIG 2009288 events activities
1 Month SIG 2009288 events activities
One year SIG 2009288 events activities
One year SIG 2009288 events activities
1 Month TOP 10 source IPs for SIG 2009288
1 Month TOP 10 source IPs for SIG 2009288
TOP 20 source countries for SIG 2009288
TOP 20 source countries for SIG 2009288