Security software cannot report SSH attacks

System administrators running Linux boxes have recently reported a massive wave of attacks on the well-known SSH port (port 22).

Those of you who are unfamiliar with the terminology should take note that port 22 is the port SSH listens on, used for text-based administration of a server from remote locations.

This new type of coordinated attack tries to guess the server's root password in three successive attempts from a single compromised computer. After the third unsuccessful login attempt, that host is abandoned and the attack is continued from other such zombie computers. The approach is extremely new: the remote attackers have built a large-scale, distributed brute-forcing mechanism that spreads the guessing across numerous IPs.

The first reports about the new wave of attacks came from IT consultant and software developer Nazar Aziz, who noticed suspicious entries in the access logs on some Linux boxes he manages. A closer look into the matter revealed a strange pattern of login attempts clustered in groups of three hits per IP.

The small number of brute-force attempts per IP allows the attackers to keep a low profile and prevents the security software running on the server from detecting the activity as an intrusion, because most such tools are set to trigger at higher thresholds. Moreover, were it to trigger, the same security software could blacklist any further login attempts from the suspicious IP, rendering the attack useless.
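To make the detection gap concrete, here is an added example (not code from the article or from Aziz's script) that runs a per-IP threshold rule and an aggregate "many sources, few tries each" rule over constructed sshd log lines. The log lines, the IP addresses (RFC 5737 documentation ranges) and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample sshd log lines in syslog format (not from the article).
# Three distinct source IPs each make exactly three failed root logins, then
# stop; one legitimate user mistypes a password once and then succeeds.
SAMPLE_LOG = """\
Jan  5 10:01:02 host sshd[2101]: Failed password for root from 192.0.2.10 port 51001 ssh2
Jan  5 10:01:04 host sshd[2101]: Failed password for root from 192.0.2.10 port 51001 ssh2
Jan  5 10:01:06 host sshd[2101]: Failed password for root from 192.0.2.10 port 51001 ssh2
Jan  5 10:02:11 host sshd[2110]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan  5 10:02:13 host sshd[2110]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan  5 10:02:15 host sshd[2110]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan  5 10:03:20 host sshd[2120]: Failed password for root from 203.0.113.99 port 33001 ssh2
Jan  5 10:03:22 host sshd[2120]: Failed password for root from 203.0.113.99 port 33001 ssh2
Jan  5 10:03:24 host sshd[2120]: Failed password for root from 203.0.113.99 port 33001 ssh2
Jan  5 10:05:00 host sshd[2130]: Failed password for alice from 10.0.0.5 port 50500 ssh2
Jan  5 10:05:03 host sshd[2130]: Accepted password for alice from 10.0.0.5 port 50500 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text):
    """Return a list of (ip, user) tuples, one per failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events


def failures_per_ip(events, user=None):
    """Count failed logins per source IP, optionally for one target account only."""
    return Counter(ip for ip, u in events if user is None or u == user)


def per_ip_alerts(counts, threshold=5):
    """Classic per-source rule: an IP is flagged only once it alone crosses the
    threshold (assumed here to be 5, as many ban tools default to).  A source
    that stops after three tries never reaches it, which is the blind spot the
    article describes."""
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_alert(counts, per_ip_max=3, min_sources=3):
    """Aggregate rule: many distinct sources that each stay at or below a small
    number of failures against the same account are treated as one campaign.
    Returns (alert_raised, sorted list of participating IPs)."""
    low_and_slow = sorted(ip for ip, n in counts.items() if 1 <= n <= per_ip_max)
    return (len(low_and_slow) >= min_sources, low_and_slow)


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    root_counts = failures_per_ip(events, user="root")
    print("per-IP rule flags:", per_ip_alerts(root_counts) or "nothing")
    raised, ips = distributed_alert(root_counts)
    print("distributed rule raised:", raised, "sources:", ips)
```

In a real deployment the aggregate rule would be evaluated over a sliding time window (for example, the last hour of log) so that stale entries do not accumulate, and the per-account filter matters: one failure from each of three colleagues is not a campaign, but nine root failures from three otherwise silent sources is worth a look.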

Unlike other attacks, this approach aims at breaking into systems protected with weak passwords rather than exploiting zero-day vulnerabilities. The new wave appears to originate from a botnet of compromised Linux machines, but at the time of writing there are few details about the attackers.

Aziz also wrote a small but efficient script that alerts system administrators to such attacks on their servers. It can be downloaded for free from the following address: http://panthersoftware.com/…automatically-report-all-ssh-brute-force-attacks-to-isps

About the author

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.