神刀安全网

3 months and 1 Million SSH attempts later

I have a few VPSs over at Digital Ocean. They are, and have been, a great cloud VM provider for hosting small projects. Check them out here or via my referral link here. Anyway, to get to the real matter: Digital Ocean is a hosting company with many data-centers, which means they own IP space. Who owns what IP space is almost always public data, and with a little digging you can usually obtain this information fairly easily. If you do a whois on digitalocean (-H removes the legal disclaimers), you get the following:

[screenshot]

Nothing particularly useful regarding what IP space Digital Ocean owns; however, we find that the domain was registered through GoDaddy and that Digital Ocean is affiliated with New York in some way. A Google search shows that they are headquartered there and are primarily based in America. So, with this information, let’s consult our friends over at the American Registry for Internet Numbers (ARIN); they may be able to provide us with some better information. Fire up Chrome and search "arin digital ocean".

[screenshot]

Click the top link.

[screenshot]

Here we begin to find some useful information: net ranges, possibly data-center identifiers (DIGITALOCEAN-4), and AS numbers. An AS number is assigned to the (possibly multiple) blocks of IP space controlled by a single large network operator, for example an ISP (you can learn more about AS numbers on Wikipedia). However, let’s take a look at information regarding the company through its ORG-ID DO-13 first.

[screenshot]

Here we find nothing new. We basically find the same information that our whois query returned. However, we do get a related networks link at the bottom. We are interested in networks, so let’s click that.

[screenshot]

Bingo. We have found exactly what we are looking for. This is a list of the IP space that Digital Ocean uses, with DIGITALOCEAN-X probably relating to a specific data-center. Now this is all good and merry and everything, but let’s think about this for a second. Since this information is public, Digital Ocean and other data-centers alike can become targets of attack. Just look at what happened to Linode, but…that’s another story. So everybody owning a Digital Ocean instance, including me, and in fact everybody connected to the internet, has a chance of being attacked. But I know you already know this. I won’t bore you with it.

I once took a cybersecurity class at my university. At the beginning of the semester my professor introduced us to Shodan and another interesting net reconnaissance site, norsemap. I almost couldn’t believe how many attacks were occurring on a regular basis.

Fast-forward two years and I’ve gotten myself into web development/cyber security. One day a few months back, I decided to implement a smaller-scale version of norsemap. I was really interested in seeing whether connected devices really do get attacked as often as the internet, the news, and norsemap say they do. So, based on the premise that Digital Ocean has multiple data-centers whose IP space we all know, just waiting to be attacked, I decided to set up an SSH honeypot with a live feed into it.

Almost instantly I was attacked.

[screenshot]

The beginning of the log (opened in Sublime Text)

If you do a lookup on that IP, it resolves to somewhere in China. Figures. It only further proved what the internet and the news had been saying. Some of the log is pretty interesting. I will share my findings with you.

He just wouldn’t quit.

[screenshot]

Diffie-hellman-group-exchange-sha11 … why would anyone use that as their password?

[screenshot]

Glordboy.com … this is laughable. It’s up to you if you want to browse to there or not.

[screenshot]

He’s still going at it 100,000 SSH attempts later. However, this time he chooses to use … many interesting sites as passwords. Make sure to hop on a VPN and disable JavaScript before browsing there, if you choose to :)

[screenshot]

Interesting…

[screenshot]

Brute force/dictionary attack

A dictionary attack. There are a plethora of these.

[screenshot]

Sometimes even more interesting to see are the usernames they try to use. I was curious, so I popped that IP into the browser.

[screenshot]

Hilarious. Even more hilarious is this:

[screenshot]

Wait, wait, wait. What is this?

[screenshot]

A public facing router?? OMG. Let’s do some research.

[screenshot]

Haha.

[screenshot]

Hahahahahaha, a successful login (note: this is all done over a VPN). This is why you should change your password. However, this is not what we are after.

[screenshot]

I don’t even want to know.

[screenshots]

Red Hat Linux servers and Chinese internet backbones. Hm.

[screenshot]

It just doesn’t get old.

[screenshot]

The time I got pwned by XSS

[screenshot]

This was a fairly odd password. So, I looked it up.

[screenshot]

Now I know where some of these attacks come from.

[screenshot]

So, there’s more, but those are my findings in a nutshell. You can find cool graphs and other statistics here and here.

Since release, which was three months ago, there have been over 1,000,000 SSH attempts into my VPS. It’s been really interesting to see what kind of results I’ve obtained. I’ve had hosts from .edu domains and Amazon EC2 instances attack me, and I’ve even been DDoSed, twice. And I’m just a nobody minding my business on the internet. It just goes to show what kind of attacks connected devices are under.
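The dictionary attacks, odd passwords and recurring usernames described above are exactly what a defender wants to pull out of a honeypot log. The following is an added example, not the author's honeypot code: it parses a constructed log in an assumed format (timestamp, source IP, username, password, result), summarises the most common sources, usernames and passwords, and flags the sources a fail2ban-style rule would block.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of honeypot login attempts; the format (timestamp, source
# IP, username, password, result) is an assumption. IPs are RFC 5737 ranges.
SAMPLE_LOG = """\
2016-01-10T02:14:01 203.0.113.5 root 123456 FAIL
2016-01-10T02:14:02 203.0.113.5 root password FAIL
2016-01-10T02:14:03 203.0.113.5 root diffie-hellman-group-exchange-sha11 FAIL
2016-01-10T02:14:04 203.0.113.5 admin admin FAIL
2016-01-10T02:14:05 203.0.113.5 root toor FAIL
2016-01-10T02:14:06 203.0.113.5 root glordboy.com FAIL
2016-01-10T03:30:00 198.51.100.9 ubuntu ubuntu FAIL
2016-01-10T04:00:00 198.51.100.9 oracle oracle FAIL
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (FAIL|OK)$")

def parse(log):
    """Yield (time, ip, user, password, success) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than crashing the report
            ts, ip, user, pw, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, pw, result == "OK"

def summarize(log, top=3):
    """Most common source IPs, usernames and passwords among failed logins."""
    ips, users, pws = Counter(), Counter(), Counter()
    for _, ip, user, pw, ok in parse(log):
        if not ok:
            ips[ip] += 1; users[user] += 1; pws[pw] += 1
    return {"ips": ips.most_common(top), "users": users.most_common(top),
            "passwords": pws.most_common(top)}

def brute_forcers(log, threshold=5, window=timedelta(minutes=1)):
    """IPs with >= threshold failures inside one sliding window (fail2ban-style)."""
    failures = defaultdict(list)
    for t, ip, _, _, ok in parse(log):
        if not ok:
            failures[ip].append(t)
    flagged = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide past attempts older than window
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)
```

Run `summarize(SAMPLE_LOG)` and `brute_forcers(SAMPLE_LOG)` on the sample, or point them at a real honeypot export once it has been converted into the assumed five-column format.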
