JP Vossen on 7 Jun 2012 18:09:10 -0700



[PLUG] SSH brute force attacks using PlcmSpIp


May be of special interest to VoIP folks...

Today a non-public server I manage on a Comcast residential DHCP IP in NJ saw a small SSH brute-force attack from Virpus Networks. My own Linode hosted server was also attacked by them in Jan & Feb from 50.115.166.129 and 50.115.166.147. Today's attack was from 50.115.168.188.

Virpus was unresponsive when I reported the attacks in January. They claimed they opened a ticket, but the attacks didn't stop, so I blacklisted them. I didn't bother to report it again today; I just blacklisted them again on the other server.

What is interesting is that:
* I run SSH on a very high, non-standard port, not TCP/22
* These guys are the *only* SSH brute force attacks in my recent memory
* There is nothing to connect these 2 servers, so this is a widespread scan
* This new attack uses root and:
	5 test		Duh
	2 user
	2 oracle	Duh
	2 guest		Duh
	1 PlcmSpIp	Default user/pass on Polycom phones
	1 aaron
	1 admin		Duh
	1 apache	Duh
	1 gary
	1 gt05		Maybe a Panasonic display device
	1 iraf		Maybe http://en.wikipedia.org/wiki/IRAF
	1 lab
	1 pos
	1 production	Duh
	1 stephanie
	1 stud
	1 svn		Duh
	1 swsoft	Maybe http://en.wikipedia.org/wiki/SWSOFT
	1 trash
	1 william
	1 zabbix	enterprise-class open source distributed monitoring solution for networks and applications

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
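
Added example, not part of the original post: a way to produce the same kind of per-username tally from sshd logs, per source address, and to flag device-default account names such as PlcmSpIp. The log lines, the documentation-range IP addresses, the `summarize` function, its threshold and the `DEVICE_DEFAULTS` watch list are assumptions made for illustration; only the usernames come from the post.

```python
import re
from collections import Counter, defaultdict

# OpenSSH's password-failure message, for existing and non-existent accounts.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumption: a watch list of device/appliance default accounts. Only
# PlcmSpIp comes from the post; extend it for your own environment.
DEVICE_DEFAULTS = {"PlcmSpIp"}

# Constructed sample log lines (documentation IP ranges), not real data.
SAMPLE_LOG = """\
Jun  7 14:01:02 host sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun  7 14:01:05 host sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 40114 ssh2
Jun  7 14:01:09 host sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40117 ssh2
Jun  7 14:01:13 host sshd[4107]: Failed password for invalid user PlcmSpIp from 203.0.113.7 port 40121 ssh2
Jun  7 14:01:17 host sshd[4109]: Failed password for invalid user zabbix from 203.0.113.7 port 40125 ssh2
Jun  7 14:05:40 host sshd[4150]: Failed password for jp from 198.51.100.9 port 51000 ssh2
Jun  7 14:05:48 host sshd[4150]: Accepted publickey for jp from 198.51.100.9 port 51000 ssh2
"""

def summarize(log_text, threshold=3):
    """Tally failed usernames per source IP; report sources at or over threshold."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    report = {}
    for ip, users in per_ip.items():
        total = sum(users.values())
        if total >= threshold:  # skip the occasional mistyped password
            report[ip] = {
                "total": total,
                "users": users.most_common(),
                "device_defaults": sorted(set(users) & DEVICE_DEFAULTS),
            }
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {info['total']} failed logins")
        for user, count in info["users"]:
            flag = "\tdevice default" if user in DEVICE_DEFAULTS else ""
            print(f"\t{count} {user}{flag}")
```

This counts only `Failed password` lines, so a server with password authentication disabled would need the pattern adapted to the messages its sshd actually logs.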