sshCrazies: Son of sshPsycho?

Since the beginning of this year there has been yet another botnet coming out of China, and since they (apparently) have not been named yet, I’m calling them sshCrazies.

As of May 2nd, they have performed 10975 attacks with a total of 6,784,525 ssh login attempts against my honeypots. While only 30 IP addresses have been associated with them so far (listed below), they have 6.4 times the number of login attempts of the second-place class C subnet, and 14.8 times the number of login attempts of the second-place class C subnet. (See http://longtail.it.marist.edu/honey/class_c_hall_of_shame.shtml for more details.)

What sets these bad actors apart from the original sshPsychos is that their first password tried has almost always (>99% of the time) been !@ (exclamation mark and at sign), followed by:
123456
password
root
wubao
jiamima

The passwords wubao and jiamima were hallmarks of the sshPsycho team. It appears (IMHO) that another team of hackers now has a new password (!@) that they set root to when they have hacked a server, and then they try to steal the old sshPsycho servers.

Another difference is that where the sshPsychos were attacking from 4 class C subnets, I have only seen 30 IP addresses from sshCrazies so far. This MIGHT indicate that they are distributing their attacks better, so there are not as many repeat attacks as with sshPsychos.
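To turn the two observations above (the fixed password sequence starting with !@, and attempt counts per class C subnet) into something that can be run over honeypot records, here is an added example; it is not LongTail's own code. It assumes a constructed honeypot log format of one attempt per line, "timestamp ip username password", and a constructed sample of attempts.

```python
"""Flag honeypot login sequences matching the sshCrazies password signature
and total attempts per class C (/24), as the post's hall of shame does."""
import ipaddress
from collections import defaultdict

# Password sequence described in the post: "!@" first, then these in order.
SIGNATURE = ["!@", "123456", "password", "root", "wubao", "jiamima"]

# Constructed sample of honeypot attempts (not real captured data).
SAMPLE_LOG = """\
1430553600 183.3.202.190 root !@
1430553601 183.3.202.190 root 123456
1430553602 183.3.202.190 root password
1430553603 183.3.202.190 root root
1430553604 183.3.202.190 root wubao
1430553605 183.3.202.190 root jiamima
1430553610 192.0.2.7 root 123456
1430553611 192.0.2.7 root admin
1430553612 198.51.100.9 root !@
1430553613 198.51.100.9 root toor
"""


def parse_attempts(text):
    """Group attempts by source IP, keeping the order passwords were tried."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        _ts, ip, _user, password = line.split(" ", 3)
        by_ip[ip].append(password)
    return by_ip


def matches_signature(passwords, min_prefix=2):
    """True if the sequence starts with at least min_prefix entries of
    SIGNATURE in order; a lone "!@" first password is not enough."""
    matched = 0
    for got, want in zip(passwords, SIGNATURE):
        if got != want:
            break
        matched += 1
    return matched >= min_prefix


def attempts_per_class_c(by_ip):
    """Total login attempts per /24, the post's class C view."""
    totals = defaultdict(int)
    for ip, passwords in by_ip.items():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        totals[str(net)] += len(passwords)
    return dict(totals)


def flag_sshcrazies(text):
    """Sorted list of source IPs whose attempt sequence fits the signature."""
    by_ip = parse_attempts(text)
    return sorted(ip for ip, pws in by_ip.items() if matches_signature(pws))
```

The min_prefix threshold is an assumption: requiring two matching passwords in order avoids flagging any scanner that merely happens to try !@ first.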


Whois information

[username@longtail attacks_purdue]$ whois 183.3.202.190
[Querying whois.arin.net]
[Redirected to whois.apnic.net]
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '183.0.0.0 - 183.63.255.255'

inetnum: 183.0.0.0 - 183.63.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: IC83-AP
tech-c: IC83-AP
status: ALLOCATED PORTABLE
remarks: service provider
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: To report network abuse, please contact the IRT
remarks: For troubleshooting, please contact tech-c and admin-c
remarks: For assistance, please contact the APNIC Helpdesk
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GD
source: APNIC
mnt-irt: IRT-CHINANET-CN
changed: hm-changed@apnic.net 20091009

irt: IRT-CHINANET-CN
address: No.31 ,jingrong street,beijing
address: 100032
e-mail: anti-spam@ns.chinanet.cn.net
abuse-mailbox: anti-spam@ns.chinanet.cn.net
admin-c: CH93-AP
tech-c: CH93-AP
auth: # Filtered
mnt-by: MAINT-CHINANET
changed: anti-spam@ns.chinanet.cn.net 20101115
source: APNIC

person: IPMASTER CHINANET-GD
nic-hdl: IC83-AP
e-mail: gdnoc_HLWI@189.cn
address: NO.18,RO. ZHONGSHANER,YUEXIU DISTRIC,GUANGZHOU
phone: +86-20-87189274
fax-no: +86-20-87189274
country: CN
changed: ipadm@189.cn 20110418
changed: zhengzm@gsta.com 20140922
mnt-by: MAINT-CHINANET-GD
remarks: IPMASTER is not for spam complaint,please send spam complaint to abuse_gdnoc@189.cn
abuse-mailbox: antispam_gdnoc@189.cn
source: APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)

[username@longtail attacks_purdue]$


IP addresses associated with sshCrazies


Comments, as always, are welcome. Please post them to https://groups.google.com/forum/#!forum/longtail-log-analyzer
