Today, I wanted to take a deeper dive into several port 22 (SSH) scans that a single HoneyPoint deployment received over the last 24 hours. SSH scanning is very common thing right now and our HoneyPoints and firewalls continually experience scans from hosts around the world.
The particular HoneyPoint we are using for this look at the issue is located outside of the US on a business-class network in South America.
Over the last 24 hours this HoneyPoint received SSH probes from 4 specific hosts. These hosts are detailed below:
60.191.x.x – a Linux system located in China on a telecomm company’s network
83.16.x.x – an unknown system located on a consumer (DHCP) iDSL segment in Poland – we could go no further with this host since it is likely to have changed IP addresses since the probe…
218.108.x.x – another Chinese Linux system on yet another Chinese telecomm company’s network (is there anything else in China??? )
216.63.x.x – a NAT device that is front-ending a business network and web server deployment for an optical company in El Paso, TX, USA
The pattern of the probes in each case was the same. Each host completed the 3 way TCP handshake and waited for the banner of the responding daemon. The system then disconnected and repeated the process again in about 90-120 seconds. Basically, simple banner grabbing. The probing system did not send any traffic, just grabbed the banner and moved on.
The HoneyPoint in question was configured to emulate the current version of OpenSSH, so the banner may not have been what the probing attack tool was looking for. It has since been reconfigured to emulate historic versions with known security vulnerabilities.
But, what of the hosts performing the scans? Well, all 3 of them that could be reliably analyzed were found to be running OpenSSH. Two were running 3.6.1p2 and the other was running 3.4p1. Both of these are older versions with known issues.
It is very likely that these are worm/bot infected hosts and the malware is merely looking for new hosts to spread to. Interestingly, 2 of these hosts appeared to be used for regular commerce. Both were acting as a primary web server for the company and one of them even had an e-commerce site running (it also had MySQL exposed to the Internet). No doubt, any commercial activity taking place on the device is also compromised.
MSI has alerted the relevant owners of these systems and at least one of them is moving to handle the security incident. Hopefully, their damage will be minimal and they can rebuild the system easily, since at this point it is likely to also be infected with a root kit. We will advise them as they need help and assist them until they get their problem solved.
In the meantime, I hope this gives you a better look at some of the SSH scanning that goes on routinely. On average, this particular HoneyPoint deployment is scanned for SSH every 5.25 hours. This time varies from locale to locale, with US sites getting scanned more often, particularly on commercial networks. The majority of these scans come from China, with Eastern Europe pulling a distant second. In some cases, some of our US HoneyPoint deployments get scanned for SSH every 1.5 hours on average, so it is a very common attack, indeed.
Obviously, you should check your own network for SSH exposures. You should also take a look at your logs and see if you can identify how your site stacks up against the average time between scans. Feel free to post comments with any insights or time averages you come up. It could make for some interesting reading.