The slow brutes learned and went away

Jan 22, 2009, 21:32 (0 Talkback[s])
(Other stories by Peter Hansteen)

[ Thanks to Peter N. M. Hansteen for this link. ]

"One of my predictions about the distributed, slow ssh bruteforce attempts we started seeing in November of 2008 was that at the rate they were going at the time, it would be well into the new year before we would see the end of their alphabetic progression. As it turns out, they stopped just before year end, before even reaching the 'T's. The last attempt recorded was this:

"Dec 30 11:09:03 filehut sshd[54981]: error: PAM: authentication error for illegal user sophia from static-98-119-110-139.lsanca.dsl-w.verizon.net

"The full collection of raw data is available here, with a .csv summarising number of attempts, user names and hosts per day here."

Complete Story

Related Stories:

• Security: A Low Intensity, Distributed Bruteforce Attempt(Dec 03, 2008)
• IETF Failed to Account For Greylisting(Oct 21, 2008)
• "Name and Shame", or Socially Responsible Use of Your Log Data(Sep 23, 2008)