SSH Alert: (probably) Overblown

On February 3rd, ICS-CERT issued an alert concerning SSH scans.  The alert at least implied that utilities were being targeted.  In the absence of other evidence, I have a difficult time imagining this is the case.  But that’s okay, the message is still a good one.

I run a small, internet-facing server.  Administering an internet-connected box is a great way to collect information about the attacks of the day.  I’m known to occasionally run Nepenthes on my box for grabbing worm samples, as well as a few handwritten honeypot-ish Python scripts.

I do allow SSH access attempts.  A long time ago I even had log monitors to watch for brute-force attempts against the server, which would send me a text message if the login failure rate hit a certain threshold.  Many years ago, I turned it off: SSH scans are simply commonplace on the Internet these days.

On February 3rd, my SSH server logged just over 6000 brute-force attempts.  The accounts attempted really aren’t that surprising:

$ cat /var/log/auth.log.1 | grep "Feb  3" | grep "Invalid user" | awk '{print $8}' | sort | uniq -c | sort -n | tail -18 # Wow, that's a long command (the sort before uniq -c matters: uniq only collapses adjacent duplicates)

144 ftp
145 mailtest
145 spam
145 squid
145 tomcat
145 vsifax
146 guest
147 administrator
147 jboss
150 admin
151 ubuntu
155 prueba
156 secure
160 vmail
166 teamspeak
177 oracle
180 test
199 nagios

The attacks came entirely from just three IP addresses that day: one belonging to IWEB Technologies (USA), one owned by Inulogic (a French company), and one owned by ChinaComm Communications (China, obviously).  6000 attempts is about average for what I call ‘attack days.’  Attack days occur about every other day.  Occasionally I’ll go two days attack-free, with only a dozen login attempts.  On attack days, the IP addresses do appear to coordinate: they often attempt logins using the same userids.  IP addresses are generally in China, Korea, US universities, and for some reason that company in France.  It’s likely that the sources of the attacks are just compromised boxen in these various locations.  Note to self: write some automated scripts to email abuse@ at the source of the attacks, to let them know they have a hacked box (or a bad employee).

My server is a fairly generic system located in a large data center.  It would be interesting to see some more detail about whether and why the attacks cited are believed to be ICS-specific.  My guess is that they are just typical background noise, and that a control systems end user noticed.  I view this as a positive sign, actually: someone is looking at their logs and noticing that the Internet is a scary place.  My hope in blogging about this is to put out a little signal to whoever called ICS-CERT: Yep, you’re under attack.  Nope, it’s not unusual.  It may or may not be targeted (if the above list of accounts also shows up in your own top list of attempts, then it probably isn’t targeted).  Please keep reporting, and please keep checking your logs for unusual activity.
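The log checks described in this post (the failure-rate alert that used to text me, the per-account count behind the awk pipeline, the “same userids from several sources” coordination signal, and the comparison of your own top accounts against the list above) put together as one added Python example.  This is not code from the original post.  The auth.log excerpt it runs on is constructed to look like sshd “Invalid user” entries and uses RFC 5737 documentation addresses; the thresholds (1000 attempts for an attack day, 30 failures per minute, 5 shared usernames) are assumptions chosen to separate the ~6000-attempt days from the dozen-attempt days, not values from the post.

```python
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# sshd "Invalid user" line in syslog format.  The "port N" suffix that newer
# OpenSSH appends is allowed but not required.  <user> is field $8 of the awk
# pipeline in the post; unlike awk, an empty username is kept as "" rather than
# being misread as the word "from".
INVALID_USER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: Invalid user (?P<user>\S*) from (?P<ip>\S+)"
)

# The 18 most-tried accounts from the post, used as a "background noise" reference.
POST_TOP_ACCOUNTS = [
    "ftp", "mailtest", "spam", "squid", "tomcat", "vsifax", "guest", "administrator",
    "jboss", "admin", "ubuntu", "prueba", "secure", "vmail", "teamspeak", "oracle",
    "test", "nagios",
]


class Attempt(NamedTuple):
    user: str
    ip: str
    minute: str  # "HH:MM", the bucket used for rate alerting


def build_sample_log():
    """Constructed auth.log excerpt (not the author's log): three sources each run
    the same eight usernames within their own minute, plus one entry from another
    day and one unrelated successful login that must be ignored."""
    users = ["nagios", "test", "oracle", "teamspeak", "vmail", "admin", "guest", "ftp"]
    ips = ["203.0.113.5", "198.51.100.17", "192.0.2.88"]  # RFC 5737 documentation ranges
    lines = []
    for i, ip in enumerate(ips):
        for j, user in enumerate(users):
            lines.append(f"Feb  3 00:{i:02d}:{j:02d} host sshd[{4000 + 10 * i + j}]: "
                         f"Invalid user {user} from {ip} port {50000 + j}")
    lines.append("Feb  4 01:00:00 host sshd[5000]: Invalid user root2 from 203.0.113.5")
    lines.append("Feb  3 02:00:00 host sshd[5002]: Accepted publickey for alice from 192.0.2.1 port 2222 ssh2")
    return lines


def parse_invalid_users(lines, month=None, day=None):
    """Extract failed 'Invalid user' attempts, optionally restricted to one date
    (the grep "Feb  3" step of the pipeline)."""
    attempts = []
    for line in lines:
        m = INVALID_USER_RE.match(line)
        if not m:
            continue
        if month is not None and m["month"] != month:
            continue
        if day is not None and int(m["day"]) != day:
            continue
        attempts.append(Attempt(m["user"], m["ip"], m["time"][:5]))
    return attempts


def top_users(attempts, n=18):
    """sort | uniq -c | sort -n | tail -n equivalent, most-tried account first."""
    return Counter(a.user for a in attempts).most_common(n)


def is_attack_day(attempts, threshold=1000):
    """Assumed cut-off between the ~6000-attempt days and the dozen-attempt days."""
    return len(attempts) >= threshold


def burst_minutes(attempts, per_minute=30):
    """The old text-message alert: minutes whose failure count reaches the threshold."""
    per_min = Counter(a.minute for a in attempts)
    return {m: c for m, c in sorted(per_min.items()) if c >= per_minute}


def shared_username_lists(attempts, min_shared=5):
    """Pairs of source IPs that tried at least min_shared of the same usernames,
    the 'they often attempt logins using the same userids' coordination signal."""
    users_by_ip = defaultdict(set)
    for a in attempts:
        users_by_ip[a.ip].add(a.user)
    ips = sorted(users_by_ip)
    pairs = {}
    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            shared = len(users_by_ip[a] & users_by_ip[b])
            if shared >= min_shared:
                pairs[(a, b)] = shared
    return pairs


def overlap_with_post_list(attempts, reference=POST_TOP_ACCOUNTS, n=18):
    """Fraction of the reference list present in your own top-n; a high value
    points at generic scanning rather than something targeted."""
    observed = {user for user, _ in top_users(attempts, n)}
    return len(observed & set(reference)) / len(reference)


if __name__ == "__main__":
    attempts = parse_invalid_users(build_sample_log(), month="Feb", day=3)
    print(len(attempts), "invalid-user attempts on Feb 3")
    for user, count in top_users(attempts):
        print(f"{count:6d} {user}")
    print("attack day:", is_attack_day(attempts, threshold=20))
    print("burst minutes:", burst_minutes(attempts, per_minute=5))
    print("sources sharing a username list:", shared_username_lists(attempts))
    print(f"overlap with the post's top accounts: {overlap_with_post_list(attempts):.0%}")
```

To run it against a real log, replace build_sample_log() with the lines of /var/log/auth.log; the regex assumes the traditional syslog timestamp, so a journald or ISO-timestamped log needs its own pattern.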

Putting out the alert is a good thing in my opinion.  Even if the attack is just some bots trying to add to their botnet, the attackers may change their tune if they get access to an electric company or water utility computer and figure that out.  It’s definitely a nice reminder for asset owners to check themselves out, and to make sure that no unexpected services are internet-facing.

Photo by gasheadsteve
