This report identifies hosts that have been observed performing brute force attacks, using SISSDEN’s network of honeypots.
Description
One of these honeypot sensor types is dedicated to detecting SSH and Telnet attacks against network devices. These attacks typically involve brute-forcing credentials to obtain access.
Once access has been obtained, the devices are used for other attacks, which may involve installing malicious software that enables the device to function as part of a botnet. For example, the well-known Mirai botnets were used in this way to launch DDoS attacks.
Hacked devices may also be used to launch scans for other vulnerable Internet devices. In still other cases, using brute force to breach networking devices may enable a criminal to attempt financial theft: by inserting rogue DNS server entries into a home router’s network configuration, they can redirect user traffic to malicious webpages, enabling phishing attacks against users of the home network.
When we detect brute force attacks, our system reports them to the owners of the network from which the attacks originate, or to the National CERTs responsible for that network.
Fields
| Field | Description |
|---|---|
| timestamp | Time that the attack was performed, in UTC+0 |
| ip | The IP address performing the attack |
| port | The source port used in the attack |
| asn | ASN announcing the attacking IP |
| geo | Country where the attacking IP resides |
| region | State / Province / Administrative region where the attacking IP resides |
| city | City where the attacking IP resides |
| hostname | PTR record of the attacking IP |
| dest_ip | The IP address of the device in question (the target) |
| dest_port | Destination port used in the attack |
| dest_asn | ASN announcing the target IP |
| dest_geo | Country where the target IP resides |
| dest_dns | FQDN of the target, if applicable and recorded |
| service | The type of service that was attacked, e.g. SSH, RDP, Telnet |
| naics | North American Industry Classification System code of the attacking IP |
| sic | Standard Industrial Classification code of the attacking IP |
| dest_naics | North American Industry Classification System code of the target IP |
| dest_sic | Standard Industrial Classification code of the target IP |
| sector | Sector the attacking IP belongs to |
| dest_sector | Sector the target IP belongs to |
| public_source | Source of the data, for cases where the source accepts being credited |
| start_time | Timestamp of the first activity seen in the attack |
| end_time | Timestamp of the last activity seen in the attack |
| client_version | The version string served by the attacker, if applicable and recorded |
| username | The first username that was attempted, if recorded |
| password | The first password that was attempted, if recorded |
| payload_url | If a payload was downloaded onto the target, the URL the payload was downloaded from, if recorded |
| payload_md5 | The md5sum of the payload downloaded onto the target, if recorded |
Delivery Mechanism
The report is sent out daily via The Shadowserver Foundation’s free victim remediation reporting service. Every event originating from SISSDEN is marked “SISSDEN” in the public_source field.
Sample Report
```csv
"timestamp","ip","port","asn","geo","region","city","hostname","dest_ip","dest_port","dest_asn","dest_geo","dest_dns","service","naics","sic","dest_naics","dest_sic","sector","dest_sector","public_source","start_time","end_time","client_version","username","password","payload_url","payload_md5"
"2017-04-27 00:00:06","185.38.148.3",4428,200039,"UK","BRISTOL","BRISTOL","3.148.38.185.dedicated.zare.com","158.255.215.199",22,39326,"FR",,"ssh",0,0,0,0,,"Information Technology","SISSDEN","2017-04-27T00:00:06.971212Z","2017-04-27T00:00:07.946253Z","SSH-2.0-paramiko_2.1.2",,,,
"2017-04-27 00:00:55","200.175.184.148",16503,18881,"BR","DISTRITO FEDERAL","BRASILIA","200.175.184.148.dynamic.dialup.gvt.net.br","5.28.63.131",22,35425,"UK",,"ssh",0,0,0,0,,,"SISSDEN","2017-04-27T00:00:55.344307Z","2017-04-27T00:01:04.196272Z","SSH-2.0-libssh2_1.7.0","operator","operator",,
"2017-04-27 00:01:45","186.52.245.178",32941,6057,"UY","MONTEVIDEO","MONTEVIDEO","r186-52-245-178.dialup.adsl.anteldata.net.uy","5.28.63.131",2223,35425,"UK",,,0,0,0,0,,,"SISSDEN","2017-04-27T00:01:45.602193Z","2017-04-27T00:03:30.883850Z",,"admin","password",,
"2017-04-27 00:05:45","77.126.141.114",56133,9116,"IL","HAMERKAZ","KEFAR SAVA",,"158.255.215.199",2223,39326,"FR",,,0,0,0,0,,"Information Technology","SISSDEN","2017-04-27T00:05:45.934820Z","2017-04-27T00:05:49.645513Z",,,,,
"2017-04-27 00:07:34","212.3.34.144",53558,39155,"ES","GRANADA","FUENTE CAMACHO","212-3-34-144.jetnet.es","5.28.63.131",2223,35425,"UK",,,0,0,0,0,,,"SISSDEN","2017-04-27T00:07:34.986231Z","2017-04-27T00:07:45.124409Z",,,,,
"2017-04-27 00:09:55","180.169.17.83",58809,4812,"CN","SHANGHAI","SHANGHAI",,"37.235.56.119",22,57169,"AT",,"ssh",0,0,0,0,"Communications",,"SISSDEN","2017-04-27T00:09:55.571712Z","2017-04-27T00:09:58.888294Z","SSH-2.0-sshlib-0.1",,,,
"2017-04-27 00:13:31","197.46.62.186",56735,8452,"EG","AL QAHIRAH","CAIRO","host-197.46.62.186.tedata.net","158.255.215.199",2223,39326,"FR",,,0,0,0,0,,"Information Technology","SISSDEN","2017-04-27T00:13:31.036802Z","2017-04-27T00:13:35.144108Z",,,,,
"2017-04-27 00:14:56","84.172.148.54",3316,3320,"DE","BADEN-WURTTEMBERG","SCHRIESHEIM","p54AC9436.dip0.t-ipconnect.de","37.235.56.119",22,57169,"AT",,"ssh",541690,874899,0,0,,,"SISSDEN","2017-04-27T00:14:56.303344Z","2017-04-27T00:15:28.185185Z","SSH-2.0-sshlib-0.1","admin",12345,,
"2017-04-27 00:16:29","171.231.155.225",56158,7552,"VN","BINH DINH","QUI NHON",,"5.28.63.131",22,35425,"UK",,"ssh",0,0,0,0,"Communications",,"SISSDEN","2017-04-27T00:16:29.168579Z","2017-04-27T00:18:29.170243Z","SSH-2.0-Granados-1.0","admin","admin",,
```
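The following is an added example of how a network owner or CERT receiving this report might triage it; it is not code from the page, from SISSDEN or from Shadowserver. It reads the report with Python's standard `csv` module, using the page's own sample records (embedded inline as constructed test input), filters the events whose attacking IP is announced by a given ASN, and summarizes attacked service, destination port, observed credentials, attack duration and any recorded payload. The function names (`parse_report`, `events_for_asn`, `summarize`, `attack_duration_seconds`) are assumptions of this example.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed input: the header and the nine records from the sample report above,
# one record per line. A real report would be read from the delivered CSV file.
SAMPLE_REPORT = '''"timestamp","ip","port","asn","geo","region","city","hostname","dest_ip","dest_port","dest_asn","dest_geo","dest_dns","service","naics","sic","dest_naics","dest_sic","sector","dest_sector","public_source","start_time","end_time","client_version","username","password","payload_url","payload_md5"
"2017-04-27 00:00:06","185.38.148.3",4428,200039,"UK","BRISTOL","BRISTOL","3.148.38.185.dedicated.zare.com","158.255.215.199",22,39326,"FR",,"ssh",0,0,0,0,,"Information Technology","SISSDEN","2017-04-27T00:00:06.971212Z","2017-04-27T00:00:07.946253Z","SSH-2.0-paramiko_2.1.2",,,,
"2017-04-27 00:00:55","200.175.184.148",16503,18881,"BR","DISTRITO FEDERAL","BRASILIA","200.175.184.148.dynamic.dialup.gvt.net.br","5.28.63.131",22,35425,"UK",,"ssh",0,0,0,0,,,"SISSDEN","2017-04-27T00:00:55.344307Z","2017-04-27T00:01:04.196272Z","SSH-2.0-libssh2_1.7.0","operator","operator",,
"2017-04-27 00:01:45","186.52.245.178",32941,6057,"UY","MONTEVIDEO","MONTEVIDEO","r186-52-245-178.dialup.adsl.anteldata.net.uy","5.28.63.131",2223,35425,"UK",,,0,0,0,0,,,"SISSDEN","2017-04-27T00:01:45.602193Z","2017-04-27T00:03:30.883850Z",,"admin","password",,
"2017-04-27 00:05:45","77.126.141.114",56133,9116,"IL","HAMERKAZ","KEFAR SAVA",,"158.255.215.199",2223,39326,"FR",,,0,0,0,0,,"Information Technology","SISSDEN","2017-04-27T00:05:45.934820Z","2017-04-27T00:05:49.645513Z",,,,,
"2017-04-27 00:07:34","212.3.34.144",53558,39155,"ES","GRANADA","FUENTE CAMACHO","212-3-34-144.jetnet.es","5.28.63.131",2223,35425,"UK",,,0,0,0,0,,,"SISSDEN","2017-04-27T00:07:34.986231Z","2017-04-27T00:07:45.124409Z",,,,,
"2017-04-27 00:09:55","180.169.17.83",58809,4812,"CN","SHANGHAI","SHANGHAI",,"37.235.56.119",22,57169,"AT",,"ssh",0,0,0,0,"Communications",,"SISSDEN","2017-04-27T00:09:55.571712Z","2017-04-27T00:09:58.888294Z","SSH-2.0-sshlib-0.1",,,,
"2017-04-27 00:13:31","197.46.62.186",56735,8452,"EG","AL QAHIRAH","CAIRO","host-197.46.62.186.tedata.net","158.255.215.199",2223,39326,"FR",,,0,0,0,0,,"Information Technology","SISSDEN","2017-04-27T00:13:31.036802Z","2017-04-27T00:13:35.144108Z",,,,,
"2017-04-27 00:14:56","84.172.148.54",3316,3320,"DE","BADEN-WURTTEMBERG","SCHRIESHEIM","p54AC9436.dip0.t-ipconnect.de","37.235.56.119",22,57169,"AT",,"ssh",541690,874899,0,0,,,"SISSDEN","2017-04-27T00:14:56.303344Z","2017-04-27T00:15:28.185185Z","SSH-2.0-sshlib-0.1","admin",12345,,
"2017-04-27 00:16:29","171.231.155.225",56158,7552,"VN","BINH DINH","QUI NHON",,"5.28.63.131",22,35425,"UK",,"ssh",0,0,0,0,"Communications",,"SISSDEN","2017-04-27T00:16:29.168579Z","2017-04-27T00:18:29.170243Z","SSH-2.0-Granados-1.0","admin","admin",,
'''

# start_time / end_time use ISO 8601 with microseconds and a trailing Z (UTC).
ISO_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_report(text):
    """Parse the report into a list of dicts keyed by the header names.

    Every value is kept as a string: the report quotes strings but leaves
    numbers bare, so a password such as 12345 arrives unquoted and must not
    be treated as a number. Empty fields are returned as ''.
    """
    return list(csv.DictReader(io.StringIO(text)))


def events_for_asn(rows, asn):
    """Events whose attacking IP is announced by `asn` (the filter a network owner applies)."""
    return [r for r in rows if r["asn"] == str(asn)]


def attack_duration_seconds(row):
    """Seconds between first and last activity seen for one event."""
    start = datetime.strptime(row["start_time"], ISO_FMT)
    end = datetime.strptime(row["end_time"], ISO_FMT)
    return (end - start).total_seconds()


def summarize(rows):
    """Aggregate the fields a responder looks at first."""
    return {
        # service is empty for some records; label those rather than dropping them
        "by_service": Counter(r["service"] or "unknown" for r in rows),
        "by_dest_port": Counter(r["dest_port"] for r in rows),
        # (attacker ip, first username, first password) where a login was recorded
        "with_credentials": [
            (r["ip"], r["username"], r["password"]) for r in rows if r["username"]
        ],
        # events where a payload was fetched onto the honeypot: highest priority,
        # since the payload_md5 can be matched against the device's filesystem
        "with_payload": [r for r in rows if r["payload_url"] or r["payload_md5"]],
    }


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    summary = summarize(rows)
    print("events:", len(rows))
    print("by service:", dict(summary["by_service"]))
    print("by destination port:", dict(summary["by_dest_port"]))
    for ip, user, pw in summary["with_credentials"]:
        print(f"{ip} tried {user!r}/{pw!r}")
    for r in events_for_asn(rows, 39155):
        print("our ASN:", r["ip"], r["hostname"], f"{attack_duration_seconds(r):.1f}s")
```

Filtering on `asn` (rather than `dest_asn`) is deliberate: the report is delivered to the owner of the network the attacks come from, so the rows that matter to a recipient are the ones where their own ASN announces the attacking IP; those hosts are the likely compromised devices that need remediation.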