Server-Botnet with massive SSH-Brute-Force-Attacks (EN)



Starting on 8 December we registered a massive increase in SSH brute-force attacks in our honeynets: from about 120 attacks/day to over 1700 attacks/day on 8 and 9 December, as shown in the chart below.

A short analysis of the participating IPs and providers suggests some kind of (web)server-based botnet. After accessing some of the servers and the domain names belonging to them, we found a wide range of web apps deployed, namely

We have some provider IP ranges registered in our honeynet and see a massive increase in attacks coming from the ranges of some European providers, while others do not seem to be infected that much:

Other providers like Rackspace (US), Cloudflare (US), Hetzner (DE) or Leaseweb (US) are within their normal range.
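As an added example that is not part of the original post or of the honeynet's own tooling, the following Python script does the kind of counting behind the charts above: it parses sshd "Failed password" lines, counts attempts and distinct source IPs per day, attributes each source to a provider range, and flags days on which a count is at least three times the mean of the preceding days. The log lines, the provider names and the IP ranges (RFC 5737 documentation addresses) are constructed for the example and the 3x threshold is an arbitrary choice, not a value from the post.

```python
"""Count SSH brute-force attempts per day and per provider range from sshd
log lines and flag days that jump well above the preceding baseline."""
import re
import ipaddress
from collections import defaultdict
from statistics import mean

# Constructed sshd log excerpt (sample data, not the honeynet's real logs).
# Dec 7 is a quiet day; Dec 8 shows the kind of jump described in the post.
SAMPLE_LOG = [
    "Dec  7 03:12:01 honey01 sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Dec  7 09:44:19 honey01 sshd[1240]: Failed password for invalid user admin from 198.51.100.23 port 40212 ssh2",
    "Dec  8 00:02:33 honey01 sshd[1301]: Failed password for root from 203.0.113.7 port 51300 ssh2",
    "Dec  8 00:02:35 honey01 sshd[1302]: Failed password for root from 203.0.113.9 port 51301 ssh2",
    "Dec  8 00:02:40 honey01 sshd[1303]: Failed password for invalid user oracle from 203.0.113.12 port 51302 ssh2",
    "Dec  8 01:15:10 honey01 sshd[1310]: Failed password for root from 192.0.2.44 port 33001 ssh2",
    "Dec  8 02:20:55 honey01 sshd[1322]: Failed password for invalid user test from 203.0.113.7 port 51400 ssh2",
    "Dec  8 02:21:03 honey01 sshd[1323]: Accepted publickey for ops from 192.0.2.1 port 22000 ssh2",
    "Dec  8 03:40:12 honey01 sshd[1330]: Failed password for root from 198.51.100.77 port 40900 ssh2",
    "Dec  8 04:01:48 honey01 sshd[1335]: Failed password for invalid user pi from 203.0.113.21 port 51700 ssh2",
]

# Hypothetical provider ranges (documentation prefixes), standing in for the
# real provider ranges the honeynet has registered.
PROVIDER_RANGES = {
    "Provider A (hypothetical)": [ipaddress.ip_network("203.0.113.0/24")],
    "Provider B (hypothetical)": [ipaddress.ip_network("198.51.100.0/24")],
}

# Matches OpenSSH's "Failed password" line for both valid and invalid users.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \S+ \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failed_logins(lines):
    """Return (day, user, ip) for every failed login; other lines are skipped."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events.append((f"{m['mon']} {int(m['day'])}", m["user"], m["ip"]))
    return events


def attempts_per_day(events):
    """Failed attempts per day, in log order (insertion order is chronological)."""
    counts = {}
    for day, _user, _ip in events:
        counts[day] = counts.get(day, 0) + 1
    return counts


def sources_per_day(events):
    """Distinct attacking IPs per day. Many sources with few attempts each
    points to many compromised hosts rather than a single scanner."""
    seen = defaultdict(set)
    for day, _user, ip in events:
        seen[day].add(ip)
    return {day: len(ips) for day, ips in seen.items()}


def provider_of(ip, ranges):
    """Name of the first provider whose ranges contain ip, else 'other'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ranges.items():
        if any(addr in net for net in nets):
            return name
    return "other"


def attempts_per_provider(events, ranges):
    """{provider: {day: count}}, so each provider is judged against its own baseline."""
    table = defaultdict(dict)
    for day, _user, ip in events:
        prov = provider_of(ip, ranges)
        table[prov][day] = table[prov].get(day, 0) + 1
    return dict(table)


def flag_spikes(per_day, factor=3.0):
    """Days whose count is at least factor times the mean of all earlier days.
    Returns [(day, count, baseline)]; the first day has no baseline and is never flagged."""
    spikes, history = [], []
    for day, count in per_day.items():
        if history:
            baseline = mean(history)
            if count >= factor * baseline:
                spikes.append((day, count, baseline))
        history.append(count)
    return spikes


def provider_spikes(events, ranges, factor=3.0):
    """Per-provider spike detection, mirroring the per-provider charts."""
    return {prov: flag_spikes(days, factor)
            for prov, days in attempts_per_provider(events, ranges).items()}


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_LOG)
    print("attempts/day:", attempts_per_day(ev))
    print("distinct sources/day:", sources_per_day(ev))
    print("overall spikes:", flag_spikes(attempts_per_day(ev)))
    for prov, sp in provider_spikes(ev, PROVIDER_RANGES).items():
        print(f"{prov}: {'SPIKE ' + str(sp) if sp else 'within normal range'}")
```

On the sample data the overall count goes from 2 to 7 and is flagged, Provider A's range is flagged (1 to 5) while Provider B stays flat (1 to 1), which is the pattern the post describes: some providers' ranges spike, others remain within their normal range. Run against real logs, "Accepted" lines and anything not matching the failed-login pattern are ignored, and a day's baseline is built only from days already seen, so a spike on the very first day of a log cannot be detected.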

The charts below show the abnormal behaviour for some selected providers:

Schlund - 1und1

OVH

Hosteurope

Plusserver

Axarnet

Deutsche Telekom Static IPs


The charts below show the normal behaviour for some selected providers:

Rackspace

Hetzner

Cloudflare



date: 2014.12
tags: analyse brute-force hacker security server ssh taod
