FritzFrog botnet

Hi @hochd
Are you saying that you've found SSH brute force attempts to the alternate port that KH configures? Because I haven't seen any at all myself other than a few random attempts here and there...

Very interesting read, thanks!
 
Hi @hochd
Are you saying that you've found SSH brute force attempts to the alternate port that KH configures? Because I haven't seen any at all myself other than a few random attempts here and there...

Very interesting read, thanks!
No, as I understand that writeup, use of port 1234 happens only after they have breached an ssh server through bruteforce (and then uploaded their own public key for return access). In my case, I have the ssh server set to key authentication-only, so password-based brute force attacks will never succeed. Hence, no alternate ports on my VPS. However I'm getting dozens of bruteforce attempts a day. I have csf configured to block for an hour after 5 of those attempts and then permblock after four of those cycles of five attempts.

However, I can report from my logs that the brute force attacks themselves take place on random high-numbered ports, which puzzles me because I didn't think ssh even listens on those ports, and the default firewall setup really excludes all but a few commonly used ports any way. The brute force attacks often (but not always) use what I suppose are common user names for services I don't even run like Oracle or Hadoop etc. I suppose they are looking for unmodified default passwords on services like that, and then once they break in, they're off to the crypto-mining races with their own configured public key and custom port.

Any way, KH support has confirmed for me that even with the firewall swatting away dozens of these a day, resource usage is negligible, so I'm trying not to worry about it. However, given the number of unpatched/sloppy installations out in the world, I would expect these attacks to continue to grow on some kind of exponential curve.
 
Thought I’d comment on the “random high-numbered ports”.

This is the remote port that the remote connection is connecting from - not the local SSH port it’s attempting to connect with. That should always be the SSH port you have configured. :)
 
Thought I’d comment on the “random high-numbered ports”.

This is the remote port that the remote connection is connecting from - not the local SSH port it’s attempting to connect with. That should always be the SSH port you have configured. :)

Thanks! I realized that after I posted, but I do appreciate the correction.

Also since I posted, these ssh bruteforce attacks have dropped off. It was wild for a few days, but now relatively quiet.
 
Top