Distributed SSH Dictionary Attack

"The best firewalls won't save you from a weak password."

So said someone who was compromised a few weeks ago by this attack...

What is it?  It's a botnet of several hundred compromised machines, centrally controlled to perform dictionary attacks against other machines.

It looks like this from the server side. If you ignore the source address, it's a clear dictionary attack, trying common names, even in alphabetical order.  The 'distributed' part is that each host only tries one name, and is then silent for usually a couple of hours before it tries again.  On a per-host level, it's just noise... stepping back, you can see the full attack.

Invalid user anthony from 195.228.227.98
Invalid user anthony from 202.102.245.109
Invalid user barbara from 218.248.69.185
Invalid user betty from 81.199.47.9
Invalid user betty from 200.40.48.14
Invalid user brian from 219.94.123.134
Invalid user brian from 200.35.163.197
Invalid user carol from 95.224.183.23
Invalid user carol from 99.63.133.121
Invalid user charles from 80.152.136.83
Invalid user charles from 82.207.106.77
Invalid user christopher from 187.0.197.67
Invalid user daniel from 189.114.40.162
Invalid user daniel from 201.232.33.35
Invalid user david from 190.69.248.110
Invalid user deborah from 62.245.244.233
Invalid user deborah from 189.221.152.247
Invalid user donald from 201.57.47.228
Invalid user donald from 85.126.166.90
Invalid user donna from 190.78.24.191
Invalid user dorothy from 213.97.122.126
Invalid user dorothy from 61.139.142.20
Invalid user edward from 61.166.150.245
Invalid user elizabeth from 200.241.61.130
Invalid user elizabeth from 202.144.155.9
Invalid user george from 202.100.98.13
Invalid user george from 85.186.35.217
Invalid user helen from 89.96.140.154
Invalid user helen from 82.76.170.45
Invalid user james from 58.62.239.150
Invalid user james from 213.144.228.190
Invalid user jason from 90.182.107.194
Invalid user jason from 200.182.177.132
Invalid user jeff from 61.139.142.20
Invalid user jennifer from 85.158.92.243
Invalid user jennifer from 195.56.79.83
Invalid user john from 61.172.200.198
Invalid user john from 211.137.70.137
Invalid user joseph from 78.43.153.131
Invalid user joseph from 61.131.208.44
Invalid user kenneth from 202.97.0.76
Invalid user kenneth from 212.175.47.29
Invalid user kevin from 203.157.173.2
Invalid user kevin from 62.225.63.99
Invalid user kim from 86.35.93.36
Invalid user kim from 95.225.246.60
Invalid user kimberly from 58.62.239.150
Invalid user kimberly from 24.123.34.157
Invalid user linda from 217.86.188.168
Invalid user linda from 79.124.12.33
Invalid user lisa from 62.56.130.1
Invalid user lisa from 85.126.166.90
Invalid user margaret from 115.168.35.219
Invalid user margaret from 80.255.179.150
Invalid user mark from 219.134.65.39
Invalid user mark from 89.96.140.154
Invalid user michael from 12.174.15.209
Invalid user michael from 201.67.138.190
Invalid user michelle from 219.234.95.164
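The pattern described above, as an added detection example that is not part of the original post: a small parser for sshd "Invalid user" lines that compares the per-host view (what a single-IP ban rule such as fail2ban sees) with the aggregate view across all sources. The sample lines are constructed in the shape of the excerpt above, using documentation-range addresses rather than the hosts from the post; the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of the excerpt above (documentation-range
# addresses, not the hosts from the post). A syslog prefix before
# "Invalid user" is fine too: the regex searches within each line.
SAMPLE_LOG = """\
Invalid user anthony from 192.0.2.10
Invalid user anthony from 198.51.100.7
Invalid user barbara from 203.0.113.44
Invalid user betty from 192.0.2.55
Invalid user brian from 198.51.100.91
Invalid user carol from 203.0.113.8
Invalid user charles from 192.0.2.10
"""

LINE_RE = re.compile(r"Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

def parse(log):
    """Return [(username, source_ip), ...] in log order."""
    return [(m.group(1), m.group(2)) for m in LINE_RE.finditer(log)]

def analyse(log, per_host_threshold=3, min_sources=5):
    """Compare the per-host view (what a single-IP ban rule sees) with the
    aggregate view across all sources for the whole log window.
    Thresholds are assumed values, tune them for the host in question."""
    events = parse(log)
    per_host = Counter(ip for _, ip in events)
    names = [user for user, _ in events]
    # Hosts a per-IP threshold rule would have flagged; with one or two
    # attempts per host, this list stays empty for the attack described.
    noisy_hosts = sorted(ip for ip, n in per_host.items() if n >= per_host_threshold)
    # One ordered wordlist spread thinly across many hosts: the aggregate
    # signature that only shows up when you stop looking per source address.
    distributed = (
        len(per_host) >= min_sources
        and max(per_host.values(), default=0) < per_host_threshold
        and len(set(names)) >= min_sources
    )
    return {
        "attempts": len(events),
        "sources": len(per_host),
        "distinct_names": len(set(names)),
        "alphabetical": names == sorted(names),
        "noisy_hosts": noisy_hosts,
        "distributed_dictionary_attack": distributed,
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run over a real auth.log window of several hours, the "alphabetical" flag and the empty "noisy_hosts" list together are what distinguish this botnet from an ordinary single-source brute force.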

The hosts involved are from all over the world.  They're all running a variety of SSH versions, and from what I have gleaned from compromised hosts: they all have had weak passwords (i.e., user michael with a password of michael and other such abominations of basic security).

A couple of them are US-based pharmacies.  A utility district was on that list, as was the transmitter control for a radio station, as were several school districts.

But the winner for cluelessness is this one:

network:Class-Name:network
network:ID:NETBLK-ISRC-24.123.0.0/17
network:Auth-Area:24.123.34.128/26
network:Network-Name:TWCABLE---ENGINEERING-24.123.34.128
network:IP-Network:24.123.34.128/26
network:IP-Network-Block:24.123.34.128 - 24.123.34.191
network:Organization;I:TWCABLE---ENGINEERING
network:Tech-Contact;I:ipaddreg@rr.com
network:Admin-Contact;I:IPADD-ARIN
network:AbuseEmail:tim.archer@twcable.com
network:Created:20091028
network:Updated:20091028
network:Updated-By:ipaddreg@rr.com