Attack now
Attacks to date

2018-01-23 17:31:40

Author: Willie Stevenson


The past two years have seen a significant number of attacks announced affecting IoT devices. One of the biggest that made headlines was the leak of a list containing ~8000 telnet-accessible IoT devices [1] with mostly valid login credentials and corresponding ip addresses (Mirai is partially to blame). The release of such lists are almost always dubbed as bad because anyone with access to the list can start owning those devices. Once a nefarious individual does so, those devices can be added to a botnet under their control, become a c2 node, used as a vpn hopping point, or a place to stage remote attacks (but really, likely all of the above).

In a previous blog post I attempted to unmask ssh attack behavior by comparing the unique password list I have compiled, because logs ssh attempt passwords via a modified PAM library, with other widely used password lists. If this model found that 100% percent of the words in one of the chosen wordlists were present in livesshattack's unique password list, we would be able to say that has undergone numerous automated wordlist attacks. Only one instance out of six different wordlists comparisons was found to contain all words (passwords) in's unique password list, albeit a list containing 500 of some of the most common passwords. I would have thought for sure wordlist attacks would have been common. Thus playing around in that area became boring after I did not find the results I was looking for.

Fast forward to when the leaked list of telnet-accessible devices came out in August of last year. Wouldn't be interesting if any of those devices were commandeered to launch ssh attacks? Let's compare the set of unique hosts that has seen with those involved in the leak.

A whopping 0%.

Not interesting at all.

About ~30% percent of all of my ssh attacks come from China. Where are these telnet-accessible devices located? We can do a bulk whois lookup to find out.

The resulting output is in this form. The first column contains the ASN number, the second the IP being queried, and the third the network operator name. Note the network operator naming convention, which appends the country code to the end of each entry. This makes our lives easier if we want to glean a bit of info about this data with grep - which is exactly what I'll do.

What percentage of these devices are in China?

Forgetting to parse out the first line, which could have been done with the tail command, and with a lazy grep query, we can determine at the very least ~38.9% of those telnet devices are located in a Chinese ASN. So although about 1/3rd of all ssh traffic is from China, these IoT devices didn't take part in it...interesting.

Are there Digital Ocean (the vps provider for this service) nodes present with telnet open?

We weren't able to prove definitely if we were seeing attacks out of this study's IoT list, or show proof of being attacked by other IoT devices. In hindsight, it makes sense - the list only contained a minuscule number of hosts compared to the actual number of overtaken IoT devices that actually exist.

But it has been fun! I wrote a number of pretty cool bash and C scripts, which are super useful for gleaning stats and formatting and capturing data for logs. Most importantly - in the process I learned a lot about the Linux authentication stack. This will come in handy, for example, when goes multi-node to get a feel of ssh attacks on a global scale.