Location-Based Dictionary Attacks


I get daily security reports from the hosts I manage. Typically these contain invalid user attempts for users like guest, www, and root. (Although FreeBSD doesn't allow remote logins for root, I was surprised to find out that many Linux distributions allow them.)

Today's log surprised me, because it contained only Greek names. Here is an excerpt from the log.

Aug  1 00:19:42 istlab sshd[22137]: Invalid user achaikos from
Aug  1 00:19:45 istlab sshd[22191]: Invalid user achilleus from
Aug  1 00:19:48 istlab sshd[22218]: Invalid user actaeon from
Aug  1 00:19:51 istlab sshd[22244]: Invalid user acteon from
Aug  1 00:19:55 istlab sshd[22279]: Invalid user adelpha from
Aug  1 00:19:58 istlab sshd[22302]: Invalid user adelphe from
Aug  1 00:20:01 istlab sshd[22321]: Invalid user adelphie from
Aug  1 00:20:04 istlab sshd[22353]: Invalid user adonia from
Aug  1 00:20:08 istlab sshd[22387]: Invalid user adonis from
Aug  1 00:20:11 istlab sshd[22400]: Invalid user adrasteia from
Aug  1 00:20:14 istlab sshd[22417]: Invalid user adrastos from
The attack came from a Hong-Kong-based machine, and the list contained many exotic names while also missing many common ones. Therefore, I doubt that this was a local attack. A Google search revealed that the name list was obtained by merging male Greek names and female Greek names from http://www.20000-names.com. Most probably an attack tool contains lists of names for specific countries (the same site also provides, African, Chinese, English, French, German, Hebrew, Irish, Italian, Japanese, Polish, Spanish, and Welsh names). The tool also maps the IP address of the host it attacks to a specific country, for instance, through the geolocation data of the IP-to-Country databases. Finally, the attack tool uses the country-specific list for trying to log in to those accounts. Attackers seem to be getting more sophisticated with every passing day.

Comments   Toot! Share

Last modified: Thursday, August 2, 2007 10:01 am

Creative Commons Licence BY NC

Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.