In my /var/log/messages a lot of unsolicited activity is reported:

Nov 25 07:00:30 pan sshd[70876]: error: PAM: authentication error for illegal user cal from mvx-200-196-50-26.mundivox.com
Nov 25 07:00:30 pan sshd[70875]: error: PAM: authentication error for illegal user cal from mvx-200-196-50-26.mundivox.com
Nov 25 07:00:32 pan sshd[70881]: error: PAM: authentication error for illegal user cal from mvx-200-196-50-26.mundivox.com
Nov 25 07:02:03 pan sshd[70885]: error: PAM: authentication error for illegal user cal from 190.34.164.139
Nov 25 07:02:06 pan sshd[70888]: error: PAM: authentication error for illegal user cal from 190.34.164.139
Nov 25 07:02:06 pan sshd[70889]: error: PAM: authentication error for illegal user cal from 190.34.164.139
Nov 25 07:03:35 pan sshd[70895]: error: PAM: authentication error for illegal user cal from 190.34.148.178
Nov 25 07:03:35 pan sshd[70896]: error: PAM: authentication error for illegal user cal from 190.34.148.178
Nov 25 07:03:35 pan sshd[70899]: error: PAM: authentication error for illegal user cal from 190.34.148.178
Nov 25 07:05:09 pan sshd[70904]: error: PAM: authentication error for illegal user cala from 200.62.142.212
Nov 25 07:05:09 pan sshd[70905]: error: PAM: authentication error for illegal user cala from 200.62.142.212
Nov 25 07:05:09 pan sshd[70906]: error: PAM: authentication error for illegal user cala from 200.62.142.212
Nov 25 07:06:50 pan sshd[70918]: error: PAM: authentication error for illegal user cala from adsl-75-24-138-85.dsl.chcgil.sbcglobal.net
Nov 25 07:08:21 pan sshd[70921]: error: PAM: authentication error for illegal user cala from 83.228.92.228
Nov 25 07:08:21 pan sshd[70923]: error: PAM: authentication error for illegal user cala from 83.228.92.228
Nov 25 07:08:22 pan sshd[70922]: error: PAM: authentication error for illegal user cala from 83.228.92.228
Nov 25 07:09:50 pan sshd[70932]: error: PAM: authentication error for illegal user calais from 64.149.146.242
Nov 25 07:09:50 pan sshd[70931]: error: PAM: authentication error for illegal user calais from 64.149.146.242
Nov 25 07:09:51 pan sshd[70930]: error: PAM: authentication error for illegal user calais from 64.149.146.242
Nov 25 07:11:24 pan sshd[70944]: error: PAM: authentication error for illegal user calais from 75.145.16.83
Nov 25 07:11:24 pan sshd[70945]: error: PAM: authentication error for illegal user calais from 75.145.16.83
Nov 25 07:11:24 pan sshd[70948]: error: PAM: authentication error for illegal user calais from 75.145.16.83

It looks like a distributed break-in attempt from a lot of hacked machines, using a simple pattern that is immediately visible from the above log extract.

For the pleasure of those interested I have filtered out the hosts involved, using cut and sort. They are:


PLEASE, NOTE, ALL THE ABOVE SYSTEMS ARE (OR WERE RECENTLY) COMPROMISED
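
The host filtering and the "simple pattern" described above can be checked mechanically. The following is an added example, not part of the original page: it parses log lines in the format shown, produces the sorted unique source list, and flags a run in which several sources each stay at or below a per-source limit while user names advance alphabetically. The function names, the thresholds `per_source_limit` and `min_sources`, and the sample log (documentation-only addresses) are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the log extract above; sources use
# documentation-only names and addresses, not hosts from this page.
SAMPLE_LOG = """\
Nov 25 07:00:30 pan sshd[70876]: error: PAM: authentication error for illegal user cal from host-a.example.net
Nov 25 07:00:30 pan sshd[70875]: error: PAM: authentication error for illegal user cal from host-a.example.net
Nov 25 07:00:32 pan sshd[70881]: error: PAM: authentication error for illegal user cal from host-a.example.net
Nov 25 07:02:03 pan sshd[70885]: error: PAM: authentication error for illegal user cal from 192.0.2.17
Nov 25 07:02:06 pan sshd[70888]: error: PAM: authentication error for illegal user cal from 192.0.2.17
Nov 25 07:05:09 pan sshd[70904]: error: PAM: authentication error for illegal user cala from 198.51.100.4
Nov 25 07:05:09 pan sshd[70905]: error: PAM: authentication error for illegal user cala from 198.51.100.4
Nov 25 07:09:50 pan sshd[70932]: error: PAM: authentication error for illegal user calais from 203.0.113.9
Nov 25 07:10:02 pan sshd[70940]: Accepted publickey for alice from 192.0.2.200 port 50522 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: error: PAM: authentication error for illegal user (\S+) from (\S+)$")

def parse(log):
    """Return (user, source) for every failed-login line, in log order."""
    return [m.groups() for m in map(FAILED.search, log.splitlines()) if m]

def unique_sources(events):
    """Sorted list of distinct sources, the result of the cut-and-sort step."""
    return sorted({src for _, src in events})

def distributed_signature(events, per_source_limit=3, min_sources=3):
    """Flag a dictionary run spread over many sources (hypothetical thresholds):
    no source exceeds the limit a per-IP lockout would use, yet together the
    sources walk the user names in alphabetical order."""
    per_source = Counter(src for _, src in events)
    top = max(per_source.values(), default=0)
    users = list(dict.fromkeys(user for user, _ in events))  # first-seen order
    ordered = len(users) > 1 and users == sorted(users)
    return {
        "sources": len(per_source),
        "max_per_source": top,
        "users_in_order": users,
        "alphabetical": ordered,
        "flagged": len(per_source) >= min_sources and top <= per_source_limit and ordered,
    }

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("\n".join(unique_sources(events)))
    print(distributed_signature(events))
```

Because every source stays at or below the per-source limit, a lockout keyed on a single address never fires; the signal only appears when failures are aggregated across sources.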

As you can see, it is from all over the world. ISPs who find their name, or one of their IPs in the above list, might consider taking action. And I do not mean sending me nasty emails. If I find time I will complete the list once more in the coming days. The attackers have now nearly reached P. I guess they will continue until they reach the end of the list of names, which they may very well have found on Yahoo (scroll down a bit to see it).

The above list of hosts contains all those attacking my machine until December 1. Since then very few new hosts can be added to the list. These are:


294 hosts in the long list above have ceased operation. Not necessarily altogether, though I cannot exclude that the people behind this cracking scheme deleted the contents of 294 hard disks or ignited 294 CPUs. In any case, these 294 hosts are no longer in my logs. I guess they have been taken out of the scheme in some way or other. Perhaps thanks to a virus/malware scanner?

In the meantime I have (or I should say: I had) proof that I am not the only poor soul who is under attack. I got an email some weeks back from someone who had the same stuff in his logs. But I lost the email. Really.

Last updated December 22, 2008.
©2008: Marc Schneiders.