Security Incidents mailing list archives
Re: SSH attacks?
From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 27 Jul 2004 13:15:30 -0500
--On Tuesday, July 27, 2004 10:59:07 AM +1200 Robin <robin () kallisti net nz> wrote:
While looking through the logs after someone ran over my system with Nessus, I noticed some odd ones from sshd (that don't seem to be related to the nessus scan): Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow information for NOUSER Does anyone know why this would appear all of a sudden?
Yes. These are compromised hosts that are being used to probe for vulnerable versions of sshd. The login is irrelevant. The banner tells they what they need to know.
You're not alone. We're seeing them regularly. And reporting them. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/ir/security/
Current thread:
- Re: SSH attacks?, (continued)
- Re: SSH attacks? Merlijn Tishauser (Jul 30)
- Re: SSH attacks? Tom Laermans (Jul 27)
- Re: SSH attacks? buzz (Jul 27)
- Re: SSH attacks? Jyri Hovila (Jul 29)
- Re: SSH attacks? Chris Brenton (Jul 29)
- Re: SSH attacks? Valdis . Kletnieks (Jul 30)
- Re: SSH attacks? Thomas Hochstein (Jul 30)
- Re: SSH attacks? Matt Beland (Jul 30)
- Re: SSH attacks? Jyri Hovila (Jul 29)
- Re: SSH attacks? Jyri Hovila (Jul 29)
- Re: SSH attacks? Jason Falciola (Jul 27)
- Re: SSH attacks? Paul Schmehl (Jul 27)
- Re: SSH attacks? brandy (Jul 28)
- Re: SSH attacks? Andrew J Caines (Jul 29)
- Re: SSH attacks? Marcus Merrin (Jul 29)
- Re: SSH attacks? Robin (Jul 30)
- RE: SSH attacks? Herman Frederick Ebeling Jr. (Jul 30)
- Re: SSH attacks? Brian C. Lane (Jul 30)
- Re: SSH attacks? Andrew J Caines (Jul 29)
- Re: SSH attacks? Mike Whitley (Jul 29)
- Re: SSH attacks? David Block (Jul 29)
- Re: SSH attacks? Bulgaro (Jul 29)
- Re: SSH attacks? John Bossert (Jul 30)