Educause Security Discussion mailing list archives
Re: Ongoing distributed Linux SSH dictionary attack
From: Andrew Daviel <advax () TRIUMF CA>
Date: Fri, 17 Apr 2009 01:00:22 -0700
On Thu, 16 Apr 2009, Pete Hickey wrote:
> We're seeing a large increase of ssh dictionary attacks this week. Although it's coming from a number of different machines, I wouldn't call it a large enough number to consider it a distributed attack.
Semantics :-) Surely "distributed", but not "massively distributed". We see about 480 attacking one machine. Most of them are listed in http://danger.rulez.sk/projects/bruteforceblocker/blist.php

I managed to talk to an admin at one of the attacking hosts. He'd found an IRC-controlled scan tool that was installed via a vulnerability in the "roundcube" webmail program. So it's not a worm as I had conjectured (using its own exploit to spread exponentially), just someone targeting us with a smallish botnet.

Most of the SSH attacks I've seen have come from a single machine, and try some 100 passwords for "root". This one seems to be trying hundreds of different usernames - about 900 in A and B so far, with perhaps 10 guesses each.

The scanner found at the one site is a thing called "dt_ssh5", which downloads target addresses from port 44321 on a configured server.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
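Added example, not part of the original message: a log summary that separates the two patterns contrasted above (one host guessing "root" versus many hosts sweeping many usernames). It assumes the standard OpenSSH "Failed password" syslog format; the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# OpenSSH failed-password line, with or without the "invalid user" tag.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize(lines):
    """Return (failures per source address, failures per username)."""
    per_ip, per_user = Counter(), Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]] += 1
            per_user[m["user"]] += 1
    return per_ip, per_user

def classify(lines, min_sources=3, min_users=5, root_share=0.8):
    """Label the failure pattern. Thresholds are illustrative assumptions."""
    per_ip, per_user = summarize(lines)
    total = sum(per_ip.values())
    if total == 0:
        return "no-failures"
    if len(per_ip) >= min_sources and len(per_user) >= min_users:
        return "distributed-username-sweep"
    if len(per_ip) == 1 and per_user["root"] / total >= root_share:
        return "single-source-root-guessing"
    return "other"

def _line(user, ip, valid=False):
    # Builds a constructed log line (not taken from any real host).
    tag = "" if valid else "invalid user "
    return (f"Apr 16 03:12:01 host sshd[4242]: Failed password for "
            f"{tag}{user} from {ip} port 40000 ssh2")

# Constructed samples using documentation address ranges.
SINGLE = [_line("root", "192.0.2.10", valid=True) for _ in range(6)]
SWEEP = [_line(u, ip) for u, ip in [
    ("adam", "198.51.100.1"), ("alice", "198.51.100.2"),
    ("bob", "203.0.113.5"), ("backup", "198.51.100.1"),
    ("carol", "203.0.113.9"), ("dave", "198.51.100.2"),
]]

if __name__ == "__main__":
    for name, sample in (("SINGLE", SINGLE), ("SWEEP", SWEEP)):
        per_ip, per_user = summarize(sample)
        print(name, classify(sample), len(per_ip), "sources,",
              len(per_user), "usernames")
```

A per-source rate limit alone sees only a handful of failures from each address in the sweep case, which is why the summary counts distinct sources and usernames together.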