Security Incidents mailing list archives
Re: SSH attacks?
From: "George Georgalis" <george () galis org>
Date: Fri, 30 Jul 2004 14:37:09 -0400
On Tue, Jul 27, 2004 at 01:15:30PM -0500, Paul Schmehl wrote:
> --On Tuesday, July 27, 2004 10:59:07 AM +1200 Robin <robin () kallisti net nz> wrote:
>
>> While looking through the logs after someone ran over my system with Nessus, I noticed some odd ones from sshd (that don't seem to be related to the Nessus scan):
>>
>> Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow information for NOUSER
>>
>> Does anyone know why this would appear all of a sudden?
>
> Yes. These are compromised hosts that are being used to probe for vulnerable versions of sshd. The login is irrelevant. The banner tells them what they need to know.
Sounds like a reasonable assertion, but dshield reports a _very_ small number of sources doing the scanning. If it is a worm, it would appear to be funneling through hosts that won't be under some AUP. (It might be a worm if compromised hosts are controlling the scanners, and getting a db of nearby compromised machines...)

http://www.dshield.org/port_report.php?port=22&recax=1&tarax=2&srcax=2&percent=N&days=70&Redraw=

I'm curious what's happening to honey pots? A look at the 10 day graph shows a slight rise (from near zero) and fall in the number of sources, hardly detectable but indicating someone is at the controls, maybe.

Unfortunately, the people not updating their sshd are also probably not reading the incidents list. If infected hosts aren't doing the scanning they won't be easy to identify, unless they participate in a DDoS.

Which makes me wonder, is there any kind of contingency plan, anywhere, to coordinate quick removal (i.e. null route, confiscate hardware) of hosts that participate in DDoS or other destructive activities?

// George

--
George Georgalis, Architect and administrator, Linux services. IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george () galis org
Key fingerprint = 5415 2738 61CF 6AE1 E9A7 9EF0 0186 503B 9831 1631
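Added example, not from anyone in this thread: a small Python check that pulls the sshd "Could not get shadow information for NOUSER" errors out of a syslog-style auth log and counts them per minute, so a probe burst like the one Robin saw stands out from a stray single error. The log lines below are constructed, modelled on the one quoted above; the parser assumes the classic "Mon DD HH:MM:SS host sshd[pid]: msg" layout.

```python
import re
from collections import Counter
from datetime import datetime

# Classic syslog layout, as in the line quoted in the original post.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Exact message text reported by Robin; note it carries no source address,
# so it has to be correlated with other sshd lines to find the scanner.
SHADOW_PROBE = "error: Could not get shadow information for NOUSER"

# Constructed sample log (not real data): four probes inside one minute,
# one legitimate login, one isolated probe late in the day.
SAMPLE_LOG = """\
Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow information for NOUSER
Jul 27 03:12:26 kallisti sshd[16473]: error: Could not get shadow information for NOUSER
Jul 27 03:12:28 kallisti sshd[16475]: error: Could not get shadow information for NOUSER
Jul 27 03:12:31 kallisti sshd[16479]: error: Could not get shadow information for NOUSER
Jul 27 09:41:02 kallisti sshd[17020]: Accepted publickey for robin from 192.0.2.10 port 51234 ssh2
Jul 27 23:55:40 kallisti sshd[18877]: error: Could not get shadow information for NOUSER
"""

def parse(line, year=2004):
    """Split one syslog line into fields; return None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # syslog timestamps omit the year, so the caller supplies it.
    entry["ts"] = datetime.strptime(entry["ts"], "%b %d %H:%M:%S").replace(year=year)
    return entry

def shadow_probe_summary(log_text, threshold=3):
    """Return (total NOUSER errors, sorted list of (minute, count) at or above threshold)."""
    per_minute = Counter()
    for entry in map(parse, log_text.splitlines()):
        if entry and entry["msg"] == SHADOW_PROBE:
            per_minute[entry["ts"].strftime("%b %d %H:%M")] += 1
    total = sum(per_minute.values())
    bursts = sorted((minute, n) for minute, n in per_minute.items() if n >= threshold)
    return total, bursts

if __name__ == "__main__":
    total, bursts = shadow_probe_summary(SAMPLE_LOG)
    print(f"{total} NOUSER shadow errors; bursty minutes: {bursts}")
```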