Security Incidents mailing list archives

RE: SSH attacks?


From: "M Shirk" <shirkdog_linux () hotmail com>
Date: Fri, 30 Jul 2004 07:16:52 -0400

There are a couple of things that come to mind about this activity:

1. This is incredibly noisy and sloppy. http://isc.incidents.org has already posted an analysis of a root-compromised box in which it appeared to be someone with not a lot of skill, due to typos and the commands used to install the rootkit. Also, the only reason it was exploited was because someone had a BLANK ROOT PASSWORD (grins).

2. Do these attackers even know that this activity has been discovered, and that admins are on the alert? This ssh activity has been discussed for a number of days now. If they are really l33t, they will also be reading this very mailing list. (However, the evidence presented here and at the ISC points to the fact that they are more than likely script kiddies.)

3. Just as one of the postings here said, the admin was upset they did not try to log on as root. I cannot ever remember having a default guest or test account on a unix system. It would be interesting if these attacks were profiled against a single compromised host, and that profile used as an attack signature for everyone else on the Internet.

If possible, change your SSHD port as discussed, in which case you will avoid any of these types of scans.

Shirkdog
http://www.shirkdog.us

-----Original Message-----
From: jyri.hovila () iki fi [mailto:jyri.hovila () iki fi]
Sent: Wednesday, July 28, 2004 2:43 PM
To: incidents () securityfocus com
Subject: Re: SSH attacks?
Importance: Low


Hi!

I collect logs from a bunch of OpenBSD hosts. Below is what I found
(sorry about the messy format).

Most of the hosts doing the scans seem to be running sshd. I'm afraid
this could mean there is a new SSH exploit out in the wild. I think
admins would do wisely to restrict SSH logins to known IP addresses (or
subnets) when possible.

- Jyri
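
The profiling idea in point 3, as an added example that is not part of the original messages: a small Python script that reads sshd log lines and reports sources whose failed logins cover both the guest and test accounts. The log lines are constructed, and the signature itself (both names from one source) is an assumption drawn from the thread's description, as are the function names.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the original post); the
# addresses are documentation ranges and the line format is assumed.
SAMPLE_LOG = """\
Jul 28 14:01:02 host sshd[1234]: Failed password for illegal user test from 192.0.2.10 port 4242 ssh2
Jul 28 14:01:05 host sshd[1235]: Failed password for illegal user guest from 192.0.2.10 port 4243 ssh2
Jul 28 14:02:00 host sshd[1240]: Failed password for root from 198.51.100.7 port 5000 ssh2
Jul 28 14:03:00 host sshd[1250]: Accepted password for alice from 203.0.113.5 port 6000 ssh2
Jul 28 14:04:10 host sshd[1260]: Failed password for invalid user test from 198.51.100.7 port 5001 ssh2
""".splitlines()

# Older OpenSSH logs "illegal user", newer releases log "invalid user";
# existing accounts such as root appear without either prefix.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumed signature: one source failing logins for every watched account.
WATCHED = frozenset({"guest", "test"})


def profile_sources(lines):
    """Map each source IP to the usernames it failed to log in as, in order."""
    attempts = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)


def match_signature(lines, watched=WATCHED):
    """Return sorted IPs whose failed logins cover all watched account names."""
    return sorted(ip for ip, users in profile_sources(lines).items()
                  if watched <= set(users))


if __name__ == "__main__":
    for ip in match_signature(SAMPLE_LOG):
        print("matches guest/test signature:", ip)
```

A source that only tries root plus one of the watched names does not match, which keeps ordinary mistyped logins out of the result.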
