Security Incidents mailing list archives

Re: Anyone else seeing SSH scans?


From: Hossein Rafighi <Hossein.Rafighi () triumf ca>
Date: Wed, 28 Jul 2004 12:11:52 -0700

This latest scan has nothing to do with badly configured sshd! They are looking for nix boxes with username: guest, test and user, with passwords set to be the same as the username if any? Once they're in then they install rootkits and IRCs. In one case they had installed irc.so from:
sirzion.illusivecreations.com hosted by irc.hertza.ro in Romania

We are in the process of investigating this more!

Stay tuned.
Hossein



sk () onlaw at wrote:

Hi!

I've also encountered these scans twice a day from different IPs.
Remarkable is that these scans all originate from different Asian
countries (mostly .jp && .kr).

Is this something new, or just people looking for badly configured
machines?

I can't think of an sshd configured that badly, but who knows...

Stefan

-----Original Message-----
From: Matthew Dharm [mailto:mdharm () one-eyed-alien net]
Sent: Tuesday, 27 July 2004 19:00
To: incidents () securityfocus com
Subject: Anyone else seeing SSH scans?

I've noticed that several *NIX machines I have running (all of which are
located in the same IP block) are periodically getting scanned via ssh
for the accounts 'test' and 'guest'.

The source IP varies with each scan.  But I'm getting about one of these
a day now.  Obviously, I don't have accounts with that name on my
systems, but still....

Is this something new, or just people looking for badly configured
machines?

Matt


--
_____  _____   _____  _   _  _   _  ____ Hossein Rafighi
|_   _||  _  \ |_   _|| | | || \_/ ||  __|TRIUMF, 4004 Wesbrook Mall
 | |  | |_|  )  | |  | | | ||     || |__ Vancouver BC, Canada, V6T 2A3
 | |  |  _  /   | |  | \_/ || \_/ ||  __|Voice: (604) 222-1047
 | |  | | \ \  _| |_ |     || | | || |   Fax:   (604) 222-1074
 |_|  |_|  \_\|_____| \___/ |_| |_||_|   Website: http://www.triumf.ca
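
The probes discussed in this thread (password attempts against 'guest', 'test' and 'user') leave a recognisable trail in the sshd auth log. The following is an added example, not part of the original messages: it groups such attempts by source address and flags any successful password login to one of those account names. It assumes OpenSSH's syslog wording for failed and accepted passwords, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Account names the thread reports being probed.
PROBED = {"guest", "test", "user"}

# OpenSSH auth-log messages: failed attempts (existing or unknown account)
# and successful password logins. "illegal user" is the older wording.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+")

def analyze(lines):
    """Return (probes, logins): probes maps source IP -> set of probed
    account names it tried; logins lists (user, ip) for successful password
    logins to a probed account name, which call for immediate investigation."""
    probes = defaultdict(set)
    logins = []
    for line in lines:
        m = FAILED.search(line)
        if m and m["user"] in PROBED:
            probes[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m and m["user"] in PROBED:
            logins.append((m["user"], m["ip"]))
    return dict(probes), logins

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE = """\
Jul 27 03:12:01 host sshd[4101]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Jul 27 03:12:04 host sshd[4103]: Failed password for illegal user guest from 192.0.2.10 port 40150 ssh2
Jul 27 09:30:44 host sshd[5120]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Jul 28 02:45:10 host sshd[6001]: Failed password for user from 203.0.113.5 port 33211 ssh2
Jul 28 02:45:13 host sshd[6003]: Accepted password for user from 203.0.113.5 port 33240 ssh2
""".splitlines()

if __name__ == "__main__":
    probes, logins = analyze(SAMPLE)
    for ip, users in sorted(probes.items()):
        print(f"probe from {ip}: tried {', '.join(sorted(users))}")
    for user, ip in logins:
        print(f"ALERT: password login as '{user}' from {ip}")
```

A hit in the second list means a probed account name exists and accepted a password, which matches the compromise path described in the reply above.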

