Security Incidents mailing list archives
Re: Internet SSH scans
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Sat, 4 Mar 2006 13:34:05 +1300
[sorry, I managed to cc this to bugtraq rather than incidents first time around]

On 03/03/06, Alexandre H <alexandre.hamelin () gmail com> wrote:
> Hi, I've witnessed what I think is an increase in SSH scans over the Internet in the past four or five weeks. The scan seems to originate from various countries around the globe which makes me think of it to be a worm-like spreading virus searching for vulnerable systems running the SSH service. I confirmed the attack with a friend of mine who also happens to run a SSH server at home. We both live in Montreal, QC, Canada and are using the same ISP.

I think I've been seeing scans for a year or two now, but the password guessing seemed to be fairly plentiful for the whole of last year. I saw a couple of boxes compromised through 'temporary' accounts like upload/upload which had escaped the admin's notice.

My suggested mitigation is to move SSH to an alternate port, possibly go to key pair authentication rather than password, restrict what IP addresses are allowed to connect to sshd as far as possible and/or use crack/john to ensure that people don't set dumb passwords.

cheers,
Jamie

(In case anyone is interested in the gory details - one compromised box had some privilege escalation exploits uploaded, someone tried to use it for sending ebay phishing emails, and then started it scanning for other weak ssh passwords as well - http://www.infosecwriters.com/texts.php?op=display&id=402 )
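The configuration-level suggestions in the message above (alternate port, key pair authentication, restricting client addresses) can be checked against an sshd_config. This is an added example, not part of the original post; the two sample configs, the user names and the function names are constructed for illustration.

```python
import re

MULTI = {"port", "allowusers"}  # keywords that accumulate across lines

def effective_settings(text):
    """Resolve global sshd_config settings (everything before the first Match)."""
    cfg = {"port": [], "allowusers": []}
    for raw in text.splitlines():
        m = re.match(r"(\w+)\s*=?\s*(.*)", raw.strip())
        if not m:
            continue  # blank line, comment, or unparseable
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # conditional blocks are out of scope for this audit
        if key in MULTI:
            cfg[key] += val.split()
        else:
            cfg.setdefault(key, val.lower())  # sshd keeps the first value it reads
    cfg["port"] = cfg["port"] or ["22"]  # OpenSSH default
    return cfg

def audit(text):
    """Return one finding per mitigation from the post that the config lacks."""
    cfg = effective_settings(text)
    findings = []
    if "22" in cfg["port"]:
        findings.append("port: sshd listens on the default port 22")
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("auth: password authentication is enabled")
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        findings.append("auth: key pair authentication is disabled")
    # Assumption: source limits live in AllowUsers user@host patterns; a
    # firewall or TCP-wrapper restriction is invisible to this check.
    users = cfg["allowusers"]
    if not users or any("@" not in u for u in users):
        findings.append("source: AllowUsers does not pin every user to a host")
    return findings

# Constructed sample configs (not taken from any real host).
WEAK = "# stock-like\nPort 22\nPasswordAuthentication yes\n"
HARDENED = """# hardened along the lines suggested in the post
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice@192.0.2.* deploy@198.51.100.7
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "no findings")
```

Password strength, the remaining suggestion (crack/john), is not visible in sshd_config and is outside what this check covers.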