Security Incidents mailing list archives

Re: Weird SSH attack last night and this morning (still ongoing)


From: Gary Baribault <gary () baribault net>
Date: Wed, 14 May 2008 19:05:21 -0400

I doubt it; that's a man-in-the-middle attack, if I understood. This is a kind of distributed brute force and, as I said in a more recent post, they are no longer only trying Root but are using a list of alphabetic logins, so it has evolved.

Gary B




Mick Pollard wrote:
 On Wed, 07 May 2008 08:27:15 -0400
 Gary Baribault <gary () baribault net> wrote:

> I don't know what is going on last night and this morning ... I have
> three Linux servers facing the Internet, two on cable modems and another
> on a static IP/commercial connection and this last one is a gateway to a
> Web/FTP/SMTP/Pop3/NTP Linux based system.
>

> Of the three machines, one of them only had about 10 attempts, but the
> other two had about 200 attempts .. all of them with only 1 try with the
> user Root ..
>
> Is anyone else seeing this? Or am I being targeted? This is still going
> on now .. and it started around 10:00 last night GMT+4
 These aren't related to the recent OpenSSH advisory for Debian-based
 distros? [USN-612-2] OpenSSH vulnerability
 A bot looking for Debian-based servers with weak SSH keys?
 Just a thought.

 -
 Regards
 Mick Pollard ( lunix )
 ------------------------------------------------
 BOFH Excuse of the day:
 Extraneous Parity Interrupt
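
Detection logic for the pattern reported in this thread (many sources, about one failed try each, first for root and later for alphabetic logins), as an added example that is not part of the original posts. The log lines are constructed in OpenSSH syslog format; the function names, thresholds and the year default are assumptions. A per-source counter is included for comparison because it stays silent on this traffic.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format; IPs are documentation ranges.
SAMPLE = """\
May  7 02:01:10 gw sshd[4101]: Failed password for root from 192.0.2.10 port 40112 ssh2
May  7 02:03:44 gw sshd[4105]: Failed password for root from 198.51.100.23 port 51233 ssh2
May  7 02:06:02 gw sshd[4109]: Failed password for root from 203.0.113.7 port 33810 ssh2
May  7 02:09:31 gw sshd[4113]: Failed password for root from 192.0.2.88 port 45900 ssh2
May  7 02:12:05 gw sshd[4120]: Accepted publickey for ops from 192.0.2.200 port 50022 ssh2
May  7 02:14:18 gw sshd[4124]: Failed password for invalid user aaron from 198.51.100.91 port 42177 ssh2
May  7 02:17:40 gw sshd[4130]: Failed password for invalid user abby from 203.0.113.150 port 39004 ssh2
""".splitlines()

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse(lines, year=2008):
    """Return sorted (time, ip, user) tuples for failed password attempts."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:  # syslog omits the year, so the caller supplies it (assumed 2008 here)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return sorted(events)

def per_ip_offenders(events, max_tries=3):
    """Per-source threshold: IPs with more than max_tries failures."""
    counts = Counter(ip for _, ip, _ in events)
    return {ip for ip, n in counts.items() if n > max_tries}

def detect_distributed(events, window=timedelta(minutes=30), min_sources=5, max_per_ip=2):
    """Largest set of low-volume sources seen inside one sliding window, or None."""
    best, start = None, 0
    for end, (ts, _, _) in enumerate(events):
        while ts - events[start][0] > window:
            start += 1  # drop events that fell out of the window
        span = events[start:end + 1]
        per_ip = Counter(ip for _, ip, _ in span)
        quiet = sorted(ip for ip, n in per_ip.items() if n <= max_per_ip)
        if len(quiet) >= min_sources and (best is None or len(quiet) > len(best["sources"])):
            best = {"sources": quiet, "users": sorted({u for _, _, u in span}),
                    "first": span[0][0], "last": ts}
    return best

if __name__ == "__main__":
    events = parse(SAMPLE)
    print("per-IP threshold flags:", per_ip_offenders(events))
    print("distributed pattern:", detect_distributed(events))
```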



