[Dshield] ssh attacks
sshelton at aleron.com
Tue Oct 12 17:01:42 GMT 2004
We've seen hits since the beginning - middle of September. We had a customer's host get compromised with Linux.RST.B and found several nasty features running on the host; the scanning engine was source port 6 / victim ssh-22.
Random guessing began as root, admin and guest and has evolved into more of a dictionary approach. I've found the following link very helpful and all hosts running this sort of exploit have been listed here:
Other references I've found are:
I've even seen a few with moderate to heavy volume busy out all available vty's on a few devices.
Aleron Broadband Services, LLC.
From: Darin Fisher [mailto:pfm.net at gmail.com]
Sent: Tuesday, October 12, 2004 12:16 PM
To: General DShield Discussion List
Subject: Re: [Dshield] ssh attacks
Yes, I've been seeing a tremendous increase in attempts also.
An average of 0 - 10 per day is now averaging over 200 per day.
I didn't check your addresses but attempts on my sites all seem to be
coming from Asia; China and Korea.
I guess the hacker school
must be labs.
Any other thoughts?
On Tue, 12 Oct 2004 08:30:08 -0700, Barton L. Phillips
<admin at bartonphillips.com> wrote:
> In the last several days I have seen an increase in attempts to log into
> my server via SSH. Previously I was only seeing the "test" and "guest"
> attempts previously mentioned on this list. Here is an example of what I
> saw yesterday:
> Failed logins from these:
> Has anyone else been seeing this?
> Barton L. Phillips
> Applied Technology Resources, Inc.
> Tel: (818)652-9850
> Web: http://www.applitec.com
> DShield and the Internet Storm Center are sponsored by the SANS Institute.
> To learn more about current SANS training, see http://www.sans.org .
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
"Those who would give up essential liberty to purchase a little
temporary safety deserve neither liberty or safety."
- Benjamin Franklin