[Dshield] ssh attacks

Steve Shelton sshelton at aleron.com
Tue Oct 12 17:01:42 GMT 2004


Yes, indeed!

We've seen hits since the beginning - middle of September.  We had a customer's host get compromised with Linux.RST.B and found several nasty features running on the host, scanning engine was source port 6 / victim ssh-22.

Random guessing began as root, admin and guest and has evolved into more of a dictionary approach.  I've found the following link very helpful and all hosts running this sort of exploit have been listed here:

http://www.mynetwatchman.com/incidentsbyport.asp?range=0&SID=0x060016&ServiceName=tcp/22

Other references I've found are:

http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999
http://seclists.org/lists/fulldisclosure/2004/Jul/1243.html

I've even seen a few with moderate to heavy volume busy out all available vty's on a few devices.

Steve Shelton
Aleron Broadband Services, LLC.


-----Original Message-----
From: Darin Fisher [mailto:pfm.net at gmail.com]
Sent: Tuesday, October 12, 2004 12:16 PM
To: General DShield Discussion List
Subject: Re: [Dshield] ssh attacks


Yes, I've been seeing a tremendous increase in attempts also.
An average of 0 - 10 per day is now averaging over 200 per day.

I didn't check your addresses but attempts on my sites all seem to be
coming from Asia; China and Korea.

I guess the hacker school
(http://it.slashdot.org/article.pl?sid=04/10/05/0314258&tid=172&tid=1)
must be labs.

Any other thoughts?

D


On Tue, 12 Oct 2004 08:30:08 -0700, Barton L. Phillips
<admin at bartonphillips.com> wrote:
> In the last several days I have seen an increase in attempts to log into
> my server via SSH. Previously I was only seeing the "test" and "guest"
> attempts previously mentioned on this list. Here is an example of what I
> saw yesterday:
> 
> Failed logins from these:
> 
> ...
>
> Has anyone else been seeing this?
> 
> --
> ----------------
> Barton L. Phillips
> Applied Technology Resources, Inc.
> Tel: (818)652-9850
> Web: http://www.applitec.com 
> 
> _______________________________________________
> DShield and the Internet Storm Center are sponsored by the SANS Institute.
> To learn more about current SANS training, see http://www.sans.org .
> 
> _______________________________________________
> send all posts to list at lists.dshield.org 
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list 
> 


-- 
"Those who would give up essential liberty to purchase a little
temporary safety deserve neither liberty or safety."
 - Benjamin Franklin
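
The pattern described in this thread (guesses against root, admin and guest giving way to a dictionary of usernames) can be separated per source address from an sshd auth log. This is an added example, not part of the original messages: it parses OpenSSH "Failed password" lines, and the function name, thresholds, labels and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# OpenSSH failure lines: older releases log "illegal user", newer ones
# "invalid user"; failures for existing accounts carry neither.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Names the thread reports as guessing targets (assumed grouping).
DEFAULT_ACCOUNTS = {"root", "admin", "guest", "test"}


def summarize(lines, min_attempts=3, dictionary_names=3):
    """Group failed SSH logins by source address and label the pattern."""
    users_by_ip = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            users_by_ip[m.group("ip")].append(m.group("user"))
    report = {}
    for ip, users in users_by_ip.items():
        if len(users) < min_attempts:
            continue  # too few failures to tell apart from a typo
        other = set(users) - DEFAULT_ACCOUNTS
        if not other:
            pattern = "default-accounts"
        elif len(other) >= dictionary_names:
            pattern = "dictionary"
        else:
            pattern = "targeted"
        report[ip] = {"attempts": len(users),
                      "distinct_users": len(set(users)), "pattern": pattern}
    return report


# Constructed sample lines; addresses are from documentation ranges.
SAMPLE = """\
Oct 11 03:12:01 web1 sshd[2101]: Failed password for root from 192.0.2.10 port 40112 ssh2
Oct 11 03:12:03 web1 sshd[2103]: Failed password for illegal user admin from 192.0.2.10 port 40115 ssh2
Oct 11 03:12:05 web1 sshd[2105]: Failed password for illegal user guest from 192.0.2.10 port 40119 ssh2
Oct 11 04:40:10 web1 sshd[2210]: Failed password for illegal user alice from 198.51.100.7 port 51001 ssh2
Oct 11 04:40:12 web1 sshd[2212]: Failed password for illegal user bob from 198.51.100.7 port 51004 ssh2
Oct 11 04:40:14 web1 sshd[2214]: Failed password for invalid user carol from 198.51.100.7 port 51009 ssh2
Oct 11 04:40:16 web1 sshd[2216]: Failed password for root from 198.51.100.7 port 51013 ssh2
Oct 11 09:02:30 web1 sshd[2300]: Failed password for dave from 203.0.113.5 port 60222 ssh2
Oct 11 09:02:41 web1 sshd[2301]: Accepted password for dave from 203.0.113.5 port 60222 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE).items()):
        print(ip, info)
```
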