[Dshield] SSH Bots

Kenton Smith listsks at yahoo.ca
Mon Mar 6 23:57:58 GMT 2006


I would guess that these are the same brute-force bots
that have been around for a while now. They just pick
on simple and default passwords and common user names
(root, administrator, etc). We see a relatively
constant stream of these and I just ignore them (other
than making sure that they aren't targeted).

Kenton

--- "Jon R. Kibler" <Jon.Kibler at aset.com> wrote:

> Greetings,
> 
> We got a new phishing email this morning (so, what
> else is new?) that resulted in my learning of a new
> attack (well, at least new to me) against ssh. 
> 
> When I contacted the system's netblock owner, they
> indicated that the compromised box was a MacOS/X
> system and they had already shut down the box. I got
> to talking to their security person and he indicated
> that the box was compromised via a brute force ssh
> attack. Apparently, there are botnets that do
> distributed brute force ssh attacks, hitting on all
> possible combinations of password characters up
> through 14 character lengths. 
> 
> Anyone else heard of and/or been a victim of this
> attack? If so, would you be willing to share the
> details and new countermeasures implemented?
> 
> So, I guess it is time to change all of our ssh
> passwords to 15 or 16 chars! 
> 
> Or, I seem to remember that MD5 hashed *nix
> passwords can be up to 128 chars... so maybe our
> passwords should now become paragraphs?
> 
> I guess what is really needed is some PAM-based
> authentication failure account lockout schema. I
> don't see any modules to this in default FC/4 or
> Solaris 9/10 distros. Anyone know if this can be
> done and/or how to do it?
> 
> Thanks!
> Jon Kibler
> -- 
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
> 


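An added example, not part of either message: a Python sketch that sorts failed sshd logins by source into dictionary noise (default and nonexistent user names) versus repeated failures against a real local account, the distinction the reply draws between ignorable bots and targeted attempts. The log lines are constructed samples in OpenSSH syslog format, and `COMMON_NAMES` and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# OpenSSH logs "invalid user" when the account does not exist locally.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Assumed list of stock names that dictionary bots try everywhere.
COMMON_NAMES = {"root", "administrator", "admin", "test", "guest"}

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
Mar  6 03:12:01 host sshd[811]: Failed password for root from 192.0.2.10 port 4101 ssh2
Mar  6 03:12:03 host sshd[812]: Failed password for invalid user admin from 192.0.2.10 port 4102 ssh2
Mar  6 03:12:05 host sshd[813]: Failed password for invalid user test from 192.0.2.10 port 4103 ssh2
Mar  6 03:12:07 host sshd[814]: Failed password for invalid user guest from 192.0.2.10 port 4104 ssh2
Mar  6 09:40:11 host sshd[902]: Failed password for jsmith from 198.51.100.7 port 5120 ssh2
Mar  6 09:40:19 host sshd[903]: Failed password for jsmith from 198.51.100.7 port 5121 ssh2
Mar  6 09:40:31 host sshd[904]: Failed password for jsmith from 198.51.100.7 port 5122 ssh2
Mar  6 09:41:02 host sshd[905]: Accepted password for kenton from 203.0.113.5 port 6001 ssh2
"""

def classify_sources(log_text, threshold=3):
    """Return {ip: "targeted" | "dictionary"} for each source with failures."""
    real_hits = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    seen = set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ip, user = m["ip"], m["user"]
        seen.add(ip)
        # Not flagged invalid and not a stock name: a real local account.
        if not m["invalid"] and user not in COMMON_NAMES:
            real_hits[ip][user] += 1
    verdicts = {}
    for ip in seen:
        worst = max(real_hits[ip].values(), default=0)
        verdicts[ip] = "targeted" if worst >= threshold else "dictionary"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(ip, verdict)
```
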

