[Dshield] SSH Bots

Stef stefmit at gmail.com
Tue Mar 7 11:58:53 GMT 2006


On 3/6/06, Fergie <fergdawg at netzero.net> wrote:
> Hi Jon,
>
> I encourage you (and any other folks interested) to report botnets,
> or even just post information & ask questions, over on the botnet
> list:
>
>  botnets at whitestar.linuxbox.org
>
> More info available on subscribing at:
>
>  http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
>
> Cheers!
>
> - ferg
>
>
>
> -- "Jon R. Kibler" <Jon.Kibler at aset.com> wrote:
>
> Greetings,
>
> We got a new phishing email this morning (so, what else is new?) that resulted in my learning of a new attack (well, at least new to me) against ssh.
>
> When I contacted the system's netblock owner, they indicated that the compromised box was a MacOS/X system and they had already shut down the box. I got to talking to their security person and he indicated that the box was compromised via a brute force ssh attack. Apparently, there are botnets that do distributed brute force ssh attacks, hitting on all possible combinations of password characters up through 14 character lengths.
>
> Anyone else heard of and/or been a victim of this attack? If so, would you be willing to share the details and new countermeasures implemented?
>
> So, I guess it is time to change all of our ssh passwords to 15 or 16 chars!
>
> Or, I seem to remember that MD5 hashed *nix passwords can be up to 128 chars... so maybe our passwords should now become paragraphs?
>
> I guess what is really needed is some PAM-based authentication failure account lockout schema. I don't see any modules to this in default FC/4 or Solaris 9/10 distros. Anyone know if this can be done and/or how to do it?
>
> Thanks!
> Jon Kibler
> --
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
>
>
>
>
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg at netzero.net or fergdawg at sbcglobal.net
>  ferg's tech blog: http://fergdawg.blogspot.com/
>
>

... or the newly created one here (which seems to be very active, even
if it is only a few weeks old):

To report a botnet PRIVATELY please email: c2report at isotf.org
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

Stef
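The thread above describes distributed SSH password brute forcing and asks for a failure-count lockout scheme. The following is an added example, not code from either poster or from any PAM module: it shows the core of such a scheme as detection logic, a sliding-window count of sshd "Failed password" events per source address, run over a handful of constructed syslog lines. The hostname, addresses, usernames, the five-failures-in-ten-minutes threshold and the year used to complete the syslog timestamps are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd syslog lines; not real traffic. One source
# address (198.51.100.23) fails five times in a few seconds, then comes
# back later; a legitimate user fails once and then logs in.
SAMPLE_LOG = """\
Mar  7 11:40:01 host sshd[2211]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  7 11:40:02 host sshd[2212]: Failed password for invalid user admin from 198.51.100.23 port 40023 ssh2
Mar  7 11:40:03 host sshd[2213]: Failed password for root from 198.51.100.23 port 40024 ssh2
Mar  7 11:40:04 host sshd[2214]: Failed password for root from 198.51.100.23 port 40025 ssh2
Mar  7 11:40:05 host sshd[2215]: Failed password for root from 198.51.100.23 port 40026 ssh2
Mar  7 11:41:10 host sshd[2216]: Failed password for jon from 203.0.113.9 port 51000 ssh2
Mar  7 11:41:20 host sshd[2217]: Accepted password for jon from 203.0.113.9 port 51000 ssh2
Mar  7 11:55:00 host sshd[2218]: Failed password for root from 198.51.100.23 port 40100 ssh2
"""

# Matches OpenSSH's password-failure line, with or without the
# "invalid user" marker that sshd adds for nonexistent accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    Syslog timestamps carry no year, so one is supplied (an assumption).
    Successful logins and unrelated lines are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Collapse the double space in "Mar  7" before parsing.
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforcers(events, threshold=5, window_seconds=600):
    """Flag a source address the first time it accrues `threshold` failures
    within `window_seconds`. Returns {ip: time_flagged}.

    This is the counting half of a lockout scheme: a real deployment would
    act on the result (deny the address or lock the account) rather than
    just report it.
    """
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for ts, ip, _user in sorted(events):
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_bruteforcers(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip} exceeded failure threshold at {when:%H:%M:%S}")
```

Counting per source address rather than per account is the important choice here: a distributed bot that spreads attempts across many accounts would never trip a per-account lock, while a per-account lock lets the attacker deny service to real users by failing their logins deliberately. The window matters too: the same address returning fifteen minutes later starts a fresh count instead of being flagged again.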


