On Tue, Jul 27, 2004 at 01:15:30PM -0500, Paul Schmehl wrote:
>--On Tuesday, July 27, 2004 10:59:07 AM +1200 Robin <robin (at) kallisti.net (dot) nz [email concealed]>
>wrote:
>>
>>While looking through the logs after someone ran over my system with
>>Nessus, I noticed some odd ones from sshd (that don't seem to be related
>>to the nessus scan):
>>Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow
>>information for NOUSER
>>
>>Does anyone know why this would appear all of a sudden?
>
>Yes. These are compromised hosts that are being used to probe for
>vulnerable versions of sshd. The login is irrelevant. The banner tells
>they what they need to know.

Sounds like a reasonable assertion, but dshield reports a _very_ small
number of sources doing the scanning. If it is a worm, it would appear
to be funneling through hosts that won't be under some AUP. (It might be
a worm if compromised hosts are controlling the scanners, and getting a
db of nearby compromised machines...)

http://www.dshield.org/port_report.php?port=22&recax=1&tarax=2&srcax=2&p
ercent=N&days=70&Redraw=

I'm curious what's happening to honey pots?

A look at the 10 day graph shows slight rise (from near zero) and fall
in the number of sources, hardly detectable but indicating someone is at
the controls, maybe.

Unfortunately, the people not updating their sshd are also probably not
reading the incidents list. If infected hosts aren't doing the scanning
they won't be easy to identify, unless they participate in a DDoS.

Which makes me wonder, is there any kind of contingency plan, anywhere,
to coordinate quick removal (ie null route, confiscate hardware) of hosts
that participate in DDoS or other destructive activities?

// George

--
George Georgalis, Architect and administrator, Linux services. IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george (at) galis (dot) org [email concealed]
Key fingerprint = 5415 2738 61CF 6AE1 E9A7 9EF0 0186 503B 9831 1631

[ reply ]