Incidents
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:01PM
Gary Baribault (gary baribault net)
I haven't had any luck getting the attack code either .. it's clearly
automated and I've had many replies saying that others have been hit the
same over the last 18 hours .. it's actually a rather stupid attack,
since it only tries root and only once..

Gary Baribault
Courriel: gary (at) baribault (dot) net [email concealed]
GPG Key: 0x4346F013
GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013

seg wrote:
> Gary Baribault wrote:
>
> > I don't know what is going on last night and this morning ... I have
> > three Linux servers facing the Internet, two on cable modems and another
> > on a static IP/commercial connection and this last one is a gateway to a
> > Web/FTP/SMTP/Pop3/NTP Linux based system.
>
> > I have DenyHosts installed on all three and have blocked about 75
> > attempts .. from known compromised adresses .. The log shows
> > (obviously) that there where even more attempts from adresses that are
> > unknown to DenyHosts but there was only one login attemps per adress and
> > it was with the Root account .. which is obviously blocked in my sshd
> > config ..
>
> > Of the three machines, one of them only had about 10 attempts, but the
> > other two had about 200 attempts .. all of them with only 1 try with the
> > user Root ..
>
> > Is any one else seing this? or am I being targeted? This is still going
> > on now .. and it started arround 10:00 last night GMT+4
>
> Hi,
>
> have seen the same just recently! Around the same no. of attempts, every
> one coming from a different host and all tries against the root account.
>
> I haven't seen this before myself and I don't think it's generated by the
> same ssh brute forcing malware practically every attackers seems to be
> using.
> Anyone having followed up on this with the originating site and was
> able to
> get the malware? (A colleague of mine is trying that right now but the
> chances of getting the malware are slim ...)
>
> Regards,
> Andreas Bunten
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus