Incidents
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:02PM
Bartholomew Mallio (bmallio mail rockefeller edu)
Hi everyone--

In the last month, I've started to see distributed / co-ordinated SSH
login attempts not unlike the one Gary is describing. However, I have
seen a handful of hosts attempt this, but have yet to see a really large
number attempt one password each.

Thanks,
--bart

Gary Baribault wrote:
> I'm hit all the time too, but it's usually scripted, and they'll try 6
> - 8 logins before my DenyHosts script bans the IP address. In this
> case, there is only one login attempt, and it with root .. then that
> source IP doesn't try again .. it's as if someone just got some
> default password or maybe a blank one and has asked an entire botnet
> to try it once for all machines on the Internet .. it's weird!
>
> Gary B
>
> bigbadhoss (at) gmail (dot) com [email concealed] wrote:
>> These happen all the time on my servers, probably just background
>> noise, but it could be something else.
>> Sent from my Verizon Wireless BlackBerry
>>
>> -----Original Message-----
>> From: Gary Baribault <gary (at) baribault (dot) net [email concealed]>
>>
>> Date: Wed, 07 May 2008 08:27:15
>> To:incidents (at) securityfocus (dot) com [email concealed]
>> Subject: Weird SSH attack last night and this morning (still ongoing)
>>
>>
>> I don't know what is going on last night and this morning ... I have
>> three Linux servers facing the Internet, two on cable modems and another
>> on a static IP/commercial connection and this last one is a gateway to a
>> Web/FTP/SMTP/Pop3/NTP Linux based system.
>>
>> I have DenyHosts installed on all three and have blocked about 75
>> attempts .. from known compromised addresses .. The log shows
>> (obviously) that there were even more attempts from addresses that are
>> unknown to DenyHosts but there was only one login attempt per address and
>> it was with the Root account .. which is obviously blocked in my sshd
>> config ..
>>
>> Of the three machines, one of them only had about 10 attempts, but the
>> other two had about 200 attempts .. all of them with only 1 try with the
>> user Root ..
>>
>> Is anyone else seeing this? Or am I being targeted? This is still going
>> on now .. and it started around 10:00 last night GMT+4
>>
>

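A defender's view of the pattern Gary and Bart describe, as an added example that is not part of the thread: a small Python script (log lines constructed, assuming the usual syslog/sshd "Failed password" format) that contrasts a DenyHosts-style per-IP threshold with a per-username count of distinct sources. The per-IP view stays silent when every host tries once; the per-username view is what surfaces one-attempt-per-host guessing against root.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth log (not taken from the thread); RFC 5737 test addresses.
SAMPLE_LOG = """\
May  7 06:01:12 gw sshd[2231]: Failed password for root from 192.0.2.10 port 4422 ssh2
May  7 06:01:40 gw sshd[2240]: Failed password for root from 198.51.100.7 port 51021 ssh2
May  7 06:02:03 gw sshd[2251]: Failed password for root from 203.0.113.44 port 3390 ssh2
May  7 06:02:10 gw sshd[2252]: Failed password for invalid user test from 203.0.113.9 port 1203 ssh2
May  7 06:02:55 gw sshd[2260]: Failed password for root from 192.0.2.77 port 60012 ssh2
May  7 06:03:14 gw sshd[2262]: Accepted publickey for gary from 192.0.2.1 port 50000 ssh2
May  7 06:03:30 gw sshd[2270]: Failed password for root from 198.51.100.200 port 2222 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user X from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text):
    """Return a list of (user, ip) pairs, one per failed password line."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pairs.append((m.group("user"), m.group("ip")))
    return pairs

def per_ip_bans(failures, threshold=6):
    """DenyHosts-style view: source IPs that reached the per-source failure threshold."""
    per_ip = Counter(ip for _, ip in failures)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

def distributed_targets(failures, min_sources=4, max_per_source=2):
    """Distributed view: usernames hit from many sources, each source trying only once or twice.

    Returns {username: number_of_distinct_sources} for usernames that match."""
    sources = defaultdict(Counter)
    for user, ip in failures:
        sources[user][ip] += 1
    return {
        user: len(ips)
        for user, ips in sources.items()
        if len(ips) >= min_sources and max(ips.values()) <= max_per_source
    }

if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("per-IP bans:", per_ip_bans(fails))            # [] : nobody crossed the threshold
    print("distributed targets:", distributed_targets(fails))  # {'root': 5}
```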
Copyright 2010, SecurityFocus