Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Weird SSH attack last night and this morning (still ongoing)

from [Bartholomew Mallio] Network Security [Permanent Link]
Subject: Re: Weird SSH attack last night and this morning (still ongoing)
Date: Wed, 07 May 2008 14:02:59 -0400 
Hi everyone--

In the last month, I've started to see distributed / co-ordinated SSH login attempts not unlike the one Gary is describing. However, I have seen a handful of hosts attempt this, but have yet to see a really large number attempt one password each.

Thanks,
--bart

Gary Baribault wrote:
I'm hit all the time too, but it's usually scripted, and they'll try 6 - 8 logins before my DenyHosts script bans the IP address. In this case, there is only one login attempt, and it with root .. then that source IP doesn't try again .. it's as if someone just got some default password or maybe a blank one and has asked an entire botnet to try it once for all machines on the Internet .. it's weird!

Gary B

bigbadhoss@gmail.com wrote:
These happen all the time on my servers, probably just background
noise, but it could be something else. 
 Sent from my Verizon Wireless BlackBerry

 -----Original Message-----
 From: Gary Baribault <gary@baribault.net>

 Date: Wed, 07 May 2008 08:27:15
 To:incidents@securityfocus.com
 Subject: Weird SSH attack last night and this morning (still ongoing)


I don't know what is going on last night and this morning ... I have
three Linux servers facing the Internet, two on cable modems and another
on a static IP/commercial connection and this last one is a gateway to a
Web/FTP/SMTP/Pop3/NTP Linux based system.

I have DenyHosts installed on all three and have blocked about 75
attempts .. from known compromised adresses .. The log shows
(obviously) that there where even more attempts from adresses that are
unknown to DenyHosts but there was only one login attemps per adress and
it was with the Root account .. which is obviously blocked in my sshd
config ..

Of the three machines, one of them only had about 10 attempts, but the
other two had about 200 attempts .. all of them with only 1 try with the
user Root ..

 Is any one else seing this? or am I being targeted? This is still going
 on now .. and it started arround 10:00 last night GMT+4



[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Weird SSH attack last night and this morning (still ongoing), Erin Carroll
Next by Date:  Re: Weird SSH attack last night and this morning (still ongoing), Valdis . Kletnieks
Previous by Thread:  Re: Weird SSH attack last night and this morning (still ongoing), Gary Baribault
Next by Thread:  RE: Weird SSH attack last night and this morning (still ongoing), Erin Carroll
Indexes:  [Date] [Thread] [Top] [All Lists]