Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Illegal user ssh probes

from [Frank Hamersley] Network Security [Permanent Link]
Subject: RE: Illegal user ssh probes
Date: Wed, 29 Sep 2004 13:41:55 +1000 
Thanks Mike et al,

In summary this seems a most likely explanation given "root" is not one of
the attacked account names.

If it starts to get out of hand I will add some code to automatically add a
DROP iptables rule for the source IP just to quench the log entries.

At the moment the signature is so obvious and infrequent that I won't change
anything.  But if it starts to pollute /var/log/secure to the point of
masking other possible hack attempts then it will cop a bullet!

Re the netblock abuse reporting it seems this is just a lip service feature
these days!

Cheers,
Frank.


-----Original Message-----
From: mike@genxweb.net [mailto:mike@genxweb.net]
Sent: Tuesday, 28 September 2004 9:54 PM
To: Frank Hamersley
Cc: Ssh List (E-mail)
Subject: Re: Illegal user ssh probes


I would say about two months ago there was a rumor of a new ssh xpl;oit that
was
in the wild. A few days after the rumor post I started seeing the same scans
come to all my servers. I searched around the net and found a new scanner
was
released for ssh.

Now as far as scanning for those user accounts I am a bit baffled, unless
these
scans are not made for linux but the windows ssh server.

On linux the admin account could possibly lead to access on the box. Many
hosting software like directadmin (www.directadmin.com) and a few others use
admin as the default master account with ssh enabled. Now if you combined
that
with a lazy user you can get the admin / admin combo.

As far as the other usernmae and pass combos it looks like basic windows
bruteforcing.

That is just my two cents take it or leave. If any one knows more I be
interested in hearing about it too.

Thanks
Mike

Quoting Frank Hamersley <terabite@bigpond.com>:


On examining /var/log/secure for several firewalls I manage remotely using
ssh I have observed a recurrent pattern of probing over the last several
that attempts to connect using user id's in the following order...

test / guest / admin / admin / user / test

We are using SSH 2 RSA key ONLY authentication ie. password based login is
not accepted, and none of these user profiles exist on the host so I am

not

too concerned.

However I am wondering if anyone has characterised the probe and/or
performed a risk assessment/analysis?  The rate of probes is very low so I
don't think there is a DOS attack just yet!

Is it worth reporting the behaviour to the net block assignees in case

they

aren't aware their server might be compromised?

Is anybody else seeing this?

Regards, Frank.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: PubkeyAuthentication for Specific User Only, tdotzauer@online.de
Next by Date:  Using wrappers w/ssh, Bill Edison
Previous by Thread:  Re: Illegal user ssh probes, mike
Next by Thread:  Re: Illegal user ssh probes, Rob Hughes
Indexes:  [Date] [Thread] [Top] [All Lists]