Network Security Secure-Shell

RE: Illegal user ssh probes

Subject: RE: Illegal user ssh probes
Date: Wed, 29 Sep 2004 10:50:59 -0400 (EDT)
I wrote this to Frank directly, but the wider group may find it of
interest. The attack origins are not limited to one geopolitical region:
........
Hi Frank -
I saw this came up last month on my logs, and it was noted on the NetSec
list, which forwarded the EDUCAUSE Security list messages:
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0408&L=security&T=0&F=&S=&P=11857
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0408&L=security&T=0&F=&S=&P=19493

Hope this helps.    -Robert

On Tue, 28 Sep 2004, Huijsmans, JCM (Jan) wrote:

> On examining /var/log/secure for several firewalls I manage remotely using
> ssh I have observed a recurrent pattern of probing over the last several
> that attempts to connect using user IDs in the following order...
>
> test / guest / admin / admin / user / test

We are seeing the same on one of the systems of my private company, coming from
several systems from the former Eastern Europe (mostly 80.x.x.x). Among the
users they try are also root and an attempt without a user (NO_USER or
something like that; I don't have access to the logs right now).

> However I am wondering if anyone has characterised the probe and/or
> performed a risk assessment/analysis? The rate of probes is
> very low so I don't think there is a DoS attack just yet!

Not yet, but on our system we see a probe pop up every 2-3 hours (it started
with one every 2-3 days).

> Is it worth reporting the behaviour to the net block assignees in case they
> aren't aware their server might be compromised?

I think we should at least compare the IP blocks off-list to see if there are
similarities.

Jan Huijsmans


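Jan's question about characterising the probe and its rate can be answered from the logs themselves. The following is an added example, not code from the thread or any product: it parses a constructed sample of /var/log/secure in the OpenSSH message wording of the time (an assumption; adjust the regex to your sshd version), groups attempts per source address, checks for the username order quoted above as a fingerprint, and reports how long each source has been at it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed syslog format of the 2004-era OpenSSH messages in the thread: "Mon DD
# HH:MM:SS host sshd[pid]: Illegal user NAME from IP" for unknown accounts and
# "... Failed password for NAME from IP ..." for existing ones such as root.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal user|Failed password for(?! illegal user)) "
    r"(?P<user>\S*) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
PROBE_SIGNATURE = ("test", "guest", "admin", "admin", "user", "test")  # order seen in thread
# Constructed sample of /var/log/secure, not real data.
SAMPLE_LOG = """\
Sep 28 03:14:22 fw1 sshd[4711]: Illegal user test from 80.1.2.3
Sep 28 03:14:23 fw1 sshd[4712]: Illegal user guest from 80.1.2.3
Sep 28 03:14:24 fw1 sshd[4713]: Illegal user admin from 80.1.2.3
Sep 28 03:14:25 fw1 sshd[4714]: Illegal user admin from 80.1.2.3
Sep 28 03:14:26 fw1 sshd[4715]: Illegal user user from 80.1.2.3
Sep 28 03:14:27 fw1 sshd[4716]: Illegal user test from 80.1.2.3
Sep 28 05:44:21 fw1 sshd[4902]: Illegal user  from 80.1.2.3
Sep 28 05:44:22 fw1 sshd[4903]: Failed password for root from 80.1.2.3 port 4321 ssh2
Sep 28 09:05:00 fw1 sshd[5120]: Accepted publickey for jan from 192.0.2.10 port 5555 ssh2
""".splitlines()

def parse_attempts(lines, year=2004):
    """Group (timestamp, username) per source IP, in log order."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        by_ip[m["ip"]].append((ts, m["user"] or "<no user>"))  # empty NAME = "no user" probe
    return dict(by_ip)

def has_signature(users, signature=PROBE_SIGNATURE):
    n = len(signature)  # true if the signature occurs as a contiguous run of usernames
    return any(tuple(users[i:i + n]) == signature for i in range(len(users) - n + 1))

def summarize(by_ip):
    """Per source: attempts, usernames, fingerprint hit, hours from first to last."""
    report = {}
    for ip, attempts in by_ip.items():
        users = [u for _, u in attempts]
        span = (attempts[-1][0] - attempts[0][0]).total_seconds() / 3600
        report[ip] = {"attempts": len(users), "users": users,
                      "signature": has_signature(users), "span_hours": span}
    return report
```

Sources that hit the fingerprint, or whose span keeps growing at a steady rate, are the ones worth comparing off-list and reporting to the net block owner.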