Re: Illegal user ssh probes

mike_at_genxweb.net
Date: 09/28/04

    Date: Tue, 28 Sep 2004 07:54:08 -0400
    To: Frank Hamersley <terabite@bigpond.com>
    
    

    I would say about two months ago there was a rumor of a new ssh exploit that was
    in the wild. A few days after the rumor post I started seeing the same scans
    come to all my servers. I searched around the net and found a new scanner was
    released for ssh.

    Now as far as scanning for those user accounts I am a bit baffled, unless these
    scans are not made for linux but the windows ssh server.

    On linux the admin account could possibly lead to access on the box. Many
    hosting software like directadmin (www.directadmin.com) and a few others use
    admin as the default master account with ssh enabled. Now if you combined that
    with a lazy user you can get the admin / admin combo.

    As far as the other username and pass combos it looks like basic windows
    bruteforcing.

    That is just my two cents, take it or leave it. If anyone knows more I'd be
    interested in hearing about it too.

    Thanks
    Mike

    Quoting Frank Hamersley <terabite@bigpond.com>:

    > On examining /var/log/secure for several firewalls I manage remotely using
    > ssh I have observed a recurrent pattern of probing over the last several
    > that attempts to connect using user id's in the following order...
    >
    > test / guest / admin / admin / user / test
    >
    > We are using SSH 2 RSA key ONLY authentication ie. password based login is
    > not accepted, and none of these user profiles exist on the host so I am not
    > too concerned.
    >
    > However I am wondering if anyone has characterised the probe and/or
    > performed a risk assessment/analysis? The rate of probes is very low so I
    > don't think there is a DOS attack just yet!
    >
    > Is it worth reporting the behaviour to the net block assignees in case they
    > aren't aware their server might be compromised?
    >
    > Is anybody else seeing this?
    >
    > Regards, Frank.
    >
    >
    >
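
An added example, not part of either post: a small parser that groups sshd "Illegal user" entries from a log such as /var/log/secure by source address and marks the sources that walk the exact username sequence quoted above. The log line format, the function names and the sample lines (documentation address ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Username order reported in the thread: test / guest / admin / admin / user / test
SIGNATURE = ["test", "guest", "admin", "admin", "user", "test"]

# Assumed sshd line format: "Illegal user <name> from <addr>". Newer OpenSSH
# releases log "Invalid user" instead, so both spellings are accepted.
PROBE_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+)"
)

# Constructed sample log; hostnames, PIDs and addresses are made up.
SAMPLE_LOG = """\
Sep 27 03:12:01 fw1 sshd[4121]: Illegal user test from 192.0.2.10
Sep 27 03:12:03 fw1 sshd[4123]: Illegal user guest from 192.0.2.10
Sep 27 03:12:04 fw1 sshd[4124]: Illegal user oracle from 198.51.100.7
Sep 27 03:12:05 fw1 sshd[4125]: Illegal user admin from 192.0.2.10
Sep 27 03:12:07 fw1 sshd[4127]: Illegal user admin from 192.0.2.10
Sep 27 03:12:08 fw1 sshd[4128]: Accepted publickey for frank from 203.0.113.5 port 40022 ssh2
Sep 27 03:12:09 fw1 sshd[4129]: Illegal user user from 192.0.2.10
Sep 27 03:12:10 fw1 sshd[4130]: Illegal user admin from 198.51.100.7
Sep 27 03:12:11 fw1 sshd[4131]: Illegal user test from 192.0.2.10
"""

def probes_by_source(lines):
    """Return {source address: [usernames in the order they were tried]}."""
    seen = defaultdict(list)
    for line in lines:
        m = PROBE_RE.search(line)
        if m:
            seen[m.group("src")].append(m.group("user"))
    return dict(seen)

def contains_run(users, run):
    """True if `run` occurs as a contiguous run inside `users`."""
    n = len(run)
    return any(users[i:i + n] == run for i in range(len(users) - n + 1))

def classify(lines, signature=SIGNATURE):
    """Map each source to 'signature' (full sequence seen) or 'other'."""
    return {src: "signature" if contains_run(users, signature) else "other"
            for src, users in probes_by_source(lines).items()}

if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:15} {verdict}")
```

Grouping per source before matching matters because entries from different scanners interleave in the log, so the sequence is only contiguous within one address.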

