Re: Illegal user ssh probes
Date: Tue, 28 Sep 2004 07:54:08 -0400 To: Frank Hamersley <firstname.lastname@example.org>
I would say about two months ago there was a rumor of a new ssh xpl;oit that was
in the wild. A few days after the rumor post I started seeing the same scans
come to all my servers. I searched around the net and found a new scanner was
released for ssh.
Now as far as scanning for those user accounts I am a bit baffled, unless these
scans are not made for linux but the windows ssh server.
On linux the admin account could possibly lead to access on the box. Many
hosting software like directadmin (www.directadmin.com) and a few others use
admin as the default master account with ssh enabled. Now if you combined that
with a lazy user you can get the admin / admin combo.
As far as the other usernmae and pass combos it looks like basic windows
That is just my two cents take it or leave. If any one knows more I be
interested in hearing about it too.
Quoting Frank Hamersley <email@example.com>:
> On examining /var/log/secure for several firewalls I manage remotely using
> ssh I have observed a recurrent pattern of probing over the last several
> that attempts to connect using user id's in the following order...
> test / guest / admin / admin / user / test
> We are using SSH 2 RSA key ONLY authentication ie. password based login is
> not accepted, and none of these user profiles exist on the host so I am not
> too concerned.
> However I am wondering if anyone has characterised the probe and/or
> performed a risk assessment/analysis? The rate of probes is very low so I
> don't think there is a DOS attack just yet!
> Is it worth reporting the behaviour to the net block assignees in case they
> aren't aware their server might be compromised?
> Is anybody else seeing this?
> Regards, Frank.