Re: SSH attacks?

From: George Georgalis (george_at_galis.org)
Date: 07/30/04

  • Next message: Jyri Hovila: "Re: SSH attacks?"
    Date: Fri, 30 Jul 2004 14:37:09 -0400
    To: incidents@securityfocus.com
    
    

    On Tue, Jul 27, 2004 at 01:15:30PM -0500, Paul Schmehl wrote:
    >--On Tuesday, July 27, 2004 10:59:07 AM +1200 Robin <robin@kallisti.net.nz>
    >wrote:
    >>
    >>While looking through the logs after someone ran over my system with
    >>Nessus, I noticed some odd ones from sshd (that don't seem to be related
    >>to the nessus scan):
    >>Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow
    >>information for NOUSER
    >>
    >>Does anyone know why this would appear all of a sudden?
    >
    >Yes. These are compromised hosts that are being used to probe for
    >vulnerable versions of sshd. The login is irrelevant. The banner tells
    >them what they need to know.

    Sounds like a reasonable assertion, but dshield reports a _very_ small
    number of sources doing the scanning. If it is a worm, it would appear
    to be funneling through hosts that won't be under some AUP. (It might be
    a worm if compromised hosts are controlling the scanners, and getting a
    db of nearby compromised machines...)

    http://www.dshield.org/port_report.php?port=22&recax=1&tarax=2&srcax=2&percent=N&days=70&Redraw=

    I'm curious what's happening to honey pots?

    A look at the 10 day graph shows slight rise (from near zero) and fall
    in the number of sources, hardly detectable but indicating someone is at
    the controls, maybe.

    Unfortunately, the people not updating their sshd are also probably not
    reading the incidents list. If infected hosts aren't doing the scanning
    they won't be easy to identify, unless they participate in a DDoS.

    Which makes me wonder, is there any kind of contingency plan, anywhere,
    to coordinate quick removal (i.e. null route, confiscate hardware) of hosts
    that participate in DDoS or other destructive activities?

    // George

    -- 
    George Georgalis, Architect and administrator, Linux services. IXOYE
    http://galis.org/george/  cell:646-331-2027  mailto:george@galis.org
    Key fingerprint = 5415 2738 61CF 6AE1 E9A7  9EF0 0186 503B 9831 1631
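As an added example that is not part of this thread: the sshd message Robin quoted carries no source address, so the one thing a local log watcher can do with it is look for bursts. The script below groups "Could not get shadow information for NOUSER" errors that arrive close together, which is what a scanner walking usernames looks like, and ignores a lone stray one. The sample log lines are constructed for the example (timestamps and pids are made up); the hostname and message text are the ones from Robin's post.

```python
import re
from datetime import datetime, timedelta

# Syslog line as quoted in the thread: timestamp, host, sshd[pid], message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
NOUSER_MSG = "error: Could not get shadow information for NOUSER"

# Constructed sample log (not real data): one normal login, a run of four
# NOUSER errors within six seconds, then a single isolated one hours later.
SAMPLE_LOG = """\
Jul 27 01:02:10 kallisti sshd[16001]: Accepted password for robin from 10.0.0.5 port 40012 ssh2
Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow information for NOUSER
Jul 27 03:12:26 kallisti sshd[16473]: error: Could not get shadow information for NOUSER
Jul 27 03:12:28 kallisti sshd[16475]: error: Could not get shadow information for NOUSER
Jul 27 03:12:31 kallisti sshd[16477]: error: Could not get shadow information for NOUSER
Jul 27 09:40:02 kallisti sshd[17102]: error: Could not get shadow information for NOUSER
""".splitlines()


def parse_nouser_events(lines, year=2004):
    """Return the timestamps of every sshd NOUSER shadow error, in log order.
    Classic syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("msg") != NOUSER_MSG:
            continue
        events.append(datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"))
    return events


def find_bursts(events, max_gap=timedelta(minutes=5), min_events=3):
    """Cluster events whose gaps are at most max_gap; return (first, last, count)
    for clusters of at least min_events. A single NOUSER error (someone mistyping
    a login) is ignored; a run of them is worth a look at the source addresses."""
    bursts, cluster = [], []
    for ts in sorted(events):
        if cluster and ts - cluster[-1] > max_gap:
            if len(cluster) >= min_events:
                bursts.append((cluster[0], cluster[-1], len(cluster)))
            cluster = []
        cluster.append(ts)
    if len(cluster) >= min_events:
        bursts.append((cluster[0], cluster[-1], len(cluster)))
    return bursts


if __name__ == "__main__":
    for first, last, n in find_bursts(parse_nouser_events(SAMPLE_LOG)):
        print(f"{n} NOUSER errors between {first:%b %d %H:%M:%S} and {last:%H:%M:%S}")
```

Pair the burst with the "Illegal user ... from" lines sshd logs alongside it to recover the source addresses, and compare those against the DShield per-source counts George mentions.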
    

