SSH bruteforce on its way...
From: Volker Tanger (vtlists_at_wyae.de)
Date: 10/19/05
- Previous message: crusher_at_spamcop.net: "Re: RE: Odd Increase in Malformed Packets Aimed at Port 0"
- Next in thread: foxxz.net_at_gmail.com: "Re: SSH bruteforce on its way..."
- Maybe reply: foxxz.net_at_gmail.com: "Re: SSH bruteforce on its way..."
- Maybe reply: jouser_at_gmail.com: "Re: SSH bruteforce on its way..."
- Reply: Paul Robertson: "Re: SSH bruteforce on its way..."
- Maybe reply: Michael.Lang_at_jackal-net.at: "Re: SSH bruteforce on its way..."
- Maybe reply: Michael Lang: "Re: SSH bruteforce on its way..."
Date: Wed, 19 Oct 2005 21:47:10 +0200
To: incidents@securityfocus.com
Greetings!
In the last days I observed a rising number of SSH bruteforce attempts
against my servers, trying to find valid user names. One distinguishing
feature is a typo in the used names: "deutch" (instead of "deutsch",
which is directly following its English translation "german"). It seems
to work in 3 phases: a portscan, followed half a day later by a user
name scan, which is probably(*) followed by a password attack against
harvested user names.
From what I was told the bot installs files into /var/tmp/.bash/, among
them an IRC-Bouncer. Entry to the infected system was gained via a
successful SSH bruteforcing. (Un)fortunately I have to rely on
second-hand reports on this worm, as I only have seen SSH bruteforce
attempts increasing quite noticeably in the last few days.
My recommendations to discourage/prevent this SSH bruteforcing:
1.) Use key authentication and disable plain password logins. This
    way password bruteforcing itself is practically impossible.
2.) Running SSH on a port NOT tcp/22 - okay, that's just obfuscation,
    but false connects/scans dropped from some attacking hosts an
    hour to zero.
3.) Another possibility to prevent (or at least: seriously delay)
    bruteforcing from being done successfully is to inhibit multiple
    connects within a given timeframe. See
    http://www.debian-administration.org/articles/187
4.) And of course: monitoring! Especially for illegal user logins or
    unsuccessful passwords.
On the other side: has anyone been infected and/or had the chance to
inspect the rootkit and/or the aims the people running the botnet try
to achieve?
Thanks
Volker
(*) Well, I was myself not affected, but often saw the connects. Alas
only the first few ones before the transgressors were shut out for
a few hours (see recommendation 3)... ;-)
--
Volker Tanger
http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@wyae.de
PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
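The monitoring recommended in point 4 of the post above, as an added example that is not part of the original message: a Python script that parses constructed sshd auth.log lines (source addresses taken from the TEST-NET documentation ranges, "deutch" mirroring the typo the post mentions) and flags any source that accumulates repeated invalid-user or failed-password entries within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the post); TEST-NET addresses, hypothetical host "srv".
SAMPLE_LOG = """\
Oct 19 21:40:01 srv sshd[4311]: Invalid user german from 192.0.2.10
Oct 19 21:40:02 srv sshd[4311]: Failed password for invalid user german from 192.0.2.10 port 40112 ssh2
Oct 19 21:40:03 srv sshd[4313]: Invalid user deutch from 192.0.2.10
Oct 19 21:40:04 srv sshd[4313]: Failed password for invalid user deutch from 192.0.2.10 port 40113 ssh2
Oct 19 21:40:05 srv sshd[4315]: Invalid user test from 192.0.2.10
Oct 19 21:40:06 srv sshd[4315]: Failed password for invalid user test from 192.0.2.10 port 40114 ssh2
Oct 19 21:45:10 srv sshd[4320]: Failed password for volker from 198.51.100.7 port 51000 ssh2
Oct 19 21:45:20 srv sshd[4321]: Accepted publickey for volker from 198.51.100.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<inv>\S+) from (?P<ip1>[\d.]+)"
    r"|Failed password for (?:invalid user )?(?P<usr>\S+) from (?P<ip2>[\d.]+) port \d+)"
)

def parse_events(text, year=2005):
    """Return (timestamp, kind, user, ip) tuples for invalid-user and failed-password lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if m.group("inv"):
            events.append((ts, "invalid_user", m.group("inv"), m.group("ip1")))
        else:
            events.append((ts, "failed_password", m.group("usr"), m.group("ip2")))
    return events

def flag_bruteforce(events, threshold=3, window_s=60):
    """Return {ip: sorted user names tried} for sources with >= threshold failures inside window_s."""
    by_ip = defaultdict(list)
    for ts, _kind, user, ip in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        # sliding window over consecutive failures from the same source
        for i in range(len(hits) - threshold + 1):
            if (hits[i + threshold - 1][0] - hits[i][0]).total_seconds() <= window_s:
                flagged[ip] = sorted({u for _, u in hits})
                break
    return flagged
```

The single failed password from 198.51.100.7 stays below the threshold, so only the user-name scan from 192.0.2.10 is reported, together with the names it tried.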