Re: Internet SSH scans
- From: Skip Carter <skip@xxxxxxxxxxx>
- Date: Fri, 3 Mar 2006 07:06:02 -0800
On Thursday 02 March 2006 18:08, Alexandre H wrote:
> Hi,
>
> I've witnessed what I think is an increase in SSH scans over the
> Internet in the past four or five weeks. The scan seems to originate
> from various countries around the globe which makes me think of it to be
> a worm-like spreading virus searching for vulnerable systems running the
> SSH service. I confirmed the attack with a friend of mine who also
> happens to run a SSH server at home. We both live in Montreal, QC,
> Canada and are using the same ISP.

We see such dictionary scans once or twice a week in any given network that
we monitor. We have not noticed an _increase_ however.

A combination of tight sshd_config settings, pam_tally, and connection rate
throttling on the firewall are useful mitigation methods.

We were recently asked to investigate a server which was successfully
compromised by such a scan. The scan originated in 4 countries
(2 of these _might_ be a coincidence), and the tool does not stop when
it succeeds, instead it seems to log the results on the attacking machine
which is then post-processed. The intruder quickly set up a backdoored
sshd, an ssh scanner (presumably the same one that they were using),
and proceeded to set up a phishing email generator.

Skip
--
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Network Security Services email: skip@xxxxxxxxxxx
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.net/
Monterey, CA. 93940
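
Added example, not part of the original message or any tool it mentions: a small log check for the case described above, where a dictionary scan keeps running after a guess succeeds, so the event to alert on is an accepted password from a source that was just failing repeatedly. The log lines are constructed in OpenSSH syslog format; the function name, threshold, window and year parameter are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format (documentation addresses, not real data).
SAMPLE_LOG = """\
Mar  2 18:08:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  2 18:08:03 gw sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Mar  2 18:08:05 gw sshd[2105]: Failed password for root from 203.0.113.7 port 40131 ssh2
Mar  2 18:08:07 gw sshd[2107]: Failed password for invalid user guest from 203.0.113.7 port 40140 ssh2
Mar  2 18:08:09 gw sshd[2109]: Accepted password for backup from 203.0.113.7 port 40152 ssh2
Mar  2 18:08:11 gw sshd[2111]: Failed password for invalid user oracle from 203.0.113.7 port 40160 ssh2
Mar  2 18:30:00 gw sshd[2200]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Mar  2 18:30:20 gw sshd[2201]: Accepted password for alice from 198.51.100.4 port 51004 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")

def analyze(log_text, year=2006, threshold=4, window=timedelta(seconds=60)):
    """Return (scanners, compromised): IPs with >= threshold failures inside
    `window`, and (ip, user) logins accepted from an IP already flagged."""
    failures = defaultdict(list)   # ip -> timestamps of failures still in the window
    scanners, compromised = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, result, user, ip = m.groups()
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if result == "Failed":
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                scanners.add(ip)
        elif ip in scanners:
            # A guess worked: treat the account as compromised, not just scanned.
            compromised.append((ip, user))
    return scanners, compromised

if __name__ == "__main__":
    scanners, compromised = analyze(SAMPLE_LOG)
    print("dictionary-scan sources:", sorted(scanners))
    print("logins accepted from a scanning source:", compromised)
```

The single mistyped password followed by a login from 198.51.100.4 stays below the threshold and is not reported.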