On Thursday 02 March 2006 18:08, Alexandre H wrote:
> Hi,
>
> I've witnessed what I think is an increase in SSH scans over the
> Internet in the past four or five weeks. The scan seems to originate
> from various countries around the globe, which makes me think it is
> a worm-like spreading virus searching for vulnerable systems running the
> SSH service. I confirmed the attack with a friend of mine who also
> happens to run an SSH server at home. We both live in Montreal, QC,
> Canada and are using the same ISP.
We see such dictionary scans once or twice a week in any given network that we monitor. We have not noticed an _increase_, however. A combination of tight sshd_config settings, pam_tally, and connection rate throttling on the firewall is a useful mitigation method.

We were recently asked to investigate a server which was successfully compromised by such a scan. The scan originated in 4 countries (2 of these _might_ be a coincidence), and the tool does not stop when it succeeds; instead it seems to log the results on the attacking machine, which is then post-processed. The intruder quickly set up a backdoored sshd, an ssh scanner (presumably the same one that they were using), and proceeded to set up a phishing email generator.

Skip

--
Dr. Everett (Skip) Carter           Phone: 831-641-0645
Taygeta Network Security Services   FAX:   831-641-0647
1340 Munras Ave., Suite 314         email: [EMAIL PROTECTED]
Monterey, CA. 93940                 WWW:   http://www.taygeta.net/
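The two traits Skip describes, a dictionary scan that walks through many usernames and a tool that keeps guessing even after a login succeeds, are both visible in sshd's own auth log. The following is an added example, not code from the thread or from Taygeta: it parses a handful of constructed syslog-style sshd lines (the source addresses are documentation ranges, the thresholds are assumptions) and labels each source as a benign user, a scan, or a scan that was followed by an accepted login and therefore warrants the kind of investigation described above.

```python
"""Flag SSH dictionary scans in OpenSSH auth-log lines.

Added example, not part of the original mailing-list thread. The log lines
below are constructed to resemble syslog-style sshd output; the thresholds
and the source addresses (RFC 5737 documentation ranges) are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample auth.log lines (not real traffic).
SAMPLE_LOG = """\
Mar  2 18:10:01 gw sshd[2101]: Failed password for invalid user test from 198.51.100.7 port 40122 ssh2
Mar  2 18:10:02 gw sshd[2103]: Failed password for invalid user guest from 198.51.100.7 port 40123 ssh2
Mar  2 18:10:03 gw sshd[2105]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
Mar  2 18:10:04 gw sshd[2107]: Failed password for root from 198.51.100.7 port 40125 ssh2
Mar  2 18:10:05 gw sshd[2109]: Failed password for invalid user oracle from 198.51.100.7 port 40126 ssh2
Mar  2 18:10:06 gw sshd[2111]: Accepted password for oracle from 198.51.100.7 port 40127 ssh2
Mar  2 18:10:07 gw sshd[2113]: Failed password for invalid user oracle from 198.51.100.7 port 40128 ssh2
Mar  2 18:11:00 gw sshd[2120]: Failed password for alice from 192.0.2.9 port 51000 ssh2
Mar  2 18:11:05 gw sshd[2122]: Accepted publickey for alice from 192.0.2.9 port 51001 ssh2
Mar  2 18:12:00 gw sshd[2130]: Failed password for invalid user test from 203.0.113.4 port 33000 ssh2
Mar  2 18:12:01 gw sshd[2131]: Failed password for invalid user guest from 203.0.113.4 port 33001 ssh2
Mar  2 18:12:02 gw sshd[2132]: Failed password for invalid user admin from 203.0.113.4 port 33002 ssh2
"""

# One pattern covers both outcomes; "invalid user" marks names sshd does not know.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_events(text):
    """Yield (src, outcome, user, is_invalid_user) tuples in log order."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("outcome"), m.group("user"), bool(m.group("invalid"))


def summarize(text):
    """Per-source counters that separate a dictionary scan from a user's typo."""
    stats = defaultdict(lambda: {
        "failed": 0, "accepted": 0, "users": set(), "invalid_users": 0,
        "accepted_after_failures": False,   # a guess eventually worked
        "failed_after_accept": False,       # tool kept going after success
    })
    for src, outcome, user, invalid in parse_events(text):
        s = stats[src]
        if outcome == "Failed":
            s["failed"] += 1
            s["users"].add(user)
            if invalid:
                s["invalid_users"] += 1
            if s["accepted"]:
                s["failed_after_accept"] = True
        else:
            s["accepted"] += 1
            if s["failed"]:
                s["accepted_after_failures"] = True
    return stats


def classify(stats, threshold=5, min_users=3):
    """Label each source. Many failures or many distinct names is a scan;
    a scan that later produced an 'Accepted' line is an account to treat as
    compromised until proven otherwise. Thresholds are assumed values."""
    verdicts = {}
    for src, s in stats.items():
        scan = s["failed"] >= threshold or len(s["users"]) >= min_users
        if scan and s["accepted_after_failures"]:
            verdicts[src] = "scan-then-login"
        elif scan:
            verdicts[src] = "scan"
        else:
            verdicts[src] = "benign"
    return verdicts


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, verdict in classify(stats).items():
        s = stats[src]
        print(f"{src:15} {verdict:16} failed={s['failed']} users={len(s['users'])} "
              f"kept_guessing_after_success={s['failed_after_accept']}")
```

On the sample, 198.51.100.7 is labelled `scan-then-login` because it tried five names, got an `Accepted` for `oracle`, and then kept guessing, which is exactly the behaviour the reply attributes to the scanner; alice's single typo at 192.0.2.9 stays `benign`. Run it against a real `/var/log/auth.log` by replacing `SAMPLE_LOG` with the file contents; the sshd_config tightening, pam_tally lockouts and firewall rate limiting mentioned above reduce how far a scan gets before this kind of check fires.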
