On Thursday 02 March 2006 18:08, Alexandre H wrote:
> Hi,
>
> I've witnessed what I think is an increase in SSH scans over the
> Internet in the past four or five weeks. The scan seems to originate
> from various countries around the globe, which makes me think it is
> a worm-like spreading virus searching for vulnerable systems running the
> SSH service. I confirmed the attack with a friend of mine who also
> happens to run an SSH server at home. We both live in Montreal, QC,
> Canada and are using the same ISP.

We see such dictionary scans once or twice a week in any given network that
we monitor. We have not noticed an _increase_, however.
A combination of tight sshd_config settings, pam_tally, and connection rate
throttling on the firewall is a useful mitigation.
We were recently asked to investigate a server which was successfully
compromised by such a scan. The scan originated in 4 countries
(2 of these _might_ be a coincidence), and the tool does not stop when
it succeeds; instead it seems to log the results on the attacking machine,
which is then post-processed. The intruder quickly set up a backdoored
sshd, an ssh scanner (presumably the same one that they were using),
and proceeded to set up a phishing email generator.
Skip
--
Dr. Everett (Skip) Carter          Phone: 831-641-0645  FAX: 831-641-0647
Taygeta Network Security Services  email: skip@...
1340 Munras Ave., Suite 314        WWW: http://www.taygeta.net/
Monterey, CA. 93940
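The reply above names three mitigations (tight sshd_config settings, pam_tally, and connection-rate throttling on the firewall) without showing them. The script below is an added example, not code from either poster: a POSIX sh audit that reports whether an sshd_config has the settings that blunt dictionary scans, plus the iptables and pam_tally lines that implement the other two controls. It assumes OpenSSH keyword names and first-match semantics, iptables with the "recent" match, and Linux-PAM's pam_tally.so; the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit sshd_config for the
# settings that limit password guessing, and print the companion firewall
# and PAM lines. Assumptions: OpenSSH keywords, iptables "recent" match,
# Linux-PAM pam_tally.so. Sample configs below are constructed.

# Print the effective value of KEY in FILE. sshd honours the FIRST
# occurrence of a keyword, so stop at the first match; "unset" if absent.
sshd_effective_value() {
    file="$1"; key="$2"
    awk -v k="$key" '
        $1 ~ /^#/ { next }                       # skip comment lines
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$file"
}

# One report line per setting: "KEY VALUE OK|WEAK".
# A missing keyword is reported as WEAK: relying on defaults is not "tight".
audit_sshd_config() {
    file="$1"
    v=$(sshd_effective_value "$file" PermitRootLogin)
    if [ "$v" = no ]; then s=OK; else s=WEAK; fi
    echo "PermitRootLogin $v $s"

    v=$(sshd_effective_value "$file" PasswordAuthentication)
    if [ "$v" = no ]; then s=OK; else s=WEAK; fi
    echo "PasswordAuthentication $v $s"

    v=$(sshd_effective_value "$file" MaxAuthTries)
    case "$v" in
        [1-3]) s=OK ;;          # few tries per connection starves a guesser
        *)     s=WEAK ;;        # default (6) or unset
    esac
    echo "MaxAuthTries $v $s"
}

# Number of WEAK lines in the audit of FILE (always exits 0).
weak_count() {
    audit_sshd_config "$1" | awk '/WEAK$/ { n++ } END { print n + 0 }'
}

# Firewall side: drop a source that opens more than 3 new SSH connections
# within 60 seconds. Printed, not applied, so it can be reviewed first.
ssh_rate_limit_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
EOF
}

# PAM side, for /etc/pam.d/sshd: lock an account for 15 minutes after
# 5 failed password attempts (counts only PAM-mediated logins).
pam_tally_lines() {
    cat <<'EOF'
auth     required pam_tally.so onerr=fail deny=5 unlock_time=900
account  required pam_tally.so
EOF
}

# Constructed sample: a stock-looking config with weak settings.
sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
# PasswordAuthentication no   <- commented out, so NOT in effect
MaxAuthTries 6
EOF
    echo "$f"
}

# Constructed sample: the same config after tightening.
hardened_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
    echo "$f"
}

# Usage: sh audit.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
    echo "weak settings: $(weak_count "$1")"
fi
```

Run it against a real `/etc/ssh/sshd_config` to get the three report lines; the constructed sample scores 3 WEAK (root login allowed, password authentication only commented out, default MaxAuthTries) and the hardened one scores 0. The firewall rules and pam_tally lines are printed rather than applied so they can be checked against the local policy before use.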