Thread: Distributed SSH scanning

  1. #1
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217

    Distributed SSH scanning

    http://isc.sans.org/diary.html?storyid=3529
    FYI, you may want to pay a little more attention to your Firewall/IDS logs...

    E
    dd if=/dev/urandom of=/mybrain

  2. #2
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    I've seen a lot of this on the web servers that I manage.... is the Chinaman from what my logs tell me ..... hence China is about 75% banned on my servers
    dd if=/dev/swc666 of=/dev/wyze

  3. #3
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    I had an SSH server opened to the outside, but nowhere else on the inside of my network for a little while. Within minutes of it being put on the outside, I'd see brute force attacks against it.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  4. #4
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Thanks for the heads up.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  5. #5
    Junior Member
    Join Date
    Jan 2010
    Posts
    66

    Good to know. I'm in the process now of setting up ssh on my wrt54gs, looks like I'll be adding srelay to move port 22 to port 1080. That should fix that.

  6. #6
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217

    Quote Originally Posted by streaker69
    I had an SSH server opened to the outside, but nowhere else on the inside of my network for a little while. Within minutes of it being put on the outside, I'd see brute force attacks against it.
    Yea, they have been doing this for years, but apparently there is a real interest in it now, to the point that it is distributed.

    Quote Originally Posted by thorin
    Thanks for the heads up.
    Quote Originally Posted by beakmyn
    Good to know. I'm in the process now of setting up ssh on my wrt54gs, looks like I'll be adding srelay to move port 22 to port 1080. That should fix that.
    You're welcome

    If the mods don't mind a little plug (delete this if you do): you can help SANS track this by sending your firewall/IDS logs to DShield (www.DShield.org), they need logs, home users especially...
    dd if=/dev/urandom of=/mybrain
