Security Incidents mailing list archives
SSH bruteforce on its way...
From: Volker Tanger <vtlists () wyae de>
Date: Wed, 19 Oct 2005 21:47:10 +0200
Greetings!

In the last days I observed a rising number of SSH bruteforce attempts against my servers, trying to find valid user names. One distinguishing feature is a typo in the used names: "deutch" (instead of "deutsch", which is directly following its English translation "german"). It seems to work in 3 phases: a portscan, followed half a day later by a user name scan, which is probably(*) followed by a password attack against harvested user names.

From what I was told the bot installs files into /var/tmp/.bash/, among them an IRC-Bouncer. Entry to the infected system was gained via a successful SSH bruteforcing. (Un)fortunately I have to rely on second-hand reports on this worm, as I only have seen SSH bruteforce attempts increasing quite noticeably in the last few days.

My recommendations to discourage/prevent this SSH bruteforcing:

1.) Use key authentication and disable plain password logins. This way password bruteforcing itself is practically impossible.

2.) Running SSH on a port NOT tcp/22 - okay, that's just obfuscation, but false connects/scans dropped from some attacking hosts an hour to zero.

3.) Another possibility to prevent (or at least: seriously delay) bruteforcing from being done successfully is to inhibit multiple connects within a given timeframe. See http://www.debian-administration.org/articles/187

4.) And of course: monitoring! Especially for illegal user logins or unsuccessful passwords.

On the other side: has anyone been infected and/or had the chance to inspect the rootkit and/or the aims the people running the botnet try to achieve?

Thanks

Volker

(*) Well, I was myself not affected, but often saw the connects. Alas only the first few ones before the transgressors were shut out for a few hours (see recommendation 3)... ;-)

--
Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de
PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
Current thread:
- SSH bruteforce on its way... Volker Tanger (Oct 19)
- Re: SSH bruteforce on its way... Paul Robertson (Oct 24)
- Re: [incidents] Re: SSH bruteforce on its way... Tim Kennedy (Oct 24)
- <Possible follow-ups>
- Re: SSH bruteforce on its way... foxxz . net (Oct 24)
- Re: SSH bruteforce on its way... jouser (Oct 24)
- Re: SSH bruteforce on its way... Justin (Oct 24)
- Re: SSH bruteforce on its way... Russell Fulton (Oct 25)
- Re: SSH bruteforce on its way... Valdis . Kletnieks (Oct 26)
- Re: SSH bruteforce on its way... Kurt Seifried (Oct 26)
- Re: SSH bruteforce on its way... Justin (Oct 26)
- Re: SSH bruteforce on its way... Daniel Cid (Oct 26)
- Re: SSH bruteforce on its way... Justin (Oct 24)
- Re: SSH bruteforce on its way... Paul Robertson (Oct 24)