Re: Weird SSH attack last night and this morning (still ongoing)

[Brent Kearney <brentk () birs ca>]

I noticed the same thing starting yesterday.  On the surface it  
appears to be a distributed attack from a botnet.  Attempts are made  
at 2-3 minute intervals.  At a glance, they look like random IPs, but  
out of 436 attempts since yesterday evening, there are only 198 unique  
source IP addresses.

Has anyone checked out what data they are sending for a password?

Brent

On May 7, 2008, at 06:27 , Gary Baribault wrote:

> I don't know what is going on last night and this morning ... I have  
> three Linux servers facing the Internet, two on cable modems and  
> another on a static IP/commercial connection and this last one is a  
> gateway to a Web/FTP/SMTP/Pop3/NTP Linux based system.
>
> I have DenyHosts installed on all three and have blocked about 75  
> attempts ..  from known compromised adresses .. The log shows  
> (obviously) that there where even more attempts from adresses that  
> are unknown to DenyHosts but there was only one login attemps per  
> adress and it was with the Root account .. which is obviously  
> blocked in my sshd config ..
>
> Of the three machines, one of them only had about 10 attempts, but  
> the other two had about 200 attempts .. all of them with only 1 try  
> with the user Root ..
>
> Is any one else seing this? or am I being targeted? This is still  
> going on now .. and it started arround 10:00 last night GMT+4



--
Systems Analyst
Banff International Research Station
http://www.birs.ca
+1 403 763 6997