ssh scanning on the rise
I'm seeing about four times as many attempts at ssh entry & scanning in logs on various, mostly-unrelated servers. I wonder if there's some vulnerability that has not been reported yet?
Something is definitely going on... are others seeing this too?
Edit: found it.
Comments
Yeah, it's been going on for several weeks now. I have three servers with close-but-not-contiguous IP numbers, and usually all three get scanned by the same IP on the same day.
If I have time, I report the IP to the netblock owner; a few have responded that they found the zombie machine and took it off line. But they seem to be multiplying.
Posted by: pjm | September 11, 2004 04:47 PM
There is a big thread on DSLR about it too... a lot of people have been cracked, it seems.
Posted by: david | September 11, 2004 08:11 PM
There's been a rash of brute force attempts the last few weeks; there is a comment at http://isc.sans.org//index.php if you would like to read more...
Posted by: packet-strangler | September 11, 2004 09:16 PM
Am I the only one amused by the utter braindeadedness of that brute-force program? I'm seriously tempted to contact the so-called programmer who wrote it and show him how to scan /usr/share/dict/words, or maybe even attach a file descriptor to stdio of a dictionary-based password generator, just because the code is that offensively stupid.
Posted by: fluffy | September 12, 2004 07:58 PM