MORE SSH Hacking: heads-up

Brian Fahrlander brian at fahrlander.net
Sat Jul 31 06:08:06 UTC 2004


On Fri, 2004-07-30 at 04:45, Brian Fahrlander wrote:
>     From last night's LogWatch:
> --------------------------------------------------------------------------
> 
> sshd:
>    Invalid Users:
>       Unknown Account: 7 Time(s) (You know the message; snipped)

    I have a friend in Indy who recognizes the logins as being part of
Cisco's "Catalyst" series routers. For some reason I've lived through
all of the dot-bomb era without ever needing to use their routers, so
I'm taking his word for it.

    The plan seems to be to look for machines where the ssh port
responds to their enquiries, and I suppose compromise them somehow.

    I've been at work all night, so I'll just post the various replies
from the previous message here:

    Port 22: I use SSH on port 22 for the same reason we use FTP on 21,
SMTP on 25, DNS on 53, and Apache on 80; anarchy isn't the answer.
Hardening the services is.  Besides, if they really want an opening
they'll just do a long, slow port scan and see how it responds.  Moving
SSH elsewhere just slows them down.  I'm not _worried_ that there's a
hole in SSH, just concerned that I'm ready when they start pounding SSH
with (well, how many Windows boxes are there?) against my ports.

    Addresses:  I'm not so sure that the addresses make that much
difference; they _could_ be testing with addresses they bought, but it's
more likely a worm that checks every subnet. They've visited here a LOT
more than necessary for a beta/alpha test, and it looks more like
something that checks all the addresses it can find, ya know?  I'll
record the addresses, but I doubt their owners know anything about it.

    Government/Corporate involvement: I have one machine on a known
domain name (or two or three); the other machine is just another cable
modem system with a long, ugly address.  Nah, this just looks like a
worm or something; governments and corporations are usually inclined to
use a sniperscope, not a shotgun.

    As to the Romanians reporting this on an archived mailing list,
they're seeing the same thing we are, so it's a shotgun.
    
-- 
------------------------------------------------------------------------
Brian Fahrländer                  Christian, Conservative, and Technomad
Evansville, IN                                 http://www.fahrlander.net
ICQ 5119262
AIM: WheelDweller
------------------------------------------------------------------------
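As an added example (not code from the post, and not LogWatch's own parser), the following Python script reads sshd log lines of the kind that produce the "Invalid Users" section quoted above, counts "Invalid user" connections per source address, flags sources that walked through several nonexistent accounts, and spots the fingerprint of a shotgun-style scanner: different addresses trying the same account names in the same order. The log lines, usernames and addresses are constructed for the example (RFC 5737 documentation ranges); the usernames are not the ones snipped from the post's report.

```python
"""Summarize sshd "Invalid user" connections per source address.

Added example, not code from the original post or from LogWatch.  The log
lines below are constructed in the syslog format OpenSSH used at the time;
usernames and addresses are made up (RFC 5737 ranges), not the ones the
post snipped from its LogWatch report.
"""
import re
from collections import defaultdict

# OpenSSH logs "Invalid user NAME from ADDR" once per connection that names
# an account that does not exist.  The later "Failed password for invalid
# user ..." line is per password attempt and is deliberately NOT matched
# here, so one connection is counted once.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = """\
Jul 30 04:41:02 box sshd[2101]: Invalid user test from 192.0.2.10
Jul 30 04:41:02 box sshd[2101]: Failed password for invalid user test from 192.0.2.10 port 3401 ssh2
Jul 30 04:41:05 box sshd[2103]: Invalid user guest from 192.0.2.10
Jul 30 04:41:05 box sshd[2103]: Failed password for invalid user guest from 192.0.2.10 port 3402 ssh2
Jul 30 04:41:09 box sshd[2105]: Invalid user admin from 192.0.2.10
Jul 30 04:41:09 box sshd[2105]: Failed password for invalid user admin from 192.0.2.10 port 3403 ssh2
Jul 30 04:45:30 box sshd[2140]: Invalid user test from 198.51.100.7
Jul 30 04:45:30 box sshd[2140]: Failed password for invalid user test from 198.51.100.7 port 1025 ssh2
Jul 30 04:45:33 box sshd[2142]: Invalid user guest from 198.51.100.7
Jul 30 04:45:33 box sshd[2142]: Failed password for invalid user guest from 198.51.100.7 port 1026 ssh2
Jul 30 04:45:37 box sshd[2144]: Invalid user admin from 198.51.100.7
Jul 30 04:45:37 box sshd[2144]: Failed password for invalid user admin from 198.51.100.7 port 1027 ssh2
Jul 30 05:02:11 box sshd[2203]: Accepted publickey for brian from 203.0.113.5 port 51022 ssh2
Jul 30 05:10:44 box sshd[2250]: Invalid user briam from 203.0.113.5
Jul 30 05:10:44 box sshd[2250]: Failed password for invalid user briam from 203.0.113.5 port 51030 ssh2
"""


def parse_invalid_users(log_text):
    """Yield (user, src) for every connection that named a nonexistent account."""
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            yield m.group("user"), m.group("src")


def summarize(log_text):
    """Return {src: {"attempts": count, "users": [names in first-seen order]}}."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": []})
    for user, src in parse_invalid_users(log_text):
        entry = per_src[src]
        entry["attempts"] += 1
        if user not in entry["users"]:
            entry["users"].append(user)
    return dict(per_src)


def likely_scanners(summary, min_attempts=3):
    """Sources that probed several nonexistent accounts.

    A single bad name from an address that otherwise logs in (a typo) stays
    below the threshold and is not reported."""
    return sorted(src for src, e in summary.items() if e["attempts"] >= min_attempts)


def shared_wordlist(summary, min_attempts=3):
    """Account-name sequences tried in the same order by more than one source.

    Several addresses walking the same list in the same order is the
    fingerprint of one automated tool fired from many hosts rather than a
    hand-targeted probe."""
    seq_to_srcs = defaultdict(list)
    for src, e in summary.items():
        if e["attempts"] >= min_attempts:
            seq_to_srcs[tuple(e["users"])].append(src)
    return {seq: sorted(srcs) for seq, srcs in seq_to_srcs.items() if len(srcs) > 1}


def logwatch_style_report(summary):
    """Render a short report in the spirit of the LogWatch excerpt, with the
    per-source detail that the summary line alone hides."""
    total = sum(e["attempts"] for e in summary.values())
    lines = ["sshd:", "   Invalid Users:", f"      Unknown Account: {total} Time(s)"]
    for src in sorted(summary):
        e = summary[src]
        lines.append(f"         {src}: {e['attempts']} Time(s) ({', '.join(e['users'])})")
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(logwatch_style_report(s))
    print("likely scanners:", likely_scanners(s))
    print("shared wordlists:", shared_wordlist(s))
```

Run against a real file with `summarize(open("/var/log/secure").read())` (the file name depends on the distribution). The threshold in `likely_scanners` is a knob: three distinct nonexistent accounts from one address in a short window is already far more than a legitimate user mistyping a login produces.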