[nsp-sec] SSH scanners looking for "temporary"?
Havard Eidnes
he at nordu.net
Wed Sep 10 11:24:47 EDT 2008
> > I know that nobody really cares about SSH scanners, but there
> > was a strange pattern this morning that I've never seen
> > before:
>
> Actually, it now looks like just a slow, synchronized dictionary
> attack. They've moved on to "christiane" and "colette", etc. Each
> name is tried 6-8 times by different IPs, somebody must be just
> slowly feeding their botnet with new things to try. . .
That's probably a probe pattern designed to get around the protection
which log scanners such as DenyHosts can put in place -- by default it
blocks a host after a number of unsuccessful attempts, but if a single
host doesn't cross this threshold, it's not blocked...
Regards,
- Håvard
More information about the nsp-security
mailing list