[nsp-sec] DFN-CERT#42614 - Distributed SSH Probes

Tim Wilde twilde at cymru.com
Mon Apr 13 09:35:12 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Klaus Moeller wrote:
> ----------- nsp-security Confidential --------
> 
> Hi all,
> 
> For the last 3 days, several hosts in our constituency are under a 
> distributed account probe against their SSH servers. 
> 
> Since most of the hosts probing the SSH servers will likely be 
> compromised by weak account passwords too, I'm posting the list 
> below. All timestamps are UTC+2:00.
> 
> Hints for the C&C as well as the tool used for the account probe 
> will be greatly appreciated.

Klaus and Team,

Thanks everyone for the insights and lists of IPs!  Just a quick
reminder, SSH bruteforce is one of the easiest categories of the Daily
Reports project that you can contribute data to.  If you have your SSH
logs available to pull this information out of, you can submit it by
following the instructions here:

	https://www.cymru.com/nsp-sec/dailyreports/bruteforce.html

There's even a link to a script by our very own John Kristoff that will
automatically parse a number of common authentication log file formats
and output data suitable for submission.  Data submitted here will get
distributed to all Daily Reports / ASN Alert subscribers on NSP-SEC,
automagically.  If you have any questions or want to verify that your
newly submitted data is getting through, please don't hesitate to ask.
Thanks!

Regards,
Tim

- --
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ4z+QluRbRini9tgRAjaQAJ9F4wZr6ZJMeXEHYYLCAJA4oCVoTgCfZ5/8
YPDQmJ92ueIQE1+FHa9BFOY=
=VGSe
-----END PGP SIGNATURE-----


