Re: What to do about SSH brute force attempts?
Jack T Mudge III <firstname.lastname@example.org> writes:
> I'm quite open to other interpretations, and I'd be glad to hear what
> others think of this idea, but IMO, anyone attacking a Linux machine is
> probably doing so for reasons other than running a botnet.
The brute force login attempts that we see, and the corresponding phishing
attempts and uses of phished passwords, seem to be mostly to send spam.
Usually as soon as someone compromises an account, the first thing they do
is upload some simple spam script (usually written in PHP) and start using
the local mail server to blast out spam (usually phishing spam) to as many
people as they can.

It's not exactly a botnet, but it's similar.

It used to be that they'd set up some sort of IRC bot (usually Eggdrop)
for remote control, but that's become quite a bit less popular.

A lot of the account compromises seem to be essentially a pyramid game:
break into accounts to use them to send phishing mail to get more
passwords to break into more accounts to send more phishing mail, etc.
Occasionally, they mix in traditional spam (particularly 419 or stock
pump-and-dump spam), which presumably is how they actually make money.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>
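The thread above is about spotting password-guessing against sshd and the account compromises that follow it. The script below is an added example, not code from either poster: it parses sshd auth log lines in the default OpenSSH/syslog format, counts "Failed password" events per client address in a sliding window, and separately flags a password login that succeeds right after a burst of failures from the same address (the guessed-or-phished-password case the reply describes). The function names, the threshold and window defaults, and the sample log lines (documentation-range IPs, constructed for this example) are all assumptions of the example.

```python
"""Flag SSH password brute-force sources from sshd auth log lines.

Added example (not from the mailing-list thread). It implements the same
kind of per-address failure counting that log-watching tools do, plus a
check for a success that follows a burst of failures from one address.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the default OpenSSH auth log line: syslog timestamp (no year),
# host, "sshd[pid]:", then Failed/Accepted password|publickey for USER from IP.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (hypothetical host "bastion", RFC 5737 test addresses).
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:03 bastion sshd[2102]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Mar  3 10:00:05 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 10:00:08 bastion sshd[2104]: Failed password for bob from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:11 bastion sshd[2105]: Failed password for bob from 203.0.113.5 port 51242 ssh2
Mar  3 10:00:14 bastion sshd[2106]: Accepted password for bob from 203.0.113.5 port 51244 ssh2
Mar  3 10:05:00 bastion sshd[2201]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:05:30 bastion sshd[2202]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:06:00 bastion sshd[2203]: Accepted publickey for carol from 192.0.2.9 port 2222 ssh2
Mar  3 10:06:02 bastion sshd[2203]: Disconnected from user carol 192.0.2.9 port 2222
""".splitlines()


def parse_events(lines):
    """Return sorted (timestamp, result, method, user, ip) tuples for auth lines."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # disconnects, pam chatter, etc. are not auth results
        # The syslog timestamp has no year; only differences between times matter here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak failures inside any `window`} for addresses at/above threshold."""
    failures = defaultdict(list)
    for ts, result, method, _user, ip in parse_events(lines):
        if result == "Failed" and method == "password":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        # times are sorted; two-pointer sliding window finds the densest burst
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def suspicious_logins(lines, threshold=5, window=timedelta(minutes=10)):
    """Return [(user, ip)] for password logins that succeeded within `window`
    after at least `threshold` failures from the same address."""
    events = parse_events(lines)
    hits = []
    for i, (ts, result, method, user, ip) in enumerate(events):
        if result != "Accepted" or method != "password":
            continue
        recent = sum(
            1 for (t2, r2, m2, _u, ip2) in events[:i]
            if ip2 == ip and r2 == "Failed" and m2 == "password" and ts - t2 <= window
        )
        if recent >= threshold:
            hits.append((user, ip))
    return hits


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("success after burst:", suspicious_logins(SAMPLE_LOG))
```

On the sample log, 203.0.113.5 is flagged with a peak of five failures and the later "Accepted password for bob" from that address is reported as a success-after-burst; 198.51.100.7 (one failure, then a success) and the key-based login from 192.0.2.9 are left alone. The second check is the one worth paging on: a blocked brute-force source is routine, but a success from the same address is the moment the reply describes, when a spam script is about to be uploaded.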