On Fri, 2005-01-28 at 09:46 +0000, michael wrote:
> I notice that frequently many machines around here get attacked by a
> potential hacker (a prog I guess) trying lots of usernames to get in to
> all the machines, using the same set of usernames at the same time. Have
> people seen this on their machines? I'm guessing it's a virus/worm on a
> Windows box doing this but does anybody know more?
>
> I've followed & done most of the suggestions listed in chpts 4 & 5 of
> "Securing Debian" HowTo/Manual although I will admit to not following
> and therefore not having got around to firewalling. Other suggestions
> most welcome.

I saw it the day this got posted.

http://isc.sans.org/diary.php?date=2004-07-23&isc=3108d1d0b49c343d27856adb8f061fa7

I can tell you this, many of the machines are not Windows Hosts. I believe they are "rooted" *NIX machines, as I have seen multiple attempts from the same hosts. I have seen one machine doing one scan with a different name being used, once a week.

I believe this is the good ol' traditional Brute Force using a newly written Binary. Originally it started with the two users "test" and "guest", but lotsa variants have popped up since then. Recently I had one machine do over 2000 iterations.

I just laugh, the machine they are trying, well, only allows SSH from certain Hosts; all but one is behind the firewall with the machine using NAT. The one lone machine updates my DNS for the IP addr it is... sorta like a DYNDNS client.

But enough, I'll tell you, the passwords they are trying are lame too.

--
greg, greg@gregfolkert.net

The technology that is
Stronger, better, faster: Linux
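
The pattern discussed in this thread (one source trying the same usernames, such as "test" and "guest", against several machines) can be spotted by correlating sshd failures across hosts. The following is an added example, not part of the original post: the log lines are constructed, their format assumes OpenSSH logging to syslog (the wording differs between OpenSSH versions), and the function names and thresholds are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog style. Hostnames and addresses
# (RFC 5737 documentation ranges) are made up for illustration.
SAMPLE_LOG = """\
Jan 28 09:40:01 alpha sshd[2101]: Failed password for invalid user test from 192.0.2.10 port 40112 ssh2
Jan 28 09:40:03 alpha sshd[2103]: Failed password for invalid user guest from 192.0.2.10 port 40115 ssh2
Jan 28 09:40:04 beta sshd[877]: Failed password for invalid user test from 192.0.2.10 port 51200 ssh2
Jan 28 09:40:06 beta sshd[879]: Failed password for invalid user guest from 192.0.2.10 port 51204 ssh2
Jan 28 09:40:09 beta sshd[881]: Failed password for root from 192.0.2.10 port 51209 ssh2
Jan 28 09:41:30 alpha sshd[2140]: Failed password for michael from 198.51.100.7 port 33010 ssh2
Jan 28 09:41:41 alpha sshd[2142]: Accepted password for michael from 198.51.100.7 port 33012 ssh2
"""

# Assumed line format: "<date> <host> sshd[pid]: Failed password for
# [invalid user ]<user> from <addr> port <n> ssh2"
FAILED = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def summarize(log_text):
    """Group failed SSH logins by source address."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "hosts": set()})
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            entry = stats[m["src"]]
            entry["attempts"] += 1
            entry["users"].add(m["user"])
            entry["hosts"].add(m["host"])
    return dict(stats)

def sweepers(stats, min_users=2, min_hosts=2):
    """Sources that tried several usernames against several machines."""
    return sorted(
        src for src, s in stats.items()
        if len(s["users"]) >= min_users and len(s["hosts"]) >= min_hosts
    )

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src in sweepers(stats):
        s = stats[src]
        print(src, s["attempts"], sorted(s["users"]), sorted(s["hosts"]))
```

A single mistyped password from a legitimate user (the 198.51.100.7 lines) stays below both thresholds, while the source that walks the same usernames across two hosts is reported.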