Attacks on ssh port
Frankye - ML
listsucker at ipv5.net
Sat Sep 18 07:14:37 PDT 2004
On Sat, 18 Sep 2004 14:18:32 +0200
Willem Jan Withagen <wjw at withagen.nl> wrote:
| Is there a security problem with ssh that I've missed???
| Ik keep getting these hords of:
| Failed password for root from 126.96.36.199 port 39239 ssh2
| with all kinds of different source addresses.
FYI, the past month there were a couple of (quite long) threads on this
thing on bugtraq and incidents @securityfocus.
It seems to be some worm that scans for weak passwords, someone on
incidents published a webpage on this stuff here:
http://www.jaenicke.org/sk/ with the binaries used and an irc log chatting
with one of the kiddies.
The sources seems to mainly be cracked boxes with, aemh... blank root
(everytime I read the previous 3 words together I shudder, apologies if
they have the same effect on you :)
| they're back and keep clogging my logs.
| Is there a "easy" way of getting these ip-numbers added to the
| blocking-list of ipfw??
I've just moved the public port of the sshd on another port, quite lame
but at least I'm not bothered by worms :)
Frankye Fattarelli |U| |P| |S|F|
frankye.DIESPAMMERSDIE at ipv5.net |R| |S| |Y|I|
this email is RFC 3514 compliant |G| |H| |N|N|
More information about the freebsd-security