Distributed SSH attack

Aryeh M. Friedman aryeh.friedman at gmail.com
Fri Oct 2 23:10:45 UTC 2009

Greg Larkin wrote:
> Hash: SHA1
> Jeremy Lea wrote:
>> Hi,
>> This is off topic to this list, but I dont want to subscribe to -chat
>> just to post there...  Someone is currently running a distributed SSH
>> attack against one of my boxes - one attempted login for root every
>> minute or so for the last 48 hours.  They wont get anywhere, since the
>> box in question has no root password, and doesn't allow root logins via
>> SSH anyway...
>> But I was wondering if there were any security researchers out there
>> that might be interested in the +-800 IPs I've collected from the
>> botnet?  The resolvable hostnames mostly appear to be in Eastern Europe
>> and South America - I haven't spotted any that might be 'findable' to
>> get the botnet software.
>> I could switch out the machine for a honeypot in a VM or a jail, by
>> moving the host to a new IP, and if you can think of a way of allowing
>> the next login to succeed with any password, then you could try to see
>> what they delivered...  But I don't have a lot of time to help.
>> Regards,
>>   -Jeremy
> Hi Jeremy,
> You could set up DenyHosts and contribute to the pool of IPs that are
> attempting SSH logins on the Net:
> http://denyhosts.sourceforge.net/faq.html#4_0
> It also looks like there's been quite a spike of SSH login activity
> recently: http://stats.denyhosts.net/stats.html
> Hope that helps,
> Greg
> - --
> Greg Larkin
> http://www.FreeBSD.org/           - The Power To Serve
> http://www.sourcehosting.net/     - Ready. Set. Code.
> http://twitter.com/sourcehosting/ - Follow me, follow you
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> Tbv+hWI+KoXYsEpt0n4gW5k=
> =xCz7
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
There seems to be some kind of cordinated attack because I have been 
seeing different backbones wink in and out (work and home are on 
completely diff backbones and are having roughly the same intermitten 

More information about the freebsd-hackers mailing list