Hi there,

We already had a small thread about this topic, but only about some log entries and not the problem itself ;) As we probably all noticed, there are a bunch of ssh connects every day which try to log in as root, test, user, admin, guest and maybe others. Now I saw a scan with more than 5000 attempts to log in to several servers. I have read a lot about this topic now, but no one really knows what's going on. So I'll try to sum up the information I got; maybe you know a little bit more than I do, or just have the same "problem" and want to know more about it ;)

First of all, it seems that there are multiple tools or scripts out there trying these logins. The simplest one only tries root:root and guest:guest as login. Later on a few more usernames were added: guest, test, user, admin (and maybe others). After that someone seems to have added some dictionary support to the tools. Now they try many passwords for the root user (no password guesses for the other ones so far). If some box has such a weak/guessable password, some of the "crackers" installed stuff like rootkits (e.g. suckit) or DDoS flood scripts/IRC bots and other "bad" stuff.

Today we found such a server in our network. The password wasn't changed by the customer, so it was guessable. But unlike other reports, no rootkit etc. was installed. All we found was a "uname -r" that had been run. Maybe because of a very recent kernel and some other stuff they didn't like this box very much.

A few analyses have been done already:

http://dev.gentoo.org/~krispykringle/sshnotes.txt
http://lists.netsys.com/pipermail/full-disclosure/2004-August/025330.html
http://isc.sans.org/diary.php?date=2004-07-28

and many other postings on the well-known lists like dev-shed, full-disclosure, bugtraq etc. Most of the attackers don't seem to be very skilled, as you'll see in some postings: they left bash_history files behind and did other stuff you'll notice if you take a closer look at your box.
For people who want to protect themselves against such attacks:

- disable root login (PermitRootLogin no in sshd_config)
- use secure passwords
- maybe just use ssh keys
- don't use guessable accounts
- put sshd on a different port than 22 (will only help against such "normal" scans, not if someone wants to break *your* box.)
- use features like hosts.allow/deny or iptables to allow ssh just for a couple of hosts (maybe isn't usable for people with non-static IPs, but you can still limit ssh access to your ISP, or use a VPN ;)

Hope I didn't forget anything. If someone knows more about this topic, please let us know ;)

Regards,
Sven
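As an added example (not part of Sven's post), the script below does two things a defender would want after reading the above: it tallies failed ssh logins per username from sshd log lines, so the root/test/admin pattern described in the post is visible at a glance, and it checks an sshd_config for the hardening from the list. The log lines and both config files are constructed; mapping "use ssh keys" to PasswordAuthentication no is my assumption, not wording from the post.

```shell
#!/bin/sh
# Added example: summarise failed ssh logins and check sshd_config hardening.
# All sample data below is constructed for this example.

# failed_by_user: read sshd log lines on stdin, print "user count" for failed
# password logins, most frequent first. Handles both the "for root" and the
# "for invalid user test" forms that sshd emits.
failed_by_user() {
  sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' |
    sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# check_sshd_config FILE: echo one line per weak or missing directive and
# return 1 if anything was flagged, 0 if the file passes all checks.
# "use ssh keys" is taken to mean PasswordAuthentication no (assumption).
check_sshd_config() {
  f=$1 rc=0
  for want in 'PermitRootLogin no' 'PasswordAuthentication no'; do
    grep -Eiq "^[[:space:]]*$want[[:space:]]*$" "$f" ||
      { echo "weak: ${want%% *}"; rc=1; }
  done
  # Port defaults to 22 when absent, so only an explicit non-22 Port line passes.
  grep -Eiq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$f" &&
    ! grep -Eiq '^[[:space:]]*Port[[:space:]]+22([[:space:]]|$)' "$f" ||
    { echo "note: sshd on default port 22"; rc=1; }
  return $rc
}

# Constructed sshd log excerpt (addresses from documentation ranges).
SAMPLE_LOG='Jan 12 03:14:01 host sshd[2131]: Failed password for root from 192.0.2.10 port 4321 ssh2
Jan 12 03:14:03 host sshd[2132]: Failed password for invalid user test from 192.0.2.10 port 4322 ssh2
Jan 12 03:14:05 host sshd[2133]: Failed password for invalid user admin from 192.0.2.10 port 4323 ssh2
Jan 12 03:14:07 host sshd[2134]: Failed password for root from 198.51.100.7 port 4324 ssh2
Jan 12 03:14:09 host sshd[2135]: Accepted publickey for sven from 203.0.113.5 port 50001 ssh2'

# Constructed configs: the weak defaults beside a hardened version.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$WEAK_CFG"
printf 'Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nAllowUsers sven\n' > "$HARD_CFG"

printf '%s\n' "$SAMPLE_LOG" | failed_by_user
check_sshd_config "$WEAK_CFG" || echo "weak config flagged"
check_sshd_config "$HARD_CFG" && echo "hardened config ok"
```

On a real box, feed `failed_by_user` with `grep sshd /var/log/auth.log` (or wherever your distribution logs sshd) and point `check_sshd_config` at /etc/ssh/sshd_config.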