Dear all,

I have detected recently some users trying to gain access on my server via ssh. I have their IPs and found the servers that these users have access from. I have sent e-mail to the abuse e-mail addresses that they advertise but I have not received a single reply for the longest time now.

Can someone tell me if there is a higher authority whom I can contact about this issue since the system admins which I send e-mail to do not even acknowledge me??

Thank you

Chris
I have detected recently some users trying to gain access on my server via ssh. I have their IPs and found the servers that these users have access from.
I know this doesn't answer your question but if it's just a bunch of tries to ssh as guest, admin or test you can try changing your ssh port. I had the same problem and after changing the port these went away.

Brana
On Friday 01 October 2004 08.21, Branimir Vasilic wrote:
I have detected recently some users trying to gain access on my server via ssh. I have their IPs and found the servers that these users have access from.
I know this doesn't answer your question but if it's just a bunch of tries to ssh as guest, admin or test you can try changing your ssh port. I had the same problem and after changing the port these went away.
Brana

There was talk of a new wave of exploits/viruses that tries to gain access via ssh. It tries to find entries for guest/admin and a few other common ones.
Might be something like that.

--
/Rikard
Rikard Johnels
email : rikjoh@norweb.se
Web : http://www.rikjoh.com
Mob : +46 735 05 51 01
Public PGP fingerprint: < 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
On Friday 01 October 2004 05:43, Rikard Johnels wrote:
On Friday 01 October 2004 08.21, Branimir Vasilic wrote:
I have detected recently some users trying to gain access on my server via ssh. I have their IPs and found the servers that these users have access from.
I know this doesn't answer your question but if it's just a bunch of tries to ssh as guest, admin or test you can try changing your ssh port. I had the same problem and after changing the port these went away.
Brana
There was talk of a new wave of exploits/viruses that tries to gain access via ssh. It tries to find entries for guest/admin and a few other common ones.
Might be something like that.
Yeah, it's either a virus or a script that's been passed around. It leaves the same signature of access attempts in the log. I've tuned my iptables firewall to limit IP access to authorized addresses and drop any other connection attempts. Unfortunately this approach isn't practical if you have dialup users with dynamic IPs.

Jeff
Jeffrey wrote regarding 'Re: [SLE] Hacking Question' on Fri, Oct 01 at 07:21:
On Friday 01 October 2004 05:43, Rikard Johnels wrote:
On Friday 01 October 2004 08.21, Branimir Vasilic wrote:
I have detected recently some users trying to gain access on my server via ssh. I have their IPs and found the servers that these users have access from.
I know this doesn't answer your question but if it's just a bunch of tries to ssh as guest, admin or test you can try changing your ssh port. I had the same problem and after changing the port these went away.
Brana
There was talk of a new wave of exploits/viruses that tries to gain access via ssh. It tries to find entries for guest/admin and a few other common ones.
Might be something like that.
Yeah, it's either a virus or a script that's been passed around. It leaves the same signature of access attempts in the log. I've tuned my iptables firewall to limit IP access to authorized addresses and drop any other connection attempts. Unfortunately this approach isn't practical if you have dialup users with dynamic IPs.
Wouldn't it be easier to just not use accounts named "guest" or "admin", or at least set decent passwords for those accounts? :)

--Danny, with logs full of those attempts...
There was talk of a new wave of exploits/viruses that tries to gain access via ssh. It tries to find entries for guest/admin and a few other common ones.
Might be something like that.
Yeah, it's either a virus or a script that's been passed around. It leaves the same signature of access attempts in the log. I've tuned my iptables firewall to limit IP access to authorized addresses and drop any other connection attempts. Unfortunately this approach isn't practical if you have dialup users with dynamic IPs.
Wouldn't it be easier to just not use accounts named "guest" or "admin", or at least set decent passwords for those accounts? :)
--Danny, with logs full of those attempts.
Indeed, but it's kinda hard not to have a root account :-O

Jeff - Who answers with "-j REJECT --reject-with icmp-host-unreachable" and now gets far fewer probes on any port.
Jeffrey wrote regarding 'Re: [SLE] Hacking Question' on Fri, Oct 01 at 12:56: [...]
Indeed, but it's kinda hard not to have a root account :-O
Jeff - Who answers with "-j REJECT --reject-with icmp-host-unreachable" and now gets far fewer probes on any port.
I'm partial to "-j DROP" since it slows scanners down. It may not make a difference with one host, but I've got 64 IPs to protect (which isn't a real big range, but it's big enough) and I feel like I'm doing the rest of the world a favor, too. :) My root password isn't typically blank, "admin", or "root", either, so I'm not too worried.

--Danny, saving the world, one packet at a time
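
Added example, not part of the original thread or written by any of its participants: a log summary that groups failed sshd logins by source address and flags sources that walk through the common account names mentioned above, giving the per-source evidence (names tried, count, first and last timestamp) an abuse report needs. It assumes the syslog "Failed password" line format of OpenSSH; the function names, the threshold of three names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Account names the thread mentions as targets of the scripted attempts.
COMMON_NAMES = {"guest", "admin", "test", "root"}

# Assumed line format; OpenSSH logs "illegal user" (older) or "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Oct  1 03:12:41 web1 sshd[4101]: Failed password for illegal user guest from 192.0.2.10 port 40112 ssh2
Oct  1 03:12:44 web1 sshd[4103]: Failed password for illegal user admin from 192.0.2.10 port 40115 ssh2
Oct  1 03:12:47 web1 sshd[4105]: Failed password for illegal user test from 192.0.2.10 port 40119 ssh2
Oct  1 03:12:50 web1 sshd[4107]: Failed password for root from 192.0.2.10 port 40123 ssh2
Oct  1 08:30:02 web1 sshd[4390]: Failed password for chris from 198.51.100.7 port 51200 ssh2
Oct  1 08:30:09 web1 sshd[4390]: Accepted password for chris from 198.51.100.7 port 51200 ssh2
"""

def summarize(log_text):
    """Group failed logins by source IP: names tried, first and last seen."""
    sources = defaultdict(lambda: {"users": [], "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        entry = sources[m["ip"]]
        entry["users"].append(m["user"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(sources)

def scripted_sources(sources, min_names=3):
    """Flag IPs that tried at least min_names distinct common account names."""
    return sorted(
        ip for ip, e in sources.items()
        if len(set(e["users"]) & COMMON_NAMES) >= min_names
    )

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in scripted_sources(summary):
        e = summary[ip]
        print(ip, len(e["users"]), "failures,", e["first"], "to", e["last"],
              "names:", ", ".join(e["users"]))
```

A single mistyped password from a legitimate user, like the 198.51.100.7 line in the sample, is counted but not flagged.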
participants (5)
- Branimir Vasilic
- Chris Roubekas
- Danny Sauer
- Jeffrey Laramie
- Rikard Johnels