Last Updated: 2014-12-10 19:49:05 UTC
by Jim Clausing (Version: 1)
I noticed it in my own logs overnight and also had a couple of readers (both named Peter) report some odd new ssh scanning overnight. The scanning involves many sites, likely a botnet, attempting to ssh in as 3 users, D-Link, admin, and ftpuser. Given the first of those usernames, I suspect that they are targeting improperly configured D-Link routers or other appliances that have some sort of default password. The system that I have at home was not running kippo, so I didn't get the passwords that they were guessing and was not able to see what they might do if they succeed in ssh-ing in. If anyone out there has any more info on what exactly they are targeting, please let us know by e-mail, via the contact page, or by commenting on this post. I'll try to reconfigure a couple of kippo honeypots to see if I can capture the bad guys there and may update this post later.
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
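
A log check for the scanning pattern described in the post, added here as an example and not part of the original diary: it counts the distinct source addresses behind failed sshd logins for the three reported usernames and lists the sources that tried all three. The log lines are constructed samples in standard OpenSSH syslog format (an assumption about the logging setup), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Usernames reported in the diary; matched exactly as written there.
WATCHED = frozenset({"D-Link", "admin", "ftpuser"})

# Failed-login messages as OpenSSH sshd writes them to syslog (assumed format).
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?|Invalid user )"
    r"(?P<user>\S+) from (?P<ip>[0-9A-Fa-f:.]+)"
)

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
Dec 10 03:12:01 host sshd[4101]: Invalid user D-Link from 192.0.2.10
Dec 10 03:12:03 host sshd[4101]: Failed password for invalid user D-Link from 192.0.2.10 port 40122 ssh2
Dec 10 03:12:09 host sshd[4105]: Failed password for admin from 192.0.2.10 port 40130 ssh2
Dec 10 03:12:15 host sshd[4109]: Invalid user ftpuser from 192.0.2.10
Dec 10 03:14:40 host sshd[4120]: Invalid user D-Link from 198.51.100.7
Dec 10 03:14:46 host sshd[4124]: Failed password for admin from 198.51.100.7 port 51515 ssh2
Dec 10 03:14:52 host sshd[4128]: Invalid user ftpuser from 198.51.100.7
Dec 10 03:20:11 host sshd[4140]: Failed password for admin from 203.0.113.5 port 33001 ssh2
Dec 10 03:21:30 host sshd[4150]: Failed password for root from 203.0.113.9 port 33890 ssh2
Dec 10 08:02:17 host sshd[4300]: Accepted publickey for jim from 203.0.113.50 port 50022 ssh2
"""

def parse_failures(log_text):
    """Yield (user, ip) for every failed-login line in the log text."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def summarize(log_text, watched=WATCHED):
    """Group failed logins for the watched usernames by user and by source."""
    sources_by_user = defaultdict(set)
    users_by_source = defaultdict(set)
    for user, ip in parse_failures(log_text):
        if user in watched:
            # Sets de-duplicate the two lines sshd logs for one bad attempt.
            sources_by_user[user].add(ip)
            users_by_source[ip].add(user)
    return {
        "sources_by_user": {u: sorted(s) for u, s in sources_by_user.items()},
        "distinct_sources": len(users_by_source),
        # Sources that tried every watched name match the reported scan.
        "full_pattern_sources": sorted(
            ip for ip, users in users_by_source.items() if users == set(watched)),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
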