Threat Level: green Handler on Duty: Yee Ching Tok

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

SSH Password attacks using domain name elements as userid

Published: 2012-01-27
Last Updated: 2012-01-27 10:08:01 UTC
by Mark Hofman (Version: 1)
1 comment(s)

A reader (Thanks Jim!) mentioned earlier today that his SSH logs were showing access attempts utilising elements of the reverse DNS name of the IP address being accessed.  For example using results in the userids isc, sans and org. This may be cause a number of hosting providers use the domain name itself as the userid for shell access for customers.  In light of the breach at dreamhost earlier this week this may be what is going on. 

If you are noticing the same in your logs and you can share some log lines please send some in as I'd be interested in taking a peek.

Mark H


1 comment(s)
Diary Archives