SSH scanning from compromised mail servers

Published: 2009-04-07
Last Updated: 2009-04-07 23:29:12 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

We received two reports about an increase in ssh scanning. One of them (thanks Quentin!) correlated the sources and found that based on reverse DNS lookups, 706 out of 824 sources appear to run mail servers.  We do not have any associated malware at this point, and the mail servers appear to run various SMTP daemons. If you observe a similar pattern, or better: if you mail server scans for port 22 tcp, please let us know.

 Denyhost, which monitors ssh brute force attacks, detected a remarkable uptick. We do not see an uptick in our data, but we only monitor firewall logs which would not detect connects to open ssh servers.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: mail servers ssh
4 comment(s)
Diary Archives