
SANS ISC: SSH scanning from compromised mail servers - Internet Security | DShield SANS ISC InfoSec Forums


SSH scanning from compromised mail servers

We received two reports about an increase in ssh scanning. One of them (thanks Quentin!) correlated the sources and found that, based on reverse DNS lookups, 706 out of 824 sources appear to run mail servers. We do not have any associated malware at this point, and the mail servers appear to run various SMTP daemons. If you observe a similar pattern, or better: if your mail server scans for port 22 tcp, please let us know.

DenyHosts, which monitors ssh brute force attacks, detected a remarkable uptick. We do not see an uptick in our data, but we only monitor firewall logs, which would not detect connections to open ssh servers.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute     http://twitter.com/johullrich

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019

Johannes

3535 Posts
ISC Handler
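The diary mentions two pieces of analysis: correlating scanning sources with their reverse DNS names (706 of 824 looked like mail servers), and DenyHosts-style monitoring of failed ssh logins, which a later comment describes as "low and slow". The block below is an added example, not code from the diary or from DenyHosts or fail2ban: it parses constructed OpenSSH auth-log lines, groups failures per source, flags sources whose attempts are spread out enough to stay under a maxretry/findtime style ban threshold, and labels sources whose PTR name looks like a mail host. The log lines, PTR answers, and the `MAIL_LABEL_RE` heuristic are all assumptions made for the example; the resolver is passed in as a callable so that `socket.gethostbyaddr` can replace the sample dictionary on real data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log lines in OpenSSH's syslog format (sample data, not from the diary).
SAMPLE_AUTH_LOG = """\
Jun  7 01:02:03 host sshd[1001]: Failed password for root from 203.0.113.10 port 51234 ssh2
Jun  7 01:12:08 host sshd[1002]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
Jun  7 01:25:41 host sshd[1003]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jun  7 01:31:17 host sshd[1004]: Failed password for root from 203.0.113.10 port 51250 ssh2
Jun  7 01:44:55 host sshd[1005]: Accepted publickey for alice from 192.0.2.5 port 2222 ssh2
Jun  7 02:03:09 host sshd[1006]: Failed password for invalid user test from 203.0.113.10 port 51260 ssh2
Jun  7 02:10:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 40010 ssh2
"""

# Constructed reverse-DNS answers standing in for socket.gethostbyaddr(), so the example runs offline.
SAMPLE_PTR = {
    "203.0.113.10": "mail.example.net",
    "198.51.100.7": "host-7.example.org",
}

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Hostname labels that usually mark an SMTP host. A heuristic (assumption of this example),
# not proof that the host runs a mail daemon; 'mailbox.example' deliberately does not match.
MAIL_LABEL_RE = re.compile(r"(^|[.-])(mail|smtp|mx|mta|relay)\d*([.-]|$)", re.I)


def failed_logins(log_text, year=2019):
    """Return {source_ip: [sorted datetimes]} built from every 'Failed password' line."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        by_ip[m["ip"]].append(ts)
    return {ip: sorted(ts) for ip, ts in by_ip.items()}


def peak_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any single window of the given length."""
    peak = 0
    for i, start in enumerate(timestamps):
        peak = max(peak, sum(1 for t in timestamps[i:] if t - start <= window))
    return peak


def low_and_slow(by_ip, min_total=3, maxretry=5, findtime=timedelta(minutes=10)):
    """Sources with at least min_total failures that never reach `maxretry` failures inside one
    `findtime`, i.e. the pattern a maxretry/findtime ban rule with these values would never trigger on."""
    return sorted(ip for ip, ts in by_ip.items()
                  if len(ts) >= min_total and peak_in_window(ts, findtime) < maxretry)


def looks_like_mail_server(ptr_name):
    """True when the PTR name carries a label commonly used for SMTP hosts."""
    return ptr_name is not None and MAIL_LABEL_RE.search(ptr_name) is not None


def correlate(by_ip, resolve):
    """Annotate each source with its PTR name and the mail-server heuristic.
    `resolve` maps an IP string to a hostname or None (dict.get offline, a gethostbyaddr wrapper online)."""
    rows = []
    for ip, ts in sorted(by_ip.items()):
        name = resolve(ip)
        rows.append({"ip": ip, "failures": len(ts), "first": ts[0], "last": ts[-1],
                     "ptr": name, "mail_like": looks_like_mail_server(name)})
    return rows


def mail_server_share(rows):
    """(mail-like sources, total sources): the kind of ratio the diary reports as 706 of 824."""
    return sum(1 for r in rows if r["mail_like"]), len(rows)


if __name__ == "__main__":
    by_ip = failed_logins(SAMPLE_AUTH_LOG)
    rows = correlate(by_ip, SAMPLE_PTR.get)
    for r in rows:
        print(r)
    print("low and slow:", low_and_slow(by_ip))
    print("mail-like / total:", mail_server_share(rows))
```

With the sample data only 203.0.113.10 is reported as low and slow: it fails four times over an hour but never more than once within any ten-minute window, so a ban rule keyed on five failures in ten minutes never fires. The rDNS step is deliberately separate from the counting step, because a PTR record says only who administers the address, and a large share of mail-host names among scanners is a lead to investigate (a compromised or misconfigured MTA fleet), not an attribution by itself.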
This has been very widespread, but "low and slow". It has also stopped in the last 25 minutes, almost exactly 24 hours after it began.
Ken

40 Posts
Got lots of ssh scans for some days on my box, but have "fail2ban" installed against it. Will try to use "DenyHosts" instead to upload statistics too from my network (Neuf Telecom / SFR in France).

Regards.
Jean

5 Posts
Just wanted to confirm that we are seeing this as well. A few of the IPs were mail servers, but many were not.
Jean
1 Posts
I have netflow data from my SP network that caught all this rogue traffic if ISC wants it. I specifically watch for SSH traffic destined for key points in our network that should never be accessed from the outside world. I generally catch between a dozen and 3-4 dozen each day. I caught 753 between the 6th and 7th on traffic from just one of our upstreams. The scanning has not stopped either. It has only slowed slightly.
Anonymous
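The comment above describes a flow-based check: SSH traffic toward addresses that should never be reached from outside, counted per day against a known baseline of a few dozen sources. The block below is an added example of that check and is not the commenter's tooling or any vendor's code. It reads constructed flow records already reduced to CSV (as a collector export would be), keeps only 22/tcp flows from non-internal sources to a protected prefix, counts distinct sources per day, and reports days that exceed a baseline. The prefixes, flow rows, column names and the baseline value are assumptions made for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Addresses that must never see SSH from outside: router loopbacks, management hosts (constructed).
PROTECTED = [ipaddress.ip_network("192.0.2.0/28"), ipaddress.ip_network("198.51.100.64/27")]
# Everything this operator considers "inside" (constructed).
INTERNAL = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow export in CSV form; columns trimmed to what the check needs.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,packets
2019-06-06T23:58:01,203.0.113.10,192.0.2.1,tcp,22,3
2019-06-07T00:05:44,203.0.113.10,192.0.2.2,tcp,22,3
2019-06-07T00:06:10,203.0.113.77,192.0.2.1,tcp,22,1
2019-06-07T01:22:09,192.0.2.50,192.0.2.1,tcp,22,40
2019-06-07T03:14:00,203.0.113.10,198.51.100.70,tcp,22,3
2019-06-07T03:15:00,203.0.113.10,198.51.100.70,tcp,443,12
2019-06-07T04:00:00,203.0.113.99,198.51.100.200,tcp,22,5
"""


def in_any(addr, networks):
    """True when addr falls inside one of the given networks."""
    return any(addr in net for net in networks)


def rogue_ssh_flows(csv_text, protected=PROTECTED, internal=INTERNAL):
    """Flows to 22/tcp on a protected address whose source is not internal address space."""
    rogue = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["proto"] != "tcp" or int(row["dport"]) != 22:
            continue
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if in_any(dst, protected) and not in_any(src, internal):
            rogue.append(row)
    return rogue


def sources_per_day(rows):
    """{YYYY-MM-DD: number of distinct offending sources}, keyed on the flow start timestamp."""
    per_day = defaultdict(set)
    for row in rows:
        per_day[row["ts"][:10]].add(row["src"])
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}


def days_above_baseline(per_day, baseline=48):
    """Days whose distinct-source count exceeds the usual daily level (a few dozen in the comment above)."""
    return [day for day, count in per_day.items() if count > baseline]


if __name__ == "__main__":
    rogue = rogue_ssh_flows(SAMPLE_FLOWS)
    for row in rogue:
        print(row["ts"], row["src"], "->", row["dst"])
    per_day = sources_per_day(rogue)
    print(per_day)
    print("above baseline:", days_above_baseline(per_day))
```

Counting distinct sources rather than flows is what makes the daily figure comparable across days: one persistent scanner retrying every few minutes would otherwise inflate the count. The internal-source exclusion keeps legitimate management sessions (the 192.0.2.50 row) out of the report, while a flow to 443 on a protected host is ignored by design because the check is only about SSH exposure.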
