ISC Diary

Published: 2012-01-27,
Last Updated: 2012-01-27 10:08:01 UTC
by Mark Hofman (Version: 1)

A reader (Thanks Jim!) mentioned earlier today that his SSH logs were showing access attempts utilising elements of the reverse DNS name of the IP address being accessed. For example using isc.sans.org results in the userids isc, sans and org. This may be cause a number of hosting providers use the domain name itself as the userid for shell access for customers. In light of the breach at dreamhost earlier this week http://blog.dreamhost.com/2012/01/21/security-update/ this may be what is going on.

If you are noticing the same in your logs and you can share some log lines please send some in as I'd be interested in taking a peek.

Mark H

Keywords:

1 comment(s)

Top of page

Comments

There has been some analysis of SSH Brute Force attacks by Steven J. Murdoch which identified the same trend of using domain name elements. The blog post covering the analysis of the usernames and passwords used are at http://www.lightbluetouchpaper.org/2012/01/25/ and he may have raw log data he can share.

J

posted by jules, Fri Jan 27 2012, 12:02

New Comments closed for all Diaries older than two(2) weeks
Please send your comments to our Contact Form