Weblog entry #317 for simonw
Recent spate of SSH login attempts
Posted by simonw on Thu 9 Apr 2009 at 21:31
Recent spate of SSH scanning seems to originate from email servers.
http://isc.sans.org/diary.html?storyid=6148
Contacted the abuse desk of one of the hosting companies whose machine was sending a lot of requests per minute to one of our boxes. They reported they thought it was a known Roundcube vulnerability that had been exploited to compromise the server.
Indeed, nearly all the mail servers involved, although running different MTAs, were providing a web interface on port 80. So it seems likely someone has used a web exploit of some kind to get some machines to do SSH attacks from, so this fits.
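The entry identifies the offending hosts by the volume of login attempts per minute against one box. The following script, an added example that is not part of the original entry, applies that same test to sshd lines from auth.log: it counts failed logins per source address per minute and reports any source whose peak exceeds a threshold, so the result can be handed to the hosting company's abuse desk. The log lines and the threshold of 5 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines in syslog format; addresses are documentation-range placeholders.
SAMPLE_AUTH_LOG = """\
Apr  9 21:01:02 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Apr  9 21:01:03 host sshd[1203]: Failed password for invalid user oracle from 192.0.2.10 port 40118 ssh2
Apr  9 21:01:05 host sshd[1207]: Failed password for root from 192.0.2.10 port 40130 ssh2
Apr  9 21:01:09 host sshd[1209]: Failed password for invalid user test from 192.0.2.10 port 40141 ssh2
Apr  9 21:01:12 host sshd[1211]: Failed password for invalid user guest from 192.0.2.10 port 40150 ssh2
Apr  9 21:01:15 host sshd[1214]: Failed password for invalid user user from 192.0.2.10 port 40161 ssh2
Apr  9 21:02:01 host sshd[1220]: Failed password for invalid user postgres from 192.0.2.10 port 40170 ssh2
Apr  9 21:03:40 host sshd[1230]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Apr  9 21:03:55 host sshd[1233]: Accepted publickey for alice from 198.51.100.7 port 51004 ssh2
"""

# Capture the timestamp down to the minute, the attempted user and the source address.
FAILED_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d{1,2} \d{2}:\d{2}):\d{2} \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failures_per_minute(log_text):
    """Return {source_ip: {minute: failed_login_count}} for sshd 'Failed password' lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[m["ip"]][m["minute"]] += 1
    return counts


def noisy_sources(log_text, threshold=5):
    """Sources reaching `threshold` failed logins within a single minute; returns {ip: peak}."""
    result = {}
    for ip, per_minute in failures_per_minute(log_text).items():
        peak = max(per_minute.values())
        if peak >= threshold:
            result[ip] = peak
    return result


if __name__ == "__main__":
    for ip, peak in noisy_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {peak} failed logins in one minute; candidate for an abuse report")
```

A legitimate user mistyping a password once, as 198.51.100.7 does here, stays below the threshold and is not reported.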
Comments on this Entry
Posted by Anonymous (84.172.xx.xx) on Sat 11 Apr 2009 at 15:00
Roundcube seems to be wildly popular. I don't have this software running on any of my servers (and never had), but my web server logs are full of attempts to access /roundcube/.
I guess Roundcube must be a highly sophisticated application which was designed and developed from the ground up with security in mind. *sigh*