 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall list <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Have I been owned? (caught outgoing src port 22)
 Date:  Fri, 28 Jan 2005 16:40:31 -0500
On Fri, 28 Jan 2005 13:12:15 -0800, Jeffrey Goldberg
<jeffrey at goldmark dot org> wrote:
> > The other question is why are you connecting to bluemidnight.com?
> That is precisely what I would like to know.

This could be a coincidence, and/or completely and totally unrelated,
but in the last 3 days I've seen a huge increase in SSH brute force
attempts on two systems that have to have SSH opened to the world for
open source projects (for CVS without using pserver).  Many people see
these attempts all the time, though I don't see them much at all.  The
vast majority of the attacking hosts are webmail systems of some sort
(or that's what they have running on port 80), and some new
vulnerabilities in some webmail packages were recently discovered.  My
guess is compromised systems that attackers are using to attempt to
compromise other systems.

The commonality between the IP in question here and what I've seen
recently is they all are running some sort of (what appears to be, in
this case) open source webmail.

Yeah, I know the src is 22, not dst, but I thought I'd at least share
that after seeing more of these pathetic attempts this afternoon.
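The check a list reader would want alongside Chris's observation is a quick count of failed sshd logins per source host, so that a brute-force source stands out from a legitimate user who fat-fingered a password. The script below is an added example, not code from this thread or from m0n0wall; the log lines it parses are constructed for the example (RFC 5737 test addresses, invented hostname and user names) in the format OpenSSH's sshd writes to syslog, and the threshold of 5 failures is an assumed cut-off, not a documented one.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd syslog output (not a real log). The format
# "Failed password for [invalid user] NAME from IP port N ssh2" and
# "Accepted METHOD for NAME from IP port N ssh2" is what OpenSSH emits;
# the hosts, PIDs and user names here are made up for the example.
SAMPLE_AUTH_LOG = """\
Jan 28 14:02:11 cvs sshd[18231]: Failed password for invalid user admin from 203.0.113.10 port 51823 ssh2
Jan 28 14:02:13 cvs sshd[18233]: Failed password for invalid user test from 203.0.113.10 port 51830 ssh2
Jan 28 14:02:15 cvs sshd[18235]: Failed password for root from 203.0.113.10 port 51841 ssh2
Jan 28 14:02:17 cvs sshd[18237]: Failed password for invalid user guest from 203.0.113.10 port 51850 ssh2
Jan 28 14:02:19 cvs sshd[18239]: Failed password for invalid user user from 203.0.113.10 port 51862 ssh2
Jan 28 14:05:40 cvs sshd[18250]: Failed password for jeff from 198.51.100.7 port 40011 ssh2
Jan 28 14:05:48 cvs sshd[18250]: Accepted publickey for jeff from 198.51.100.7 port 40011 ssh2
Jan 28 14:06:02 cvs sshd[18255]: Failed password for invalid user oracle from 192.0.2.44 port 3312 ssh2
Jan 28 14:06:03 cvs sshd[18257]: Failed password for invalid user oracle from 192.0.2.44 port 3313 ssh2
"""

# "invalid user" is present when the account does not exist; make it optional
# so both shapes of the failure line are captured.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+ ssh2")


def summarize(log_text):
    """Return (failures per source IP, user names tried per source IP,
    accepted logins per source IP) for the given sshd log text."""
    failures = Counter()
    usernames = defaultdict(set)
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            accepted[ip].add(user)
    return failures, usernames, accepted


def brute_force_sources(log_text, threshold=5):
    """Source IPs with at least `threshold` failed password attempts.
    The threshold is an assumed cut-off; tune it to the host's normal traffic."""
    failures, _, _ = summarize(log_text)
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def sources_with_success_after_failure(log_text):
    """Source IPs that failed at least once and were later accepted.
    A single failure followed by a key login is usually a real user; many
    failures followed by an accept is the case worth pulling apart by hand."""
    failures, _, accepted = summarize(log_text)
    return sorted(ip for ip in failures if ip in accepted)


if __name__ == "__main__":
    failures, usernames, accepted = summarize(SAMPLE_AUTH_LOG)
    for ip in brute_force_sources(SAMPLE_AUTH_LOG):
        print("%s: %d failures, users tried: %s"
              % (ip, failures[ip], ", ".join(sorted(usernames[ip]))))
    for ip in sources_with_success_after_failure(SAMPLE_AUTH_LOG):
        print("%s: failed then accepted as %s, review manually"
              % (ip, ", ".join(sorted(accepted[ip]))))
```

Run it against a real /var/log/auth.log (or wherever syslog puts sshd's auth facility) by reading the file into `summarize()`. A source that cycles through account names like admin, test, guest and root within seconds is the pattern Chris describes; the same per-source view is what you want before deciding whether an unexplained connection involving port 22 is a reply to one of these scanners or something that needs a closer look at the host itself.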