Wireshark · Wireshark-users: Re: [Wireshark-users] Very strange SSH probe

Wireshark-users: Re: [Wireshark-users] Very strange SSH probe

From: Martin Visser <martinvisser99@xxxxxxxxx>

Date: Tue, 13 Jul 2010 10:14:23 +1000

This would seem to be just a variant of a common-variety kiddie-script. Everyone that has an ssh server on the net will be seeing attempts to login. Usually there is a whole lot of common user names being attempted. This could be a new botnet being tested out if the source IPs are genuine (not-being spoofed). Provided you are either using non-guessable passwords (or what you should be using is using SSH keys rather than passwords) then there is not much to worry about.

Regards, Martin

MartinVisser99@xxxxxxxxx

On Mon, Jul 12, 2010 at 11:51 PM, Michael Glenn <MGlenn@xxxxxxxxxxxxxxx> wrote:

Anyone else seeing this?

Every five to six minutes, my Linux boxes are seeing a single connection attempt via SSH. What makes this unusual is that the user ID is always 'test1' and the source IPs are all over the map; I don't think I've seen the same IP address twice yet.

Interesting, yes?

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

References:
- [Wireshark-users] question, how to output specific fields in a complex packet using tshark command line
  - From: damker
- [Wireshark-users] Very strange SSH probe
  - From: Michael Glenn

Prev by Date: Re: [Wireshark-users] question, how to output specific fields in a complex packet using tshark command line
Next by Date: Re: [Wireshark-users] Very strange SSH probe
Previous by thread: [Wireshark-users] Very strange SSH probe
Next by thread: Re: [Wireshark-users] Very strange SSH probe
Index(es):
- Date
- Thread