SSH scanning from compromised mail servers
We received two reports about an increase in ssh scanning. One of them (thanks Quentin!) correlated the sources and found that, based on reverse DNS lookups, 706 out of 824 sources appear to run mail servers. We do not have any associated malware at this point, and the mail servers appear to run various SMTP daemons. If you observe a similar pattern, or better: if your mail server scans for port 22 tcp, please let us know.
DenyHosts, which monitors ssh brute force attacks, detected a remarkable uptick. We do not see an uptick in our own data, but we only monitor firewall logs, which record blocked connections to closed ports and would not show connections to ssh servers that are actually listening.
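The two checks above (tally ssh brute-force sources from the sshd log rather than the firewall, then reverse-resolve them and count how many look like mail servers) can be scripted. The block below is an added example, not code from the diary or from Quentin's report. The sample auth.log lines, the PTR table and the mail-hostname pattern are constructed for the demo; `live_ptr` is the only part that touches the network and is not used by default.

```python
import re
import socket
from collections import Counter

# Constructed sample sshd log lines (not from the diary). Failed logins
# against a listening sshd show up here but never in a firewall drop log.
SAMPLE_AUTH_LOG = """\
Apr  8 03:14:02 host sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Apr  8 03:14:05 host sshd[2201]: Failed password for root from 192.0.2.10 port 51022 ssh2
Apr  8 03:14:09 host sshd[2209]: Failed password for root from 198.51.100.7 port 40011 ssh2
Apr  8 03:14:12 host sshd[2213]: Accepted publickey for deploy from 203.0.113.5 port 33000 ssh2
Apr  8 03:14:20 host sshd[2220]: Failed password for invalid user oracle from 192.0.2.10 port 51030 ssh2
Apr  8 03:14:30 host sshd[2225]: Failed password for invalid user test from 203.0.113.77 port 40200 ssh2
"""

# Constructed PTR table standing in for reverse DNS, so the demo runs offline.
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.net",
    "198.51.100.7": "smtp2.example.org",
    "203.0.113.77": "dsl-77.pool.example.com",
}

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)
# Heuristic: a hostname label such as mail, mx2, smtp, mta or relay. This is an
# assumption about naming conventions, not proof that an SMTP daemon is running.
MAIL_HOST_RE = re.compile(r"(^|[.-])(mail|mx|smtp|mta|relay)\d*([.-]|$)", re.I)


def failed_logins(log_text):
    """Count failed password attempts per source IP from sshd log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def brute_force_sources(log_text, threshold=2):
    """Source IPs with at least `threshold` failed attempts."""
    return {ip for ip, n in failed_logins(log_text).items() if n >= threshold}


def looks_like_mail_server(ptr):
    return bool(ptr and MAIL_HOST_RE.search(ptr))


def classify_sources(ips, resolve=lambda ip: SAMPLE_PTR.get(ip)):
    """Reverse-resolve each source and bucket it as mail-like, other, or no PTR.

    `resolve` defaults to the constructed table; pass `live_ptr` to use real DNS.
    """
    result = {"mail": [], "other": [], "no_ptr": []}
    for ip in sorted(ips):
        ptr = resolve(ip)
        if ptr is None:
            result["no_ptr"].append(ip)
        elif looks_like_mail_server(ptr):
            result["mail"].append((ip, ptr))
        else:
            result["other"].append((ip, ptr))
    return result


def live_ptr(ip):
    """Real reverse lookup; requires network access and is not used by default."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    sources = brute_force_sources(SAMPLE_AUTH_LOG, threshold=1)
    buckets = classify_sources(sources)
    print(f"{len(buckets['mail'])} of {len(sources)} sources have mail-server-like PTR names")
    for ip, ptr in buckets["mail"]:
        print(f"  {ip:<16} {ptr}")
```

A PTR name is only a hint: the next step for any source flagged as "mail" is to confirm the claim, for example by checking whether port 25 tcp on that address answers with an SMTP banner, before concluding the scanning host is a compromised mail server.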
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute           http://twitter.com/johullrich
Keywords: mail servers ssh 
4 comment(s)
Comments
Ken
Apr 8th 2009
Regards.
Jean Bruder
Apr 8th 2009
Jer
Apr 8th 2009
Justin Shore
Apr 9th 2009