SSH scanning from compromised mail servers

Published: 2009-04-07
Last Updated: 2009-04-07 23:29:12 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

We received two reports about an increase in ssh scanning. One of them (thanks Quentin!) correlated the sources and found that, based on reverse DNS lookups, 706 out of 824 sources appear to run mail servers. We do not have any associated malware at this point, and the mail servers appear to run various SMTP daemons. If you observe a similar pattern, or better, if your mail server scans for port 22 tcp, please let us know.

DenyHosts, which monitors ssh brute force attacks, detected a remarkable uptick. We do not see an uptick in our data, but we only monitor firewall logs, which would not record connections to ssh servers that are open to the Internet.
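The correlation Quentin did is worth reproducing on your own sshd logs, since, as noted above, perimeter firewall logs miss brute-force attempts against an ssh server that is meant to be reachable. The following script is an added example written for this diary, not code from ISC or from Quentin's analysis. It parses the failed-login lines OpenSSH writes to the auth log, counts attempts per source, resolves each source's PTR record, and flags names that look like mail servers. The log lines and the `FAKE_PTR` table are constructed sample data so the script runs offline; the `MAIL_HINT_RE` heuristic (labels such as mail, smtp, mx, relay, mta) is an assumption about naming conventions, not a reliable classifier, and the default `reverse_lookup` does real DNS queries when you drop the fake table.

```python
"""Correlate SSH brute-force sources with reverse DNS to spot likely mail servers.

Added example, not from the ISC diary. The log sample and PTR table below are
constructed for illustration.
"""
import re
import socket
from collections import Counter

# Constructed sample of OpenSSH auth-log lines (syslog format, RFC 5737 test addresses).
SAMPLE_AUTH_LOG = """\
Apr  7 02:11:09 host sshd[4123]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Apr  7 02:11:12 host sshd[4125]: Failed password for root from 192.0.2.10 port 51240 ssh2
Apr  7 02:11:15 host sshd[4128]: Invalid user oracle from 198.51.100.7
Apr  7 02:11:19 host sshd[4130]: Failed password for invalid user test from 198.51.100.7 port 40110 ssh2
Apr  7 02:12:01 host sshd[4140]: Accepted publickey for alice from 203.0.113.5 port 55000 ssh2
Apr  7 02:12:44 host sshd[4151]: Failed password for root from 203.0.113.77 port 33001 ssh2
"""

# Constructed PTR answers standing in for real reverse DNS; missing keys mean "no PTR".
FAKE_PTR = {
    "192.0.2.10": "mail.example.net",
    "198.51.100.7": "smtp-out3.example.org",
    "203.0.113.77": "dsl-77.pool.example.com",
}

# Matches the two failure shapes sshd logs: "Failed password for [invalid user] X from IP"
# and "Invalid user X from IP". Successful logins ("Accepted ...") are deliberately ignored.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (\d+\.\d+\.\d+\.\d+)"
)

# Heuristic (assumption): a DNS label that is a mail-related word, optionally followed
# by digits or a hyphen, e.g. "mail", "mx1", "smtp-out3". "mxtoolbox" does not match.
MAIL_HINT_RE = re.compile(r"^(mail|smtp|mx|relay|mta|pop|imap)(\d|-|$)")


def failed_logins(log_text):
    """Count failed-login / invalid-user events per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def reverse_lookup(ip):
    """Real PTR lookup; returns None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def looks_like_mail_server(ptr_name):
    """True if any label of the PTR name matches the mail-server naming heuristic."""
    if not ptr_name:
        return False
    return any(MAIL_HINT_RE.match(label) for label in ptr_name.lower().split("."))


def correlate(counts, lookup=reverse_lookup):
    """Attach PTR name and mail-server flag to each source, busiest sources first."""
    rows = []
    for ip, attempts in counts.most_common():
        ptr = lookup(ip)
        rows.append({"ip": ip, "attempts": attempts, "ptr": ptr,
                     "mail_server": looks_like_mail_server(ptr)})
    return rows


def mail_server_fraction(rows):
    """Share of distinct sources whose PTR suggests a mail server (the 706/824 figure)."""
    if not rows:
        return 0.0
    return sum(1 for r in rows if r["mail_server"]) / len(rows)


if __name__ == "__main__":
    # Swap FAKE_PTR.get for the default reverse_lookup to query real DNS.
    rows = correlate(failed_logins(SAMPLE_AUTH_LOG), lookup=FAKE_PTR.get)
    for r in rows:
        print(f"{r['ip']:15} {r['attempts']:3}  {(r['ptr'] or '(no PTR)'):30} mail={r['mail_server']}")
    print(f"{mail_server_fraction(rows):.0%} of sources look like mail servers")
```

Feed it your real auth log (for example the output of `journalctl -u ssh` or the contents of /var/log/auth.log) and compare the fraction against what you would expect from your normal traffic; a sudden jump in sources with mail-related PTR names is the pattern the diary asks readers to report. Because PTR records are controlled by whoever owns the address space, treat the flag as a lead for further checks (an SMTP banner grab from your side, abuse contact lookup), not as proof.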

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: mail servers ssh


This has been very widespread, but "low and slow". It has also stopped in the last 25 minutes, almost exactly 24 hours after it began.

Got lots of ssh scans since some days on my box, but have "fail2ban" installed against it. Will try to use "DenyHost" instead to upload statistics too from my network (Neuf Telecom / SFR in France).

Just wanted to confirm that we are seeing this as well. A few of the IPs were mail servers, but many were not.

I have netflow data from my SP network that caught all this rogue traffic if ISC wants it. I specifically watch for SSH traffic destined for key points in our network that should never be accessed from the outside world. I generally catch between a dozen and 3-4 dozen each day. I caught 753 between the 6th and 7th on traffic from just one of our upstreams. The scanning has not stopped either. It has only slowed slightly.
