Odd new ssh scanning, possibly for D-Link devices, (Wed, Dec 10th)

I noticed it in my own logs overnight and also had a couple of readers (both named Paul) report some odd new ssh scanning overnight. The scanning involves many sites, likely a botnet, attempting to ssh in as 3 users, D-Link, admin, and ftpuser. Given the first of those usernames, I suspect that they are targetting improperly configured D-Link routers or other appliances that have some sort of default password. The system that I have at home was not running kippo, so I didnt get the passwords that they were guessing and was not able to see what they might do if they succeed in ssh-ing in. If anyone out there has any more info on what exactly they are targetting, please let us know by e-mail, via the contact page, or by commenting on this post. Ill try to reconfigure a couple of kippo honeypots to see if I can capture the bad guys there and may update this post later.

Jim Clausing, GIAC GSE #26
jclausing –at– isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.