[ Thanks to Peter N. M.
Hansteen for this link. ]
“A new round of slow, distributed bruteforce attacks is
in progress. Just like the other times we know about (see
references later), the initial target is root. This time around I
see only one of my ssh-contactable machines targeted, and the
dribble started on September 30th.“I’ve put the raw data so far up for study here (a total of 6067
attempts), and a list of hosts sorted by number of attempts (the
first column) can be found here (770 hosts, with up to 32 attempts
each). Quite likely I’ll be collecting more data and publishing
updates when I have a few free moments.“A number of people were kind enough to contact me in the
followup of the earlier articles, and from one of my correspendents
(who asked not to be named) I learned that the likely culprit is a
piece of Linux malware known as dt_ssh5. If you type dt_ssh5 into
your favorite search engine, it will turn up a few hits, but
significantly fewer than the number of hosts in my sample. A couple
of those documents have some analysis of how a badly secured web
application let the miscreants in.”