Botnet attacks SSH servers
According to several reports, the dd_ssh bot is currently behind an increase in brute force attacks on SSH servers. Botnet herders are apparently installing the bot through a phpMyAdmin vulnerability and then using the compromised machines for targeted SSH password-guessing attacks. The vulnerability is a year old and only affects outdated phpMyAdmin releases: 2.11.x prior to 2.11.9.5 and 3.x prior to 3.1.3.1.
By spreading the attempts across a large botnet, and thus a large number of source IP addresses, and having each bot make only a handful of login attempts, the herders stay below the per-IP thresholds of conventional filtering solutions: no single bot ever trips the block, so each one looks like a user who mistyped a password. The most effective countermeasure against this pattern is a shared, centrally maintained blacklist that a tool such as DenyHosts can import automatically, so that an address already seen attacking other hosts is blocked before it ever reaches yours. A basic requirement still remains a strong, even if inconvenient, password; better still, disable password authentication in sshd altogether and allow only public-key logins, which leaves a brute force attack with nothing to guess.
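The following Python example (added here for illustration; it is not code from the article, from dd_ssh or from DenyHosts) shows why a per-IP threshold misses this kind of attack and how a windowed, all-sources count catches it. It parses constructed sshd auth.log lines (hostname, PIDs and IPs are made up from the documentation address ranges), applies a DenyHosts-style per-IP threshold, then a global sliding-window threshold, and finally merges a constructed shared blacklist in the `sshd: ADDRESS` form that DenyHosts writes to /etc/hosts.deny. The threshold and window values are assumptions chosen for the sample, not recommended settings.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: five bots make two failed attempts each within 30 s,
# followed much later by one genuine typo from a legitimate user.
LOG = """\
Mar 12 10:00:01 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.11 port 44221 ssh2
Mar 12 10:00:03 bastion sshd[2002]: Failed password for root from 203.0.113.11 port 44222 ssh2
Mar 12 10:00:08 bastion sshd[2003]: Failed password for invalid user oracle from 203.0.113.12 port 51000 ssh2
Mar 12 10:00:09 bastion sshd[2004]: Failed password for root from 203.0.113.12 port 51001 ssh2
Mar 12 10:00:14 bastion sshd[2005]: Failed password for invalid user test from 203.0.113.13 port 39010 ssh2
Mar 12 10:00:15 bastion sshd[2006]: Failed password for root from 203.0.113.13 port 39011 ssh2
Mar 12 10:00:20 bastion sshd[2007]: Failed password for invalid user admin from 203.0.113.14 port 40500 ssh2
Mar 12 10:00:21 bastion sshd[2008]: Failed password for root from 203.0.113.14 port 40501 ssh2
Mar 12 10:00:26 bastion sshd[2009]: Failed password for invalid user guest from 203.0.113.15 port 60120 ssh2
Mar 12 10:00:27 bastion sshd[2010]: Failed password for root from 203.0.113.15 port 60121 ssh2
Mar 12 10:15:40 bastion sshd[2050]: Accepted publickey for alice from 198.51.100.7 port 52222 ssh2
Mar 12 10:16:02 bastion sshd[2051]: Failed password for alice from 198.51.100.7 port 52230 ssh2
"""

# Constructed shared blacklist in the hosts.deny style DenyHosts uses; comments allowed.
SHARED_BLACKLIST = """\
# exported from a shared list (constructed sample)
sshd: 203.0.113.99
sshd: 203.0.113.11
"""

# OpenSSH "Failed password" line as it appears in a syslog-format auth.log.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(lines, year=2010):
    """Return a list of (timestamp, user, ip) for every failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events

def per_ip_blocklist(events, threshold):
    """Classic per-source rule: block an IP once it alone reaches `threshold` failures."""
    counts = Counter(ip for _, _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_blocklist(events, threshold, window_seconds):
    """Count failures from all sources in a sliding time window.

    When the window holds at least `threshold` failures, every source that
    contributed to it is blocked, even though none reached the per-IP limit."""
    events = sorted(events)
    blocked = set()
    start = 0
    for end in range(len(events)):
        while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
            start += 1  # drop events that have fallen out of the window
        window = events[start:end + 1]
        if len(window) >= threshold:
            blocked.update(ip for _, _, ip in window)
    return blocked

def merge_shared_blacklist(local, shared_text):
    """Import a shared 'sshd: ADDRESS' list and union it with locally detected addresses."""
    merged = set(local)
    for line in shared_text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        if ":" in entry:
            entry = entry.split(":", 1)[1].strip()
        merged.add(entry)
    return merged

def to_hosts_deny(blocked):
    """Render a blocklist in the format DenyHosts appends to /etc/hosts.deny."""
    return "".join(f"sshd: {ip}\n" for ip in sorted(blocked))

if __name__ == "__main__":
    ev = parse_failures(LOG.splitlines())
    print("per-IP (>=5):     ", per_ip_blocklist(ev, 5))
    print("windowed (>=10/60s):", distributed_blocklist(ev, 10, 60))
    print(to_hosts_deny(merge_shared_blacklist(distributed_blocklist(ev, 10, 60), SHARED_BLACKLIST)))
```

With the sample input the per-IP rule blocks nothing, because every bot stops at two attempts, while the windowed rule blocks all five bot addresses and leaves the legitimate user alone since her single failure sits fifteen minutes away from the burst. The windowed rule does carry a false-positive risk for any genuine user who fails a login during a burst, which is exactly the tradeoff that makes a shared blacklist attractive: an address reported by many hosts is far less likely to be an innocent bystander.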
(djwm)