***者首先扫描某个IP段是否有主机开放了SSHD服务,然后开始对这些SSH服务中的下列用户名进行口令猜测:
root
admin
test
guest
user
root
admin
test
guest
user
如果这些用户存在薄弱口令,就可能遭到***。***者在***之后,可能安装后门或继续利用该主机扫描其他的网段。
这种***会在系统日志中留下大量痕迹,例如:
Jul 31 21:51:43 services sshd[695]: Illegal user test from xxxxx
Jul 31 21:51:44 services sshd[697]: Illegal user guest from xxxxx
Jul 31 21:51:46 services sshd[699]: Illegal user admin from xxxxx
Jul 31 21:51:47 services sshd[701]: Illegal user admin from xxxxx
Jul 31 21:51:44 services sshd[697]: Illegal user guest from xxxxx
Jul 31 21:51:46 services sshd[699]: Illegal user admin from xxxxx
Jul 31 21:51:47 services sshd[701]: Illegal user admin from xxxxx
建议网络和系统管理员尽快检查系统和网络日志中是否存在异常的SSH登陆事件,同时确保系统用户的口令强度。