1. 25

  2. 7

    I’d be interested in what commands an attacker executes after getting a (fake) session…

    1. 3

      Same here. I also got a huge log of failed SSH login attempts and I’ve seen a lot of the very same login names and also the country/ASN distribution was quite similar to that one here.

    2. 1

      You know, I didn’t expect that. PuTTY as the top client strings. (Also not sure what to make of the case difference.) I wonder if people are building the PuTTY SSH library into a tool for scanning or wrapping the binary in some kind of script.

      They mention earlier that these version strings can be spoofed, so is it possible attackers are using the PuTTY string in their bots to avoid suspicion? That would maybe explain the case difference as a typo on an attacker’s part.

      Edit: s/You/They/

      1. 2

        Yes, I’m thinking the same. I don’t have any facts, but I can understand the presumption that a lot of *nix boxes are administered from a Windows client, and then use PuTTY. By faking the user agent to PuTTY, the attacker might think it is harder to detect / ring any bells.