Compromised Web Servers Used to Build SSH Brute Force Botnet
Lucian Constantin writes on Softpedia News:
There are strong indications that unidentified hackers are currently building a botnet, possibly by exploiting a vulnerability in outdated phpMyAdmin installations, and are using it to launch SSH brute force attacks.
Apparently more and more Web server owners are finding instances of an unauthorized script called dd_ssh running on their systems.
The script is located in the /tmp/ directory, runs under the same account as Apache and is apparently being used to brute force SSH logins.
The SANS Internet Storm Center (ISC) confirms detecting a recent spike in the number of unique IP addresses that participate in SSH scanning.
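A host-side check for the indicator described above (a dd_ssh process started from /tmp/ under the web server's account), as an added example that is not part of the quoted article. The function name, the extra temp directories and the account names are assumptions for illustration; only /tmp/ and dd_ssh come from the report.

```python
import os

# /tmp/ is from the report; the other world-writable paths are an assumption.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SUSPECT_NAMES = {"dd_ssh"}  # script name given in the report
DELETED = " (deleted)"      # suffix Linux appends when the binary was unlinked

def _read_uid(status_path):
    """Return the real UID from a /proc/<pid>/status file, or None."""
    with open(status_path) as fh:
        for line in fh:
            if line.startswith("Uid:"):
                return int(line.split()[1])
    return None

def find_suspect_processes(web_uids, proc_root="/proc"):
    """List processes owned by a web-server UID whose binary sits in a temp dir."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            uid = _read_uid(os.path.join(base, "status"))
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited, kernel thread, or no permission
        deleted = exe.endswith(DELETED)
        if deleted:
            exe = exe[:-len(DELETED)]
        known = os.path.basename(exe) in SUSPECT_NAMES
        if uid in web_uids and (exe.startswith(SUSPECT_DIRS) or known):
            hits.append({"pid": int(entry), "uid": uid, "exe": exe,
                         "deleted": deleted, "known_name": known})
    return sorted(hits, key=lambda h: h["pid"])

if __name__ == "__main__":
    import pwd
    uids = set()
    # Assumption: common web-server account names; adjust for the host.
    for account in ("apache", "www-data", "httpd"):
        try:
            uids.add(pwd.getpwnam(account).pw_uid)
        except KeyError:
            pass
    for hit in find_suspect_processes(uids):
        print(hit)
```

Run it as root so that /proc/<pid>/exe is readable for processes owned by other accounts. A hit with "deleted" set means the file was removed from disk after launch, so an empty /tmp/ does not clear the host.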