A reader (Thanks Jim!) mentioned earlier today that his SSH logs were showing access attempts utilising elements of the reverse DNS name of the IP address being accessed.  For example using  isc.sans.org results in the userids isc, sans and org. This may be cause a number of hosting providers use the domain name itself as the userid for shell access for customers.  In light of the breach at dreamhost earlier this week http://blog.dreamhost.com/2012/01/21/security-update/ this may be what is going on. 

If you are noticing the same in your logs and you can share some log lines please send some in as I'd be interested in taking a peek.

Mark H

In case you missed it there is a vulnerability in the CISCO Ironport telnet service. Details can be found here http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport

To mitigate the risk (if you can't upgrade just yet) is to switch off telnet on the device and use SSH to manage it instead.

Mark H

Overview
Need to attribute information to ISC? Want to provide users with an avenue to visit the ISC site? Want to link directly to the ISC Stormcast, Infocon or other information? These methods and more are listed on out ISC Linkback Page! https://isc.sans.edu/linkback.html

Features

• Various text only links and terms: ISC, Stormcast, Log Submission http://isc.sans.edu/linkback.html#text

• Show an ISC image logo for your link back to ISC: Homepage, Stormcast http://isc.sans.edu/linkback.html#image

• ISC Inforcon status image http://isc.sans.edu/linkback.html#other

Note
This works as DShield also. Just view the dshield.org url http://dshield.org/linkback.html

Don't see a link you'd like to use? Suggest in the comments section below or send any questions or comments in the contact form https://isc.sans.edu/contact.html

--
Adam Swanger, Web Developer (GWEB)
Internet Storm Center (http://isc.sans.edu)