Message-ID: <200407252231.28779.andrei@fq.ro>
From: andrei at fq.ro (Andrei Galca-Vasiliu)
Subject: Automated SSH login attempts?

I've seen that too, on several machines, different ranges of IPs. I guess it's
some sort of a mass bruteforce exploit (there were 50 or more attempts on my
box in just 20-30 s). If anyone can enlighten us, it will be appreciated;
I've searched too and couldn't find anything related.

In a mail dated Thursday 22 July 2004 17:47, Jay Libove wrote:
> [ Posted to full disclosure and vulnwatch;  please edit reply address(es)
> as appropriate. Thanks. -Jay ]
>
> My Linux system, and a Linux system run by a friend here in the same city
> but on a completely different netblock (different ISP), have both seen
> apparently automated attempts to log in to our systems via SSH in the past
> few days.  Looks like a script.
>
>
> Here are some log entries from my system:
>
> Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
> Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
> Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 62.67.45.4
> Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 62.67.45.4 port 39192 ssh2
> Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 62.67.45.4
> Jul 15 10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from 62.67.45.4 port 39234 ssh2
> Jul 15 10:01:38 panther6 sshd[8273]: Illegal user user from 62.67.45.4
> Jul 15 10:01:38 panther6 sshd[8273]: Failed password for illegal user user from 62.67.45.4 port 39275 ssh2
> Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 62.67.45.4 port 39340 ssh2
> Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 62.67.45.4 port 39386 ssh2
> Jul 15 10:44:12 panther6 sshd[8300]: Illegal user test from 62.67.45.4
> Jul 15 10:44:12 panther6 sshd[8300]: Failed password for illegal user test from 62.67.45.4 port 33771 ssh2
> Jul 15 10:44:14 panther6 sshd[8302]: Illegal user guest from 62.67.45.4
> Jul 15 10:44:14 panther6 sshd[8302]: Failed password for illegal user guest from 62.67.45.4 port 33828 ssh2
> Jul 15 10:44:15 panther6 sshd[8304]: Illegal user admin from 62.67.45.4
> Jul 15 10:44:15 panther6 sshd[8304]: Failed password for illegal user admin from 62.67.45.4 port 33876 ssh2
> Jul 15 10:44:16 panther6 sshd[8306]: Illegal user user from 62.67.45.4
> Jul 15 10:44:16 panther6 sshd[8306]: Failed password for illegal user user from 62.67.45.4 port 33916 ssh2
> Jul 15 10:44:17 panther6 sshd[8308]: Failed password for root from 62.67.45.4 port 33988 ssh2
> Jul 15 10:44:19 panther6 sshd[8310]: Failed password for root from 62.67.45.4 port 34032 ssh2
> Jul 15 17:07:15 panther6 sshd[8912]: Illegal user test from 131.234.36.152
> Jul 15 17:07:15 panther6 sshd[8912]: Failed password for illegal user test from 131.234.36.152 port 38287 ssh2
> Jul 15 17:07:16 panther6 sshd[8914]: Illegal user guest from 131.234.36.152
> Jul 15 17:07:16 panther6 sshd[8914]: Failed password for illegal user guest from 131.234.36.152 port 38326 ssh2
> Jul 15 17:07:18 panther6 sshd[8916]: Illegal user admin from 131.234.36.152
> Jul 15 17:07:18 panther6 sshd[8916]: Failed password for illegal user admin from 131.234.36.152 port 38370 ssh2
> Jul 15 17:07:19 panther6 sshd[8918]: Illegal user admin from 131.234.36.152
> Jul 15 17:07:19 panther6 sshd[8918]: Failed password for illegal user admin from 131.234.36.152 port 38412 ssh2
> Jul 15 17:07:21 panther6 sshd[8920]: Illegal user user from 131.234.36.152
> Jul 15 17:07:21 panther6 sshd[8920]: Failed password for illegal user user from 131.234.36.152 port 38468 ssh2
> Jul 15 17:07:22 panther6 sshd[8922]: Failed password for root from 131.234.36.152 port 38516 ssh2
> Jul 15 17:07:23 panther6 sshd[8924]: Failed password for root from 131.234.36.152 port 38558 ssh2
> Jul 15 17:07:25 panther6 sshd[8926]: Failed password for root from 131.234.36.152 port 38611 ssh2
> Jul 15 17:07:26 panther6 sshd[8928]: Illegal user test from 131.234.36.152
> Jul 15 17:07:26 panther6 sshd[8928]: Failed password for illegal user test from 131.234.36.152 port 38675 ssh2
> Jul 19 22:05:07 panther6 sshd[30439]: Illegal user test from 83.103.27.66
> Jul 19 22:05:07 panther6 sshd[30439]: Failed password for illegal user test from 83.103.27.66 port 52671 ssh2
> Jul 19 22:05:08 panther6 sshd[30441]: Illegal user guest from 83.103.27.66
> Jul 19 22:05:08 panther6 sshd[30441]: Failed password for illegal user guest from 83.103.27.66 port 52687 ssh2
> Jul 21 06:30:12 panther6 sshd[1103]: Illegal user test from 219.103.193.130
> Jul 21 06:30:12 panther6 sshd[1103]: Failed password for illegal user test from 219.103.193.130 port 55802 ssh2
> Jul 21 06:30:14 panther6 sshd[1105]: Illegal user guest from 219.103.193.130
> Jul 21 06:30:14 panther6 sshd[1105]: Failed password for illegal user guest from 219.103.193.130 port 55823 ssh2
>
>
>  .. and some log entries from my friend's system:
>
> Jul 19 21:04:33 quack sshd[28379]: Illegal user test from 131.234.157.10
> Jul 19 21:04:34 quack sshd[28381]: Illegal user guest from 131.234.157.10
> Jul 19 21:04:36 quack sshd[28383]: Illegal user admin from 131.234.157.10
> Jul 19 21:04:37 quack sshd[28385]: Illegal user admin from 131.234.157.10
> Jul 19 21:04:38 quack sshd[28387]: Illegal user user from 131.234.157.10
> Jul 19 21:04:43 quack sshd[28400]: Illegal user test from 131.234.157.10
> Jul 22 09:39:10 quack sshd[7646]: Illegal user test from 156.17.99.11
> Jul 22 09:39:11 quack sshd[7648]: Illegal user guest from 156.17.99.11
>
>
> I have not seen any notes about this on the vulnerability discussion
> lists.  Has anyone else noticed it?  What specific vulnerability (or
> default password?) is this looking for?
>
> -Jay Libove, CISSP
> libove@...ines.org
> Atlanta, GA US

-- 
Andrei Galca-Vasiliu
Technical Support
Brasov Branch
Romania Data Systems
T: +402 68 474133  F: +402 68 474133
www.rdsnet.ro
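
The burst pattern reported in this thread (many failed logins from one address within seconds) can be picked out of an sshd log mechanically. The following is an added example, not part of the original messages: the function names, the 30-second window, the threshold of 4, the year parameter and the sample lines (documentation addresses, host name `host1`) are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two sshd message shapes quoted in this thread; one login attempt can log both.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Illegal user (?P<u1>\S+)|Failed password for (?:illegal user )?(?P<u2>\S+))"
    r" from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse(lines, year=2004):
    """Yield (timestamp, ip, pid, user); syslog omits the year, so it is a parameter."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["pid"], m["u1"] or m["u2"]

def bursts(lines, window=timedelta(seconds=30), threshold=4):
    """Return {ip: (peak attempts inside one window, usernames tried)} for noisy sources."""
    attempts = defaultdict(dict)                  # ip -> {sshd pid: (ts, user)}
    for ts, ip, pid, user in parse(lines):
        attempts[ip].setdefault(pid, (ts, user))  # both lines of one attempt share a pid
    flagged = {}
    for ip, by_pid in attempts.items():
        times = sorted(ts for ts, _ in by_pid.values())
        peak = start = 0
        for end, t in enumerate(times):           # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, sorted({u for _, u in by_pid.values()}))
    return flagged

# Constructed sample in the same log format (not taken from the messages above).
SAMPLE = """\
Jul 15 10:01:34 host1 sshd[8267]: Illegal user test from 192.0.2.10
Jul 15 10:01:34 host1 sshd[8267]: Failed password for illegal user test from 192.0.2.10 port 39141 ssh2
Jul 15 10:01:36 host1 sshd[8269]: Illegal user guest from 192.0.2.10
Jul 15 10:01:36 host1 sshd[8269]: Failed password for illegal user guest from 192.0.2.10 port 39192 ssh2
Jul 15 10:01:37 host1 sshd[8271]: Illegal user admin from 192.0.2.10
Jul 15 10:01:39 host1 sshd[8275]: Failed password for root from 192.0.2.10 port 39340 ssh2
Jul 15 10:01:41 host1 sshd[8277]: Failed password for root from 192.0.2.10 port 39386 ssh2
Jul 15 10:44:12 host1 sshd[8300]: Illegal user test from 192.0.2.10
Jul 15 11:20:02 host1 sshd[8290]: Failed password for alice from 198.51.100.7 port 50222 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, (peak, users) in bursts(SAMPLE).items():
        print(f"{ip}: {peak} attempts within 30 s, users tried: {', '.join(users)}")
```

Attempts are de-duplicated by sshd PID because a single attempt against an unknown account logs both an "Illegal user" and a "Failed password" line; on logs spanning long periods PIDs can be reused, so key on PID plus date there.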