Message-ID: <F025BAFA10F6AB9FA32707DE@utd49554.utdallas.edu>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: [VulnDiscuss] Re: Automated SSH login attempts?
--On Monday, July 26, 2004 03:29:56 PM -0400 RBabb <rob_mailing_lists@...bb.net> wrote:
>
> This makes me feel better. I thought it odd that so many machines were
> hitting my ssh server. I even blocked it at the firewall for a day or so.
> Is anyone talking on what the bot system was that allowed them to
> automate this? It seemed that as soon as 1 got it so did a whole bunch
> more so obviously people are distributing lists of IP's for potential SSH
> access.
>
That's not obvious at all. In our case, they're hitting IPs in sequential
order, so it looks (to us) more like a "brute force" attempt rather than
the targeting of hosts that are specifically running sshd.
> I'm not real sure on who to contact for these machines, but here are all
> the ones that have hit me. Mostly seem to be Asian so far.
>
> Jul 25 19:48:40 server sshd[55910]: Failed password for illegal user test
> from 212.4.172.123 port 56843 ssh2
> Jul 25 19:48:42 server sshd[55915]: Failed password for illegal user
> guest from 212.4.172.123 port 56916 ssh2
> Jul 25 20:37:19 server sshd[57221]: Failed password for illegal user test
> from 210.40.224.10 port 49738 ssh2
> Jul 25 20:37:22 server sshd[57223]: Failed password for illegal user
> guest from 210.40.224.10 port 49756 ssh2
>
[pauls@...49554 pauls]$ dig -x 212.4.172.123
; <<>> DiG 9.2.2-P3 <<>> -x 212.4.172.123
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 123
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;123.172.4.212.in-addr.arpa. IN PTR
;; ANSWER SECTION:
123.172.4.212.in-addr.arpa. 604800 IN PTR mail.enet.de.
Since this is a mail server, I would say the odds are *extremely high* that
it's been compromised and that the owners would greatly appreciate a heads
up. (So I've cc'd them.) But these are *your* logs, so *you* should notify
them as well.
> Jul 24 21:37:50 server sshd[21578]: Failed password for illegal user test
> from 218.244.240.195 port 58900 ssh2
> Jul 24 21:37:53 server sshd[21580]: Failed password for illegal user
> guest from 218.244.240.195 port 58928 ssh2
>
person: ShouLan Du
address: Fl./8, South Building, Bridge Mansion, No. 53
country: CN
phone: +86-010-83160000
fax-no: +86-010-83155528
e-mail: dsl327@...mail.net.cn
nic-hdl: SD76-AP
mnt-by: MAINT-CNNIC-AP
changed: dsl327@...mail.net.cn 20020403
source: APNIC
> Jul 22 18:23:36 server sshd[38184]: Failed password for illegal user test
> from 216.86.221.113 port 58012 ssh2
> Jul 22 18:23:37 server sshd[38195]: Failed password for illegal user
> guest from 216.86.221.113 port 51509 ssh2
>
;; ANSWER SECTION:
113.221.86.216.in-addr.arpa. 14400 IN PTR adsl-gte-la-216-86-215-113.mminternet.com.
Technical Contact:
Master, Host (NC312) hostmaster@...NTERNET.COM
3780 Kilroy Airport Way
Suite 410
Long Beach, CA 90806
US
562-427-0344 fax: 562-427-3622
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
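The triage done by hand in this thread (pull the "Failed password" lines out of syslog, group them by source address, notice that each source only ever tries the nonexistent accounts "test" and "guest" a couple of seconds apart, then reverse-resolve the address before contacting the owner) is easy to script. The following is an added example, not code from either poster; the log lines in it are constructed to match the format quoted above (192.0.2.7 is a documentation address), the year is an assumption because syslog lines carry none, and the 60-second window and the {test, guest} probe list are heuristics chosen here, not anything the thread specifies.

```python
"""Parse sshd 'Failed password' lines, aggregate per source IP and flag
sources that look like untargeted scanners rather than someone who knows
our account names."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format quoted in the thread
# (not the poster's actual logs; 192.0.2.7 is a documentation address).
SAMPLE_LOG = """\
Jul 25 19:48:40 server sshd[55910]: Failed password for illegal user test from 212.4.172.123 port 56843 ssh2
Jul 25 19:48:42 server sshd[55915]: Failed password for illegal user guest from 212.4.172.123 port 56916 ssh2
Jul 25 20:37:19 server sshd[57221]: Failed password for illegal user test from 210.40.224.10 port 49738 ssh2
Jul 25 20:37:22 server sshd[57223]: Failed password for illegal user guest from 210.40.224.10 port 49756 ssh2
Jul 25 21:02:11 server sshd[57301]: Failed password for alice from 192.0.2.7 port 40001 ssh2
Jul 25 21:02:40 server sshd[57309]: Accepted password for alice from 192.0.2.7 port 40002 ssh2
"""

# OpenSSH of that era logged nonexistent accounts as "illegal user";
# later releases say "invalid user", so accept both spellings.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+Failed password for\s+"
    r"(?:(?P<bad>illegal|invalid) user\s+)?(?P<user>\S+)\s+from\s+"
    r"(?P<ip>[\d.]+)\s+port\s+(?P<port>\d+)\s+ssh2$"
)

# Accounts the sweeps discussed in the thread tried on every host (assumed list).
PROBE_USERS = frozenset({"test", "guest"})


def parse_failed_logins(text, year=2004):
    """Return one dict per 'Failed password' line; other lines are skipped.
    Syslog lines carry no year, so the caller supplies it (assumption)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "user": m["user"],
            "nonexistent": m["bad"] is not None,   # "illegal/invalid user" prefix seen
            "ip": m["ip"],
            "port": int(m["port"]),
        })
    return events


def summarize_by_source(events):
    """Aggregate attempts per source IP: count, distinct users, time window,
    and whether every username tried was a nonexistent account."""
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev["ip"]].append(ev)
    summary = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        summary[ip] = {
            "attempts": len(evs),
            "users": sorted({e["user"] for e in evs}),
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "all_nonexistent": all(e["nonexistent"] for e in evs),
        }
    return summary


def looks_like_scanner(src, probe_users=PROBE_USERS, window_seconds=60):
    """Heuristic drawn from the thread: a short burst aimed only at accounts
    that do not exist here and that all come from a known probe list is an
    untargeted sweep, not a peer who knows our user names."""
    return (src["all_nonexistent"]
            and set(src["users"]) <= probe_users
            and (src["last"] - src["first"]).total_seconds() <= window_seconds)


def reverse_name(ip):
    """Build the PTR query name that `dig -x` sends for an IPv4 address,
    e.g. 123.172.4.212.in-addr.arpa. for 212.4.172.123."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


if __name__ == "__main__":
    summary = summarize_by_source(parse_failed_logins(SAMPLE_LOG))
    for ip, src in sorted(summary.items()):
        tag = "SCANNER" if looks_like_scanner(src) else "other"
        print(f"{ip:16} {src['attempts']:3} attempts users={src['users']} "
              f"{tag}  dig -x -> {reverse_name(ip)}")
```

Run it over a real auth log with `parse_failed_logins(open("/var/log/auth.log").read(), year=...)`; the script deliberately does no DNS itself, it only prints the query name, so the reverse lookup and whois stay a manual step before anyone is contacted.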