Message-ID: <410A4FAB.5000704@ll.mit.edu>
From: ids at ll.mit.edu (Neal O'Creat)
Subject: Automated SSH login attempts?

Could it be possible that there are different versions of this, one 
making noise and one much rarer one with an exploit?

-Neal

Andrei Galca-Vasiliu wrote:
> I've seen that too, on several machines, different range of IPs. I guess it's
> some sort of a mass bruteforce exploit (there were 50 or more attempts on my
> box in just 20-30 s). Anyone who can enlighten us, it will be appreciated,
> I've searched too and couldn't find anything related.
> 
> In a mail dated Thursday 22 July 2004 17:47, Jay Libove wrote:
> 
>>[ Posted to full disclosure and vulnwatch;  please edit reply address(es)
>>as appropriate. Thanks. -Jay ]
>>
>>My Linux system, and a Linux system run by a friend here in the same city
>>but on a completely different netblock (different ISP), have both seen
>>apparently automated attempts to log in to our systems via SSH in the past
>>few days.  Looks like a script.
>>
>>
>>Here are some log entries from my system:
>>
>>Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
>>Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
>>Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 62.67.45.4
>>Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 62.67.45.4 port 39192 ssh2
>>Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 62.67.45.4
>>Jul 15 10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from 62.67.45.4 port 39234 ssh2
>>Jul 15 10:01:38 panther6 sshd[8273]: Illegal user user from 62.67.45.4
>>Jul 15 10:01:38 panther6 sshd[8273]: Failed password for illegal user user from 62.67.45.4 port 39275 ssh2
>>Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 62.67.45.4 port 39340 ssh2
>>Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 62.67.45.4 port 39386 ssh2
>>Jul 15 10:44:12 panther6 sshd[8300]: Illegal user test from 62.67.45.4
>>Jul 15 10:44:12 panther6 sshd[8300]: Failed password for illegal user test from 62.67.45.4 port 33771 ssh2
>>Jul 15 10:44:14 panther6 sshd[8302]: Illegal user guest from 62.67.45.4
>>Jul 15 10:44:14 panther6 sshd[8302]: Failed password for illegal user guest from 62.67.45.4 port 33828 ssh2
>>Jul 15 10:44:15 panther6 sshd[8304]: Illegal user admin from 62.67.45.4
>>Jul 15 10:44:15 panther6 sshd[8304]: Failed password for illegal user admin from 62.67.45.4 port 33876 ssh2
>>Jul 15 10:44:16 panther6 sshd[8306]: Illegal user user from 62.67.45.4
>>Jul 15 10:44:16 panther6 sshd[8306]: Failed password for illegal user user from 62.67.45.4 port 33916 ssh2
>>Jul 15 10:44:17 panther6 sshd[8308]: Failed password for root from 62.67.45.4 port 33988 ssh2
>>Jul 15 10:44:19 panther6 sshd[8310]: Failed password for root from 62.67.45.4 port 34032 ssh2
>>Jul 15 17:07:15 panther6 sshd[8912]: Illegal user test from 131.234.36.152
>>Jul 15 17:07:15 panther6 sshd[8912]: Failed password for illegal user test from 131.234.36.152 port 38287 ssh2
>>Jul 15 17:07:16 panther6 sshd[8914]: Illegal user guest from 131.234.36.152
>>Jul 15 17:07:16 panther6 sshd[8914]: Failed password for illegal user guest from 131.234.36.152 port 38326 ssh2
>>Jul 15 17:07:18 panther6 sshd[8916]: Illegal user admin from 131.234.36.152
>>Jul 15 17:07:18 panther6 sshd[8916]: Failed password for illegal user admin from 131.234.36.152 port 38370 ssh2
>>Jul 15 17:07:19 panther6 sshd[8918]: Illegal user admin from 131.234.36.152
>>Jul 15 17:07:19 panther6 sshd[8918]: Failed password for illegal user admin from 131.234.36.152 port 38412 ssh2
>>Jul 15 17:07:21 panther6 sshd[8920]: Illegal user user from 131.234.36.152
>>Jul 15 17:07:21 panther6 sshd[8920]: Failed password for illegal user user from 131.234.36.152 port 38468 ssh2
>>Jul 15 17:07:22 panther6 sshd[8922]: Failed password for root from 131.234.36.152 port 38516 ssh2
>>Jul 15 17:07:23 panther6 sshd[8924]: Failed password for root from 131.234.36.152 port 38558 ssh2
>>Jul 15 17:07:25 panther6 sshd[8926]: Failed password for root from 131.234.36.152 port 38611 ssh2
>>Jul 15 17:07:26 panther6 sshd[8928]: Illegal user test from 131.234.36.152
>>Jul 15 17:07:26 panther6 sshd[8928]: Failed password for illegal user test from 131.234.36.152 port 38675 ssh2
>>Jul 19 22:05:07 panther6 sshd[30439]: Illegal user test from 83.103.27.66
>>Jul 19 22:05:07 panther6 sshd[30439]: Failed password for illegal user test from 83.103.27.66 port 52671 ssh2
>>Jul 19 22:05:08 panther6 sshd[30441]: Illegal user guest from 83.103.27.66
>>Jul 19 22:05:08 panther6 sshd[30441]: Failed password for illegal user guest from 83.103.27.66 port 52687 ssh2
>>Jul 21 06:30:12 panther6 sshd[1103]: Illegal user test from 219.103.193.130
>>Jul 21 06:30:12 panther6 sshd[1103]: Failed password for illegal user test from 219.103.193.130 port 55802 ssh2
>>Jul 21 06:30:14 panther6 sshd[1105]: Illegal user guest from 219.103.193.130
>>Jul 21 06:30:14 panther6 sshd[1105]: Failed password for illegal user guest from 219.103.193.130 port 55823 ssh2
>>
>>
>> .. and some log entries from my friend's system:
>>
>>Jul 19 21:04:33 quack sshd[28379]: Illegal user test from 131.234.157.10
>>Jul 19 21:04:34 quack sshd[28381]: Illegal user guest from 131.234.157.10
>>Jul 19 21:04:36 quack sshd[28383]: Illegal user admin from 131.234.157.10
>>Jul 19 21:04:37 quack sshd[28385]: Illegal user admin from 131.234.157.10
>>Jul 19 21:04:38 quack sshd[28387]: Illegal user user from 131.234.157.10
>>Jul 19 21:04:43 quack sshd[28400]: Illegal user test from 131.234.157.10
>>Jul 22 09:39:10 quack sshd[7646]: Illegal user test from 156.17.99.11
>>Jul 22 09:39:11 quack sshd[7648]: Illegal user guest from 156.17.99.11
>>
>>
>>I have not seen any notes about this on the vulnerability discussion
>>lists.  Has anyone else noticed it?  What specific vulnerability (or
>>default password?) is this looking for?
>>
>>-Jay Libove, CISSP
>>libove@...ines.org
>>Atlanta, GA US
>>
> 
> 
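
Added example (not part of the original thread): one way to triage sshd logs like those quoted above, grouping failed logins per source address into bursts, listing the usernames each burst tried, and marking any source that also logs an accepted login once the burst has started. The `find_bursts` name, the thresholds, and the sample lines (documentation addresses, made-up host) are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message formats as they appear in the logs quoted above, plus sshd's "Accepted" line.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:(?P<fail>Illegal user|Failed password for(?: illegal user)?)"
    r"|(?P<ok>Accepted \S+ for)) (?P<user>\S+) from (?P<ip>[\d.]+)")

# Constructed sample, not taken from the thread.
SAMPLE = """\
Jul 15 10:01:34 host1 sshd[101]: Illegal user test from 192.0.2.10
Jul 15 10:01:34 host1 sshd[101]: Failed password for illegal user test from 192.0.2.10 port 39141 ssh2
Jul 15 10:01:36 host1 sshd[102]: Illegal user guest from 192.0.2.10
Jul 15 10:01:37 host1 sshd[103]: Illegal user admin from 192.0.2.10
Jul 15 10:01:39 host1 sshd[104]: Failed password for root from 192.0.2.10 port 39340 ssh2
Jul 15 10:01:41 host1 sshd[105]: Accepted password for root from 192.0.2.10 port 39386 ssh2
Jul 15 11:00:00 host1 sshd[200]: Failed password for alice from 198.51.100.7 port 50000 ssh2
""".splitlines()

def find_bursts(lines, year=2004, max_gap=5, min_attempts=4):
    """Return one finding per burst of failed logins from a single source address."""
    attempts = defaultdict(dict)   # ip -> {pid: (time, user)}; assumes no pid reuse in the input
    accepted = defaultdict(list)   # ip -> times of successful logins
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
        if m["ok"]:
            accepted[m["ip"]].append(t)
        else:  # "Illegal user" and "Failed password" share a pid: count the attempt once
            attempts[m["ip"]].setdefault(m["pid"], (t, m["user"]))
    findings = []
    for ip, tries in attempts.items():
        burst = []
        for t, user in sorted(tries.values()) + [(datetime.max, None)]:  # sentinel flushes last burst
            if burst and t - burst[-1][0] > timedelta(seconds=max_gap):
                if len(burst) >= min_attempts:
                    findings.append({
                        "ip": ip, "start": burst[0][0], "attempts": len(burst),
                        "users": sorted({u for _, u in burst}),
                        "success_after": any(a >= burst[0][0] for a in accepted[ip])})
                burst = []
            burst.append((t, user))
    return findings
```

A finding with `success_after` set is the case to investigate first, since it means a source that was guessing accounts also logged in.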


