Educause Security Discussion mailing list archives
Re: SSH logs - ip address as user?
From: David James Anderson <David.Anderson () NAU EDU>
Date: Thu, 11 Dec 2014 15:40:01 +0000
This one made my morning, thank you.

--
-David.

David Anderson
Information Security Analyst, Senior
Information Technology Services
Northern Arizona University
(928) 523-1225

On Dec 11, 2014, at 7:49 AM, Lisciotti, Kevin <klisciotti () UMASSP EDU> wrote:

Hi everyone,

Just curious if anyone else has seen entries in their SSH logs where the user name is an IP address? It's coming from an IP in Vietnam and I assume it's a script kiddie who doesn't know how to use their brute force tool :)

Dec 11 00:15:48 sshd[27852]: Connection closed by 123.30.187.17
Dec 11 00:50:24 sshd[614]: Invalid user 71.246.205.123 from 123.30.187.17
Dec 11 00:50:24 sshd[614]: Address 123.30.187.17 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 11 00:50:24 sshd[618]: input_userauth_request: invalid user 71.246.205.123
Dec 11 00:50:24 sshd[614]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 00:50:24 sshd[614]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.30.187.17
Dec 11 00:50:24 sshd[614]: pam_succeed_if(sshd:auth): error retrieving information about user 71.246.205.123
Dec 11 00:50:26 sshd[614]: Failed password for invalid user 71.246.205.123 from 123.30.187.17 port 53804 ssh2
Dec 11 00:50:26 sshd[618]: Connection closed by 123.30.187.17
Dec 11 01:24:55 sshd[5986]: Invalid user 71.246.230.158 from 123.30.187.17
Dec 11 01:24:55 sshd[5986]: Address 123.30.187.17 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 11 01:24:55 sshd[5990]: input_userauth_request: invalid user 71.246.230.158
Dec 11 01:24:55 sshd[5986]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 01:24:55 sshd[5986]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.30.187.17
Dec 11 01:24:55 sshd[5986]: pam_succeed_if(sshd:auth): error retrieving information about user 71.246.230.158
Dec 11 01:24:56 sshd[5986]: Failed password for invalid user 71.246.230.158 from 123.30.187.17 port 57926 ssh2
Dec 11 01:24:56 sshd[5990]: Connection closed by 123.30.187.17
Dec 11 01:59:26 sshd[11174]: Invalid user 71.248.109.200 from 123.30.187.17
Dec 11 01:59:26 sshd[11174]: Address 123.30.187.17 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 11 01:59:26 sshd[11178]: input_userauth_request: invalid user 71.248.109.200
Dec 11 01:59:26 sshd[11174]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 01:59:26 sshd[11174]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.30.187.17
Dec 11 01:59:26 sshd[11174]: pam_succeed_if(sshd:auth): error retrieving information about user 71.248.109.200
Dec 11 01:59:28 sshd[11174]: Failed password for invalid user 71.248.109.200 from 123.30.187.17 port 43797 ssh2
Dec 11 01:59:28 sshd[11178]: Connection closed by 123.30.187.17
Dec 11 02:33:57 sshd[17227]: Invalid user 71.249.139.77 from 123.30.187.17
Dec 11 02:33:57 sshd[17227]: Address 123.30.187.17 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 11 02:33:57 sshd[17231]: input_userauth_request: invalid user 71.249.139.77
Dec 11 02:33:57 sshd[17227]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 02:33:57 sshd[17227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.30.187.17
Dec 11 02:33:57 sshd[17227]: pam_succeed_if(sshd:auth): error retrieving information about user 71.249.139.77
Dec 11 02:33:59 sshd[17227]: Failed password for invalid user 71.249.139.77 from 123.30.187.17 port 44497 ssh2
Dec 11 02:33:59 sshd[17231]: Connection closed by 123.30.187.17

Thanks,
Kevin
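
Added example (not part of either message): a Python check that scans sshd log text for "Invalid user" entries whose username parses as an IP address, grouped by source, with the spacing between attempts. The names `ip_usernames` and `is_ip` and the `year` parameter are hypothetical; syslog timestamps carry no year, so the default is taken from the message date.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the log quoted above, plus one constructed line (user
# "oracle" from 203.0.113.9) to show that an ordinary guess is not flagged.
SAMPLE_LOG = """\
Dec 11 00:50:24 sshd[614]: Invalid user 71.246.205.123 from 123.30.187.17
Dec 11 00:50:26 sshd[614]: Failed password for invalid user 71.246.205.123 from 123.30.187.17 port 53804 ssh2
Dec 11 01:02:03 sshd[700]: Invalid user oracle from 203.0.113.9
Dec 11 01:24:55 sshd[5986]: Invalid user 71.246.230.158 from 123.30.187.17
Dec 11 01:59:26 sshd[11174]: Invalid user 71.248.109.200 from 123.30.187.17
Dec 11 02:33:57 sshd[17227]: Invalid user 71.249.139.77 from 123.30.187.17
"""

# Match only the "Invalid user" line, so the "Failed password" line for the
# same attempt is not counted twice. Hostname field and " port N" are optional.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?:\S+ )?sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<src>\S+)(?: port \d+)?\s*$")

def is_ip(text):
    """True if text is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def ip_usernames(log_text, year=2014):
    """Map source -> usernames that are IP addresses, and seconds between tries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if m and is_ip(m["user"]):
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["src"]].append((when, m["user"]))
    report = {}
    for src, events in hits.items():
        events.sort()
        times = [t for t, _ in events]
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[src] = {"users": [u for _, u in events], "gaps": gaps}
    return report

if __name__ == "__main__":
    for src, info in ip_usernames(SAMPLE_LOG).items():
        print(src, info["users"], "gaps (s):", info["gaps"])
```

On the sample, every gap is 2071 seconds, so a lockout rule that counts failures within a window of a few minutes would never see more than one attempt from this source.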