Full Disclosure mailing list archives
Re: Automated SSH login attempts?
From: Harry Hoffman <hhoffman () ip-solutions net>
Date: Sun, 25 Jul 2004 17:19:04 -0400
Jay,

Seeing these attempts on both work and home systems.

HTH,
Harry

Jay Libove wrote:

[ Posted to full disclosure and vulnwatch; please edit reply address(es) as appropriate. Thanks. -Jay ]

My Linux system, and a Linux system run by a friend here in the same city but on a completely different netblock (different ISP), have both seen apparently automated attempts to log in to our systems via SSH in the past few days. Looks like a script. Here are some log entries from my system:

Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 62.67.45.4
Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 62.67.45.4 port 39192 ssh2
Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 62.67.45.4
Jul 15 10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from 62.67.45.4 port 39234 ssh2
Jul 15 10:01:38 panther6 sshd[8273]: Illegal user user from 62.67.45.4
Jul 15 10:01:38 panther6 sshd[8273]: Failed password for illegal user user from 62.67.45.4 port 39275 ssh2
Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 62.67.45.4 port 39340 ssh2
Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 62.67.45.4 port 39386 ssh2
Jul 15 10:44:12 panther6 sshd[8300]: Illegal user test from 62.67.45.4
Jul 15 10:44:12 panther6 sshd[8300]: Failed password for illegal user test from 62.67.45.4 port 33771 ssh2
Jul 15 10:44:14 panther6 sshd[8302]: Illegal user guest from 62.67.45.4
Jul 15 10:44:14 panther6 sshd[8302]: Failed password for illegal user guest from 62.67.45.4 port 33828 ssh2
Jul 15 10:44:15 panther6 sshd[8304]: Illegal user admin from 62.67.45.4
Jul 15 10:44:15 panther6 sshd[8304]: Failed password for illegal user admin from 62.67.45.4 port 33876 ssh2
Jul 15 10:44:16 panther6 sshd[8306]: Illegal user user from 62.67.45.4
Jul 15 10:44:16 panther6 sshd[8306]: Failed password for illegal user user from 62.67.45.4 port 33916 ssh2
Jul 15 10:44:17 panther6 sshd[8308]: Failed password for root from 62.67.45.4 port 33988 ssh2
Jul 15 10:44:19 panther6 sshd[8310]: Failed password for root from 62.67.45.4 port 34032 ssh2
Jul 15 17:07:15 panther6 sshd[8912]: Illegal user test from 131.234.36.152
Jul 15 17:07:15 panther6 sshd[8912]: Failed password for illegal user test from 131.234.36.152 port 38287 ssh2
Jul 15 17:07:16 panther6 sshd[8914]: Illegal user guest from 131.234.36.152
Jul 15 17:07:16 panther6 sshd[8914]: Failed password for illegal user guest from 131.234.36.152 port 38326 ssh2
Jul 15 17:07:18 panther6 sshd[8916]: Illegal user admin from 131.234.36.152
Jul 15 17:07:18 panther6 sshd[8916]: Failed password for illegal user admin from 131.234.36.152 port 38370 ssh2
Jul 15 17:07:19 panther6 sshd[8918]: Illegal user admin from 131.234.36.152
Jul 15 17:07:19 panther6 sshd[8918]: Failed password for illegal user admin from 131.234.36.152 port 38412 ssh2
Jul 15 17:07:21 panther6 sshd[8920]: Illegal user user from 131.234.36.152
Jul 15 17:07:21 panther6 sshd[8920]: Failed password for illegal user user from 131.234.36.152 port 38468 ssh2
Jul 15 17:07:22 panther6 sshd[8922]: Failed password for root from 131.234.36.152 port 38516 ssh2
Jul 15 17:07:23 panther6 sshd[8924]: Failed password for root from 131.234.36.152 port 38558 ssh2
Jul 15 17:07:25 panther6 sshd[8926]: Failed password for root from 131.234.36.152 port 38611 ssh2
Jul 15 17:07:26 panther6 sshd[8928]: Illegal user test from 131.234.36.152
Jul 15 17:07:26 panther6 sshd[8928]: Failed password for illegal user test from 131.234.36.152 port 38675 ssh2
Jul 19 22:05:07 panther6 sshd[30439]: Illegal user test from 83.103.27.66
Jul 19 22:05:07 panther6 sshd[30439]: Failed password for illegal user test from 83.103.27.66 port 52671 ssh2
Jul 19 22:05:08 panther6 sshd[30441]: Illegal user guest from 83.103.27.66
Jul 19 22:05:08 panther6 sshd[30441]: Failed password for illegal user guest from 83.103.27.66 port 52687 ssh2
Jul 21 06:30:12 panther6 sshd[1103]: Illegal user test from 219.103.193.130
Jul 21 06:30:12 panther6 sshd[1103]: Failed password for illegal user test from 219.103.193.130 port 55802 ssh2
Jul 21 06:30:14 panther6 sshd[1105]: Illegal user guest from 219.103.193.130
Jul 21 06:30:14 panther6 sshd[1105]: Failed password for illegal user guest from 219.103.193.130 port 55823 ssh2

.. and some log entries from my friend's system:

Jul 19 21:04:33 quack sshd[28379]: Illegal user test from 131.234.157.10
Jul 19 21:04:34 quack sshd[28381]: Illegal user guest from 131.234.157.10
Jul 19 21:04:36 quack sshd[28383]: Illegal user admin from 131.234.157.10
Jul 19 21:04:37 quack sshd[28385]: Illegal user admin from 131.234.157.10
Jul 19 21:04:38 quack sshd[28387]: Illegal user user from 131.234.157.10
Jul 19 21:04:43 quack sshd[28400]: Illegal user test from 131.234.157.10
Jul 22 09:39:10 quack sshd[7646]: Illegal user test from 156.17.99.11
Jul 22 09:39:11 quack sshd[7648]: Illegal user guest from 156.17.99.11

I have not seen any notes about this on the vulnerability discussion lists. Has anyone else noticed it? What specific vulnerability (or default password?) is this looking for?

-Jay Libove, CISSP
libove () felines org
Atlanta, GA US

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
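The following is an added example, not part of the original thread: a small detector that groups the sshd lines quoted above by source address and flags bursts that cycle through several account names, which is the pattern the poster describes as looking like a script. The function names, the 60-second gap and the three-username threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines copied from the log excerpt quoted in the post above.
SAMPLE = """\
Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 62.67.45.4
Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 62.67.45.4
Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 62.67.45.4 port 39340 ssh2
Jul 15 10:44:12 panther6 sshd[8300]: Illegal user test from 62.67.45.4
Jul 21 06:30:12 panther6 sshd[1103]: Illegal user test from 219.103.193.130
Jul 21 06:30:14 panther6 sshd[1105]: Illegal user guest from 219.103.193.130
"""

# Matches both message forms in the excerpt; one login attempt can emit both.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Illegal user|Failed password for(?: illegal user)?) "
    r"(?P<user>\S+) from (?P<ip>[\d.]+)")

def parse(text, year=2004):
    """Yield (time, ip, user) once per attempt; syslog lines carry no year."""
    seen = set()
    for line in text.splitlines():
        m = LINE.match(line)
        key = m and (m["pid"], m["ip"], m["user"])
        if not m or key in seen:  # skip noise and the paired second line
            continue
        seen.add(key)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def bursts(text, gap=timedelta(seconds=60), min_users=3):
    """Split each source's attempts into bursts; return those trying many names."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(parse(text)):
        runs = by_ip[ip]
        if runs and ts - runs[-1][-1][0] <= gap:
            runs[-1].append((ts, user))   # continues the current burst
        else:
            runs.append([(ts, user)])     # quiet period: start a new burst
    return [(ip, run[0][0], [u for _, u in run])
            for ip, runs in by_ip.items() for run in runs
            if len({u for _, u in run}) >= min_users]
```

Later OpenSSH releases log "Invalid user" rather than "Illegal user", so the pattern needs that alternative added before it is run against current logs.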