Re: SSH scans...

[Keith Morgan <keith.morgan () terradon com>]

I tried to report similar incidents to this list about a month ago, but
my posts weren't acted upon, and eventually auto-rejected.  Don't know
if this was a planned "list closure" or if someone was asleep at the
wheel.

I digress.

We've been seeing an increase across multiple networks of brute force
attacks against common usernames for about three months now.  I don't
have a feel for the rate of attacks off the top of my head, but the
scans tend to attack sequential IP's.


On Mon, 2004-12-20 at 10:21 -0500, Dejan Markovic wrote:
> Hi Guys,
>
> Don't know whether this is the right list, but need to ask if others have
> the same entries in their logs for the past number of months. Let me take a
> step back, I maintain a number of networks on different IP ranges and they
> are all being probed by what looks like a tool, or maybe it is the same
> group/script. The originating computers range from open proxies to owned
> boxes and there are two distinct patterns I've seen so far. The following
> scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
> caught my attention the first time a while back, and still getting the same
> scans on a daily basis:
>
> account/password    from 210.245.168.28: 1 Time(s)
> adam/password    from 210.245.168.28: 1 Time(s)
> adm/password    from 210.245.168.28: 2 Time(s)
> alan/password    from 210.245.168.28: 1 Time(s)
> apache/password    from 210.245.168.28: 1 Time(s)
> backup/password    from 210.245.168.28: 1 Time(s)
> cip51/password    from 210.245.168.28: 1 Time(s)
> cip52/password    from 210.245.168.28: 1 Time(s)
> cosmin/password    from 210.245.168.28: 1 Time(s)
> cyrus/password    from 210.245.168.28: 1 Time(s)
> data/password    from 210.245.168.28: 1 Time(s)
> frank/password    from 210.245.168.28: 1 Time(s)
> george/password    from 210.245.168.28: 1 Time(s)
> henry/password    from 210.245.168.28: 1 Time(s)
> horde/password    from 210.245.168.28: 1 Time(s)
> iceuser/password    from 210.245.168.28: 1 Time(s)
> irc/password    from 210.245.168.28: 2 Time(s)
> jane/password    from 210.245.168.28: 1 Time(s)
> john/password    from 210.245.168.28: 1 Time(s)
> master/password    from 210.245.168.28: 1 Time(s)
> matt/password    from 210.245.168.28: 1 Time(s)
> mysql/password    from 210.245.168.28: 1 Time(s)
> nobody/password    from 210.245.168.28: 1 Time(s)
> noc/password    from 210.245.168.28: 1 Time(s)
> operator/password    from 210.245.168.28: 1 Time(s)
> oracle/password    from 210.245.168.28: 1 Time(s)
> pamela/password    from 210.245.168.28: 1 Time(s)
> patrick/password    from 210.245.168.28: 2 Time(s)
> rolo/password    from 210.245.168.28: 1 Time(s)
> root/password    from 210.245.168.28: 59 Time(s)
> server/password    from 210.245.168.28: 1 Time(s)
> sybase/password    from 210.245.168.28: 1 Time(s)
> test/password    from 210.245.168.28: 5 Time(s)
> user/password    from 210.245.168.28: 3 Time(s)
> web/password    from 210.245.168.28: 2 Time(s)
> webmaster/password    from 210.245.168.28: 1 Time(s)
> www-data/password    from 210.245.168.28: 1 Time(s)
> www/password    from 210.245.168.28: 1 Time(s)
> wwwrun/password    from 210.245.168.28: 1 Time(s)
>
> Regards,
> Dan
-- 

Why yes!  I am using Linux in your windows environment!

Keith T. Morgan
Terradon Communications Group
**************************************************************************************************
The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or  the 
sender immediately and do not disclose the contents to anyone or make copies.

** this message has been scanned for viruses, vandals and malicious content **
**************************************************************************************************