Security Incidents mailing list archives
Re: SSH scans...
From: Keith Morgan <keith.morgan () terradon com>
Date: Mon, 20 Dec 2004 11:19:39 -0500
I tried to report similar incidents to this list about a month ago, but my posts weren't acted upon, and eventually auto-rejected. Don't know if this was a planned "list closure" or if someone was asleep at the wheel. I digress. We've been seeing an increase across multiple networks of brute force attacks against common usernames for about three months now. I don't have a feel for the rate of attacks off the top of my head, but the scans tend to attack sequential IP's. On Mon, 2004-12-20 at 10:21 -0500, Dejan Markovic wrote:
Hi Guys, Don't know whether this is the right list, but need to ask if others have the same entries in their logs for the past number of months. Let me take a step back, I maintain a number of networks on different IP ranges and they are all being probed by what looks like a tool, or maybe it is the same group/script. The originating computers range from open proxies to owned boxes and there are two distinct patterns I've seen so far. The following scan is a recent example where the root/password from x.x.x.x: 59 Time(s) caught my attention the first time a while back, and still getting the same scans on a daily basis: account/password from 210.245.168.28: 1 Time(s) adam/password from 210.245.168.28: 1 Time(s) adm/password from 210.245.168.28: 2 Time(s) alan/password from 210.245.168.28: 1 Time(s) apache/password from 210.245.168.28: 1 Time(s) backup/password from 210.245.168.28: 1 Time(s) cip51/password from 210.245.168.28: 1 Time(s) cip52/password from 210.245.168.28: 1 Time(s) cosmin/password from 210.245.168.28: 1 Time(s) cyrus/password from 210.245.168.28: 1 Time(s) data/password from 210.245.168.28: 1 Time(s) frank/password from 210.245.168.28: 1 Time(s) george/password from 210.245.168.28: 1 Time(s) henry/password from 210.245.168.28: 1 Time(s) horde/password from 210.245.168.28: 1 Time(s) iceuser/password from 210.245.168.28: 1 Time(s) irc/password from 210.245.168.28: 2 Time(s) jane/password from 210.245.168.28: 1 Time(s) john/password from 210.245.168.28: 1 Time(s) master/password from 210.245.168.28: 1 Time(s) matt/password from 210.245.168.28: 1 Time(s) mysql/password from 210.245.168.28: 1 Time(s) nobody/password from 210.245.168.28: 1 Time(s) noc/password from 210.245.168.28: 1 Time(s) operator/password from 210.245.168.28: 1 Time(s) oracle/password from 210.245.168.28: 1 Time(s) pamela/password from 210.245.168.28: 1 Time(s) patrick/password from 210.245.168.28: 2 Time(s) rolo/password from 210.245.168.28: 1 Time(s) root/password from 210.245.168.28: 59 Time(s) server/password from 210.245.168.28: 1 Time(s) sybase/password from 210.245.168.28: 1 Time(s) test/password from 210.245.168.28: 5 Time(s) user/password from 210.245.168.28: 3 Time(s) web/password from 210.245.168.28: 2 Time(s) webmaster/password from 210.245.168.28: 1 Time(s) www-data/password from 210.245.168.28: 1 Time(s) www/password from 210.245.168.28: 1 Time(s) wwwrun/password from 210.245.168.28: 1 Time(s) Regards, Dan
-- Why yes! I am using Linux in your windows environment! Keith T. Morgan Terradon Communications Group ************************************************************************************************** The contents of this email and any attachments are confidential. It is intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies. ** this message has been scanned for viruses, vandals and malicious content ** **************************************************************************************************
Current thread:
- SSH scans... Dejan Markovic (Dec 20)
- Re: SSH scans... Harald Nesland (Dec 20)
- RE: SSH scans... another possible solution Ron Moore (Dec 20)
- Re: SSH scans... Dejan Markovic (Dec 20)
- Re: SSH scans... Barrie Dempster (Dec 20)
- Re: [incidents] SSH scans... Tim Kennedy (Dec 20)
- Message not available
- Re: [incidents] SSH scans... Tim Kennedy (Dec 20)
- Message not available
- Re: SSH scans... Harald Nesland (Dec 20)
- Re: SSH scans... Keith Morgan (Dec 20)
- Re: SSH scans... Gerry Dalton (Dec 20)
- Re: SSH scans... Peter Willis (Dec 20)
- Re: SSH scans... skippy1 (Dec 21)
- Re: SSH scans... Peter Willis (Dec 20)
- Re: SSH scans... Raymond Lillard (Dec 20)
- Re: SSH scans... Ben Nelson (Dec 20)
- Re: SSH scans... Steve Kemp (Dec 20)
- RE: SSH scans... KEM Hosting (Dec 21)
- Re: SSH scans... Michael H. Warfield (Dec 21)
- Re: SSH scans... nixsec (Dec 22)
- Re: SSH scans... Dejan Markovic (Dec 22)