Security Incidents mailing list archives
Re: SSH scans...
From: "Dejan Markovic" <dejanmarkovic () hotmail com>
Date: Wed, 22 Dec 2004 10:15:46 -0500
Hi Paulo, Just replied to Brian, he wrote a code called timelox, it's been posted on the list, I'll check it out later when I get a chance, but seems to do just that. Talk to you later. Thanks, Regards, Dan ----- Original Message ----- From: "nixsec" <nixsec () area66 org> To: "Dejan Markovic" <dejanmarkovic () hotmail com> Cc: <INCIDENTS () securityfocus com> Sent: Tuesday, December 21, 2004 5:46 PM Subject: Re: SSH scans... I have gotten these attacks before and did some research on it, its a SSH bruteforce program released a few months ago that can be located at: http://www.k-otik.com/exploits/08202004.brutessh2.c.php Something that would be nice is some feature in ssh that would only allow 3 login atempts from 1 IP, if they get it wrong 3 times to automaticly block any connections from that ip. Paulo Ferreira. Dejan Markovic wrote:
Hi Guys, Don't know whether this is the right list, but need to ask if others have the same entries in their logs for the past number of months. Let me take a step back, I maintain a number of networks on different IP ranges and they are all being probed by what looks like a tool, or maybe it is the same group/script. The originating computers range from open proxies to owned boxes and there are two distinct patterns I've seen so far. The following scan is a recent example where the root/password from x.x.x.x: 59 Time(s) caught my attention the first time a while back, and still getting the same scans on a daily basis: account/password from 210.245.168.28: 1 Time(s) adam/password from 210.245.168.28: 1 Time(s) adm/password from 210.245.168.28: 2 Time(s) alan/password from 210.245.168.28: 1 Time(s) apache/password from 210.245.168.28: 1 Time(s) backup/password from 210.245.168.28: 1 Time(s) cip51/password from 210.245.168.28: 1 Time(s) cip52/password from 210.245.168.28: 1 Time(s) cosmin/password from 210.245.168.28: 1 Time(s) cyrus/password from 210.245.168.28: 1 Time(s) data/password from 210.245.168.28: 1 Time(s) frank/password from 210.245.168.28: 1 Time(s) george/password from 210.245.168.28: 1 Time(s) henry/password from 210.245.168.28: 1 Time(s) horde/password from 210.245.168.28: 1 Time(s) iceuser/password from 210.245.168.28: 1 Time(s) irc/password from 210.245.168.28: 2 Time(s) jane/password from 210.245.168.28: 1 Time(s) john/password from 210.245.168.28: 1 Time(s) master/password from 210.245.168.28: 1 Time(s) matt/password from 210.245.168.28: 1 Time(s) mysql/password from 210.245.168.28: 1 Time(s) nobody/password from 210.245.168.28: 1 Time(s) noc/password from 210.245.168.28: 1 Time(s) operator/password from 210.245.168.28: 1 Time(s) oracle/password from 210.245.168.28: 1 Time(s) pamela/password from 210.245.168.28: 1 Time(s) patrick/password from 210.245.168.28: 2 Time(s) rolo/password from 210.245.168.28: 1 Time(s) root/password from 210.245.168.28: 59 Time(s) server/password from 210.245.168.28: 1 Time(s) sybase/password from 210.245.168.28: 1 Time(s) test/password from 210.245.168.28: 5 Time(s) user/password from 210.245.168.28: 3 Time(s) web/password from 210.245.168.28: 2 Time(s) webmaster/password from 210.245.168.28: 1 Time(s) www-data/password from 210.245.168.28: 1 Time(s) www/password from 210.245.168.28: 1 Time(s) wwwrun/password from 210.245.168.28: 1 Time(s) Regards, Dan
Current thread:
- Re: SSH scans..., (continued)
- Re: SSH scans... Keith Morgan (Dec 20)
- Re: SSH scans... Gerry Dalton (Dec 20)
- Re: SSH scans... Peter Willis (Dec 20)
- Re: SSH scans... skippy1 (Dec 21)
- Re: SSH scans... Peter Willis (Dec 20)
- Re: SSH scans... Raymond Lillard (Dec 20)
- Re: SSH scans... Ben Nelson (Dec 20)
- Re: SSH scans... Steve Kemp (Dec 20)
- RE: SSH scans... KEM Hosting (Dec 21)
- Re: SSH scans... Michael H. Warfield (Dec 21)
- Re: SSH scans... nixsec (Dec 22)
- Re: SSH scans... Dejan Markovic (Dec 22)
- re: SSH scans... brian () ethernet org (Dec 21)
- re: SSH scans... Kerry Thompson (Dec 22)