Re: SSH attacks?

["Brian C. Lane" <bcl () brianlane com>]

On Wed, Jul 28, 2004 at 08:22:24PM -0400, Andrew J Caines wrote:
> FWIW, here's what I've seen on my single IP cable connection:
>
> Jul 17 04:54:46 test  129.194.21.5
> Jul 17 04:54:47 guest 129.194.21.5
> Jul 22 04:38:49 test  61.237.13.234
> Jul 22 04:38:52 guest 61.237.13.234
> Jul 23 10:55:46 test  61.109.156.5
> Jul 23 10:55:49 guest 61.109.156.5
> Jul 24 19:40:48 test  202.6.75.195
> Jul 24 19:40:50 guest 202.6.75.195
> Jul 24 20:24:31 test  69.0.134.72
> Jul 24 20:24:31 guest 69.0.134.72
> Jul 24 20:24:32 admin 69.0.134.72
> Jul 24 20:24:33 admin 69.0.134.72
> Jul 24 20:24:34 user  69.0.134.72
> Jul 24 20:24:37 test  69.0.134.72
> Jul 25 02:51:10 test  211.202.3.148
> Jul 25 02:51:12 guest 211.202.3.148
> Jul 25 16:30:34 test  219.234.216.150
> Jul 25 16:30:37 guest 219.234.216.150
> Jul 27 16:12:08 test  210.92.210.67
> Jul 27 16:12:10 guest 210.92.210.67
> Jul 28 11:52:43 test  65.61.98.16
> Jul 28 11:52:45 guest 65.61.98.16

Here's my list from the last week or so. 

130.15.15.239
140.130.211.13
200.217.168.82
202.141.1.28
204.17.205.2
207.172.87.38
207.44.154.9
207.44.192.71
210.212.218.35
210.92.210.67
218.237.66.152
24.113.79.8
61.107.176.163
62.100.21.188
62.117.99.83
62.129.173.135
62.183.28.116
62.67.45.4
65.102.152.64

Generated with:

grep sshd messages* | grep Illegal | awk '{print $10}' | sort -u

The 'NOUSER' error is normal, not something odd as I previously suspected. It
happens for any unknown user that tries to log in.

I haven't checked any of the scanners to see if they have been cracked. If
anyone else has, do they have insecure test/guest account on them? test and
guest are not standard account on any current Linux distribution that I am
aware of.

Brian

-- 
---[Office 77.7F]--[Fridge 42.4F]---[Fozzy 98.6F]--[Coaster 77.8F]---
Linux Software Developer                     http://www.brianlane.com

Attachment: _bin
Description: