Security Incidents mailing list archives

Re: SSH attacks?

From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 27 Jul 2004 13:15:30 -0500

--On Tuesday, July 27, 2004 10:59:07 AM +1200 Robin <robin () kallisti net nz>wrote:


While looking through the logs after someone ran over my system with
Nessus, I  noticed some odd ones from sshd (that don't seem to be related
to the nessus  scan):
Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow
information  for NOUSER

Does anyone know why this would appear all of a sudden?

Yes. These are compromised hosts that are being used to probe forvulnerable versions of sshd. The login is irrelevant. The banner tellsthey what they need to know.


You're not alone.  We're seeing them regularly.  And reporting them.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

Current thread:

Re: SSH attacks?, (continued)
- - - Re: SSH attacks? Merlijn Tishauser (Jul 30)
- Re: SSH attacks? Tom Laermans (Jul 27)
- Re: SSH attacks? buzz (Jul 27)
  - Re: SSH attacks? Jyri Hovila (Jul 29)
    - Re: SSH attacks? Chris Brenton (Jul 29)
    - Re: SSH attacks? Valdis . Kletnieks (Jul 30)
    - Re: SSH attacks? Thomas Hochstein (Jul 30)
    - Re: SSH attacks? Matt Beland (Jul 30)
  - Re: SSH attacks? Jyri Hovila (Jul 29)
- Re: SSH attacks? Jason Falciola (Jul 27)
- Re: SSH attacks? Paul Schmehl (Jul 27)
- Re: SSH attacks? brandy (Jul 28)
  - Re: SSH attacks? Andrew J Caines (Jul 29)
    - Re: SSH attacks? Marcus Merrin (Jul 29)
    - Re: SSH attacks? Robin (Jul 30)
    - RE: SSH attacks? Herman Frederick Ebeling Jr. (Jul 30)
    - Re: SSH attacks? Brian C. Lane (Jul 30)
  - Re: SSH attacks? Mike Whitley (Jul 29)
- Re: SSH attacks? David Block (Jul 29)
- Re: SSH attacks? Bulgaro (Jul 29)
  - Re: SSH attacks? John Bossert (Jul 30)

(Thread continues...)