Security Incidents mailing list archives
Re: SSH attacks?
From: Marcus Merrin <marcus.merrin () emptyair com>
Date: Thu, 29 Jul 2004 14:22:25 -0300
I saw the same thing about a month ago, only the selection of usernames was much wider, including graceland, metro, elvis, matrix and many more including guest and test. It was traced to a host in Japan but I haven't heard back from them if any action was taken. Maybe the current wave is a cut-down version of a more comprehensive tool? Attacks on my client's servers went on for about an hour at a time.
Andrew J Caines wrote:
FWIW, here's what I've seen on my single IP cable connection:

Jul 17 04:54:46 test 129.194.21.5
Jul 17 04:54:47 guest 129.194.21.5
Jul 22 04:38:49 test 61.237.13.234
Jul 22 04:38:52 guest 61.237.13.234
Jul 23 10:55:46 test 61.109.156.5
Jul 23 10:55:49 guest 61.109.156.5
Jul 24 19:40:48 test 202.6.75.195
Jul 24 19:40:50 guest 202.6.75.195
Jul 24 20:24:31 test 69.0.134.72
Jul 24 20:24:31 guest 69.0.134.72
Jul 24 20:24:32 admin 69.0.134.72
Jul 24 20:24:33 admin 69.0.134.72
Jul 24 20:24:34 user 69.0.134.72
Jul 24 20:24:37 test 69.0.134.72
Jul 25 02:51:10 test 211.202.3.148
Jul 25 02:51:12 guest 211.202.3.148
Jul 25 16:30:34 test 219.234.216.150
Jul 25 16:30:37 guest 219.234.216.150
Jul 27 16:12:08 test 210.92.210.67
Jul 27 16:12:10 guest 210.92.210.67
Jul 28 11:52:43 test 65.61.98.16
Jul 28 11:52:45 guest 65.61.98.16

The timing and distribution of userids indicates to me that this is more than a simple probe for vulnerable SSH servers.
--
Marcus Merrin PhD.
EmptyAir Consulting
marcus.merrin () emptyair com
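The pattern discussed in this message, several generic usernames tried from one source within seconds, can be pulled out of a log in the quoted "date time user source" layout. This is an added example, not part of the original posts; the sample lines are constructed, and the assumed year, the 10-second gap and the function names are illustrative choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the "date time user source" layout of the quoted log;
# addresses are from the documentation ranges, not from the thread.
SAMPLE = """\
Jul 17 04:54:46 test 192.0.2.10
Jul 17 04:54:47 guest 192.0.2.10
Jul 24 20:24:31 test 198.51.100.7
Jul 24 20:24:31 guest 198.51.100.7
Jul 24 20:24:32 admin 198.51.100.7
Jul 24 20:24:34 user 198.51.100.7
Jul 26 09:00:00 alice 203.0.113.5
"""

def parse(text, year=2004):
    """Yield (timestamp, user, source); the log has no year, so one is assumed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that are not in the expected layout
        mon, day, clock, user, src = parts
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield ts, user, src

def find_bursts(events, window=timedelta(seconds=10), min_users=2):
    """Split each source's attempts into bursts; keep bursts trying several usernames."""
    by_src = defaultdict(list)
    for ts, user, src in sorted(events):
        by_src[src].append((ts, user))
    bursts = []
    for src, attempts in by_src.items():
        current = [attempts[0]]
        for prev, nxt in zip(attempts, attempts[1:]):
            if nxt[0] - prev[0] <= window:
                current.append(nxt)      # same burst: gap is within the window
            else:
                bursts.append((src, current))
                current = [nxt]          # gap too long: start a new burst
        bursts.append((src, current))
    return [
        {"source": src, "start": b[0][0], "attempts": len(b),
         "users": sorted({u for _, u in b})}
        for src, b in bursts if len({u for _, u in b}) >= min_users
    ]

if __name__ == "__main__":
    for burst in find_bursts(parse(SAMPLE)):
        print(burst)
```

A single failed login for one account, like the last sample line, is not reported; only bursts that cycle through multiple account names are.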