Security Incidents mailing list archives

Strange authentication attempts


From: John Narron <zeek () cdsinet net>
Date: 30 Mar 2004 16:41:53 -0000



I woke up to find these entries in my RADIUS log file:

Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/system] (from nas xxxx/S99)
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/password admin] (from nas xxxx/S99)
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/13370n3z] (from nas xxxx/S99)
Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/fawkoffsz] (from nas xxxx/S99)
Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/save] (from nas xxxx/S99)

(S99 being the "telnet" port for Livingston Portmasters)

Just to cover the bases, I also checked our TACACS+ server:

Tue Mar 30 10:26:00 2004   xxxx tty3    82.41.104.193   system          rejected        login
Tue Mar 30 10:26:02 2004   xxxx tty2    82.41.104.193   config          rejected        login
Tue Mar 30 10:26:05 2004   xxxx tty3    82.41.104.193   13370n3z        rejected        login
Tue Mar 30 10:26:06 2004   xxxx tty2    82.41.104.193   password admin  rejected        login
Tue Mar 30 10:26:08 2004   xxxx tty2    82.41.104.193   config          rejected        login
Tue Mar 30 10:26:09 2004   xxxx tty3    82.41.104.193   config          rejected        login
Tue Mar 30 10:26:10 2004   xxxx tty4    82.41.104.193   config          rejected        login
Tue Mar 30 10:26:11 2004   xxxx tty5    82.41.104.193   config          rejected        login
Tue Mar 30 10:26:12 2004   xxxx tty6    82.41.104.193   config          rejected        login
Tue Mar 30 10:26:13 2004   xxxx tty2    82.41.104.193   password admin  rejected        login

The IP address listed there is the sender of such bad requests, and it's not the only one.  The TACACS+ server has shown the following IPs attempting to log on:

82.41.104.193
82.65.148.223
80.117.241.24
195.220.120.198
82.255.146.205
82.39.50.12
200.64.30.164

The first recorded attempt was at Tue Mar 30 09:46:53 2004

Anyone else seeing these pop up?

John Narron            | "Sacrifice, they always say
Network Administration |  Is a sign of nobility
CDS/CDSinet, LLC       |  But where does one draw the line
http://www.cdsinet.net |  In the face of injury?"
(660) 886 4045         |     - Queensryche
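
An added example, not part of the original post: one way to triage a TACACS+ log in the layout shown above, grouping rejected logins by source address and measuring how tightly they cluster in time. The function names, the threshold and the window are assumptions, and the column layout is inferred only from the excerpt in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the TACACS+ excerpt in the post above.
SAMPLE = """\
Tue Mar 30 10:26:00 2004   xxxx tty3    82.41.104.193   system          rejected        login
Tue Mar 30 10:26:02 2004   xxxx tty2    82.41.104.193   config          rejected        login
Tue Mar 30 10:26:05 2004   xxxx tty3    82.41.104.193   13370n3z        rejected        login
Tue Mar 30 10:26:06 2004   xxxx tty2    82.41.104.193   password admin  rejected        login
Tue Mar 30 10:26:13 2004   xxxx tty2    82.41.104.193   password admin  rejected        login
"""

# Assumption: columns are split by tabs or runs of 2+ spaces. A single space
# can occur inside a field ("password admin"), so str.split() would be wrong.
FIELD_SEP = re.compile(r"\t+| {2,}")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    parts = FIELD_SEP.split(line.strip())
    if len(parts) != 6:
        return None
    stamp, nas_port, src, user, status, action = parts
    nas, _, port = nas_port.partition(" ")
    try:
        when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return {"when": when, "nas": nas, "port": port, "src": src,
            "user": user, "status": status, "action": action}

def summarize(lines, threshold=5, window=60):
    """Per source: rejected count, names tried, largest burst within `window` seconds."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "rejected":
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        times = sorted(r["when"] for r in recs)
        best = start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        report[src] = {"rejected": len(recs), "max_burst": best,
                       "usernames": sorted({r["user"] for r in recs}),
                       "ports": sorted({r["port"] for r in recs}),
                       "flagged": best >= threshold}
    return report
```

Calling `summarize(SAMPLE.splitlines())` returns one entry per source address; attempts that arrive seconds apart across several ttys with command-like usernames show up as a high `max_burst` with a small `usernames` set.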
