Security Incidents mailing list archives
Strange authentication attempts
From: John Narron <zeek () cdsinet net>
Date: 30 Mar 2004 16:41:53 -0000
I woke up to find these entries in my RADIUS log file:

Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/system] (from nas xxxx/S99)
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/password admin] (from nas xxxx/S99)
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/13370n3z] (from nas xxxx/S99)
Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/fawkoffsz] (from nas xxxx/S99)
Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/save] (from nas xxxx/S99)

(S99 being the "telnet" port for Livingston Portmasters)

Just to cover the bases, I also checked our TACACS+ server:

Tue Mar 30 10:26:00 2004 xxxx tty3 82.41.104.193 system rejected login
Tue Mar 30 10:26:02 2004 xxxx tty2 82.41.104.193 config rejected login
Tue Mar 30 10:26:05 2004 xxxx tty3 82.41.104.193 13370n3z rejected login
Tue Mar 30 10:26:06 2004 xxxx tty2 82.41.104.193 password admin rejected login
Tue Mar 30 10:26:08 2004 xxxx tty2 82.41.104.193 config rejected login
Tue Mar 30 10:26:09 2004 xxxx tty3 82.41.104.193 config rejected login
Tue Mar 30 10:26:10 2004 xxxx tty4 82.41.104.193 config rejected login
Tue Mar 30 10:26:11 2004 xxxx tty5 82.41.104.193 config rejected login
Tue Mar 30 10:26:12 2004 xxxx tty6 82.41.104.193 config rejected login
Tue Mar 30 10:26:13 2004 xxxx tty2 82.41.104.193 password admin rejected login

The IP address listed there is the sender of such bad requests, and it's not the only one. The tacacs+ server has shown the following IPs attempting to log on:

82.41.104.193 82.65.148.223 80.117.241.24 195.220.120.198 82.255.146.205 82.39.50.12 200.64.30.164

The first recorded attempt was at Tue Mar 30 09:46:53 2004

Anyone else seeing these pop up?

John Narron            | "Sacrifice, they always say
Network Administration |  Is a sign of nobility
CDS/CDSinet, LLC       |  But where does one draw the line
http://www.cdsinet.net |  In the face of injury?"
(660) 886 4045         |  - Queensryche
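An added example, not part of the original post: a small Python triage script that groups TACACS+ "rejected login" lines by source IP and flags bursts. It assumes the space-separated layout shown in the excerpt above (the username field may contain spaces, as in "password admin"); the function names, the 5-rejects threshold and the 60-second window are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample lines copied from the TACACS+ excerpt in the post (NAS name redacted as "xxxx").
SAMPLE = """\
Tue Mar 30 10:26:00 2004 xxxx tty3 82.41.104.193 system rejected login
Tue Mar 30 10:26:02 2004 xxxx tty2 82.41.104.193 config rejected login
Tue Mar 30 10:26:05 2004 xxxx tty3 82.41.104.193 13370n3z rejected login
Tue Mar 30 10:26:06 2004 xxxx tty2 82.41.104.193 password admin rejected login
Tue Mar 30 10:26:08 2004 xxxx tty2 82.41.104.193 config rejected login
"""

# Assumed layout: timestamp, NAS, tty, source IP, username (may contain spaces), result.
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<nas>\S+) (?P<tty>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>.+) rejected login$"
)

def parse(text):
    """Yield (time, nas, tty, ip, user) for each rejected-login line; skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
            yield ts, m["nas"], m["tty"], m["ip"], m["user"]

def summarize(text, threshold=5, window=timedelta(seconds=60)):
    """Per source IP: totals, distinct users/ttys, and a burst flag set when a
    sliding window of length `window` contains at least `threshold` rejects."""
    by_ip = defaultdict(list)
    for ts, nas, tty, ip, user in parse(text):
        by_ip[ip].append((ts, tty, user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [e[0] for e in events]
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {"rejects": len(events), "first": times[0], "last": times[-1],
                      "users": sorted({e[2] for e in events}),
                      "ttys": sorted({e[1] for e in events}), "burst": peak >= threshold}
    return report

if __name__ == "__main__":
    for ip, r in summarize(SAMPLE).items():
        print(ip, r["rejects"], r["users"], r["ttys"], "BURST" if r["burst"] else "")
```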