Security Incidents mailing list archives
RE: SSH probes?
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Mon, 10 May 2004 11:21:51 -0400
At first glance, that sure does seem like somebody's a little overly interested ;) Do you know who 211.216.53.20 is? It looks like it belongs to a block from Korea... generally not a good sign unless you have a partner there. I'd be very tempted to just block the IP block that this machine comes from.

How about the usernames? The one listed here is ftp - any other usernames, particularly valid ones that belong to real people in your organization?

-----Original Message-----
From: Devdas Bhagat [mailto:devdas () dvb homelinux org]
Sent: Sunday, May 09, 2004 12:35 PM
To: incidents () securityfocus com
Subject: SSH probes?

I got about 61 of these in my logs before I turned sshd off. This looks like a brute force attempt at getting a login.

May 9 21:35:03 evita sshd(pam_unix)[16332]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20 user=ftp
May 9 21:35:10 evita sshd(pam_unix)[16374]: check pass; user unknown
May 9 21:35:10 evita sshd(pam_unix)[16374]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20
May 9 21:35:16 evita sshd(pam_unix)[16375]: check pass; user unknown

Anyone else seeing events like this? The box is patched, up to date and still uncompromised. Timezone is UTC +0530 and synchronised to ntp.

Devdas Bhagat
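An added example, not part of the thread: a small detector that parses pam_unix "authentication failure" lines in the format quoted above, counts failures per rhost with a sliding time window, and reports which source addresses and usernames were involved. The sample log lines are constructed to mirror the quoted ones; 192.0.2.10 and the username testuser are made-up benign values, and the year is assumed because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the pam_unix "authentication failure" lines quoted in the thread; "user=" is
# absent when the account does not exist (the "check pass; user unknown" case).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*?\brhost=(?P<rhost>\S+)(?: user=(?P<user>\S+))?\s*$"
)

def parse_failures(lines, year=2004):
    """Yield (timestamp, rhost, user-or-None); the year is an assumption, syslog omits it."""
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # "check pass; user unknown" lines carry no rhost; skip them
        ts = " ".join(m["ts"].split())  # normalise "May  9" to "May 9"
        yield datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), m["rhost"], m["user"]

def suspicious_hosts(lines, threshold=5, window_s=300):
    """Sources with at least `threshold` failures inside any `window_s`-second window."""
    stamps, users = defaultdict(list), defaultdict(set)
    for ts, rhost, user in parse_failures(lines):
        stamps[rhost].append(ts)
        users[rhost].add(user or "<unknown>")
    flagged = {}
    for rhost, times in stamps.items():
        times.sort()
        lo, peak = 0, 0  # sliding window over the sorted timestamps
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[rhost] = {"failures": len(times), "peak_in_window": peak,
                              "users": sorted(users[rhost])}
    return flagged

# Constructed sample in the quoted format; 192.0.2.10 / testuser are made-up benign values.
_PFX = "May 9 21:35:{:02d} evita sshd(pam_unix)[{}]: "
_FAIL = "authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost="
SAMPLE = [
    _PFX.format(3, 16332) + _FAIL + "211.216.53.20 user=ftp",
    _PFX.format(10, 16374) + "check pass; user unknown",
    _PFX.format(10, 16374) + _FAIL + "211.216.53.20",
    _PFX.format(16, 16375) + _FAIL + "211.216.53.20",
    _PFX.format(23, 16380) + _FAIL + "211.216.53.20 user=ftp",
    _PFX.format(31, 16384) + _FAIL + "211.216.53.20",
    "May 9 21:40:02 evita sshd(pam_unix)[16401]: " + _FAIL + "192.0.2.10 user=testuser",
]
```

With the defaults only 211.216.53.20 is reported (five failures in under a minute, trying ftp and non-existent accounts); the single failure from the benign host stays below the threshold.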