Security Incidents mailing list archives

RE: SSH probes?

From: "Jerry Shenk" <jshenk () decommunications com>
Date: Mon, 10 May 2004 11:21:51 -0400

At first glance, that sure does seem like somebody's a little overly
interested;)  Do you know who 211.216.53.20 is?  It looks like it
belongs to a block from Korea....generally not a good sign unless you
have a partner there.  I'd be very tempted to just block the ip block
that this machine comes from.

How about the usernames.  The one listed here is ftp - any other
usernames, particularly valid ones that belong to real people in your
organization.

-----Original Message-----
From: Devdas Bhagat [mailto:devdas () dvb homelinux org] 
Sent: Sunday, May 09, 2004 12:35 PM
To: incidents () securityfocus com
Subject: SSH probes?


I got about 61 of these in my logs before I turned sshd off. This looks
like a brute force attempt at getting a login.

May  9 21:35:03 evita sshd(pam_unix)[16332]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20  user=ftp
May  9 21:35:10 evita sshd(pam_unix)[16374]: check pass; user unknown
May  9 21:35:10 evita sshd(pam_unix)[16374]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20
May  9 21:35:16 evita sshd(pam_unix)[16375]: check pass; user unknown

Anyone else seeing events like this?
The box is patched, up to date and still uncompromised. Timezone is 
UTC +0530 and synchronised to ntp.

Devdas Bhagat

------------------------------------------------------------------------
---
------------------------------------------------------------------------
----



---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

SSH probes? Devdas Bhagat (May 10)
- RE: SSH probes? Jerry Shenk (May 10)
- Re: SSH probes? iglope (May 12)
  - Re: SSH probes? Valdis . Kletnieks (May 12)
    - Re: SSH probes? Klaus Lichtenwalder (May 12)