Educause Security Discussion mailing list archives

SSH logs - ip address as user?


From: "Lisciotti, Kevin" <klisciotti () UMASSP EDU>
Date: Thu, 11 Dec 2014 14:49:09 +0000

Hi everyone,


Just curious if anyone else has seen entries in their SSH logs where the user name is an IP address? It's coming from 
an IP in Vietnam and I assume it's a script kiddie who doesn't know how to use their brute force tool :)


Dec 11 00:15:48  sshd[27852]: Connection closed by 123.30.187.17
Dec 11 00:50:24  sshd[614]: Invalid user 71.246.205.123 from 123.30.187.17
Dec 11 00:50:24  sshd[614]: Address 123.30.187.17 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 11 00:50:24  sshd[618]: input_userauth_request: invalid user 71.246.205.123
Dec 11 00:50:24  sshd[614]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 00:50:24  sshd[614]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.30.187.17
Dec 11 00:50:24  sshd[614]: pam_succeed_if(sshd:auth): error retrieving information about user 71.246.205.123
Dec 11 00:50:26  sshd[614]: Failed password for invalid user 71.246.205.123 from 123.30.187.17 port 53804 ssh2
Dec 11 00:50:26  sshd[618]: Connection closed by 123.30.187.17
Dec 11 01:24:55  sshd[5986]: Invalid user 71.246.230.158 from 123.30.187.17
Dec 11 01:24:55  sshd[5986]: Address 123.30.187.17 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 11 01:24:55  sshd[5990]: input_userauth_request: invalid user 71.246.230.158
Dec 11 01:24:55  sshd[5986]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 01:24:55  sshd[5986]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.30.187.17
Dec 11 01:24:55  sshd[5986]: pam_succeed_if(sshd:auth): error retrieving information about user 71.246.230.158
Dec 11 01:24:56  sshd[5986]: Failed password for invalid user 71.246.230.158 from 123.30.187.17 port 57926 ssh2
Dec 11 01:24:56  sshd[5990]: Connection closed by 123.30.187.17
Dec 11 01:59:26  sshd[11174]: Invalid user 71.248.109.200 from 123.30.187.17
Dec 11 01:59:26  sshd[11174]: Address 123.30.187.17 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 11 01:59:26  sshd[11178]: input_userauth_request: invalid user 71.248.109.200
Dec 11 01:59:26  sshd[11174]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 01:59:26  sshd[11174]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.30.187.17
Dec 11 01:59:26  sshd[11174]: pam_succeed_if(sshd:auth): error retrieving information about user 71.248.109.200
Dec 11 01:59:28  sshd[11174]: Failed password for invalid user 71.248.109.200 from 123.30.187.17 port 43797 ssh2
Dec 11 01:59:28  sshd[11178]: Connection closed by 123.30.187.17
Dec 11 02:33:57  sshd[17227]: Invalid user 71.249.139.77 from 123.30.187.17
Dec 11 02:33:57  sshd[17227]: Address 123.30.187.17 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 11 02:33:57  sshd[17231]: input_userauth_request: invalid user 71.249.139.77
Dec 11 02:33:57  sshd[17227]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 02:33:57  sshd[17227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.30.187.17
Dec 11 02:33:57  sshd[17227]: pam_succeed_if(sshd:auth): error retrieving information about user 71.249.139.77
Dec 11 02:33:59  sshd[17227]: Failed password for invalid user 71.249.139.77 from 123.30.187.17 port 44497 ssh2
Dec 11 02:33:59  sshd[17231]: Connection closed by 123.30.187.17


Thanks,


Kevin
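
Added example, not part of the original post: a Python script that finds sshd `Invalid user` lines whose user name parses as an IP address, groups them by source address, and measures the spacing between attempts. The log lines are copied from the post except the final `admin` line, which is constructed as a negative case; the function names and the year 2014 (taken from the post date, since syslog timestamps carry no year) are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# "Invalid user" and related lines copied from the post above.
# The last line (user "admin") is constructed, as a negative case.
SAMPLE_LOG = """\
Dec 11 00:15:48  sshd[27852]: Connection closed by 123.30.187.17
Dec 11 00:50:24  sshd[614]: Invalid user 71.246.205.123 from 123.30.187.17
Dec 11 00:50:26  sshd[614]: Failed password for invalid user 71.246.205.123 from 123.30.187.17 port 53804 ssh2
Dec 11 01:24:55  sshd[5986]: Invalid user 71.246.230.158 from 123.30.187.17
Dec 11 01:59:26  sshd[11174]: Invalid user 71.248.109.200 from 123.30.187.17
Dec 11 02:33:57  sshd[17227]: Invalid user 71.249.139.77 from 123.30.187.17
Dec 11 03:00:00  sshd[20000]: Invalid user admin from 198.51.100.7
"""
YEAR = 2014  # assumption: syslog omits the year; taken from the post date
# The hostname field is optional because it is absent in the posted lines.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?:\S+\s+)?sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<src>\S+)(?: port \d+)?\s*$")

def is_ip(text):
    """True if text is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def ip_named_attempts(log_text, year=YEAR):
    """Map source address -> [(timestamp, user)] where user is an IP literal."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if m and is_ip(m.group("user")):
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            hits[m.group("src")].append((ts, m.group("user")))
    return dict(hits)

def intervals(attempts):
    """Seconds between consecutive attempts from one source."""
    times = sorted(ts for ts, _ in attempts)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    for src, attempts in ip_named_attempts(SAMPLE_LOG).items():
        print(src, [user for _, user in attempts], intervals(attempts))
```

On the posted lines, the four attempts from 123.30.187.17 come out exactly 2071 seconds apart, a fixed cadence that points to an automated job rather than someone typing.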

