Educause Security Discussion mailing list archives

Re: SSH logs - ip address as user?


From: David James Anderson <David.Anderson () NAU EDU>
Date: Thu, 11 Dec 2014 15:40:01 +0000

This one made my morning, thank you.
--
-David.


David Anderson
Information Security Analyst, Senior
Information Technology Services
Northern Arizona University
(928) 523-1225

On Dec 11, 2014, at 7:49 AM, Lisciotti, Kevin <klisciotti () UMASSP EDU> wrote:

Hi everyone,

Just curious if anyone else has seen entries in their SSH logs where the user name is an IP address? It's coming from 
an IP in Vietnam and I assume it's a script kiddie who doesn't know how to use their brute force tool :)

Dec 11 00:15:48  sshd[27852]: Connection closed by 123.30.187.17
Dec 11 00:50:24  sshd[614]: Invalid user 71.246.205.123 from 123.30.187.17
Dec 11 00:50:24  sshd[614]: Address 123.30.187.17 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 11 00:50:24  sshd[618]: input_userauth_request: invalid user 71.246.205.123
Dec 11 00:50:24  sshd[614]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 00:50:24  sshd[614]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.30.187.17
Dec 11 00:50:24  sshd[614]: pam_succeed_if(sshd:auth): error retrieving information about user 71.246.205.123
Dec 11 00:50:26  sshd[614]: Failed password for invalid user 71.246.205.123 from 123.30.187.17 port 53804 ssh2
Dec 11 00:50:26  sshd[618]: Connection closed by 123.30.187.17
Dec 11 01:24:55  sshd[5986]: Invalid user 71.246.230.158 from 123.30.187.17
Dec 11 01:24:55  sshd[5986]: Address 123.30.187.17 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 11 01:24:55  sshd[5990]: input_userauth_request: invalid user 71.246.230.158
Dec 11 01:24:55  sshd[5986]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 01:24:55  sshd[5986]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.30.187.17
Dec 11 01:24:55  sshd[5986]: pam_succeed_if(sshd:auth): error retrieving information about user 71.246.230.158
Dec 11 01:24:56  sshd[5986]: Failed password for invalid user 71.246.230.158 from 123.30.187.17 port 57926 ssh2
Dec 11 01:24:56  sshd[5990]: Connection closed by 123.30.187.17
Dec 11 01:59:26  sshd[11174]: Invalid user 71.248.109.200 from 123.30.187.17
Dec 11 01:59:26  sshd[11174]: Address 123.30.187.17 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 11 01:59:26  sshd[11178]: input_userauth_request: invalid user 71.248.109.200
Dec 11 01:59:26  sshd[11174]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 01:59:26  sshd[11174]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.30.187.17
Dec 11 01:59:26  sshd[11174]: pam_succeed_if(sshd:auth): error retrieving information about user 71.248.109.200
Dec 11 01:59:28  sshd[11174]: Failed password for invalid user 71.248.109.200 from 123.30.187.17 port 43797 ssh2
Dec 11 01:59:28  sshd[11178]: Connection closed by 123.30.187.17
Dec 11 02:33:57  sshd[17227]: Invalid user 71.249.139.77 from 123.30.187.17
Dec 11 02:33:57  sshd[17227]: Address 123.30.187.17 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 11 02:33:57  sshd[17231]: input_userauth_request: invalid user 71.249.139.77
Dec 11 02:33:57  sshd[17227]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 02:33:57  sshd[17227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.30.187.17
Dec 11 02:33:57  sshd[17227]: pam_succeed_if(sshd:auth): error retrieving information about user 71.249.139.77
Dec 11 02:33:59  sshd[17227]: Failed password for invalid user 71.249.139.77 from 123.30.187.17 port 44497 ssh2
Dec 11 02:33:59  sshd[17231]: Connection closed by 123.30.187.17

Thanks,

Kevin
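
A way to surface this pattern in sshd logs, as an added example that is not part of the original thread: it flags "Invalid user" entries whose user name parses as an IP address and groups them by source. The sample lines are constructed (RFC 5737 documentation addresses, not the addresses in the post), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the same sshd format as the post; addresses are
# from the RFC 5737 documentation ranges, not taken from the original logs.
SAMPLE_LOG = """\
Dec 11 00:15:48  sshd[100]: Connection closed by 203.0.113.7
Dec 11 00:50:24  sshd[101]: Invalid user 198.51.100.23 from 203.0.113.7
Dec 11 00:50:26  sshd[101]: Failed password for invalid user 198.51.100.23 from 203.0.113.7 port 53804 ssh2
Dec 11 01:24:55  sshd[102]: Invalid user 198.51.100.58 from 203.0.113.7
Dec 11 01:30:02  sshd[103]: Invalid user admin from 192.0.2.44
Dec 11 01:31:10  sshd[104]: Invalid user 999.1.2.3 from 192.0.2.44
Dec 11 01:32:00  sshd[105]: Invalid user 10.0.0 from 192.0.2.44
"""

# Match only the capitalised "Invalid user <name> from <source>" record so the
# follow-up "Failed password for invalid user ..." line is not counted twice.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+)"
)


def is_ip_literal(text):
    """True if text is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def ip_usernames_by_source(log_text):
    """Map each source address to the IP-shaped user names it tried, in order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m and is_ip_literal(m.group("user")):
            hits[m.group("src")].append(m.group("user"))
    return dict(hits)


if __name__ == "__main__":
    for src, users in ip_usernames_by_source(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} IP-shaped user names: {', '.join(users)}")
```
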

