Full Disclosure mailing list archives

Re: Automated SSH login attempts?


From: Andrei Galca-Vasiliu <andrei () fq ro>
Date: Sun, 25 Jul 2004 22:31:28 +0300

I've seen that too, on several machines, different ranges of IPs. I guess it's
some sort of a mass bruteforce exploit (there were 50 or more attempts on my
box in just 20-30 s). Anyone who can enlighten us, it will be appreciated;
I've searched too and couldn't find anything related.

In an e-mail dated Thursday 22 July 2004 17:47, Jay Libove wrote:
[ Posted to full disclosure and vulnwatch;  please edit reply address(es)
as appropriate. Thanks. -Jay ]

My Linux system, and a Linux system run by a friend here in the same city
but on a completely different netblock (different ISP), have both seen
apparently automated attempts to log in to our systems via SSH in the past
few days.  Looks like a script.


Here are some log entries from my system:

Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 62.67.45.4
Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 62.67.45.4 port 39192 ssh2
Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 62.67.45.4
Jul 15 10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from 62.67.45.4 port 39234 ssh2
Jul 15 10:01:38 panther6 sshd[8273]: Illegal user user from 62.67.45.4
Jul 15 10:01:38 panther6 sshd[8273]: Failed password for illegal user user from 62.67.45.4 port 39275 ssh2
Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 62.67.45.4 port 39340 ssh2
Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 62.67.45.4 port 39386 ssh2
Jul 15 10:44:12 panther6 sshd[8300]: Illegal user test from 62.67.45.4
Jul 15 10:44:12 panther6 sshd[8300]: Failed password for illegal user test from 62.67.45.4 port 33771 ssh2
Jul 15 10:44:14 panther6 sshd[8302]: Illegal user guest from 62.67.45.4
Jul 15 10:44:14 panther6 sshd[8302]: Failed password for illegal user guest from 62.67.45.4 port 33828 ssh2
Jul 15 10:44:15 panther6 sshd[8304]: Illegal user admin from 62.67.45.4
Jul 15 10:44:15 panther6 sshd[8304]: Failed password for illegal user admin from 62.67.45.4 port 33876 ssh2
Jul 15 10:44:16 panther6 sshd[8306]: Illegal user user from 62.67.45.4
Jul 15 10:44:16 panther6 sshd[8306]: Failed password for illegal user user from 62.67.45.4 port 33916 ssh2
Jul 15 10:44:17 panther6 sshd[8308]: Failed password for root from 62.67.45.4 port 33988 ssh2
Jul 15 10:44:19 panther6 sshd[8310]: Failed password for root from 62.67.45.4 port 34032 ssh2
Jul 15 17:07:15 panther6 sshd[8912]: Illegal user test from 131.234.36.152
Jul 15 17:07:15 panther6 sshd[8912]: Failed password for illegal user test from 131.234.36.152 port 38287 ssh2
Jul 15 17:07:16 panther6 sshd[8914]: Illegal user guest from 131.234.36.152
Jul 15 17:07:16 panther6 sshd[8914]: Failed password for illegal user guest from 131.234.36.152 port 38326 ssh2
Jul 15 17:07:18 panther6 sshd[8916]: Illegal user admin from 131.234.36.152
Jul 15 17:07:18 panther6 sshd[8916]: Failed password for illegal user admin from 131.234.36.152 port 38370 ssh2
Jul 15 17:07:19 panther6 sshd[8918]: Illegal user admin from 131.234.36.152
Jul 15 17:07:19 panther6 sshd[8918]: Failed password for illegal user admin from 131.234.36.152 port 38412 ssh2
Jul 15 17:07:21 panther6 sshd[8920]: Illegal user user from 131.234.36.152
Jul 15 17:07:21 panther6 sshd[8920]: Failed password for illegal user user from 131.234.36.152 port 38468 ssh2
Jul 15 17:07:22 panther6 sshd[8922]: Failed password for root from 131.234.36.152 port 38516 ssh2
Jul 15 17:07:23 panther6 sshd[8924]: Failed password for root from 131.234.36.152 port 38558 ssh2
Jul 15 17:07:25 panther6 sshd[8926]: Failed password for root from 131.234.36.152 port 38611 ssh2
Jul 15 17:07:26 panther6 sshd[8928]: Illegal user test from 131.234.36.152
Jul 15 17:07:26 panther6 sshd[8928]: Failed password for illegal user test from 131.234.36.152 port 38675 ssh2
Jul 19 22:05:07 panther6 sshd[30439]: Illegal user test from 83.103.27.66
Jul 19 22:05:07 panther6 sshd[30439]: Failed password for illegal user test from 83.103.27.66 port 52671 ssh2
Jul 19 22:05:08 panther6 sshd[30441]: Illegal user guest from 83.103.27.66
Jul 19 22:05:08 panther6 sshd[30441]: Failed password for illegal user guest from 83.103.27.66 port 52687 ssh2
Jul 21 06:30:12 panther6 sshd[1103]: Illegal user test from 219.103.193.130
Jul 21 06:30:12 panther6 sshd[1103]: Failed password for illegal user test from 219.103.193.130 port 55802 ssh2
Jul 21 06:30:14 panther6 sshd[1105]: Illegal user guest from 219.103.193.130
Jul 21 06:30:14 panther6 sshd[1105]: Failed password for illegal user guest from 219.103.193.130 port 55823 ssh2


... and some log entries from my friend's system:

Jul 19 21:04:33 quack sshd[28379]: Illegal user test from 131.234.157.10
Jul 19 21:04:34 quack sshd[28381]: Illegal user guest from 131.234.157.10
Jul 19 21:04:36 quack sshd[28383]: Illegal user admin from 131.234.157.10
Jul 19 21:04:37 quack sshd[28385]: Illegal user admin from 131.234.157.10
Jul 19 21:04:38 quack sshd[28387]: Illegal user user from 131.234.157.10
Jul 19 21:04:43 quack sshd[28400]: Illegal user test from 131.234.157.10
Jul 22 09:39:10 quack sshd[7646]: Illegal user test from 156.17.99.11
Jul 22 09:39:11 quack sshd[7648]: Illegal user guest from 156.17.99.11


I have not seen any notes about this on the vulnerability discussion
lists.  Has anyone else noticed it?  What specific vulnerability (or
default password?) is this looking for?

-Jay Libove, CISSP
libove () felines org
Atlanta, GA US

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Andrei Galca-Vasiliu
Technical Support
Brasov Branch
Romania Data Systems
T: +402 68 474133  F: +402 68 474133
www.rdsnet.ro
--
Privileged/Confidential Information may be contained in this message.
If you are not the addressee indicated in this message (or responsible
for delivery of the message to such person), you may not copy or
deliver this message to anyone. In such a case, you should destroy
this message and kindly notify the sender by reply e-mail.
--

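The pattern in the logs quoted above (one source address cycling through test, guest, admin, user and root within a few seconds, each attempt a separate sshd process) is easy to pick out mechanically. The script below is an added example, not code from either poster: it parses the sshd "Illegal user" / "Failed password" lines in the format shown in the thread (newer OpenSSH releases write "Invalid user", which is accepted too), groups password failures by source address, and flags any address that produced a burst of failures inside a short window. The sample log lines are constructed for this example (documentation-range addresses, invented PIDs and hostname, modelled on the quoted format); the 60-second window and the threshold of five failures are assumptions, not settings from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Two sshd message forms appear in the thread: the "Illegal user" notice and the
# "Failed password" record. Both are matched here; "Invalid user" (later OpenSSH
# wording) is accepted as well.
SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
ILLEGAL_RE = re.compile(
    SYSLOG_PREFIX + r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>[\d.]+)"
)
FAILED_RE = re.compile(
    SYSLOG_PREFIX
    + r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log (documentation-range IPs, invented hostname and PIDs),
# modelled on the sshd lines quoted in the thread. The first source cycles through
# the same five account names in seven seconds; the second is an ordinary user who
# mistyped a password twice, a quarter of an hour apart.
SAMPLE_LOG = """\
Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 192.0.2.10
Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 192.0.2.10 port 39141 ssh2
Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 192.0.2.10
Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 192.0.2.10 port 39192 ssh2
Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 192.0.2.10
Jul 15 10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from 192.0.2.10 port 39234 ssh2
Jul 15 10:01:38 panther6 sshd[8273]: Illegal user user from 192.0.2.10
Jul 15 10:01:38 panther6 sshd[8273]: Failed password for illegal user user from 192.0.2.10 port 39275 ssh2
Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 192.0.2.10 port 39340 ssh2
Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 192.0.2.10 port 39386 ssh2
Jul 15 12:30:02 panther6 sshd[8401]: Accepted publickey for jay from 198.51.100.7 port 50122 ssh2
Jul 15 12:31:10 panther6 sshd[8405]: Failed password for jay from 198.51.100.7 port 50140 ssh2
Jul 15 12:45:10 panther6 sshd[8410]: Failed password for jay from 198.51.100.7 port 50200 ssh2
"""


def parse_line(line, year=2004):
    """Return (timestamp, user, ip, kind) for an sshd failure line, else None.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2004
    here, the year of the thread). kind is "illegal" or "failed".
    """
    for kind, rx in (("illegal", ILLEGAL_RE), ("failed", FAILED_RE)):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, m["user"], m["ip"], kind
    return None


def find_bruteforce(lines, window_seconds=60, threshold=5):
    """Group "Failed password" events by source IP and flag every IP that
    produced at least `threshold` failures inside some `window_seconds` span.

    Returns {ip: {"attempts", "users", "first", "last"}} for flagged sources.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] == "failed":
            ts, user, ip, _ = parsed
            events[ip].append((ts, user))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over the sorted failures for this source.
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "attempts": len(evs),
                    "users": sorted({u for _, u in evs}),
                    "first": evs[0][0].isoformat(sep=" "),
                    "last": evs[-1][0].isoformat(sep=" "),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} failures, accounts tried: {', '.join(info['users'])}")
```

Only the "Failed password" records are counted, so a single "Illegal user" notice (which sshd logs alongside the failure for the same process) is not double-counted, and the legitimate user with two failures fifteen minutes apart stays under the window. The same per-source count and the list of distinct account names is what a practitioner would feed into a block rule or a ticket; the account list alone (test, guest, admin, user, root) already answers Jay's question in the sense that the script is probing for default accounts, not a particular sshd bug.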