Full Disclosure mailing list archives
Re: [VulnDiscuss] Re: Automated SSH login attempts?
From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 26 Jul 2004 15:37:07 -0500
--On Monday, July 26, 2004 03:29:56 PM -0400 RBabb <rob_mailing_lists () rbabb net> wrote:
That's not obvious at all. In our case, they're hitting IPs in sequential order, so it looks (to us) more like a "brute force" attempt rather than the targeting of hosts that are specifically running sshd.

This makes me feel better. I thought it odd that so many machines were hitting my ssh server. I even blocked it at the firewall for a day or so. Is anyone talking on what the bot system was that allowed them to automate this? It seemed that as soon as 1 got it so did a whole bunch more so obviously people are distributing lists of IP's for potential SSH access.

I'm not real sure on who to contact for these machines, but here are all the ones that have hit me. Mostly seem to be Asian so far.

Jul 25 19:48:40 server sshd[55910]: Failed password for illegal user test from 212.4.172.123 port 56843 ssh2
Jul 25 19:48:42 server sshd[55915]: Failed password for illegal user guest from 212.4.172.123 port 56916 ssh2
Jul 25 20:37:19 server sshd[57221]: Failed password for illegal user test from 210.40.224.10 port 49738 ssh2
Jul 25 20:37:22 server sshd[57223]: Failed password for illegal user guest from 210.40.224.10 port 49756 ssh2

[pauls@utd49554 pauls]$ dig -x 212.4.172.123

; <<>> DiG 9.2.2-P3 <<>> -x 212.4.172.123
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 123
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;123.172.4.212.in-addr.arpa. IN PTR

;; ANSWER SECTION:
123.172.4.212.in-addr.arpa. 604800 IN PTR mail.enet.de.

Since this is a mail server, I would say the odds are *extremely high* that it's been compromised and that the owners would greatly appreciate a heads up. (So I've cc'd them. But these are *your* logs, so *you* should notify them as well.)

Jul 24 21:37:50 server sshd[21578]: Failed password for illegal user test from 218.244.240.195 port 58900 ssh2
Jul 24 21:37:53 server sshd[21580]: Failed password for illegal user guest from 218.244.240.195 port 58928 ssh2

person: ShouLan Du
address: Fl./8, South Building, Bridge Mansion, No. 53
country: CN
phone: +86-010-83160000
fax-no: +86-010-83155528
e-mail: dsl327 () btamail net cn
nic-hdl: SD76-AP
mnt-by: MAINT-CNNIC-AP
changed: dsl327 () btamail net cn 20020403
source: APNIC

Jul 22 18:23:36 server sshd[38184]: Failed password for illegal user test from 216.86.221.113 port 58012 ssh2
Jul 22 18:23:37 server sshd[38195]: Failed password for illegal user guest from 216.86.221.113 port 51509 ssh2

;; ANSWER SECTION:
113.221.86.216.in-addr.arpa. 14400 IN PTR adsl-gte-la-216-86-215-113.mminternet.com.

Technical Contact:
   Master, Host (NC312) hostmaster () MMINTERNET COM
   3780 Kilroy Airport Way Suite 410
   Long Beach, CA 90806
   US
   562-427-0344 fax: 562-427-3622

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
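
The pattern in the logs quoted in this message (one source trying the nonexistent accounts test and guest a few seconds apart) can be picked out of an auth log mechanically. The following is an added example, not part of the original post; the function names, the 60-second window, the assumed year and the two constructed log lines on documentation addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First eight lines are the sshd entries quoted in the message above; the last
# two are constructed (documentation addresses) to show sources NOT flagged.
SAMPLE_LOG = """\
Jul 25 19:48:40 server sshd[55910]: Failed password for illegal user test from 212.4.172.123 port 56843 ssh2
Jul 25 19:48:42 server sshd[55915]: Failed password for illegal user guest from 212.4.172.123 port 56916 ssh2
Jul 25 20:37:19 server sshd[57221]: Failed password for illegal user test from 210.40.224.10 port 49738 ssh2
Jul 25 20:37:22 server sshd[57223]: Failed password for illegal user guest from 210.40.224.10 port 49756 ssh2
Jul 24 21:37:50 server sshd[21578]: Failed password for illegal user test from 218.244.240.195 port 58900 ssh2
Jul 24 21:37:53 server sshd[21580]: Failed password for illegal user guest from 218.244.240.195 port 58928 ssh2
Jul 22 18:23:36 server sshd[38184]: Failed password for illegal user test from 216.86.221.113 port 58012 ssh2
Jul 22 18:23:37 server sshd[38195]: Failed password for illegal user guest from 216.86.221.113 port 51509 ssh2
Jul 26 09:15:02 server sshd[60001]: Failed password for root from 192.0.2.10 port 40112 ssh2
Jul 26 09:20:44 server sshd[60017]: Failed password for illegal user test from 198.51.100.7 port 40230 ssh2
"""

# "illegal user" is the wording in these 2004 logs; current OpenSSH logs "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<bad>(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse(log, year=2004):
    """Yield (time, ip, user, unknown_account); syslog omits the year, so one is assumed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield when, m["ip"], m["user"], bool(m["bad"])

def scanner_sources(log, names=("test", "guest"), window=timedelta(seconds=60)):
    """Return {ip: seconds} for sources that tried every name in `names` as a
    nonexistent account, with all attempts inside `window`."""
    seen = defaultdict(dict)
    for when, ip, user, unknown in parse(log):
        if unknown and user in names:
            seen[ip][user] = when  # latest attempt per account name
    hits = {}
    for ip, tries in seen.items():
        span = max(tries.values()) - min(tries.values())
        if set(tries) == set(names) and span <= window:
            hits[ip] = span.total_seconds()
    return hits

if __name__ == "__main__":
    for ip, secs in scanner_sources(SAMPLE_LOG).items():
        print(f"{ip}: test+guest probe within {secs:.0f}s")
```

The flagged addresses are the input for the reverse-DNS and whois lookups shown in the message, which is how the abuse contacts were found.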