Security Incidents mailing list archives

RE: SSH attacks?


From: "Herman Frederick Ebeling Jr." <hfebelingjr () lycos com>
Date: Thu, 29 Jul 2004 14:32:52 -0400


Andrew,

Looking at the list of IP addresses that you listed I got curious and fired
up McAfee's Visual Trace, and with the exception of two of them they've all
come from overseas.  And then mostly from Asia, with one ending in Europe.
I wonder IF we're looking at a "gang" of cyber-criminals from Asia, or if
it's just a coincidence that most of them seem to have originated in Asia???

Herman

-----Original Message-----
From: Andrew J Caines [mailto:A.J.Caines () halplant com]
Sent: Wednesday, 28 July, 2004 20:22
To: incidents () securityfocus com
Subject: Re: SSH attacks?


FWIW, here's what I've seen on my single IP cable connection:

Jul 17 04:54:46 test  129.194.21.5
Jul 17 04:54:47 guest 129.194.21.5
Jul 22 04:38:49 test  61.237.13.234
Jul 22 04:38:52 guest 61.237.13.234
Jul 23 10:55:46 test  61.109.156.5
Jul 23 10:55:49 guest 61.109.156.5
Jul 24 19:40:48 test  202.6.75.195
Jul 24 19:40:50 guest 202.6.75.195
Jul 24 20:24:31 test  69.0.134.72
Jul 24 20:24:31 guest 69.0.134.72
Jul 24 20:24:32 admin 69.0.134.72
Jul 24 20:24:33 admin 69.0.134.72
Jul 24 20:24:34 user  69.0.134.72
Jul 24 20:24:37 test  69.0.134.72
Jul 25 02:51:10 test  211.202.3.148
Jul 25 02:51:12 guest 211.202.3.148
Jul 25 16:30:34 test  219.234.216.150
Jul 25 16:30:37 guest 219.234.216.150
Jul 27 16:12:08 test  210.92.210.67
Jul 27 16:12:10 guest 210.92.210.67
Jul 28 11:52:43 test  65.61.98.16
Jul 28 11:52:45 guest 65.61.98.16

The timing and distribution of userids indicates to me that this is more
than a simple probe for vulnerable SSH servers.

Reality must take precedence over public relations, for Mother Nature
cannot be fooled.  -- R.P. Feynman

"Physics is like sex: sure, it may give some practical results, but
 that's not why we do it." - Feynman


-Andrew-
--
 _______________________________________________________________________
| -Andrew J. Caines-   Unix Systems Engineer   A.J.Caines () halplant com  |
| "They that can give up essential liberty to obtain a little temporary |
|  safety deserve neither liberty nor safety" - Benjamin Franklin, 1759 |

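Added example, not part of either poster's message: a Python script that groups a log in the layout quoted above by source address and checks whether different sources open with the same userid sequence, which is the pattern the "timing and distribution of userids" remark points at. The sample lines are constructed (RFC 5737 documentation addresses), the year is an assumption because the log format carries none, and the function names are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the post's "date time userid source" layout.
# Addresses are from the RFC 5737 documentation ranges, not from the post.
SAMPLE = """\
Jul 17 04:54:46 test  192.0.2.10
Jul 17 04:54:47 guest 192.0.2.10
Jul 22 04:38:49 test  198.51.100.7
Jul 22 04:38:52 guest 198.51.100.7
Jul 24 20:24:31 test  203.0.113.5
Jul 24 20:24:31 guest 203.0.113.5
Jul 24 20:24:32 admin 203.0.113.5
Jul 24 20:24:34 user  203.0.113.5
Jul 24 20:24:37 test  203.0.113.5
"""

def parse(text, year=2004):
    """Yield (timestamp, userid, source) tuples; the year is assumed."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        mon, day, clock, user, src = fields
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield ts, user, src

def sessions(text):
    """Per source: ordered userid sequence and seconds from first to last try."""
    by_src = defaultdict(list)
    for ts, user, src in parse(text):
        by_src[src].append((ts, user))
    out = {}
    for src, tries in by_src.items():
        tries.sort(key=lambda t: t[0])  # stable: same-second tries keep log order
        span = (tries[-1][0] - tries[0][0]).total_seconds()
        out[src] = (tuple(u for _, u in tries), span)
    return out

def shared_openings(text, depth=2):
    """Count sources whose first `depth` userids are the same sequence."""
    return Counter(seq[:depth] for seq, _ in sessions(text).values())

if __name__ == "__main__":
    for src, (seq, span) in sessions(SAMPLE).items():
        print(f"{src:15} {span:4.0f}s  {' '.join(seq)}")
    print(shared_openings(SAMPLE).most_common(1))
```

Many unrelated sources sharing one opening sequence within a few seconds each suggests a common automated tool rather than independent manual attempts.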