Security Incidents mailing list archives
Re: SSH attacks?
From: Chris Brown <chris () wavetex com>
Date: Tue, 27 Jul 2004 14:17:39 -0500
I've been seeing this as well. At first I thought it was just someone messing around and I banned the IPs they were coming from, but the IP keeps coming up randomly for me. I haven't seen quite as many and it's always been in pairs. Seems like one pair a day, sometimes two. Been going on for about a week now. Some kind of script? The variety of IPs I've seen has made me wonder if it is a worm. I would think a human would be smarter than to keep trying 'test' and 'guest'. Who knows?
Chris Robin wrote:
While looking through the logs after someone ran over my system with Nessus, I noticed some odd ones from sshd (that don't seem to be related to the nessus scan):

Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow information for NOUSER

They usually, although not always, occur in pairs, a few seconds apart. They don't seem to be very random, which suggests maybe that there is someone at the other end, rather than a worm.

The first sighting was Jun 4 04:22:15 (all times NZST), with 153 instances going to 04:47:03 (this is fairly constant, and not in pairs). It isn't seen again until Jun 17 08:39:54-08:58:20 (75 instances this time, again not in pairs). Since then, there have been a few on the 21st and 25th, followed by a lot on the 26th and into the 27th, where we now see the pairs coming up.

Looking a bit closer (and in other log files), I see it's people trying random accounts. The big ones are going over a large list, the pairs seem to be just hitting test and guest:

Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44
Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44
Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2

Does anyone know why this would appear all of a sudden?
-- Chris Brown System Administrator Wavetex Inc. 903-597-7566 http://wavetex.com/
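The two patterns reported in this message and in the quoted logs (short test/guest pairs versus long runs over an account list) can be separated by grouping sshd "Illegal user" lines per source address. This is an added example, not part of the original post. The first four sample lines are the ones quoted above; the other sample lines, the 60-second burst gap, the five-account sweep threshold and the default year 2004 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First four lines are quoted in the post; everything joined on after them is constructed.
SAMPLE = """\
Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44
Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44
Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2
""" + "".join(  # constructed: six-account run from a documentation address
    f"Jun 17 08:40:{i:02d} kallisti sshd[{13000 + i}]: Illegal user {u} from ::ffff:192.0.2.10\n"
    for i, u in enumerate(["admin", "root", "user", "oracle", "web", "www"])
) + "".join(  # constructed: one test/guest pair per day
    f"Jul {d} 03:12:{s} kallisti sshd[{p}]: Illegal user {u} from ::ffff:198.51.100.7\n"
    for d, s, p, u in [(27, 25, 14001, "test"), (27, 27, 14002, "guest"),
                       (28, 25, 15001, "test"), (28, 28, 15002, "guest")])

# Match only the "Illegal user" line so the paired "Failed password" line is not double counted.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Illegal user (\S+) from (\S+)$", re.M)

def parse_attempts(text, year=2004):
    # Syslog timestamps carry no year, so the caller supplies one (assumed 2004 here).
    out = []
    for ts, user, src in LINE.findall(text):
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        src = src[7:] if src.startswith("::ffff:") else src  # IPv4-mapped form
        out.append((when, src, user))
    return sorted(out)

def bursts_by_source(attempts, gap=timedelta(seconds=60)):
    # Per source, start a new burst whenever the silence since the last attempt exceeds gap.
    bursts = defaultdict(list)
    for when, src, user in attempts:
        runs = bursts[src]
        if runs and when - runs[-1][-1][0] <= gap:
            runs[-1].append((when, user))
        else:
            runs.append([(when, user)])
    return dict(bursts)

def classify(burst, sweep_min=5):
    users = [u for _, u in burst]
    if sorted(users) == ["guest", "test"]:
        return "test/guest pair"
    return "account-list sweep" if len(set(users)) >= sweep_min else "other"

def summarize(text):
    return {src: [classify(r) for r in runs] for src, runs in bursts_by_source(parse_attempts(text)).items()}
```

Calling `summarize()` on a real auth log gives, per source address, the sequence of burst types, which makes the "one pair a day" pattern and the long sweeps easy to tell apart.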