Security Incidents mailing list archives
Re: SSH attacks?
From: Bulgaro <bulgaro76 () yahoo it>
Date: Thu, 29 Jul 2004 11:11:12 +0200 (CEST)
While looking through the logs after someone ran over my system with Nessus, I noticed some odd ones from sshd (that don't seem to be related to the Nessus scan):

Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow information for NOUSER

They usually, although not always, occur in pairs, a few seconds apart. They don't seem to be very random, which suggests maybe that there is someone at the other end, rather than a worm. The first sighting was Jun 4 04:22:15 (all times NZST), with 153 instances going to 04:47:03 (this is fairly constant, and not in pairs). It isn't seen again until Jun 17 08:39:54-08:58:20 (75 instances this time, again not in pairs). Since then, there have been a few on the 21st and 25th, followed by a lot on the 26th and into the 27th, where we now see the pairs coming up.

Looking a bit closer (and in other log files), I see it's people trying random accounts. The big ones are going over a large list; the pairs seem to be just hitting test and guest:

Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44
Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44
Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2

Does anyone know why this would appear all of a sudden?

--
Robin <robin () kallisti net nz>
JabberID: <eythian () jabber org>
Aliens abducted me. What year is it?
PGP Key 0x776DB663 = DD10 5C62 1E29 A385 9866 0853 CD38 E07A 776D B663
I've got some very similar logs from auth.log:

Jul 26 18:01:17 cabernet sshd[12014]: Illegal user test from 163.32.62.4
Jul 26 18:01:17 cabernet sshd[12014]: error: Could not get shadow information for NOUSER
Jul 26 18:01:17 cabernet sshd[12014]: Failed password for illegal user test from 163.32.62.4 port 46707 ssh2
Jul 26 18:01:20 cabernet sshd[12016]: Illegal user guest from 163.32.62.4
Jul 26 18:01:20 cabernet sshd[12016]: error: Could not get shadow information for NOUSER
Jul 26 18:01:20 cabernet sshd[12016]: Failed password for illegal user guest from 163.32.62.4 port 46818 ssh2
Jul 26 18:01:23 cabernet sshd[12018]: Illegal user admin from 163.32.62.4
Jul 26 18:01:23 cabernet sshd[12018]: error: Could not get shadow information for NOUSER
Jul 26 18:01:23 cabernet sshd[12018]: Failed password for illegal user admin from 163.32.62.4 port 46899 ssh2
Jul 26 18:01:26 cabernet sshd[12020]: Illegal user admin from 163.32.62.4
Jul 26 18:01:26 cabernet sshd[12020]: error: Could not get shadow information for NOUSER
Jul 26 18:01:26 cabernet sshd[12020]: Failed password for illegal user admin from 163.32.62.4 port 46974 ssh2
Jul 26 18:01:29 cabernet sshd[12022]: Illegal user user from 163.32.62.4
Jul 26 18:01:29 cabernet sshd[12022]: error: Could not get shadow information for NOUSER
Jul 26 18:01:29 cabernet sshd[12022]: Failed password for illegal user user from 163.32.62.4 port 47049 ssh2
Jul 26 18:01:32 cabernet sshd[12024]: Failed password for root from 163.32.62.4 port 47132 ssh2
Jul 26 18:01:35 cabernet sshd[12026]: Failed password for root from 163.32.62.4 port 47235 ssh2
Jul 26 18:01:37 cabernet sshd[12028]: Failed password for root from 163.32.62.4 port 47295 ssh2
Jul 26 18:01:40 cabernet sshd[12030]: Illegal user test from 163.32.62.4
Jul 26 18:01:40 cabernet sshd[12030]: error: Could not get shadow information for NOUSER
Jul 26 18:01:40 cabernet sshd[12030]: Failed password for illegal user test from 163.32.62.4 port 47388 ssh2
Jul 26 18:17:01 cabernet CRON[12117]: (pam_unix) session opened for user root by (uid=0)
Jul 26 18:17:01 cabernet CRON[12117]: (pam_unix) session closed for user root
Jul 26 18:50:30 cabernet sshd[12599]: Illegal user test from 163.32.62.4
Jul 26 18:50:31 cabernet sshd[12599]: error: Could not get shadow information for NOUSER
Jul 26 18:50:31 cabernet sshd[12599]: Failed password for illegal user test from 163.32.62.4 port 52670 ssh2
Jul 26 18:50:34 cabernet sshd[12601]: Illegal user guest from 163.32.62.4
Jul 26 18:50:34 cabernet sshd[12601]: error: Could not get shadow information for NOUSER
Jul 26 18:50:34 cabernet sshd[12601]: Failed password for illegal user guest from 163.32.62.4 port 52797 ssh2
Jul 26 18:50:36 cabernet sshd[12603]: Illegal user admin from 163.32.62.4
Jul 26 18:50:37 cabernet sshd[12603]: error: Could not get shadow information for NOUSER
Jul 26 18:50:37 cabernet sshd[12603]: Failed password for illegal user admin from 163.32.62.4 port 52887 ssh2
Jul 26 18:50:39 cabernet sshd[12605]: Illegal user admin from 163.32.62.4
Jul 26 18:50:39 cabernet sshd[12605]: error: Could not get shadow information for NOUSER
Jul 26 18:50:39 cabernet sshd[12605]: Failed password for illegal user admin from 163.32.62.4 port 52965 ssh2
Jul 26 18:50:42 cabernet sshd[12607]: Illegal user user from 163.32.62.4
Jul 26 18:50:42 cabernet sshd[12607]: error: Could not get shadow information for NOUSER
Jul 26 18:50:42 cabernet sshd[12607]: Failed password for illegal user user from 163.32.62.4 port 53045 ssh2
Jul 26 18:50:45 cabernet sshd[12609]: Failed password for root from 163.32.62.4 port 53129 ssh2
Jul 26 18:50:48 cabernet sshd[12612]: Failed password for root from 163.32.62.4 port 53229 ssh2
...

I've checked the origin of these connection attempts and I discovered that the "guilty" host (163.32.62.4) is a box called mail.cshs.kh.edu.tw. I think that this host is affected by a worm, but I don't know anything about the kind of virus.

I noticed that the spread of the worm lasted only the 26th of July. Maybe there's a spread controlled by the date.

Sorry for my English.

Alessandro Bulgarelli
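An added example, not code from the thread or its authors: a small Python parser that pulls the "Failed password" events out of sshd log lines of the shape quoted above and flags any source that fails against several accounts within a short span (the test/guest/admin/user/root sweep both posters saw). The sample lines are constructed, the year is assumed because syslog omits it, and the 5-failures-in-60-seconds threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample modelled on the thread's auth.log excerpt; host, PIDs,
# ports and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG = """\
Jul 26 18:01:17 cabernet sshd[12014]: Failed password for illegal user test from 192.0.2.10 port 46707 ssh2
Jul 26 18:01:20 cabernet sshd[12016]: Failed password for illegal user guest from 192.0.2.10 port 46818 ssh2
Jul 26 18:01:23 cabernet sshd[12018]: Failed password for illegal user admin from 192.0.2.10 port 46899 ssh2
Jul 26 18:01:32 cabernet sshd[12024]: Failed password for root from 192.0.2.10 port 47132 ssh2
Jul 26 18:01:35 cabernet sshd[12026]: Failed password for root from 192.0.2.10 port 47235 ssh2
Jul 26 18:17:01 cabernet CRON[12117]: (pam_unix) session opened for user root by (uid=0)
Jul 26 18:50:30 cabernet sshd[12599]: Failed password for illegal user test from ::ffff:198.51.100.7 port 52670 ssh2
"""

# Matches "Failed password for root ..." and "... for illegal user test ...",
# with or without the ::ffff: IPv4-mapped prefix seen in the first post.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<illegal>illegal user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>[\d.]+) port \d+ ssh2$"
)
Failure = namedtuple("Failure", "ts user ip illegal")  # illegal: no such account

def parse_failures(text, year=2004):
    """Extract failed-password events; syslog omits the year, so one is assumed."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append(Failure(ts, m["user"], m["ip"], m["illegal"] is not None))
    return out

def flag_sources(failures, threshold=5, window_s=60):
    """Sliding window: sources with >= threshold failures inside any window_s-second
    span, mapped to the sorted set of account names they tried."""
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f.ip].append(f.ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            if (times[i] - times[i - threshold + 1]).total_seconds() <= window_s:
                flagged[ip] = sorted({f.user for f in failures if f.ip == ip})
                break
    return flagged
```

Feed it a real auth.log instead of SAMPLE_LOG and the flagged dictionary is the list of sources worth blocking at the firewall or handing to the abuse contact, with the account names showing whether it was a dictionary sweep or a targeted guess.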