Security Incidents mailing list archives

RE: Anyone else seeing SSH scans?


From: "Ian Hayes" <Ian.Hayes () dpsi-inc com>
Date: Wed, 28 Jul 2004 22:00:26 -0500

 

        -----Original Message----- 
        From: Andrew Kopp ( Tor ZEW ) [mailto:andrew.kopp () kuehne-nagel com] 
        Sent: Wed 7/28/2004 7:33 AM 
        To: Matthew Dharm; incidents () securityfocus com 
        Cc: 
        Subject: RE: Anyone else seeing SSH scans?
        
        

        >I have seen a significant increase of scans on our ssh ports... 

        >But none of them seem to be related to any on this list. The attacker is 
        >trying different accounts such as root or admin. They seem to try two 
        >passwords with the admin account and three passwords with the root account. 
        >If they are unable to obtain access they move on to the next host. It seems 
        >to be scripted as each host has the same log except for the timestamp.) 

        Just got my cable modem activated yesterday. Looks like I joined in just in time:

        messages:Jul 28 05:59:32 sixshooter sshd[7339]: Failed password for illegal user test from 220.68.91.206 port 48987 ssh2
        messages:Jul 28 05:59:34 sixshooter sshd[7341]: Failed password for illegal user guest from 220.68.91.206 port 49009 ssh2
        

        From the timestamp, I guess it's just someone playing around with a script. Looks like he's scanning a bunch of hosts at once if his system is opening up source ports sequentially.

        Actually, I'm offended. They didn't even try root.
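
Added example, not part of the original message: a small log summarizer that groups sshd password failures by source address and reports the usernames tried, the time span, and the gap between consecutive source ports, which is the signal the message uses to infer parallel scanning. The `summarize` and `looks_scripted` names, the year default, and the thresholds are assumptions chosen for illustration; the third log line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# The first two lines are the ones quoted in the message; the third is constructed.
SAMPLE_LOG = """\
messages:Jul 28 05:59:32 sixshooter sshd[7339]: Failed password for illegal user test from 220.68.91.206 port 48987 ssh2
messages:Jul 28 05:59:34 sixshooter sshd[7341]: Failed password for illegal user guest from 220.68.91.206 port 49009 ssh2
messages:Jul 28 06:10:02 sixshooter sshd[7402]: Failed password for root from 192.0.2.15 port 40112 ssh2
"""

# Older OpenSSH logs "illegal user", newer releases log "invalid user".
FAILED = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def summarize(log_text, year=2004):
    """Group failed sshd logins by source IP (syslog lines carry no year)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["user"], int(m["port"])))
    report = {}
    for ip, rows in events.items():
        rows.sort()
        ports = [p for _, _, p in rows]
        report[ip] = {
            "attempts": len(rows),
            "users": sorted({u for _, u, _ in rows}),
            "seconds": int((rows[-1][0] - rows[0][0]).total_seconds()),
            # Ports the source used between its hits on this host. Only meaningful
            # if the source allocates ports sequentially; negative on wraparound.
            "port_gaps": [b - a - 1 for a, b in zip(ports, ports[1:])],
        }
    return report

def looks_scripted(entry, min_users=2, max_seconds=60):
    """Assumed heuristic: several usernames from one source in a short burst."""
    return len(entry["users"]) >= min_users and entry["seconds"] <= max_seconds

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry, "scripted" if looks_scripted(entry) else "")
```

On the two lines from the message, the port gap of 21 in two seconds is consistent with the source opening other connections between its attempts against this host.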

