Re: SSH attacks?

[Marcus Merrin <marcus.merrin () emptyair com>]

I saw the same thing about a month ago, only the selection of usernames 
was much wider, including  graceland, metro, elvis, matrix and many more 
including guest and test.  It was traced to a host in Japan but I 
haven't heard back from them if any action was taken.  Maybe the current 
wave is a cut-down version of a more comprehensive tool? Attacks on  my 
client's servers  went on for about an hour at a time.

Andrew J Caines wrote:

> FWIW, here's what I've seen on my single IP cable connection:
>
> Jul 17 04:54:46 test  129.194.21.5
> Jul 17 04:54:47 guest 129.194.21.5
> Jul 22 04:38:49 test  61.237.13.234
> Jul 22 04:38:52 guest 61.237.13.234
> Jul 23 10:55:46 test  61.109.156.5
> Jul 23 10:55:49 guest 61.109.156.5
> Jul 24 19:40:48 test  202.6.75.195
> Jul 24 19:40:50 guest 202.6.75.195
> Jul 24 20:24:31 test  69.0.134.72
> Jul 24 20:24:31 guest 69.0.134.72
> Jul 24 20:24:32 admin 69.0.134.72
> Jul 24 20:24:33 admin 69.0.134.72
> Jul 24 20:24:34 user  69.0.134.72
> Jul 24 20:24:37 test  69.0.134.72
> Jul 25 02:51:10 test  211.202.3.148
> Jul 25 02:51:12 guest 211.202.3.148
> Jul 25 16:30:34 test  219.234.216.150
> Jul 25 16:30:37 guest 219.234.216.150
> Jul 27 16:12:08 test  210.92.210.67
> Jul 27 16:12:10 guest 210.92.210.67
> Jul 28 11:52:43 test  65.61.98.16
> Jul 28 11:52:45 guest 65.61.98.16
>
> The timing and distribution of userids indicates to me that this is more
> than a simple probe for vulnerable SSH servers.
>
>  
--
////////////////////////////////////////////////////////////
// Marcus Merrin PhD.
// EmptyAir Consulting
// marcus.merrin () emptyair com 
/////////////////////////////////////////////////////////////