Security Incidents mailing list archives
Re: SSH attacks?
From: Jyri Hovila <jyri.hovila () iki fi>
Date: Wed, 28 Jul 2004 21:42:48 +0300
Hi!

I collect logs from a bunch of OpenBSD hosts. Below is what I found (sorry about the messy format).

Most of the hosts doing the scans seem to be running sshd. I'm afraid this could mean there is a new SSH exploit out in the wild. I think admins would do wisely to restrict SSH logins to known IP addresses (or subnets) when possible.

- Jyri

------------------------------------------------------------------------
Total of 166 records
First record: Jul 17th 17.27 EET (GMT +2)

Addresses, geological area, banners and usernames tested:
* = host appears more than once

Jul 17
    212.65.244.xxx   RIPE   SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 \
                            admin, guest, user, test
Jul 20
    61.60.51.xxx     APNIC  (no response) \
                            guest, test
    66.250.111.xxx   ARIN   SSH-1.99-OpenSSH_3.1p1 \
                            admin, guest, user, test
Jul 21
    195.113.17.xxx   RIPE   (no response) \
                            guest, test
Jul 23
    63.166.192.xxx   ARIN   (no response) \
                            guest, test
    211.119.136.xxx  APNIC  (no response) \
                            guest, test
    216.20.112.xxx   ARIN   SSH-1.99-OpenSSH_2.3.0p1 \
                            guest, test
Jul 24
  * 61.109.156.xxx   APNIC  SSH-1.99-OpenSSH_3.5p1 \
                            guest, test
    64.8.171.xxx     ARIN   (no response) \
                            admin, guest, user, test
Jul 25
  * 61.109.156.xxx   APNIC  SSH-1.99-OpenSSH_3.5p1 \
                            guest, test
    80.53.236.xxx    RIPE   (connection refused) \
                            guest, test
  * 81.8.206.xxx     RIPE   SSH-1.99-OpenSSH_3.6.1p2 \
                            guest, test
    210.101.234.xxx  APNIC  (no response)
                            guest, test
Jul 26
  * 61.109.156.xxx   APNIC  SSH-1.99-OpenSSH_3.5p1 \
                            guest, test
    67.68.231.xxx    ARIN   SSH-1.99-OpenSSH_3.5p1 \
                            guest, test
  * 81.8.206.xxx     RIPE   SSH-1.99-OpenSSH_3.6.1p2 \
                            guest, test
    202.134.73.xxx   APNIC  SSH-1.99-OpenSSH_3.1p1 \
                            guest, test
Jul 27
  * 81.8.206.xxx     RIPE   SSH-1.99-OpenSSH_3.6.1p2 \
                            guest, test
    194.204.17.xxx   RIPE   SSH-1.99-OpenSSH_3.5p1 \
                            guest, test
    208.30.184.xxx   ARIN   (connection refused) \
                            guest, test
    210.0.186.xxx    APNIC  SSH-2.0-OpenSSH_3.5p1 \
                            guest, test
    210.83.203.xxx   APNIC  SSH-1.99-OpenSSH_2.5.2p2 \
                            guest, test
Jul 28
    64.69.77.xxx     ARIN   (connection refused) \
                            guest, test
    69.0.134.xxx     ARIN   SSH-1.99-OpenSSH_2.9p2 \
                            admin, user, guest, test
    209.176.248.xxx  ARIN   SSH-1.99-OpenSSH_2.3.0p1 \
                            guest, test
    211.184.226.xxx  APNIC  (connection refused) \
                            guest, test
------------------------------------------------------------------------
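An added example, not part of the original post: one way to build the per-source summary above (usernames tried, `*` for sources seen on more than one day) from sshd failure lines collected from several hosts. The syslog line layout, the sample lines, and the names `summarize` and `probes` are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Usernames the post reports being tried.
PROBE_USERS = {"admin", "guest", "user", "test"}

# Assumed syslog layout for OpenSSH password failures. The username is
# attacker-controlled, so it is matched greedily and the source address is
# taken from the END of the line, not from the first " from ".
FAIL_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?(?P<user>.*) from (?P<src>\S+) port \d+(?: ssh\d)?$")

# Constructed sample (RFC 5737 documentation addresses, made-up hostnames).
SAMPLE_LOG = """\
Jul 24 03:12:01 fw1 sshd[2101]: Failed password for illegal user guest from 192.0.2.10 port 4312 ssh2
Jul 24 03:12:04 fw1 sshd[2103]: Failed password for illegal user test from 192.0.2.10 port 4320 ssh2
Jul 25 11:40:17 mail sshd[911]: Failed password for illegal user guest from 192.0.2.10 port 1188 ssh2
Jul 25 11:40:19 mail sshd[913]: Failed password for invalid user test from 192.0.2.10 port 1190 ssh2
Jul 26 08:02:55 fw1 sshd[3001]: Failed password for illegal user admin from 198.51.100.7 port 2201 ssh2
Jul 26 08:02:57 fw1 sshd[3003]: Failed password for illegal user guest from 198.51.100.7 port 2203 ssh2
Jul 26 09:15:00 fw1 sshd[3050]: Failed password for alice from 203.0.113.5 port 5555 ssh2
Jul 26 09:20:00 fw1 sshd[3060]: Failed password for illegal user test from 203.0.113.5 port 1 ssh2 from 198.51.100.7 port 2210 ssh2
"""

def summarize(log_text):
    """Group failed logins by source address across all collected hosts."""
    seen = defaultdict(lambda: {"days": set(), "hosts": set(), "users": set()})
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            rec = seen[m["src"]]
            rec["days"].add(m["day"])
            rec["hosts"].add(m["host"])
            rec["users"].add(m["user"])
    return dict(seen)

def probes(summary, min_users=2):
    """Sources that tried at least min_users of the probe usernames.
    Returns {src: repeat}; repeat is True if seen on more than one day."""
    return {src: len(rec["days"]) > 1 for src, rec in summary.items()
            if len(rec["users"] & PROBE_USERS) >= min_users}

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, repeat in sorted(probes(summary).items()):
        rec = summary[src]
        print("*" if repeat else " ", src, ", ".join(sorted(rec["days"])),
              "\\", ", ".join(sorted(rec["users"] & PROBE_USERS)))
```

The last sample line carries a username that itself contains " from 203.0.113.5 port 1 ssh2"; because the pattern anchors the address at the end of the line, the attempt is still attributed to the connecting source rather than to the address embedded in the username.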