Security Incidents mailing list archives

Re: SSH attacks?


From: Jyri Hovila <jyri.hovila () iki fi>
Date: Wed, 28 Jul 2004 21:42:48 +0300

Hi!

I collect logs from a bunch of OpenBSD hosts. Below is what I found
(sorry about the messy format).

Most of the hosts doing the scans seem to be running sshd. I'm afraid
this could mean there is a new SSH exploit out in the wild. I think
admins would be wise to restrict SSH logins to known IP addresses (or
subnets) when possible.

- Jyri

------------------------------------------------------------------------
Total of 166 records

First record: Jul 17th 17.27 EET (GMT +2)

Addresses, geographical area, banners and usernames tested:

     * = host appears more than once

     Jul 17

          212.65.244.xxx    RIPE    \
               SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 \
               admin, guest, user, test

     Jul 20

          61.60.51.xxx      APNIC  (no response) \
               guest, test
          66.250.111.xxx    ARIN    SSH-1.99-OpenSSH_3.1p1 \
               admin, guest, user, test

     Jul 21

          195.113.17.xxx    RIPE    (no response) \
               guest, test

     Jul 23

          63.166.192.xxx    ARIN    (no response) \
               guest, test
          211.119.136.xxx   APNIC   (no response) \
               guest, test
          216.20.112.xxx    ARIN    SSH-1.99-OpenSSH_2.3.0p1 \
               guest, test

     Jul 24

        * 61.109.156.xxx    APNIC   SSH-1.99-OpenSSH_3.5p1 \
               guest, test

          64.8.171.xxx      ARIN    (no response) \
               admin, guest, user, test

     Jul 25

        * 61.109.156.xxx    APNIC   SSH-1.99-OpenSSH_3.5p1 \
               guest, test
          80.53.236.xxx     RIPE    (connection refused) \
               guest, test
        * 81.8.206.xxx      RIPE    SSH-1.99-OpenSSH_3.6.1p2 \
               guest, test
          210.101.234.xxx   APNIC   (no response) \
               guest, test

     Jul 26

        * 61.109.156.xxx    APNIC   SSH-1.99-OpenSSH_3.5p1 \
               guest, test
          67.68.231.xxx     ARIN    SSH-1.99-OpenSSH_3.5p1 \
               guest, test
        * 81.8.206.xxx      RIPE    SSH-1.99-OpenSSH_3.6.1p2 \
               guest, test
          202.134.73.xxx    APNIC   SSH-1.99-OpenSSH_3.1p1 \
               guest, test

     Jul 27

        * 81.8.206.xxx      RIPE    SSH-1.99-OpenSSH_3.6.1p2 \
               guest, test
          194.204.17.xxx    RIPE    SSH-1.99-OpenSSH_3.5p1 \
               guest, test
          208.30.184.xxx    ARIN    (connection refused) \
               guest, test
          210.0.186.xxx     APNIC   SSH-2.0-OpenSSH_3.5p1 \
               guest, test
          210.83.203.xxx    APNIC   SSH-1.99-OpenSSH_2.5.2p2 \
               guest, test

     Jul 28

          64.69.77.xxx      ARIN    (connection refused) \
               guest, test
          69.0.134.xxx      ARIN    SSH-1.99-OpenSSH_2.9p2 \
               admin, user, guest, test
          209.176.248.xxx   ARIN    SSH-1.99-OpenSSH_2.3.0p1 \
               guest, test
          211.184.226.xxx   APNIC   (connection refused) \
               guest, test
------------------------------------------------------------------------
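
A summary like the one tabulated above can be built directly from sshd log lines. The following is an added example, not part of the original post: it groups failed logins by source address, lists the usernames tried, and marks sources seen on more than one day with `*`. The sample lines are constructed, and their wording ("Illegal user" / "Invalid user", "Failed password for ...") is an assumption about the sshd log format that varies by OpenSSH version.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of sshd auth logs; host names, PIDs
# and addresses (RFC 5737 documentation ranges) are made up for illustration.
SAMPLE_LOG = """\
Jul 24 03:11:02 gw1 sshd[2211]: Illegal user test from 192.0.2.10
Jul 24 03:11:04 gw1 sshd[2211]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Jul 24 03:11:06 gw1 sshd[2214]: Illegal user guest from 192.0.2.10
Jul 25 09:40:51 gw2 sshd[901]: Failed password for illegal user guest from 192.0.2.10 port 40377 ssh2
Jul 25 11:02:13 gw2 sshd[977]: Failed password for admin from 198.51.100.7 port 51022 ssh2
Jul 25 11:02:19 gw2 sshd[977]: Accepted publickey for alice from 203.0.113.5 port 50001 ssh2
Jul 25 23:15:40 gw1 sshd[3120]: Invalid user user from 198.51.100.7
"""

# Matches rejected attempts only; "Accepted ..." lines do not match.
ATTEMPT = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?:Failed \S+ for )?(?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)",
    re.IGNORECASE,
)

def summarize(log_text):
    """Group rejected sshd logins by source address."""
    seen = defaultdict(lambda: {"days": set(), "users": set(), "hosts": set()})
    for line in log_text.splitlines():
        m = ATTEMPT.match(line)
        if m:
            rec = seen[m["src"]]
            rec["days"].add(" ".join(m["day"].split()))  # normalise "Jul  4"
            rec["users"].add(m["user"])
            rec["hosts"].add(m["host"])
    return dict(seen)

def report(seen):
    """One row per source: repeat flag, masked address, usernames tried."""
    rows = []
    for src, rec in sorted(seen.items()):
        flag = "*" if len(rec["days"]) > 1 else " "  # seen on several days
        masked = src.rsplit(".", 1)[0] + ".xxx"      # hide the last octet
        rows.append(f"{flag} {masked:<18}{', '.join(sorted(rec['users']))}")
    return rows

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```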
