Security Incidents mailing list archives
Re: SSH scans...
From: "Dejan Markovic" <dejanmarkovic () hotmail com>
Date: Mon, 20 Dec 2004 13:39:43 -0500
Hi Harald, Thanks for the reply, have already received a number of responses from people saying they are getting the same type of probes, as for blocking at the firewall, that would definitely be more secure, but unfortunately that would add another layer of complexity, so I'm pretty much stuck with use strong passwords and read the logs. Talk to you later. Regards, Dan ----- Original Message ----- From: "Harald Nesland" <maillists-hn () interweb no> To: "Dejan Markovic" <dejanmarkovic () hotmail com> Cc: <INCIDENTS () SECURITYFOCUS COM> Sent: Monday, December 20, 2004 11:18 AM Subject: Re: SSH scans... Hi, You're not alone :) I'm beeing scanned too, from various ip-addresses for various users. I guess the solution is to block SSH in your firewall, and open it to your needs. Dejan Markovic wrote:
Hi Guys, Don't know whether this is the right list, but need to ask if others have the same entries in their logs for the past number of months. Let me take
a
step back, I maintain a number of networks on different IP ranges and they are all being probed by what looks like a tool, or maybe it is the same group/script. The originating computers range from open proxies to owned boxes and there are two distinct patterns I've seen so far. The following scan is a recent example where the root/password from x.x.x.x: 59 Time(s) caught my attention the first time a while back, and still getting the
same
scans on a daily basis: account/password from 210.245.168.28: 1 Time(s) adam/password from 210.245.168.28: 1 Time(s) adm/password from 210.245.168.28: 2 Time(s) alan/password from 210.245.168.28: 1 Time(s) apache/password from 210.245.168.28: 1 Time(s) backup/password from 210.245.168.28: 1 Time(s) cip51/password from 210.245.168.28: 1 Time(s) cip52/password from 210.245.168.28: 1 Time(s) cosmin/password from 210.245.168.28: 1 Time(s) cyrus/password from 210.245.168.28: 1 Time(s) data/password from 210.245.168.28: 1 Time(s) frank/password from 210.245.168.28: 1 Time(s) george/password from 210.245.168.28: 1 Time(s) henry/password from 210.245.168.28: 1 Time(s) horde/password from 210.245.168.28: 1 Time(s) iceuser/password from 210.245.168.28: 1 Time(s) irc/password from 210.245.168.28: 2 Time(s) jane/password from 210.245.168.28: 1 Time(s) john/password from 210.245.168.28: 1 Time(s) master/password from 210.245.168.28: 1 Time(s) matt/password from 210.245.168.28: 1 Time(s) mysql/password from 210.245.168.28: 1 Time(s) nobody/password from 210.245.168.28: 1 Time(s) noc/password from 210.245.168.28: 1 Time(s) operator/password from 210.245.168.28: 1 Time(s) oracle/password from 210.245.168.28: 1 Time(s) pamela/password from 210.245.168.28: 1 Time(s) patrick/password from 210.245.168.28: 2 Time(s) rolo/password from 210.245.168.28: 1 Time(s) root/password from 210.245.168.28: 59 Time(s) server/password from 210.245.168.28: 1 Time(s) sybase/password from 210.245.168.28: 1 Time(s) test/password from 210.245.168.28: 5 Time(s) user/password from 210.245.168.28: 3 Time(s) web/password from 210.245.168.28: 2 Time(s) webmaster/password from 210.245.168.28: 1 Time(s) www-data/password from 210.245.168.28: 1 Time(s) www/password from 210.245.168.28: 1 Time(s) wwwrun/password from 210.245.168.28: 1 Time(s) Regards, Dan
Cheers, -- _____ __ Ú---------------------Â---------------------------¿ |_ _\ \ / / | Harald Nesland | email: harald () interweb no | | | \ \ /\ / / | Interweb Norge AS | t l f: +47 380 58 200 | | | \ V V / | Ægirsvei 10 | f a x: +47 380 58 201 | |___| \_/\_/ | 4630 Kristiansand | p g p: 0 x 43951F95 | www.interweb.no À---------------------Á---------------------------Ù
Current thread:
- SSH scans... Dejan Markovic (Dec 20)
- Re: SSH scans... Harald Nesland (Dec 20)
- RE: SSH scans... another possible solution Ron Moore (Dec 20)
- Re: SSH scans... Dejan Markovic (Dec 20)
- Re: SSH scans... Barrie Dempster (Dec 20)
- Re: [incidents] SSH scans... Tim Kennedy (Dec 20)
- Message not available
- Re: [incidents] SSH scans... Tim Kennedy (Dec 20)
- Message not available
- Re: SSH scans... Harald Nesland (Dec 20)
- Re: SSH scans... Keith Morgan (Dec 20)
- Re: SSH scans... Gerry Dalton (Dec 20)
- Re: SSH scans... Peter Willis (Dec 20)
- Re: SSH scans... skippy1 (Dec 21)
- Re: SSH scans... Peter Willis (Dec 20)
- Re: SSH scans... Raymond Lillard (Dec 20)
- Re: SSH scans... Ben Nelson (Dec 20)
- Re: SSH scans... Steve Kemp (Dec 20)