Re: SSH scans...

["Dejan Markovic" <dejanmarkovic () hotmail com>]

Hi Harald,

Thanks for the reply, have already received a number of responses from
people saying they are getting the same type of probes, as for blocking at
the firewall, that would definitely be more secure, but unfortunately that
would add another layer of complexity, so I'm pretty much stuck with use
strong passwords and read the logs. Talk to you later.

Regards,
Dan

----- Original Message ----- 
From: "Harald Nesland" <maillists-hn () interweb no>
To: "Dejan Markovic" <dejanmarkovic () hotmail com>
Cc: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, December 20, 2004 11:18 AM
Subject: Re: SSH scans...


Hi,

You're not alone :)

I'm beeing scanned too, from various ip-addresses for various users.

I guess the solution is to block SSH in your firewall, and open it to
your needs.

Dejan Markovic wrote:
> Hi Guys,
>
> Don't know whether this is the right list, but need to ask if others have
> the same entries in their logs for the past number of months. Let me take
a
> step back, I maintain a number of networks on different IP ranges and they
> are all being probed by what looks like a tool, or maybe it is the same
> group/script. The originating computers range from open proxies to owned
> boxes and there are two distinct patterns I've seen so far. The following
> scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
> caught my attention the first time a while back, and still getting the
same
> scans on a daily basis:
>
> account/password    from 210.245.168.28: 1 Time(s)
> adam/password    from 210.245.168.28: 1 Time(s)
> adm/password    from 210.245.168.28: 2 Time(s)
> alan/password    from 210.245.168.28: 1 Time(s)
> apache/password    from 210.245.168.28: 1 Time(s)
> backup/password    from 210.245.168.28: 1 Time(s)
> cip51/password    from 210.245.168.28: 1 Time(s)
> cip52/password    from 210.245.168.28: 1 Time(s)
> cosmin/password    from 210.245.168.28: 1 Time(s)
> cyrus/password    from 210.245.168.28: 1 Time(s)
> data/password    from 210.245.168.28: 1 Time(s)
> frank/password    from 210.245.168.28: 1 Time(s)
> george/password    from 210.245.168.28: 1 Time(s)
> henry/password    from 210.245.168.28: 1 Time(s)
> horde/password    from 210.245.168.28: 1 Time(s)
> iceuser/password    from 210.245.168.28: 1 Time(s)
> irc/password    from 210.245.168.28: 2 Time(s)
> jane/password    from 210.245.168.28: 1 Time(s)
> john/password    from 210.245.168.28: 1 Time(s)
> master/password    from 210.245.168.28: 1 Time(s)
> matt/password    from 210.245.168.28: 1 Time(s)
> mysql/password    from 210.245.168.28: 1 Time(s)
> nobody/password    from 210.245.168.28: 1 Time(s)
> noc/password    from 210.245.168.28: 1 Time(s)
> operator/password    from 210.245.168.28: 1 Time(s)
> oracle/password    from 210.245.168.28: 1 Time(s)
> pamela/password    from 210.245.168.28: 1 Time(s)
> patrick/password    from 210.245.168.28: 2 Time(s)
> rolo/password    from 210.245.168.28: 1 Time(s)
> root/password    from 210.245.168.28: 59 Time(s)
> server/password    from 210.245.168.28: 1 Time(s)
> sybase/password    from 210.245.168.28: 1 Time(s)
> test/password    from 210.245.168.28: 5 Time(s)
> user/password    from 210.245.168.28: 3 Time(s)
> web/password    from 210.245.168.28: 2 Time(s)
> webmaster/password    from 210.245.168.28: 1 Time(s)
> www-data/password    from 210.245.168.28: 1 Time(s)
> www/password    from 210.245.168.28: 1 Time(s)
> wwwrun/password    from 210.245.168.28: 1 Time(s)
>
> Regards,
> Dan

Cheers,

-- 
   _____        __ Ú---------------------Â---------------------------¿
  |_ _\ \      / / | Harald Nesland      | email: harald () interweb no |
   | | \ \ /\ / /  | Interweb Norge AS   | t l f: +47 380 58 200     |
   | |  \ V  V /   | Ægirsvei 10         | f a x: +47 380 58 201     |
  |___|  \_/\_/    | 4630 Kristiansand   | p g p: 0 x 43951F95       |
  www.interweb.no  À---------------------Á---------------------------Ù