Security Incidents mailing list archives

Re: SSH attacks?


From: Jason Falciola <falciola () us ibm com>
Date: Tue, 27 Jul 2004 14:24:46 -0400

Robin <robin () kallisti net nz> wrote on 07/26/2004 06:59:07 PM:

] Looking a bit closer (and in other log files), I see it's people trying
] random accounts. The big ones are going over a large list, the pairs seem
] to be just hitting test and guest:
] Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44
] Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
] Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44
] Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2
] 
] Does anyone know why this would appear all of a sudden?

Others have noticed this activity recently, although the exact cause 
(manual, automated, etc.) has not been publicly identified yet.

<http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999>
<http://www.incidents.org/diary.php?date=2004-07-23>
<http://www.incidents.org/diary.php?date=2004-07-25>

One post indicated that a box which accepted the 'test' login was 
subsequently rooted, with the Suckit rootkit being installed.  This may or 
may not be significant.

<http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999~start=60>

Jason Falciola
Security Intelligence Analyst
IBM Managed Security Services
falciola () us ibm com
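
Added example, not part of the original message: a log triage script for the sshd lines quoted above. It groups failed passwords by source, separates test/guest pairs from longer account lists, and flags any login accepted from a source that had already failed. The sample log, its addresses, and the names `summarize` and `list_threshold` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the quoted sshd format; the 192.0.2.x, 198.51.100.x
# and 203.0.113.x addresses are documentation ranges, not observed sources.
SAMPLE_LOG = """\
Jul 26 23:05:59 host sshd[12314]: Illegal user test from ::ffff:192.0.2.10
Jul 26 23:05:59 host sshd[12314]: Failed password for illegal user test from ::ffff:192.0.2.10 port 41920 ssh2
Jul 26 23:06:01 host sshd[12320]: Failed password for illegal user guest from ::ffff:192.0.2.10 port 41967 ssh2
Jul 26 23:09:10 host sshd[12390]: Failed password for illegal user admin from ::ffff:198.51.100.7 port 50001 ssh2
Jul 26 23:09:12 host sshd[12391]: Failed password for root from ::ffff:198.51.100.7 port 50002 ssh2
Jul 26 23:09:14 host sshd[12392]: Failed password for illegal user oracle from ::ffff:198.51.100.7 port 50003 ssh2
Jul 26 23:11:30 host sshd[12450]: Accepted publickey for alice from ::ffff:203.0.113.5 port 51000 ssh2
Jul 26 23:12:00 host sshd[12500]: Accepted password for test from ::ffff:192.0.2.10 port 42000 ssh2
"""

# Newer OpenSSH releases log "invalid user" instead of "illegal user".
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")

def _addr(raw):
    # A dual-stack listener logs IPv4 peers as IPv4-mapped IPv6 addresses.
    return raw[7:] if raw.lower().startswith("::ffff:") else raw

def summarize(log_text, list_threshold=3):
    """Per-source failures, plus logins accepted after earlier failures."""
    sources = defaultdict(lambda: {"failures": 0, "users": set(), "accepted_after_failure": []})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            entry = sources[_addr(m.group(2))]
            entry["failures"] += 1
            entry["users"].add(m.group(1))
            continue
        m = ACCEPTED.search(line)
        if m and _addr(m.group(2)) in sources:  # only sources that already failed
            sources[_addr(m.group(2))]["accepted_after_failure"].append(m.group(1))
    for entry in sources.values():
        if entry["users"] <= {"test", "guest"}:
            entry["pattern"] = "test/guest pair"
        elif len(entry["users"]) >= list_threshold:
            entry["pattern"] = "account list"
        else:
            entry["pattern"] = "other"
    return dict(sources)

if __name__ == "__main__":
    for src, e in summarize(SAMPLE_LOG).items():
        print(src, e["pattern"], e["failures"], sorted(e["users"]), e["accepted_after_failure"])
```

A non-empty `accepted_after_failure` list is the case to escalate, since it means a guessed account actually logged in.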
