Security Incidents mailing list archives
Re: SSH attacks?
From: Christine Kronberg <Christine_Kronberg () genua de>
Date: Wed, 28 Jul 2004 10:19:10 +0200 (CEST)
On Tue, 27 Jul 2004, Adam Young wrote:
> On Tue, 27 Jul 2004 10:59:07 +1200 Robin <robin () kallisti net nz> wrote:
>
>> accounts. The big ones are going over a large list, the pairs seem to be just hitting test and guest:
>>
>> Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44
>> Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
>> Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44
>> Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2
>>
>> Does anyone know why this would appear all of a sudden?
>
> I've noticed this myself. It has been happening for roughly one week, two at maximum.
Heaven, I'm glad you are seeing that, too. It really gave me headaches. In the last four weeks I had (privately) two ssh "incidents": one originating from Korea, one from Germany. The first was clearly a person trying to get in, taking a deliberate taste in the (existing) test account (without success). The other one was "next door", someone trying to get in as root (no success either). I only reported the second one. Only after the first play round the test/guest attempts started so I was starting to think that whoever was probing my host from Korea was probably going with that. Now that my host is out of focus, I'm really relieved. :-)
I think someone has either caught wind of some sort of information about loosely configured proprietary hardware which has an empty password on test/guest, or a worm sets up these accounts with some preset password that it checks other machines for to see if they're also infected.
Has anyone tried to capture that with a honeypot? I'm considering that for my own but lack the proper environment.

Cheers,

Chris Kronberg.

--
GeNUA mbH
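As an added example (not part of the original message or thread): a small Python check that sorts the sources in an sshd log into the two patterns Robin describes, the test/guest pair and the long username list. The first four sample lines are the ones quoted above; the remaining lines and the `list_threshold` cut-off are constructed assumptions.

```python
import re
from collections import defaultdict

# "Illegal user" line as quoted in the thread (sshd wording of that period).
ILLEGAL_USER = re.compile(
    r"sshd\[\d+\]: Illegal user (?P<user>\S+) from (?P<src>\S+)$"
)
PAIR = {"test", "guest"}

def normalise(src):
    """Strip the IPv4-mapped IPv6 prefix so one host is counted once."""
    return src[7:] if src.lower().startswith("::ffff:") else src

def classify(lines, list_threshold=5):
    """Map source -> ("pair" | "list" | "other", usernames in order tried)."""
    tried = defaultdict(list)
    for line in lines:
        m = ILLEGAL_USER.search(line.strip())
        if m:  # "Failed password for illegal user" lines are skipped on purpose
            tried[normalise(m["src"])].append(m["user"])
    result = {}
    for src, users in tried.items():
        names = set(users)
        if names == PAIR:
            kind = "pair"    # exactly test + guest, as in the quoted log
        elif len(names) >= list_threshold:
            kind = "list"    # assumed cut-off for "going over a large list"
        else:
            kind = "other"
        result[src] = (kind, users)
    return result

# Lines quoted in the thread.
SAMPLE = """\
Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44
Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44
Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2
""".splitlines()
# Constructed lines: a documentation-range source walking a username list.
SAMPLE += [
    f"Jul 27 01:10:{i:02d} kallisti sshd[{13000 + i}]: Illegal user {u} from 192.0.2.10"
    for i, u in enumerate(["admin", "oracle", "www", "mysql", "backup", "test"])
]

if __name__ == "__main__":
    for src, (kind, users) in classify(SAMPLE).items():
        print(f"{src:15} {kind:5} {', '.join(users)}")
```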