Security Incidents mailing list archives

Re: SSH attacks?


From: Christine Kronberg <Christine_Kronberg () genua de>
Date: Wed, 28 Jul 2004 10:19:10 +0200 (CEST)

On Tue, 27 Jul 2004, Adam Young wrote:
On Tue, 27 Jul 2004 10:59:07 +1200
Robin <robin () kallisti net nz> wrote:

accounts. The big ones are going over a large list, the pairs seem to be just
hitting test and guest:
Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44
Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44
Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2

Does anyone know why this would appear all of a sudden?

I've noticed this myself.  It has been happening for roughly one week, two at
maximum.

  Heaven, I'm glad you are seeing that, too. It really gave me headaches.
  In the last four weeks I had (privately) two ssh "incidents": one
  originating from Korea, one from Germany. The first was clearly a
  person trying to get in, taking a deliberate taste in the (existing)
  test account (without success). The other one was "next door", someone
  trying to get in as root (no success either). I only reported the
  second one.
  Only after the first play round the test/guest attempts started so
  I was starting to think that whoever was probing my host from Korea
  was probably going with that. Now that my host is out of focus, I'm
  really relieved. :-)

I think someone has either caught wind of some sort of information about loosely
configured proprietary hardware which has an empty password on test/guest, or a
worm sets up these accounts with some preset password that it checks other
machines for to see if they're also infected.

  Has anyone tried to capture that with a honeypot? I'm considering
  that for my own but lack the proper environment.

  Cheers,


                                                     Chris Kronberg.

-- 
GeNUA mbH
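
Added example, not part of the original message or of any poster's tooling: a small Python log check that separates the two patterns described in the thread, sources that try only test and guest versus sources that walk a large list of names. It assumes one sshd entry per line; the function names, the 10-name threshold and the 192.0.2.10 sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the old OpenSSH wording quoted in the thread ("Illegal user") and
# the wording used by later OpenSSH releases ("Invalid user").
PROBE = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>\S+)"
)

def normalise(addr):
    """Strip the IPv4-mapped IPv6 prefix so ::ffff:a.b.c.d groups with a.b.c.d."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr

def classify(lines, pair=frozenset({"test", "guest"}), list_threshold=10):
    """Group unknown-user probes by source address and label each source.

    list_threshold is an assumed cut-off for calling a run a 'large list'.
    """
    tried = defaultdict(set)
    for line in lines:
        m = PROBE.search(line)
        if m:
            tried[normalise(m.group("src"))].add(m.group("user"))
    report = {}
    for src, users in tried.items():
        if users <= pair:
            label = "test/guest pair"   # only the two names from the thread
        elif len(users) >= list_threshold:
            label = "large list"        # many distinct account names tried
        else:
            label = "other"
        report[src] = (label, sorted(users))
    return report

# Constructed sample: the first two lines use the format quoted in the thread;
# the 192.0.2.10 lines are invented (documentation address range).
SAMPLE = [
    "Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44",
    "Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44",
] + [
    f"Jul 26 23:10:{i:02d} kallisti sshd[{13000 + i}]: Illegal user name{i} from ::ffff:192.0.2.10"
    for i in range(12)
]

if __name__ == "__main__":
    for src, (label, users) in classify(SAMPLE).items():
        print(f"{src:15} {label:16} {len(users)} name(s)")
```

The matching "Failed password for illegal user" lines are skipped on purpose, so each attempt is counted once.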

