Vulnwatch mailing list archives
Re: [VulnDiscuss] Re: [Full-Disclosure] Automated SSH login attempts?
From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 26 Jul 2004 15:37:07 -0500
--On Monday, July 26, 2004 03:29:56 PM -0400 RBabb <rob_mailing_lists () rbabb net> wrote:
That's not obvious at all. In our case, they're hitting IPs in sequential order, so it looks (to us) more like a "brute force" attempt rather than the targeting of hosts that are specifically running sshd.This makes me feel better. I thought it odd that so many machines were hitting my ssh server. I even blocked it at the firewall for a day or so. Is anyone talking on what the bot system was that allowed them to automate this? It seemed that as soon as 1 got it so did a whole bunch more so obviously people are distributing lists of IP's for potential SSH access.
I'm not real sure on who to contact for these machines, but here are all the ones that have hit me. Mostly seem to be Asian so far. Jul 25 19:48:40 server sshd[55910]: Failed password for illegal user test from 212.4.172.123 port 56843 ssh2 Jul 25 19:48:42 server sshd[55915]: Failed password for illegal user guest from 212.4.172.123 port 56916 ssh2 Jul 25 20:37:19 server sshd[57221]: Failed password for illegal user test from 210.40.224.10 port 49738 ssh2 Jul 25 20:37:22 server sshd[57223]: Failed password for illegal user guest from 210.40.224.10 port 49756 ssh2
[pauls@utd49554 pauls]$ dig -x 212.4.172.123 ; <<>> DiG 9.2.2-P3 <<>> -x 212.4.172.123 ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 123 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1 ;; QUESTION SECTION: ;123.172.4.212.in-addr.arpa. IN PTR ;; ANSWER SECTION: 123.172.4.212.in-addr.arpa. 604800 IN PTR mail.enet.de.Since this is a mail server, I would say the odds are *extremely high* that it's been compromised and that the owners would greatly appreciate a heads up. (So I've cc'd them. But these are *your* logs, so *you* should notify them as well.
Jul 24 21:37:50 server sshd[21578]: Failed password for illegal user test from 218.244.240.195 port 58900 ssh2 Jul 24 21:37:53 server sshd[21580]: Failed password for illegal user guest from 218.244.240.195 port 58928 ssh2
person: ShouLan Du address: Fl./8, South Building, Bridge Mansion, No. 53 country: CN phone: +86-010-83160000 fax-no: +86-010-83155528 e-mail: dsl327 () btamail net cn nic-hdl: SD76-AP mnt-by: MAINT-CNNIC-AP changed: dsl327 () btamail net cn 20020403 source: APNIC
Jul 22 18:23:36 server sshd[38184]: Failed password for illegal user test from 216.86.221.113 port 58012 ssh2 Jul 22 18:23:37 server sshd[38195]: Failed password for illegal user guest from 216.86.221.113 port 51509 ssh2
;; ANSWER SECTION:113.221.86.216.in-addr.arpa. 14400 IN PTR adsl-gte-la-216-86-215-113.mminternet.com.
Technical Contact: Master, Host (NC312) hostmaster () MMINTERNET COM 3780 Kilroy Airport Way Suite 410 Long Beach, CA 90806 US 562-427-0344 fax: 562-427-3622 Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/ir/security/
Current thread:
- Re: [VulnDiscuss] Re: [Full-Disclosure] Automated SSH login attempts? Paul Schmehl (Jul 26)