Hmmm...looks like we are moving onto the next phase of probing...time to
start cutting the iptables blackball rules.
Might also look to sending the IP to dshield.org to see if that can get
someone to attend to the zombie server.
Cheers, Frank.
Sep 27 18:23:13 INODE400 sshd[11596]: Illegal user debug from 220.107.72.132
Sep 27 18:23:15 INODE400 sshd[11598]: Illegal user tech from 220.107.72.132
Sep 27 18:23:19 INODE400 sshd[11602]: Illegal user manager from 220.107.72.132
Sep 27 18:23:21 INODE400 sshd[11604]: Illegal user monitor from 220.107.72.132
Sep 27 18:23:23 INODE400 sshd[11606]: Illegal user gnats from 220.107.72.132
Sep 27 18:23:25 INODE400 sshd[11608]: Illegal user security from 220.107.72.132
Sep 27 18:23:31 INODE400 sshd[11614]: Illegal user sysadmin from 220.107.72.132
Sep 27 18:23:33 INODE400 sshd[11616]: Illegal user master from 220.107.72.132
Sep 27 18:23:35 INODE400 sshd[11618]: Illegal user kermit from 220.107.72.132
Sep 27 18:23:37 INODE400 sshd[11620]: Illegal user client from 220.107.72.132
Sep 27 18:23:39 INODE400 sshd[11622]: Illegal user accounting from 220.107.72.132
Sep 27 18:23:41 INODE400 sshd[11624]: Illegal user boss from 220.107.72.132
Sep 27 18:23:43 INODE400 sshd[11626]: Illegal user sysop from 220.107.72.132
Sep 27 18:23:45 INODE400 sshd[11628]: Illegal user qsvr from 220.107.72.132
Sep 27 18:23:47 INODE400 sshd[11630]: Illegal user intel from 220.107.72.132
Sep 27 18:23:49 INODE400 sshd[11632]: Illegal user dni from 220.107.72.132
Sep 27 18:23:52 INODE400 sshd[11634]: Illegal user fal from 220.107.72.132
Sep 27 18:23:56 INODE400 sshd[11638]: Illegal user man from 220.107.72.132
Sep 27 18:24:02 INODE400 sshd[11644]: Illegal user postmaster from 220.107.72.132
-----Original Message-----
From: Rob Hughes [mailto:rob (at) robhughes (dot) com]
Sent: Tuesday, 28 September 2004 9:26 PM
To: secureshell (at) securityfocus (dot) com
Subject: Re: Illegal user ssh probes
On Sat, 2004-09-25 at 17:39 +1000, Frank Hamersley wrote:
> On examining /var/log/secure for several firewalls I manage remotely using
> ssh I have observed a recurrent pattern of probing over the last several
> that attempts to connect using user id's in the following order...
>
> test / guest / admin / admin / user / test
>
> Is anybody else seeing this?
>
> Regards, Frank.
>
This was reported a few weeks back. There are a large number of hosts
scanning for default accounts. And yes, I'm seeing it too.
--
If at first you don't succeed, skydiving is not for you.
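
An added example, not part of the original thread: a Python sketch that reads sshd lines in the format quoted above, flags any source that tries several distinct user names within a short window, and emits candidate iptables drop rules for it. The thresholds, function names, rule form and the last sample line are assumptions made for illustration; "Invalid user" is the wording later OpenSSH releases log for the same event.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First four lines come from the excerpt above (unwrapped); the last is constructed.
SAMPLE = """\
Sep 27 18:23:13 INODE400 sshd[11596]: Illegal user debug from 220.107.72.132
Sep 27 18:23:15 INODE400 sshd[11598]: Illegal user tech from 220.107.72.132
Sep 27 18:23:19 INODE400 sshd[11602]: Illegal user manager from 220.107.72.132
Sep 27 18:23:21 INODE400 sshd[11604]: Illegal user monitor from 220.107.72.132
Sep 27 18:30:05 INODE400 sshd[11702]: Illegal user a from 198.51.100.7 from 192.0.2.10
""".splitlines()

# Greedy user group: a user name containing " from <addr>" cannot spoof the source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>.*) from (?P<src>\S+)(?: port \d+)?$")

def parse(lines, year=2004):  # syslog omits the year; 2004 is the thread's date
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["src"]

def find_probers(lines, min_users=4, window=timedelta(seconds=60)):
    events = defaultdict(list)
    for ts, user, src in sorted(parse(lines)):
        events[src].append((ts, user))
    flagged = {}  # source -> most distinct user names seen inside one window
    for src, evs in events.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged

def drop_rules(flagged):
    rules = []
    for src in sorted(flagged):
        try:  # only a literal IPv4 address is ever placed in a command
            ip = ipaddress.IPv4Address(src)
        except ValueError:
            continue
        rules.append(f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP")
    return rules
```

The user-name field is chosen by the remote client, so it is never used to build a rule, and the source field is validated as a literal address before it reaches a command line.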