Incidents
SSH attacks? Jul 26 2004 10:59PM Robin (robin kallisti net nz)
While looking through the logs after someone ran over my system with Nessus, I
noticed some odd ones from sshd (that don't seem to be related to the Nessus
scan):
Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow information for NOUSER
They usually, although not always, occur in pairs, a few seconds apart. They
don't seem to be very random, which suggests maybe that there is someone at
the other end, rather than a worm.
The first sighting was Jun 4 04:22:15 (all times NZST), with 153 instances
going to 04:47:03 (this is fairly constant, and not in pairs). It isn't seen
again until Jun 17 08:39:54-08:58:20 (75 instances this time, again not in
pairs). Since then, there have been a few on the 21st and 25th, followed by a
lot on the 26th and into the 27th, where we now see the pairs coming up.
Looking a bit closer (and in other log files), I see it's people trying random
accounts. The big ones are going over a large list; the pairs seem to be just
hitting test and guest:
Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44
Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2
Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44
Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest from ::ffff:64.246.56.44 port 41967 ssh2
Does anyone know why this would appear all of a sudden?
--
Robin <robin (at) kallisti.net (dot) nz> JabberID: <eythian (at) jabber (dot) org>
Hostes alienigeni me abduxerunt. Qui annus est?
PGP Key 0x776DB663 = DD10 5C62 1E29 A385 9866 0853 CD38 E07A 776D B663
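The two patterns described in the post (long username lists versus short test/guest pairs) can be separated per source address from the same "Illegal user" lines. This is an added example, not part of the original post; the 5-minute burst gap, the 10-username cut-off, the assumed log year and the 192.0.2.10 lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Wording from the post ("Illegal user"); newer OpenSSH logs "Invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>\S+)"
)

def parse(lines, year=2004):
    """Yield (time, source, user); syslog omits the year, so it is assumed."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # "Failed password ..." lines are skipped to avoid double counting
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            src = m["src"].removeprefix("::ffff:")  # IPv4-mapped IPv6 address
            yield ts, src, m["user"]

def bursts(events, gap=timedelta(minutes=5)):
    """Group each source's attempts into bursts separated by more than `gap`."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))
    out = []
    for src, hits in by_src.items():
        start = 0
        for i in range(1, len(hits) + 1):
            # Close the burst at the end of the list or at a long silence.
            if i == len(hits) or hits[i][0] - hits[i - 1][0] > gap:
                out.append((src, hits[start][0], [u for _, u in hits[start:i]]))
                start = i
    return sorted(out, key=lambda b: b[1])

def report(lines, sweep_min=10):
    """(source, burst start, attempts, label); sweep_min is an assumed cut-off."""
    return [(src, when.isoformat(), len(users),
             "dictionary sweep" if len(set(users)) >= sweep_min else "short probe")
            for src, when, users in bursts(parse(lines))]

# First three lines are from the post (rewrapped); the 192.0.2.10 ones are constructed.
SAMPLE = [
    "Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test from ::ffff:64.246.56.44",
    "Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test from ::ffff:64.246.56.44 port 41920 ssh2",
    "Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest from ::ffff:64.246.56.44",
] + [
    f"Jul 27 01:00:{i:02d} kallisti sshd[{20000 + i}]: Illegal user user{i} from ::ffff:192.0.2.10"
    for i in range(12)
]

if __name__ == "__main__": print(*report(SAMPLE), sep="\n")
```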