|
|
Incidents
SSH attacks? Jul 26 2004 10:59PM Robin (robin kallisti net nz) (10 replies) Re: SSH attacks? Jul 28 2004 04:33AM brandy (brandy klammeraffe org) (2 replies) Re: SSH attacks? Jul 29 2004 12:22AM Andrew J Caines (A J Caines halplant com) (3 replies) Re: SSH attacks? Jul 27 2004 09:12PM buzz (reitenba fh-brandenburg de) (2 replies) Re: SSH attacks? Jul 27 2004 08:46PM Adam Young (adam vbfx com) (1 replies) Re: SSH attacks? Jul 28 2004 08:19AM Christine Kronberg (Christine_Kronberg genua de) (3 replies) Re: SSH attacks? Jul 29 2004 09:21AM Pieter-Bas IJdens (pieter-bas ijdens com) (2 replies) |
|
Privacy Statement |
] Looking a bit closer (and in other log files), I see it's people
] trying random
] accounts. The big ones are going over a large list, the pairs seem to be
just
] hitting test and guest:
] Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test
] from ::ffff:64.246.56.44
] Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user
test
] from ::ffff:64.246.56.44 port 41920 ssh2
] Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest
] from ::ffff:64.246.56.44
] Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user
guest
] from ::ffff:64.246.56.44 port 41967 ssh2
]
] Does anyone know why this would appear all of a sudden?
Others have noticed this activity recently, although the exact cause
(manual, automated, etc) has not been publicly identified yet.
<http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999>
<http://www.incidents.org/diary.php?date=2004-07-23>
<http://www.incidents.org/diary.php?date=2004-07-25>
One post indicated that a box which accepted the 'test' login was
subsequently rooted, with the Suckit rootkit being installed. This may or
may not be significant.
<http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999~sta
rt=60>
Jason Falciola
Security Intelligence Analyst
IBM Managed Security Services
falciola (at) us.ibm (dot) com [email concealed]
[ reply ]