SecurityFocus

SSH attacks? Jul 26 2004 10:59PM
Robin (robin kallisti net nz) (10 replies)

Re: SSH attacks? Jul 29 2004 10:31AM
David Block (dave yucc yorku ca)

Re: SSH attacks? Jul 28 2004 04:33AM
brandy (brandy klammeraffe org) (2 replies)

Re: SSH attacks? Jul 29 2004 12:22AM
Andrew J Caines (A J Caines halplant com) (3 replies)

Re: SSH attacks? Jul 29 2004 10:12PM
Brian C. Lane (bcl brianlane com)

RE: SSH attacks? Jul 29 2004 06:32PM
Herman Frederick Ebeling Jr. (hfebelingjr lycos com)

Re: SSH attacks? Jul 29 2004 05:22PM
Marcus Merrin (marcus merrin emptyair com) (1 replies)

Re: SSH attacks? Jul 30 2004 12:58AM
Robin (robin kallisti net nz)

Re: SSH attacks? Jul 29 2004 12:18AM
Mike Whitley (mwhitley borg proceon com)

Re: SSH attacks? Jul 27 2004 09:12PM
buzz (reitenba fh-brandenburg de) (2 replies)

Re: SSH attacks? Jul 28 2004 07:05PM
Jyri Hovila (jyri hovila iki fi) (4 replies)

Re: SSH attacks? Jul 30 2004 05:40AM
Thomas Hochstein (ml ancalagon inka de)

Re: SSH attacks? Jul 29 2004 07:03PM
Chris Brenton (cbrenton chrisbrenton org)

Re: SSH attacks? Jul 29 2004 05:03PM
Matt Beland (matt rearviewmirror org)

Re: SSH attacks? Jul 29 2004 05:02PM
Valdis Kletnieks vt edu

Re: SSH attacks? Jul 28 2004 06:42PM
Jyri Hovila (jyri hovila iki fi)

Re: SSH attacks? Jul 27 2004 08:46PM
Adam Young (adam vbfx com) (1 replies)

Re: SSH attacks? Jul 28 2004 08:19AM
Christine Kronberg (Christine_Kronberg genua de) (3 replies)

Re: SSH attacks? Jul 29 2004 04:53PM
Steve Schuster (sjs74 cornell edu)

Re: SSH attacks? Jul 29 2004 04:05PM
Merlijn Tishauser (merlijn begeleidingentraining nl)

Re: SSH attacks? Jul 29 2004 09:21AM
Pieter-Bas IJdens (pieter-bas ijdens com) (2 replies)

Re: SSH attacks? Jul 30 2004 12:38AM
Jay D. Dyson (jdyson treachery net) (2 replies)

Re: SSH attacks? Jul 31 2004 12:06AM
mgotts 2roads com

Re: SSH attacks? Jul 31 2004 12:05AM
Frank Knobbe (frank knobbe us)

Re: SSH attacks? Jul 29 2004 10:12AM
Christine Kronberg (Christine_Kronberg genua de) (2 replies)

Re: SSH attacks? Jul 30 2004 01:26AM
Frank Knobbe (frank knobbe us)

Re: SSH attacks? Jul 29 2004 10:44AM
Pieter-Bas IJdens (pieter-bas ijdens com)

Re: SSH attacks? Jul 27 2004 07:21PM
Tom Laermans (tom laermans powersource cx)

Re: SSH attacks? Jul 27 2004 07:17PM
Chris Brown (chris wavetex com)

I've been seeing this as well. At first I thought it was just someone
messing around and I banned the IPs they were coming from, but the IP
keeps coming up randomly for me. I haven't seen quite as many and its
always been in pairs. Seems like one pair a day, sometimes two. Been
going on for about a week now. Some kind of script? The variety of IPs
I've seen has made me wonder if it is a worm. I would think a human
would be smarter than to keep trying 'test' and 'guest'. Who knows?

Chris

Robin wrote:

> While looking through the logs after someone ran over my system with
> Nessus, I
> noticed some odd ones from sshd (that don't seem to be related to the
> nessus
> scan):
> Jul 27 03:12:25 kallisti sshd[16471]: error: Could not get shadow
> information
> for NOUSER
>
> They usually, although not always occur in pairs, a few seconds apart.
> They
> don't seem to be very random, which suggests maybe that there is
> someone at
> the other end, rather than a worm.
>
> The first sighting was Jun 4 04:22:15 (all times NZST), with 153
> instances
> going to 04:47:03 (this is fairly constant, and not in pairs). It
> isn't seen
> again until Jun 17 08:39:54-08:58:20 (75 instances this time, again
> not in
> pairs). Since then, there have been a few on the 21st and 25th,
> followed by a
> lot on the 26th and into the 27th, where we now see the pairs coming up.
>
> Looking a bit closer (and in other log files), I see it's people
> trying random
> accounts. The big ones are going over a large list, the pairs seem to
> be just
> hitting test and guest:
> Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test
> from ::ffff:64.246.56.44
> Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user
> test
> from ::ffff:64.246.56.44 port 41920 ssh2
> Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest
> from ::ffff:64.246.56.44
> Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user
> guest
> from ::ffff:64.246.56.44 port 41967 ssh2
>
> Does anyone know why this would appear all of a sudden?

--
Chris Brown
System Administrator
Wavetex Inc.
903-597-7566 http://wavetex.com/

[ reply ]

Re: SSH attacks? Jul 27 2004 06:24PM
Jason Falciola (falciola us ibm com)

Re: SSH attacks? Jul 27 2004 06:15PM
Paul Schmehl (pauls utdallas edu) (1 replies)

Re: SSH attacks? Jul 30 2004 06:37PM
George Georgalis (george galis org)

Re: SSH attacks? Jul 27 2004 06:06PM
Josh Tolley (josh raintreeinc com)

Re: SSH attacks? Jul 27 2004 06:00PM
Tobias Rice (rice up edu) (1 replies)

Re: SSH attacks? Jul 28 2004 03:43AM
Chris Brenton (cbrenton chrisbrenton org)