On Tue, 27 Jul 2004, Adam Young wrote:
> On Tue, 27 Jul 2004 10:59:07 +1200
> Robin <robin (at) kallisti.net (dot) nz [email concealed]> wrote:
>
> > accounts. The big ones are going over a large list, the pairs seem to be just
> > hitting test and guest:
> > Jul 26 23:05:59 kallisti sshd[12314]: Illegal user test
> > from ::ffff:64.246.56.44
> > Jul 26 23:05:59 kallisti sshd[12314]: Failed password for illegal user test
> > from ::ffff:64.246.56.44 port 41920 ssh2
> > Jul 26 23:06:01 kallisti sshd[12320]: Illegal user guest
> > from ::ffff:64.246.56.44
> > Jul 26 23:06:01 kallisti sshd[12320]: Failed password for illegal user guest
> > from ::ffff:64.246.56.44 port 41967 ssh2
> >
> > Does anyone know why this would appear all of a sudden?
>
> I've noticed this myself. It has been happening for roughly one week, two at
> maximum.

Heaven, I'm glad you are seeing that, too. It really gave me headaches.
In the last four weeks I had (privately) two ssh "incidents": one
originating from Korea, one from Germany. The first was clearly a
person trying to get in, taking a deliberate taste in the (existing)
test account (without success). The other one was "next door", someone
trying to get in as root (no success either). I only reported the
second one.
Only after the first playround the test/guest attempts started so
I was starting to think that whoever was probing my host from Korea
was probably going with that. Now that my host is out of focus, I'm
really relieved. :-)

> I think someone has either caught wind of some sort of information about loosely
> configured proprietary hardware which has an empty password on test/guest, or a
> worm sets up these accounts with some preset password that it checks other
> machines for to see if they're also infected.

Has anyone tried to capture that with an honeypot? I'm considering
that for my own but lack the proper enviroment.

Cheers,

Chris Kronberg.

--
GeNUA mbH

[ reply ]