On Wed, Jul 28, 2004 at 08:22:24PM -0400, Andrew J Caines wrote:
> FWIW, here's what I've seen on my single IP cable connection:
>
> Jul 17 04:54:46 test 129.194.21.5
> Jul 17 04:54:47 guest 129.194.21.5
> Jul 22 04:38:49 test 61.237.13.234
> Jul 22 04:38:52 guest 61.237.13.234
> Jul 23 10:55:46 test 61.109.156.5
> Jul 23 10:55:49 guest 61.109.156.5
> Jul 24 19:40:48 test 202.6.75.195
> Jul 24 19:40:50 guest 202.6.75.195
> Jul 24 20:24:31 test 69.0.134.72
> Jul 24 20:24:31 guest 69.0.134.72
> Jul 24 20:24:32 admin 69.0.134.72
> Jul 24 20:24:33 admin 69.0.134.72
> Jul 24 20:24:34 user 69.0.134.72
> Jul 24 20:24:37 test 69.0.134.72
> Jul 25 02:51:10 test 211.202.3.148
> Jul 25 02:51:12 guest 211.202.3.148
> Jul 25 16:30:34 test 219.234.216.150
> Jul 25 16:30:37 guest 219.234.216.150
> Jul 27 16:12:08 test 210.92.210.67
> Jul 27 16:12:10 guest 210.92.210.67
> Jul 28 11:52:43 test 65.61.98.16
> Jul 28 11:52:45 guest 65.61.98.16
>

Here's my list from the last week or so.

130.15.15.239
140.130.211.13
200.217.168.82
202.141.1.28
204.17.205.2
207.172.87.38
207.44.154.9
207.44.192.71
210.212.218.35
210.92.210.67
218.237.66.152
24.113.79.8
61.107.176.163
62.100.21.188
62.117.99.83
62.129.173.135
62.183.28.116
62.67.45.4
65.102.152.64

Generated with:

grep sshd messages* | grep Illegal | awk '{print $10}' | sort -u

The 'NOUSER' error is normal, not something odd as I previously suspected. It
happens for any unknown user that tries to log in.

I haven't checked any of the scanners to see if they have been cracked. If
anyone else has, do they have insecure test/guest account on them? test and
guest are not standard account on any current Linux distribution that I am
aware of.

Brian

--
---[Office 77.7F]--[Fridge 42.4F]---[Fozzy 98.6F]--[Coaster 77.8F]---
Linux Software Developer http://www.brianlane.com

[ reply ]