[fw-wiz] SSH brute force attack

From: Toderick, Lee W (TODERICKL_at_MAIL.ECU.EDU)
Date: 06/24/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 24 Jun 2005 13:17:17 -0400
    
    
    

    Greetings!

    Our computers running SSH daemons have logged attacks. The attacks begin
    with a scan logged "Did not receive identification string from x.x.x.x",
    followed approximately 15 minutes later with "Illegal user " or " Failed
    password for root".

    Does anyone have information or documentation about this scan/attack?
    Following is a list of Illegal users:
    # cat secure.4 | grep "193.24.213.216" | cut -d " " -f6-12 | grep "Illegal" | cut -d " " -f 3
    sun0s
    reboot
    reboot
    flood
    irc
    key
    david
    htpd
    httpd
    jared42
    cchen
    admin
    admin
    admin
    admin
    test
    test
    test
    test
    test
    test
    test
    admin
    akcesbenefit
    b3
    njproghouse
    schaiderhair
    perseus
    guardit
    phpbb
    bejgli
    forums
    temp
    eric
    staff
    bb
    maggie
    rock
    sandra
    kim
    recruit
    alina
    dana
    bloodclansb
    jeff

    Thanks,
    Lee Toderick

    
    

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
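
The pattern described in the message above (a "Did not receive identification string" probe followed about 15 minutes later by "Illegal user" or "Failed password for root" lines from the same address) can be correlated per source. This is an added Python example, not part of the original post; the log lines are constructed in the syslog layout the poster's cut fields imply, the addresses are documentation ranges, and the function name, 30-minute window and year are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the post); addresses are documentation ranges.
SAMPLE = """\
Jun 24 03:12:01 host1 sshd[2101]: Did not receive identification string from 192.0.2.10
Jun 24 03:27:44 host1 sshd[2140]: Illegal user admin from 192.0.2.10
Jun 24 03:27:47 host1 sshd[2140]: Failed password for illegal user admin from 192.0.2.10 port 4321 ssh2
Jun 24 03:27:52 host1 sshd[2142]: Illegal user test from 192.0.2.10
Jun 24 03:27:58 host1 sshd[2144]: Failed password for root from 192.0.2.10 port 4330 ssh2
Jun 24 04:00:00 host1 sshd[2200]: Did not receive identification string from 198.51.100.7
Jun 24 09:15:10 host1 sshd[2300]: Failed password for root from 203.0.113.5 port 5000 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
PROBE = re.compile(r"^Did not receive identification string from (\S+)")
ILLEGAL = re.compile(r"^Illegal user (\S+) from (\S+)")
ROOT = re.compile(r"^Failed password for root from (\S+)")

def correlate(log_text, year=2005, window=timedelta(minutes=30)):
    """Return {ip: {"delay", "users"}} for sources that probed, then guessed within `window`."""
    probes, guesses = {}, defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied (assumption).
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (p := PROBE.match(msg)):
            probes.setdefault(p.group(1), when)      # keep the first probe per source
        elif (i := ILLEGAL.match(msg)):
            guesses[i.group(2)].append((when, i.group(1)))
        elif (r := ROOT.match(msg)):
            guesses[r.group(1)].append((when, "root"))
        # "Failed password for illegal user ..." repeats an "Illegal user" line; not counted twice.
    report = {}
    for ip, events in guesses.items():
        if ip not in probes:
            continue                                 # guesses with no preceding probe
        after = sorted((t, u) for t, u in events if t >= probes[ip])
        if not after or after[0][0] - probes[ip] > window:
            continue
        report[ip] = {"delay": after[0][0] - probes[ip], "users": Counter(u for _, u in after)}
    return report

if __name__ == "__main__":
    for ip, info in correlate(SAMPLE).items():
        print(ip, info["delay"], dict(info["users"]))
```
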


