Re: [Full-Disclosure] Automated SSH login attempts?

From: Alain Crespo (gazpa_at_euskalnet.net)
Date: 07/29/04

    To: full-disclosure@lists.netsys.com
    Date: Thu, 29 Jul 2004 01:45:28 +0200
    
    


    Since July 22nd I have also seen brute-force login attempts on ftpd (proftpd)
    from the same IP ranges. And, like you, some attempts on sshd. The difference
    between them is that for sshd the users tried are the same as yours, but for
    ftpd they used a username dictionary (with hundreds of users, what patience ;) ).
    Has anyone noticed something similar?

    Jul 22 21:23:06 www0 proftpd[4447]: myhost (61.109.251.191[61.109.251.191]) - USER invaliduserinvalid: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:08 www0 proftpd[4448]: myhost (61.109.251.191[61.109.251.191]) - USER board: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:10 www0 proftpd[4449]: myhost (61.109.251.191[61.109.251.191]) - USER btraining: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:12 www0 proftpd[4451]: myhost (61.109.251.191[61.109.251.191]) - USER distros: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:14 www0 proftpd[4452]: myhost (61.109.251.191[61.109.251.191]) - USER forge4os: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:16 www0 proftpd[4453]: myhost (61.109.251.191[61.109.251.191]) - USER licentia: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:18 www0 proftpd[4454]: myhost (61.109.251.191[61.109.251.191]) - USER linuxnews: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:20 www0 proftpd[4455]: myhost (61.109.251.191[61.109.251.191]) - USER localgforge: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:22 www0 proftpd[4456]: myhost (61.109.251.191[61.109.251.191]) - USER metalist: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:25 www0 proftpd[4457]: myhost (61.109.251.191[61.109.251.191]) - USER myos: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:27 www0 proftpd[4458]: myhost (61.109.251.191[61.109.251.191]) - USER newsadmin: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:29 www0 proftpd[4459]: myhost (61.109.251.191[61.109.251.191]) - USER osgitestbed: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:31 www0 proftpd[4463]: myhost (61.109.251.191[61.109.251.191]) - USER ossnews: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:34 www0 proftpd[4464]: myhost (61.109.251.191[61.109.251.191]) - USER osync: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:36 www0 proftpd[4465]: myhost (61.109.251.191[61.109.251.191]) - USER peerrating: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:38 www0 proftpd[4466]: myhost (61.109.251.191[61.109.251.191]) - USER resolvit: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21
    Jul 22 21:23:40 www0 proftpd[4467]: myhost (61.109.251.191[61.109.251.191]) - USER siteadmin: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21

    - --

    Regards,

    Alain Crespo <gazpa@euskalnet.net>

    _,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_

    Why use Windows, since there is a door?

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
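
One way to flag the pattern reported in this message, a single source cycling through many nonexistent FTP usernames within seconds, from proftpd's "no such user found" lines. This is an added example, not part of the original post; the function name, the 60-second window, the five-username threshold, the default year and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the quoted log (one entry per line);
# addresses are from the RFC 5737 documentation ranges.
_FMT = ("Jul 22 21:{t} www0 proftpd[{pid}]: myhost ({ip}[{ip}]) - USER {user}: "
        "no such user found from {ip} [{ip}] to 198.51.100.5:21")
SAMPLE_LOG = [
    _FMT.format(t=f"23:{6 + 2 * i:02d}", pid=4447 + i, ip="192.0.2.10", user=u)
    for i, u in enumerate(["board", "btraining", "distros", "forge4os",
                           "licentia", "linuxnews"])
] + [
    # One host retrying the same mistyped name: not a dictionary run.
    _FMT.format(t="05:10", pid=4301, ip="192.0.2.77", user="alcie"),
    _FMT.format(t="05:31", pid=4302, ip="192.0.2.77", user="alcie"),
]

# The address is read from the "(name[addr])" prefix written by the daemon,
# before the client-supplied username appears in the line.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\(\S*\[([0-9A-Fa-f.:]+)\]\) - USER (.*): no such user found from ")

def dictionary_sources(lines, year=2004, window=timedelta(seconds=60), min_users=5):
    """Map source IP -> most distinct unknown usernames tried inside one window."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it (assumed 2004)
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(2)].append((ts, m.group(3)))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = best = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({user for _, user in evs[start:end + 1]}))
        if best >= min_users:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(dictionary_sources(SAMPLE_LOG))
```

Counting distinct usernames rather than raw failures keeps a user who repeatedly mistypes one name below the threshold.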

