Re: [Full-Disclosure] Automated SSH login attempts?

From: Neal O'Creat (ids_at_ll.mit.edu)
Date: 07/30/04

    Date: Fri, 30 Jul 2004 09:39:55 -0400
    
    

    Could it be possible that there are different versions of this, one
    making noise and one much rarer one with an exploit?

    -Neal

    Andrei Galca-Vasiliu wrote:
    > I've seen that too, on several machines, different ranges of IPs. I guess it's
    > some sort of a mass bruteforce exploit (there were 50 or more attempts on my
    > box in just 20-30 s). If anyone can enlighten us, it will be appreciated;
    > I've searched too and couldn't find anything related.
    >
    > In a mail dated Thursday 22 July 2004 17:47, Jay Libove wrote:
    >
    >>[ Posted to full disclosure and vulnwatch; please edit reply address(es)
    >>as appropriate. Thanks. -Jay ]
    >>
    >>My Linux system, and a Linux system run by a friend here in the same city
    >>but on a completely different netblock (different ISP), have both seen
    >>apparently automated attempts to log in to our systems via SSH in the past
    >>few days. Looks like a script.
    >>
    >>
    >>Here are some log entries from my system:
    >>
    >>Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
    >>Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
    >>Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 62.67.45.4
    >>Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 62.67.45.4 port 39192 ssh2
    >>Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 62.67.45.4
    >>Jul 15 10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from 62.67.45.4 port 39234 ssh2
    >>Jul 15 10:01:38 panther6 sshd[8273]: Illegal user user from 62.67.45.4
    >>Jul 15 10:01:38 panther6 sshd[8273]: Failed password for illegal user user from 62.67.45.4 port 39275 ssh2
    >>Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 62.67.45.4 port 39340 ssh2
    >>Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 62.67.45.4 port 39386 ssh2
    >>Jul 15 10:44:12 panther6 sshd[8300]: Illegal user test from 62.67.45.4
    >>Jul 15 10:44:12 panther6 sshd[8300]: Failed password for illegal user test from 62.67.45.4 port 33771 ssh2
    >>Jul 15 10:44:14 panther6 sshd[8302]: Illegal user guest from 62.67.45.4
    >>Jul 15 10:44:14 panther6 sshd[8302]: Failed password for illegal user guest from 62.67.45.4 port 33828 ssh2
    >>Jul 15 10:44:15 panther6 sshd[8304]: Illegal user admin from 62.67.45.4
    >>Jul 15 10:44:15 panther6 sshd[8304]: Failed password for illegal user admin from 62.67.45.4 port 33876 ssh2
    >>Jul 15 10:44:16 panther6 sshd[8306]: Illegal user user from 62.67.45.4
    >>Jul 15 10:44:16 panther6 sshd[8306]: Failed password for illegal user user from 62.67.45.4 port 33916 ssh2
    >>Jul 15 10:44:17 panther6 sshd[8308]: Failed password for root from 62.67.45.4 port 33988 ssh2
    >>Jul 15 10:44:19 panther6 sshd[8310]: Failed password for root from 62.67.45.4 port 34032 ssh2
    >>Jul 15 17:07:15 panther6 sshd[8912]: Illegal user test from 131.234.36.152
    >>Jul 15 17:07:15 panther6 sshd[8912]: Failed password for illegal user test from 131.234.36.152 port 38287 ssh2
    >>Jul 15 17:07:16 panther6 sshd[8914]: Illegal user guest from 131.234.36.152
    >>Jul 15 17:07:16 panther6 sshd[8914]: Failed password for illegal user guest from 131.234.36.152 port 38326 ssh2
    >>Jul 15 17:07:18 panther6 sshd[8916]: Illegal user admin from 131.234.36.152
    >>Jul 15 17:07:18 panther6 sshd[8916]: Failed password for illegal user admin from 131.234.36.152 port 38370 ssh2
    >>Jul 15 17:07:19 panther6 sshd[8918]: Illegal user admin from 131.234.36.152
    >>Jul 15 17:07:19 panther6 sshd[8918]: Failed password for illegal user admin from 131.234.36.152 port 38412 ssh2
    >>Jul 15 17:07:21 panther6 sshd[8920]: Illegal user user from 131.234.36.152
    >>Jul 15 17:07:21 panther6 sshd[8920]: Failed password for illegal user user from 131.234.36.152 port 38468 ssh2
    >>Jul 15 17:07:22 panther6 sshd[8922]: Failed password for root from 131.234.36.152 port 38516 ssh2
    >>Jul 15 17:07:23 panther6 sshd[8924]: Failed password for root from 131.234.36.152 port 38558 ssh2
    >>Jul 15 17:07:25 panther6 sshd[8926]: Failed password for root from 131.234.36.152 port 38611 ssh2
    >>Jul 15 17:07:26 panther6 sshd[8928]: Illegal user test from 131.234.36.152
    >>Jul 15 17:07:26 panther6 sshd[8928]: Failed password for illegal user test from 131.234.36.152 port 38675 ssh2
    >>Jul 19 22:05:07 panther6 sshd[30439]: Illegal user test from 83.103.27.66
    >>Jul 19 22:05:07 panther6 sshd[30439]: Failed password for illegal user test from 83.103.27.66 port 52671 ssh2
    >>Jul 19 22:05:08 panther6 sshd[30441]: Illegal user guest from 83.103.27.66
    >>Jul 19 22:05:08 panther6 sshd[30441]: Failed password for illegal user guest from 83.103.27.66 port 52687 ssh2
    >>Jul 21 06:30:12 panther6 sshd[1103]: Illegal user test from 219.103.193.130
    >>Jul 21 06:30:12 panther6 sshd[1103]: Failed password for illegal user test from 219.103.193.130 port 55802 ssh2
    >>Jul 21 06:30:14 panther6 sshd[1105]: Illegal user guest from 219.103.193.130
    >>Jul 21 06:30:14 panther6 sshd[1105]: Failed password for illegal user guest from 219.103.193.130 port 55823 ssh2
    >>
    >>
    >> .. and some log entries from my friend's system:
    >>
    >>Jul 19 21:04:33 quack sshd[28379]: Illegal user test from 131.234.157.10
    >>Jul 19 21:04:34 quack sshd[28381]: Illegal user guest from 131.234.157.10
    >>Jul 19 21:04:36 quack sshd[28383]: Illegal user admin from 131.234.157.10
    >>Jul 19 21:04:37 quack sshd[28385]: Illegal user admin from 131.234.157.10
    >>Jul 19 21:04:38 quack sshd[28387]: Illegal user user from 131.234.157.10
    >>Jul 19 21:04:43 quack sshd[28400]: Illegal user test from 131.234.157.10
    >>Jul 22 09:39:10 quack sshd[7646]: Illegal user test from 156.17.99.11
    >>Jul 22 09:39:11 quack sshd[7648]: Illegal user guest from 156.17.99.11
    >>
    >>
    >>I have not seen any notes about this on the vulnerability discussion
    >>lists. Has anyone else noticed it? What specific vulnerability (or
    >>default password?) is this looking for?
    >>
    >>-Jay Libove, CISSP
    >>libove@felines.org
    >>Atlanta, GA US
    >>
    >>_______________________________________________
    >>Full-Disclosure - We believe in it.
    >>Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    >

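The pattern Jay and Andrei describe (a fixed sequence of account names such as test, guest, admin, user and root tried from one source within a few seconds) is easy to pick out of syslog once the two sshd lines that belong to one attempt are paired up. The following script is an added example written for this archive page; it is not code from the thread or from OpenSSH. It assumes the OpenSSH 3.x message wording quoted in the post ("Illegal user X from IP" and "Failed password for [illegal user] X from IP port N ssh2"), assumes the year 2004 because syslog timestamps carry none, and uses a handful of the log lines from the post as its sample input. Both lines of one attempt share the sshd child's pid, so attempts are keyed by (host, pid) rather than counted per line, which also makes the friend's "Illegal user"-only log count correctly.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for the two sshd message shapes quoted in the thread. Both lines of a
# single login attempt share the sshd child's pid, which is what lets us pair them.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?:Illegal user (?P<iuser>\S+) from (?P<iip>[\d.]+)"
    r"|Failed password for (?:illegal user )?(?P<fuser>\S+) from (?P<fip>[\d.]+) port \d+ ssh2)$"
)

# Sample input copied from Jay Libove's post above (two hosts, four source IPs).
SAMPLE_LOG = [
    "Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4",
    "Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2",
    "Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 62.67.45.4",
    "Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 62.67.45.4 port 39192 ssh2",
    "Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 62.67.45.4",
    "Jul 15 10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from 62.67.45.4 port 39234 ssh2",
    "Jul 15 10:01:38 panther6 sshd[8273]: Illegal user user from 62.67.45.4",
    "Jul 15 10:01:38 panther6 sshd[8273]: Failed password for illegal user user from 62.67.45.4 port 39275 ssh2",
    "Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 62.67.45.4 port 39340 ssh2",
    "Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 62.67.45.4 port 39386 ssh2",
    "Jul 19 22:05:07 panther6 sshd[30439]: Illegal user test from 83.103.27.66",
    "Jul 19 22:05:07 panther6 sshd[30439]: Failed password for illegal user test from 83.103.27.66 port 52671 ssh2",
    "Jul 19 22:05:08 panther6 sshd[30441]: Illegal user guest from 83.103.27.66",
    "Jul 19 22:05:08 panther6 sshd[30441]: Failed password for illegal user guest from 83.103.27.66 port 52687 ssh2",
    "Jul 19 21:04:33 quack sshd[28379]: Illegal user test from 131.234.157.10",
    "Jul 19 21:04:34 quack sshd[28381]: Illegal user guest from 131.234.157.10",
    "Jul 19 21:04:36 quack sshd[28383]: Illegal user admin from 131.234.157.10",
    "Jul 19 21:04:37 quack sshd[28385]: Illegal user admin from 131.234.157.10",
    "Jul 19 21:04:38 quack sshd[28387]: Illegal user user from 131.234.157.10",
    "Jul 19 21:04:43 quack sshd[28400]: Illegal user test from 131.234.157.10",
    "Jul 22 09:39:10 quack sshd[7646]: Illegal user test from 156.17.99.11",
    "Jul 22 09:39:11 quack sshd[7648]: Illegal user guest from 156.17.99.11",
]


def parse_line(line, year=2004):
    """Parse one sshd line into a dict, or return None for anything else.

    `year` is an assumption: syslog timestamps do not carry one.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": m["host"],
        "pid": int(m["pid"]),
        "user": m["iuser"] or m["fuser"],
        "ip": m["iip"] or m["fip"],
        # "illegal user" means no such account exists; root never gets that tag.
        "illegal": "llegal user" in line,
    }


def attempts(lines, year=2004):
    """Collapse log lines into one record per login attempt, keyed by (host, pid)."""
    by_pid = {}
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        rec = by_pid.setdefault((ev["host"], ev["pid"]), ev)
        rec["ts"] = min(rec["ts"], ev["ts"])
        rec["illegal"] = rec["illegal"] or ev["illegal"]
    return sorted(by_pid.values(), key=lambda r: (r["ts"], r["pid"]))


def summarize(lines, year=2004):
    """Per source IP: attempt count, usernames in the order first tried, first/last time."""
    out = {}
    for rec in attempts(lines, year):
        s = out.setdefault(rec["ip"], {"attempts": 0, "users": [], "first": rec["ts"], "last": rec["ts"]})
        s["attempts"] += 1
        if rec["user"] not in s["users"]:
            s["users"].append(rec["user"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return out


def find_bursts(lines, threshold=5, window_seconds=60, year=2004):
    """Source IPs with at least `threshold` attempts inside any `window_seconds` span.

    Returns {ip: largest number of attempts seen in one window}.
    """
    per_ip = defaultdict(list)
    for rec in attempts(lines, year):
        per_ip[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):          # two-pointer sliding window
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        span = int((s["last"] - s["first"]).total_seconds())
        print(f"{ip:16} {s['attempts']:2d} attempts in {span:2d}s, users: {', '.join(s['users'])}")
    print("bursts:", find_bursts(SAMPLE_LOG))
```

Run against a real `/var/log/auth.log` or `/var/log/secure` by feeding `open(path)` to `find_bursts`; the threshold and window are the knobs to tune, and the `users` list in `summarize` is what shows whether a source is walking the same fixed account list that the posters saw, which is the signature of a script rather than a person mistyping a password.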

