[Full-disclosure] Distributed SSH username/password brute force attack



Hello,

since this night I experience distributed SSH username/password
guessing brute force attacks. Anyone seen something similar?

Up until this night always one host tried to guess username/password
combinations until it got banned by fail2ban. But now I see in my
logfiles:

Oct 22 01:42:18 myhost sshd[2672]: error: PAM: Authentication failure
for illegal user root from xxxx.de
Oct 22 01:44:49 myhost sshd[2832]: error: PAM: Authentication failure
for illegal user root from xxxx.85
Oct 22 01:47:16 myhost sshd[2981]: error: PAM: Authentication failure
for illegal user root from xxxx.86
Oct 22 01:50:33 myhost sshd[3233]: error: PAM: Authentication failure
for illegal user root from xxxx.ar
Oct 22 01:52:38 myhost sshd[3307]: error: PAM: Authentication failure
for illegal user root from xxxx.be
Oct 22 01:55:34 myhost sshd[3551]: error: PAM: Authentication failure
for illegal user root from xxxx.106
Oct 22 01:58:04 myhost sshd[3691]: error: PAM: Authentication failure
for illegal user root from xxxx.11
Oct 22 02:00:44 myhost sshd[3999]: error: PAM: Authentication failure
for illegal user root from xxxx.cl

The time is CEST and the attacks are still ongoing.

kind regards,

Philipp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages