RE: Illegal user ssh probes

From: Robert Schultz (rhs_at_umich.edu)
Date: 09/29/04

    Date: Wed, 29 Sep 2004 10:50:59 -0400 (EDT)
    To: secureshell@securityfocus.com
    
    

    I wrote this to Frank directly, but the wider group may find it of
    interest. The attack origins are not limited to one geopolitical region:
    ........
    Hi Frank -
    I saw this came up last month in my logs and it was noted on the NetSec
    list, which fwd'd the EDUCAUSE Security list msgs:
    http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0408&L=security&T=0&F=&S=&P=11857
    http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0408&L=security&T=0&F=&S=&P=19493

    hope this helps -robert

    On Tue, 28 Sep 2004, Huijsmans, JCM (Jan) wrote:

    > > On examining /var/log/secure for several firewalls I manage remotely using
    > > ssh I have observed a recurrent pattern of probing over the last several
    > > that attempts to connect using user ids in the following order...
    > >
    > > test / guest / admin / admin / user / test
    >
    > We are seeing the same on one of the systems of my private company, coming from several systems in the former Eastern Europe (mostly 80.x.x.x). The set of users they try also includes root and an attempt without a user (NO_USER or something like that; I don't have access to the logs right now).
    >
    > > However I am wondering if anyone has characterised the probe and/or
    > > performed a risk assessment/analysis? The rate of probes is
    > > very low so I don't think there is a DoS attack just yet!
    >
    > Not yet, but on our system we see a probe pop up every 2-3 hours (it started with one every 2-3 days).
    >
    > > Is it worth reporting the behaviour to the net block assignees in case
    > > they aren't aware their server might be compromised?
    >
    > I think we should at least compare the IP blocks off-list to see if there are similarities.
    >
    > Jan Huijsmans
    >
    >
    > ================================================
    > The information contained in this message may be confidential
    > and is intended to be exclusively for the addressee. Should you
    > receive this message unintentionally, please do not use the contents
    > herein and notify the sender immediately by return e-mail.
    > ================================================
    >
    >
    >
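
A small defensive check for the probe pattern discussed in this thread, added here as an example (it is not code from any poster): it parses sshd unknown-user lines in /var/log/secure format, groups attempts per source address, flags the test / guest / admin / admin / user / test order Frank reported, and estimates the interval between probe bursts, which Jan puts at every 2-3 hours. The sample log lines, the hostname fw1 and the RFC 5737 addresses are constructed, and the year is assumed to be 2004 because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/secure sample; the hostname and RFC 5737 addresses are made up.
SAMPLE_LOG = """\
Sep 28 01:10:03 fw1 sshd[2211]: Illegal user test from 192.0.2.10
Sep 28 01:10:05 fw1 sshd[2212]: Illegal user guest from 192.0.2.10
Sep 28 01:10:07 fw1 sshd[2213]: Illegal user admin from 192.0.2.10
Sep 28 01:10:09 fw1 sshd[2214]: Illegal user admin from 192.0.2.10
Sep 28 01:10:11 fw1 sshd[2215]: Illegal user user from 192.0.2.10
Sep 28 01:10:13 fw1 sshd[2216]: Illegal user test from 192.0.2.10
Sep 28 03:42:30 fw1 sshd[2350]: Illegal user test from 192.0.2.10
Sep 28 09:05:00 fw1 sshd[2601]: Failed password for root from 198.51.100.9 port 4123 ssh2
Sep 28 12:00:00 fw1 sshd[2702]: Illegal user admin from 198.51.100.9
Sep 28 12:00:02 fw1 sshd[2703]: Illegal user bob from 198.51.100.9
"""
# OpenSSH of 2004 logged "Illegal user"; later releases log "Invalid user".
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>[\d.]+)")
PROBE_SEQUENCE = ["test", "guest", "admin", "admin", "user", "test"]  # order from the thread

def parse_probes(text, year=2004):
    """Map source address -> sorted [(timestamp, attempted user), ...]; syslog lines carry no year."""
    probes = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # not an unknown-user attempt (e.g. a failed password for a real account)
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        probes[m["src"]].append((ts, m["user"]))
    return {src: sorted(ev) for src, ev in probes.items()}

def has_sequence(users, pattern=PROBE_SEQUENCE):
    """True if the reported user-id order occurs as a contiguous run of attempts."""
    n = len(pattern)
    return any(users[i:i + n] == pattern for i in range(len(users) - n + 1))

def summarize(probes, burst_gap_s=600):
    """Per source: users tried, whether the reported order appears, number of
    probe bursts, and mean hours between bursts (gaps < burst_gap_s = one burst)."""
    report = {}
    for src, events in probes.items():
        starts = [t for i, (t, _) in enumerate(events)
                  if i == 0 or (t - events[i - 1][0]).total_seconds() > burst_gap_s]
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(starts, starts[1:])]
        users = [u for _, u in events]
        report[src] = {"users": users, "known_sequence": has_sequence(users),
                       "bursts": len(starts),
                       "mean_gap_hours": round(sum(gaps) / len(gaps), 2) if gaps else None}
    return report
```

Feeding a real /var/log/secure through parse_probes and summarize gives per-source burst counts that can be compared off-list, as Jan suggests, without sharing raw log lines.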

