Re: Illegal user ssh probes

From: Christopher Strong (strong_at_castrovalva.com)
Date: 10/17/04

  • Next message: rn001: "sshd windows server - automatic ssh linux authentication."
    Date: 17 Oct 2004 04:05:47 -0000
    To: secureshell@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <002f01c4a2d2$e0056ba0$6301010a@CPQ7380>

    >
    >On examining /var/log/secure for several firewalls I manage remotely using
    >ssh I have observed a recurrent pattern of probing over the last several
    >that attempts to connect using user id's in the following order...
    >
    >test / guest / admin / admin / user / test
    >

    I am seeing this, along with random usernames in large blocks from compromised IPs

    >Is it worth reporting the behaviour to the net block assignees in case they
    >aren't aware their server might be compromised?

    Usually not. They are generally fools who won't reply, or if they do they will blow you off.


  • Next message: rn001: "sshd windows server - automatic ssh linux authentication."

    Relevant Pages

    • Re: Illegal user ssh probes
      ... On Sat, 2004-09-25 at 17:39 +1000, Frank Hamersley wrote: ... > ssh I have observed a recurrent pattern of probing over the last several ...
      (SSH)
    • Re: Illegal user ssh probes
      ... on k-otiks site they have a brute forcing script for ssh that i ... >>ssh I have observed a recurrent pattern of probing over the last several ... > compromised IPs ... >>Is it worth reporting the behaviour to the net block assignees in case ...
      (SSH)
    • Re: Illegal user ssh probes
      ... on k-otiks site they have a brute forcing script for ssh that i ... CM>>>ssh I have observed a recurrent pattern of probing over the last several ... CM>> compromised IPs ... CM>>>Is it worth reporting the behaviour to the net block assignees in case ...
      (SSH)