Re: Illegal user ssh probes
From: Calvin Maready (cc.cal_at_verizon.net)
Date: 10/20/04
- Previous message: Eloi Granado: "Re: syslogin_perform_logout: logout() returned an error"
- In reply to: Christopher Strong: "Re: Illegal user ssh probes"
- Next in thread: Bartek Krajnik: "Re: Illegal user ssh probes"
- Reply: Bartek Krajnik: "Re: Illegal user ssh probes"
- Reply: Rail mail: "Re: Illegal user ssh probes"
To: secureshell@securityfocus.com
Date: Tue, 19 Oct 2004 21:24:51 -0700
In the last 2 months or so I've seen a lot of these too, except I also get root
attempts. On k-otik's site they have a brute forcing script for ssh that I
think a number of these scans are coming from, even though it was only
released on the 20th of last month. Here is the direct link:
http://www.k-otik.com/exploits/08202004.brutessh2.c.php
On Saturday 16 October 2004 21:05, Christopher Strong wrote:
> In-Reply-To: <002f01c4a2d2$e0056ba0$6301010a@CPQ7380>
>
> >On examining /var/log/secure for several firewalls I manage remotely using
> >ssh I have observed a recurrent pattern of probing over the last several
> >that attempts to connect using user id's in the following order...
> >
> >test / guest / admin / admin / user / test
>
> I am seeing this, along with random usernames in large blocks from
> compromised IPs
>
> >Is it worth reporting the behaviour to the net block assignees in case
> > they aren't aware their server might be compromised?
>
> Usually not. They are generally fools who won't reply, or if they do they
> will blow you off.
--
_______________
Calvin Maready
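One way to check a log for the probe pattern discussed in this thread, as an added example that is not part of the original messages. The sample log lines are constructed in the style of OpenSSH syslog output, and the function names, report keys and the `min_attempts` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of sshd lines in /var/log/secure
# (addresses are documentation ranges, not taken from the thread).
SAMPLE_LOG = """\
Oct 16 03:12:01 fw1 sshd[4101]: Illegal user test from 192.0.2.10
Oct 16 03:12:03 fw1 sshd[4103]: Illegal user guest from 192.0.2.10
Oct 16 03:12:05 fw1 sshd[4105]: Illegal user admin from 192.0.2.10
Oct 16 03:12:07 fw1 sshd[4107]: Illegal user admin from 192.0.2.10
Oct 16 03:12:09 fw1 sshd[4109]: Illegal user user from 192.0.2.10
Oct 16 03:12:11 fw1 sshd[4111]: Failed password for root from 192.0.2.10 port 40112 ssh2
Oct 16 03:12:13 fw1 sshd[4113]: Illegal user test from 192.0.2.10
Oct 16 09:30:44 fw1 sshd[5200]: Invalid user jsmith from 198.51.100.7
Oct 16 09:31:02 fw1 sshd[5204]: Accepted password for jsmith from 198.51.100.7 port 51514 ssh2
"""

# Probe order quoted in the thread.
PROBE_SEQUENCE = ["test", "guest", "admin", "admin", "user", "test"]

# "Illegal user" is the older OpenSSH wording, "Invalid user" the newer one.
UNKNOWN_USER = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")
FAILED_ROOT = re.compile(r"sshd\[\d+\]: Failed password for root from (\S+)")

def is_subsequence(needle, haystack):
    """True if needle's items appear in haystack in order (gaps allowed)."""
    it = iter(haystack)
    return all(name in it for name in needle)

def summarize(log_text, min_attempts=3):
    """Group unknown-user and root failures by source address."""
    unknown, root_failures = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        m = UNKNOWN_USER.search(line)
        if m:
            unknown[m.group(2)].append(m.group(1))
        elif (m := FAILED_ROOT.search(line)):
            root_failures[m.group(1)] += 1
    report = {}
    for ip in sorted(set(unknown) | set(root_failures)):
        names, roots = unknown.get(ip, []), root_failures.get(ip, 0)
        if len(names) + roots >= min_attempts:  # ignore one-off typos
            report[ip] = {"unknown_user_attempts": len(names),
                          "root_failures": roots,
                          "matches_thread_sequence": is_subsequence(PROBE_SEQUENCE, names)}
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```
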