Re: Illegal user ssh probes

From: Calvin Maready (cc.cal_at_verizon.net)
Date: 10/21/04

    To: Rail mail <railmail@gmail.com>
    Date: Wed, 20 Oct 2004 17:27:59 -0700
    
    


    I have protocol 2 forced too. I have logging of sshd set up... I have this in
    my sshd_config to log...
    #Logging
    #obsoletes QuietMode and FascistLogging
    SyslogFacility LOCAL7
    LogLevel VERBOSE

    In the log it will tell if the user was denied or accepted. Here is a snippet
    from the log...
    Oct 20 05:54:48 slackbox sshd[1132]: Connection from 218.38.136.47 port 56125
    Oct 20 05:54:49 slackbox sshd[1132]: Invalid user test from 218.38.136.47
    Oct 20 05:54:49 slackbox sshd[1132]: error: Could not get shadow information for NOUSER
    Oct 20 05:54:49 slackbox sshd[1132]: Failed password for invalid user test from 218.38.136.47 port 56125 ssh2
    Oct 20 05:54:50 slackbox sshd[1134]: Connection from 218.38.136.47 port 56214
    Oct 20 05:54:51 slackbox sshd[1134]: Invalid user guest from 218.38.136.47
    Oct 20 05:54:51 slackbox sshd[1134]: error: Could not get shadow information for NOUSER
    Oct 20 05:54:51 slackbox sshd[1134]: Failed password for invalid user guest from 218.38.136.47 port 56214 ssh2
    Oct 20 05:54:51 slackbox sshd[1136]: Connection from 218.38.136.47 port 56298
    Oct 20 05:54:52 slackbox sshd[1136]: Invalid user admin from 218.38.136.47
    Oct 20 05:54:52 slackbox sshd[1136]: error: Could not get shadow information for NOUSER
    Oct 20 05:54:52 slackbox sshd[1136]: Failed password for invalid user admin from 218.38.136.47 port 56298 ssh2
    Oct 20 05:54:53 slackbox sshd[1138]: Connection from 218.38.136.47 port 56365
    Oct 20 05:54:54 slackbox sshd[1138]: Invalid user admin from 218.38.136.47
    Oct 20 05:54:54 slackbox sshd[1138]: error: Could not get shadow information for NOUSER
    Oct 20 05:54:54 slackbox sshd[1138]: Failed password for invalid user admin from 218.38.136.47 port 56365 ssh2
    Oct 20 05:54:54 slackbox sshd[1140]: Connection from 218.38.136.47 port 56436
    Oct 20 05:54:55 slackbox sshd[1140]: Invalid user user from 218.38.136.47
    Oct 20 05:54:55 slackbox sshd[1140]: error: Could not get shadow information for NOUSER
    Oct 20 05:54:55 slackbox sshd[1140]: Failed password for invalid user user from 218.38.136.47 port 56436 ssh2
    Oct 20 05:54:56 slackbox sshd[1142]: Connection from 218.38.136.47 port 56529
    Oct 20 05:54:57 slackbox sshd[1142]: Failed password for root from 218.38.136.47 port 56529 ssh2
    Oct 20 05:54:57 slackbox sshd[1144]: Connection from 218.38.136.47 port 56598
    Oct 20 05:54:59 slackbox sshd[1144]: Failed password for root from 218.38.136.47 port 56598 ssh2
    Oct 20 05:54:59 slackbox sshd[1146]: Connection from 218.38.136.47 port 56691
    Oct 20 05:55:00 slackbox sshd[1146]: Failed password for root from 218.38.136.47 port 56691 ssh2
    Oct 20 05:55:00 slackbox sshd[1149]: Connection from 218.38.136.47 port 56762
    Oct 20 05:55:02 slackbox sshd[1149]: Invalid user test from 218.38.136.47
    Oct 20 05:55:02 slackbox sshd[1149]: error: Could not get shadow information for NOUSER
    Oct 20 05:55:02 slackbox sshd[1149]: Failed password for invalid user test from 218.38.136.47 port 56762 ssh2
    which sounds like the probes you are getting, the test, guest, admin sequence.
    Set up that logging and it will tell you if it was accepted or denied.
    Looking at the script on k-otik's site, the passwords are VERY basic
    passwords, only 1-word passwords. So successful attempts of these probes
    should be minimal unless there is a very weak password in place.

    On Tuesday 19 October 2004 17:18, Rail mail wrote:
    > I have gotten many probes of some rogue trying ssh to root (different IPs)
    >
    > I got OpenSSH running on freebsd
    > no root logins and only using proto v2 applied
    >
    > I am wondering if they are actually logging in?
    >
    > Does anyone know of anything I should be aware of or looking for?
    >
    > On Tue, 19 Oct 2004 21:24:51 -0700, Calvin Maready <cc.cal@verizon.net>
    wrote:
    > >
    > > In the last 2 months or so I've seen a lot of these too, except I also get
    > > root attempts. On k-otik's site they have a brute-forcing script for ssh
    > > that I think a number of these scans are coming from, even though it
    > > was only released on the 20th of last month. Here is the direct link
    > > http://www.k-otik.com/exploits/08202004.brutessh2.c.php .
    > >
    > > On Saturday 16 October 2004 21:05, Christopher Strong wrote:
    > > > In-Reply-To: <002f01c4a2d2$e0056ba0$6301010a@CPQ7380>
    > > >
    > > > >On examining /var/log/secure for several firewalls I manage remotely
    > > > > using ssh I have observed a recurrent pattern of probing over the
    > > > > last several that attempts to connect using user id's in the
    > > > > following order...
    > > > >
    > > > >test / guest / admin / admin / user / test
    > > >
    > > > I am seeing this, along with random usernames in large blocks from
    > > > compromised IPs
    > > >
    > > > >Is it worth reporting the behaviour to the net block assignees in case
    > > > > they aren't aware their server might be compromised?
    > > >
    > > > Usually not. They are generally fools who won't reply, or if they do
    > > > they will blow you off.
    > >
    > > - --
    > > _______________
    > > Calvin Maready

    --
    _______________
    Calvin Maready
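A small detector over sshd lines of the kind the VERBOSE config above produces, written as an added example rather than anything posted in the thread: it groups failures by source address, recognises the test/guest/admin/admin/user username order the thread identifies, and flags the case Rail mail actually asked about (a source that failed repeatedly and was then accepted). The sample log and its RFC 5737 addresses are constructed; the message formats are the ones shown in the snippet.

```python
import re
from collections import defaultdict

# sshd auth-result messages as emitted at LogLevel VERBOSE (formats taken from the thread).
RE_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
RE_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+ ssh2")
# Username order the thread identifies as the scanner's fingerprint.
PROBE_SIGNATURE = ("test", "guest", "admin", "admin", "user")

def parse_line(line):
    """Return (kind, user, source_ip) for an accept/fail line, None for anything else."""
    for kind, rx in (("accepted", RE_ACCEPTED), ("failed", RE_FAILED)):
        m = rx.search(line)
        if m:
            return kind, m.group(1), m.group(2)

def summarize(lines, threshold=5):
    """Per source IP: failed usernames in order, accepted users, and verdict flags."""
    per_ip = defaultdict(lambda: {"users": [], "accepted": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # "Connection from", "Invalid user", shadow errors: not a result
            continue
        kind, user, ip = parsed
        per_ip[ip]["users" if kind == "failed" else "accepted"].append(user)
    report = {}
    for ip, rec in per_ip.items():
        failed = len(rec["users"])
        report[ip] = {
            "failed": failed,
            "accepted": rec["accepted"],
            "brute_force": failed >= threshold,
            "known_scanner": tuple(rec["users"][: len(PROBE_SIGNATURE)]) == PROBE_SIGNATURE,
            # The original poster's real question: a source that failed repeatedly and then got in.
            "suspicious_success": bool(rec["accepted"]) and failed >= threshold,
        }
    return report

# Constructed sample log (RFC 5737 test addresses), shaped like the snippet in the mail.
SAMPLE_LOG = """\
Oct 20 05:54:49 slackbox sshd[1132]: Failed password for invalid user test from 192.0.2.10 port 56125 ssh2
Oct 20 05:54:51 slackbox sshd[1134]: Failed password for invalid user guest from 192.0.2.10 port 56214 ssh2
Oct 20 05:54:52 slackbox sshd[1136]: Failed password for invalid user admin from 192.0.2.10 port 56298 ssh2
Oct 20 05:54:54 slackbox sshd[1138]: Failed password for invalid user admin from 192.0.2.10 port 56365 ssh2
Oct 20 05:54:55 slackbox sshd[1140]: Failed password for invalid user user from 192.0.2.10 port 56436 ssh2
Oct 20 05:54:57 slackbox sshd[1142]: Failed password for root from 192.0.2.10 port 56529 ssh2
Oct 20 06:10:03 slackbox sshd[1201]: Failed password for alice from 198.51.100.7 port 40122 ssh2
Oct 20 06:10:09 slackbox sshd[1201]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2
""".splitlines()
```

Run `summarize(SAMPLE_LOG)` to get one verdict dict per source; an entry with `suspicious_success` set is the one to investigate first, since it means a password guess eventually worked.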

