Re: Illegal user ssh probes

From: Bartek Krajnik (bmk_at_bicom.pl)
Date: 10/20/04

    Date:	Wed, 20 Oct 2004 20:02:11 +0200
    To: Calvin Maready <cc.cal@verizon.net>, strong@castrovalva.com, secureshell@securityfocus.com
    
    
    

    On 19-10-2004 at 09:24:51PM -0700, Calvin Maready wrote:
    CM> -----BEGIN PGP SIGNED MESSAGE-----
    CM> Hash: SHA1
    CM>
    CM> In the last 2 months or so I've seen a lot of these too, except I also get root
    CM> attempts. On k-otik's site they have a brute forcing script for ssh that I
    CM> think that a number of these scans are coming from even though it was only
    CM> released on the 20th of last month. Here is the direct link
    CM> http://www.k-otik.com/exploits/08202004.brutessh2.c.php .
    CM> On Saturday 16 October 2004 21:05, Christopher Strong wrote:
    CM> > In-Reply-To: <002f01c4a2d2$e0056ba0$6301010a@CPQ7380>
    CM> >
    CM> > >On examining /var/log/secure for several firewalls I manage remotely using
    CM> > >ssh I have observed a recurrent pattern of probing over the last several
    CM> > >that attempts to connect using user id's in the following order...
    CM> > >
    CM> > >test / guest / admin / admin / user / test
    CM> >
    CM> > I am seeing this, along with random usernames in large blocks from
    CM> > compromised IPs
    CM> >
    CM> > >Is it worth reporting the behaviour to the net block assignees in case
    CM> > > they aren't aware their server might be compromised?
    CM> >
    CM> > Usually not. They are generally fools who won't reply, or if they do they
    CM> > will blow you off.
    CM>

    Use this:
    http://www.bmk.bz/log-auth-check/index.html

    Works fine for me.

    Best regards,
       Bartek.
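
    The probe pattern discussed in this thread can be pulled out of /var/log/secure with a short script. This is an added example, not part of the original message and not the code of the tool linked above; the sshd message formats and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Username order reported in the thread.
PROBE_SEQUENCE = ["test", "guest", "admin", "admin", "user", "test"]

# Assumed sshd message formats: "Illegal user" (older OpenSSH) or "Invalid user".
UNKNOWN_RE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")
ROOT_RE = re.compile(r"sshd\[\d+\]: Failed password for root from (\S+)")

# Constructed sample lines (documentation addresses), not taken from a real host.
SAMPLE = """\
Oct 16 21:05:01 fw sshd[4101]: Illegal user test from 192.0.2.10
Oct 16 21:05:03 fw sshd[4103]: Illegal user guest from 192.0.2.10
Oct 16 21:05:05 fw sshd[4105]: Illegal user admin from 192.0.2.10
Oct 16 21:05:07 fw sshd[4107]: Illegal user admin from 192.0.2.10
Oct 16 21:05:09 fw sshd[4109]: Illegal user user from 192.0.2.10
Oct 16 21:05:11 fw sshd[4111]: Illegal user test from 192.0.2.10
Oct 17 03:12:40 fw sshd[5220]: Failed password for root from 198.51.100.7 port 4312 ssh2
Oct 17 03:12:44 fw sshd[5222]: Failed password for root from 198.51.100.7 port 4313 ssh2
Oct 17 03:12:48 fw sshd[5224]: Illegal user oracle from 198.51.100.7
Oct 17 08:00:02 fw sshd[6001]: Accepted publickey for ops from 203.0.113.5 port 5000 ssh2
"""

def contains_run(names, pattern):
    """True if pattern occurs as a contiguous run inside names."""
    n = len(pattern)
    return any(names[i:i + n] == pattern for i in range(len(names) - n + 1))

def summarize(lines):
    """Group failed attempts by source address and flag the known sequence."""
    users, root_failures = defaultdict(list), defaultdict(int)
    for line in lines:
        m = UNKNOWN_RE.search(line)
        if m:
            users[m.group(2)].append(m.group(1))
        elif (m := ROOT_RE.search(line)):
            root_failures[m.group(1)] += 1
    return {
        ip: {
            "unknown_users": len(users[ip]),
            "root_failures": root_failures[ip],
            "known_sequence": contains_run(users[ip], PROBE_SEQUENCE),
        }
        for ip in sorted(set(users) | set(root_failures))
    }

if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE.splitlines()).items():
        print(ip, stats)
```

    On a real host, pass the lines of the log file to summarize() in place of SAMPLE; sources with the sequence flag set or a high count are candidates for blocking at the firewall.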

    
    


