Re: Illegal user ssh probes

From: Rail mail (railmail_at_gmail.com)
Date: 10/20/04

    Date: Tue, 19 Oct 2004 20:18:36 -0400
    To: Calvin Maready <cc.cal@verizon.net>
    
    

    I have gotten many probes of some rogue trying ssh to root (different IPs).

    I have OpenSSH running on FreeBSD,
    no root logins and only using proto v2 applied.

    I am wondering if they are actually logging in?

    Does anyone know of anything I should be aware of or looking for?

    On Tue, 19 Oct 2004 21:24:51 -0700, Calvin Maready <cc.cal@verizon.net> wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > In the last 2 months or so I've seen a lot of these too, except I also get root
    > attempts. On k-otik's site they have a brute forcing script for ssh that I
    > think that a number of these scans are coming from even though it was only
    > released on the 20th of last month. Here is the direct link
    > http://www.k-otik.com/exploits/08202004.brutessh2.c.php .
    >
    >
    > On Saturday 16 October 2004 21:05, Christopher Strong wrote:
    > > In-Reply-To: <002f01c4a2d2$e0056ba0$6301010a@CPQ7380>
    > >
    > > >On examining /var/log/secure for several firewalls I manage remotely using
    > > >ssh I have observed a recurrent pattern of probing over the last several
    > > >that attempts to connect using user id's in the following order...
    > > >
    > > >test / guest / admin / admin / user / test
    > >
    > > I am seeing this, along with random usernames in large blocks from
    > > compromised IPs
    > >
    > > >Is it worth reporting the behaviour to the net block assignees in case
    > > > they aren't aware their server might be compromised?
    > >
    > > Usually not. They are generally fools who won't reply, or if they do they
    > > will blow you off.
    >
    > - --
    > _______________
    > Calvin Maready
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.4 (GNU/Linux)
    >
    > iQEVAwUBQXXollvjNZV1G9miAQI14Qf+OyuWuI7BdndXjAKvro/a6Ki4Rlqoyzhe
    > WnnRRm4NTaYT1Cvww6mF0zqNwPGz7rKZWNs7TTGVOMRENMuDbKZ+TO1VH4bq3xQQ
    > lRjycu9d51CunLodKwdVzDsSId/6hpSnkaWTUNrr9Ixl6+TyplTQlXXXM6Xwt2+N
    > 26Kuj7xNhqOFdwV2TR9OPYof6viU1S+Vdn9Detuxa13CMLiMcMSk73MunIV84uWJ
    > NynOclOlFSJOGaeLd2JMdZSEuxpjFKqKQtHsmvHNu+rQ3SqNJqgk2Eksxs+FIcOc
    > DJw5vyhZzvJYcuuGEjqwdbhEdmFn2yX5CkGlrjypWhkmvO919fx9DQ==
    > =A8yk
    > -----END PGP SIGNATURE-----
    >
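A way to answer the question the post asks (are the probing hosts actually getting in?) is to correlate sshd's failure lines with its "Accepted" lines per source address. The script below is an added example, not code from the poster or from anyone in the thread. It assumes OpenSSH 3.x-era syslog wording ("Illegal user", "Failed password for ...", "Accepted password/publickey for ..."; later versions say "Invalid user"), and the sample log lines are constructed for the example. On the FreeBSD box in question the relevant file is assumed to be the auth facility log (e.g. /var/log/auth.log), while the Linux firewalls mentioned earlier in the thread log to /var/log/secure.

```python
import re
import sys
from collections import defaultdict

# Constructed sample lines (not from the original post). Formats follow
# OpenSSH 3.x-era syslog output; adjust the regexes for other versions.
SAMPLE_LOG = """\
Oct 19 20:01:12 fw1 sshd[1234]: Illegal user test from 203.0.113.7
Oct 19 20:01:13 fw1 sshd[1234]: Failed password for illegal user test from 203.0.113.7 port 4321 ssh2
Oct 19 20:01:15 fw1 sshd[1236]: Illegal user guest from 203.0.113.7
Oct 19 20:01:16 fw1 sshd[1236]: Failed password for illegal user guest from 203.0.113.7 port 4322 ssh2
Oct 19 20:01:18 fw1 sshd[1238]: Failed password for root from 203.0.113.7 port 4323 ssh2
Oct 19 20:01:20 fw1 sshd[1239]: Failed password for root from 203.0.113.7 port 4324 ssh2
Oct 19 20:02:01 fw1 sshd[1240]: Accepted password for admin from 203.0.113.7 port 4330 ssh2
Oct 19 20:05:00 fw1 sshd[1250]: Accepted publickey for alice from 198.51.100.5 port 50022 ssh2
Oct 19 20:07:30 fw1 sshd[1260]: Did not receive identification string from 192.0.2.9
"""

# Generic syslog prefix: timestamp, hostname, "sshd[pid]: ", then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
ILLEGAL_RE = re.compile(r"^Illegal user (?P<user>\S+) from (?P<ip>\S+)")
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?:illegal user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"
)
KINDS = (("illegal", ILLEGAL_RE), ("failed", FAILED_RE), ("accepted", ACCEPTED_RE))


def parse_events(text):
    """Return a list of dicts for every sshd line we recognise.

    Lines we do not classify (e.g. "Did not receive identification string",
    which is usually a scanner connecting and dropping) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for kind, rx in KINDS:
            hit = rx.match(msg)
            if hit:
                d = hit.groupdict()
                events.append({"ts": m.group("ts"), "kind": kind,
                               "user": d["user"], "ip": d["ip"],
                               "method": d.get("method")})
                break
    return events


def summarize(events):
    """Group failures by source IP and flag successful logins worth a look.

    A login is flagged if it comes from an address that also produced
    failures, or if it is a root login (which should never succeed with
    PermitRootLogin no in effect).
    """
    probes = defaultdict(lambda: {"failures": 0, "users": set()})
    accepted = []
    for e in events:
        if e["kind"] in ("illegal", "failed"):
            src = probes[e["ip"]]
            src["users"].add(e["user"])
            if e["kind"] == "failed":
                src["failures"] += 1
        else:
            accepted.append(e)
    suspicious = [e for e in accepted if e["ip"] in probes or e["user"] == "root"]
    return {"probes": dict(probes), "accepted": accepted, "suspicious": suspicious}


def report(summary):
    """Print a short human-readable summary."""
    for ip, info in sorted(summary["probes"].items()):
        print(f"{ip}: {info['failures']} failed attempts, users tried: "
              f"{', '.join(sorted(info['users']))}")
    for e in summary["suspicious"]:
        print(f"CHECK: {e['ts']} accepted {e['method']} login for "
              f"{e['user']} from {e['ip']} (source also probed this host)")


if __name__ == "__main__":
    # Usage: python sshprobes.py /var/log/auth.log   (path is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report(summarize(parse_events(text)))
```

On the constructed sample the report shows 203.0.113.7 cycling through test, guest and root and then getting an accepted password login as "admin", which is exactly the case to investigate; the publickey login from an unrelated address is left alone. The same correlation can be fed to whatever alerting the site already has.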

