Re: Illegal user ssh probes

From: Rail mail (railmail_at_gmail.com)
Date: 10/20/04

  • Next message: Robert Hajime Lanning: "Re: scp problems with RedHat Machines to Unix w/SSH"
    Date: Tue, 19 Oct 2004 20:18:36 -0400
    To: Calvin Maready <cc.cal@verizon.net>
    
    

    I have gotten many probes of some rouge trying ssh to root (diffrent ips)

    I got OpenSSH running on freebsd
    no root logins and only using proto v2 applied

    I am wondering if they are actually logging in?

    does any one know of anything I should be aware of or looking for?

    On Tue, 19 Oct 2004 21:24:51 -0700, Calvin Maready <cc.cal@verizon.net> wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > In the last 2 months or so i've seen alot of these too, except i also get root
    > attempts. on k-otiks site they have a brute forcing script for ssh that i
    > think that a number of these scans are coming from even though it was only
    > release on the 20th of last month. Here is the direct link
    > http://www.k-otik.com/exploits/08202004.brutessh2.c.php .
    >
    >
    > On Saturday 16 October 2004 21:05, Christopher Strong wrote:
    > > In-Reply-To: <002f01c4a2d2$e0056ba0$6301010a@CPQ7380>
    > >
    > > >On examining /var/log/secure for several firewalls I manage remotely using
    > > >ssh I have observed a recurrent pattern of probing over the last several
    > > >that attempts to connect using user id's in the following order...
    > > >
    > > >test / guest / admin / admin / user / test
    > >
    > > I am seeing this, along with random usernames in large blocks from
    > > compromised IPs
    > >
    > > >Is it worth reporting the behaviour to the net block assignees in case
    > > > they aren't aware their server might be compromised?
    > >
    > > Usually not. They are generally fools who won't reply, or if they do they
    > > will blow you off.
    >
    > - --
    > _______________
    > Calvin Maready
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.4 (GNU/Linux)
    >
    > iQEVAwUBQXXollvjNZV1G9miAQI14Qf+OyuWuI7BdndXjAKvro/a6Ki4Rlqoyzhe
    > WnnRRm4NTaYT1Cvww6mF0zqNwPGz7rKZWNs7TTGVOMRENMuDbKZ+TO1VH4bq3xQQ
    > lRjycu9d51CunLodKwdVzDsSId/6hpSnkaWTUNrr9Ixl6+TyplTQlXXXM6Xwt2+N
    > 26Kuj7xNhqOFdwV2TR9OPYof6viU1S+Vdn9Detuxa13CMLiMcMSk73MunIV84uWJ
    > NynOclOlFSJOGaeLd2JMdZSEuxpjFKqKQtHsmvHNu+rQ3SqNJqgk2Eksxs+FIcOc
    > DJw5vyhZzvJYcuuGEjqwdbhEdmFn2yX5CkGlrjypWhkmvO919fx9DQ==
    > =A8yk
    > -----END PGP SIGNATURE-----
    >


  • Next message: Robert Hajime Lanning: "Re: scp problems with RedHat Machines to Unix w/SSH"

    Relevant Pages

    • RE: Linux hacked
      ... Also, what exactly did the history file show, can you paste it into a mail ... > First let me say I'm a security novice. ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ...
      (Security-Basics)
    • Re: Linux hacked
      ... To find out what kernel version you are running, type "uname -a" without ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ...
      (Security-Basics)
    • RE: Linux hacked
      ... Was any of the sites running a php nuke or another portal or system that is vuln ... been able to use that with a locla root exploit to gain root on the machine. ... > hack the box, pull the drive and save it. ... > Use the newest versions of Gentoo, Apache, SSH, PHP and Squirl Mail. ...
      (Security-Basics)
    • Re: X11Forwarding, ssh -X, and /bin/su
      ... ]>but I'm not really tunneled using ssh then, ... ]connecting to the X server and have the home directory NFS-mounted ... ](unless you leave root unmapped over NFS, ... ]root-readable place and set the environment $XAUTHORITY variable ...
      (comp.security.ssh)
    • RE: Linux hacked
      ... hack the box, pull the drive and save it. ... Use the newest versions of Gentoo, Apache, SSH, PHP and Squirl Mail. ... been unsuccessful in getting root back. ... I found a hidden directory /var/tmp/.tmp that has a bunch of directories ...
      (Security-Basics)