RE: SSH probes?
From: Jerry Shenk (jshenk_at_decommunications.com)
Date: 05/10/04
- Previous message: Josh.Berry_at_compucom.com: "RE: Port 3889 Traffic"
- In reply to: Devdas Bhagat: "SSH probes?"
- Next in thread: iglope: "Re: SSH probes?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Devdas Bhagat'" <devdas@dvb.homelinux.org>, <incidents@securityfocus.com>
Date: Mon, 10 May 2004 11:21:51 -0400
At first glance, that sure does seem like somebody's a little overly
interested ;) Do you know who 211.216.53.20 is? It looks like it
belongs to a block from Korea... generally not a good sign unless you
have a partner there. I'd be very tempted to just block the IP block
that this machine comes from.
How about the usernames? The one listed here is ftp - any other
usernames, particularly valid ones that belong to real people in your
organization?
-----Original Message-----
From: Devdas Bhagat [mailto:devdas@dvb.homelinux.org]
Sent: Sunday, May 09, 2004 12:35 PM
To: incidents@securityfocus.com
Subject: SSH probes?
I got about 61 of these in my logs before I turned sshd off. This looks
like a brute force attempt at getting a login.
May 9 21:35:03 evita sshd(pam_unix)[16332]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20 user=ftp
May 9 21:35:10 evita sshd(pam_unix)[16374]: check pass; user unknown
May 9 21:35:10 evita sshd(pam_unix)[16374]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20
May 9 21:35:16 evita sshd(pam_unix)[16375]: check pass; user unknown
Anyone else seeing events like this?
The box is patched, up to date and still uncompromised. Timezone is
UTC +0530 and synchronised to ntp.
Devdas Bhagat
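The follow-up question above (which source, and which usernames) is the kind of thing worth scripting over the sshd(pam_unix) lines rather than eyeballing. The example below is added here and is not code from either poster; it parses lines in the format quoted in the thread, counts failures per rhost, and records which usernames were tried. The "check pass; user unknown" line is tied to the following "authentication failure" line by PID, since that second line carries no user= field. The log sample is constructed (modelled on the quoted lines, each entry on one line; the 192.0.2.7 entry and the PIDs are made up), and the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in the thread.
# The mail client wrapped the long entries; here each entry is one line.
SAMPLE_LOG = """\
May  9 21:35:03 evita sshd(pam_unix)[16332]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20 user=ftp
May  9 21:35:10 evita sshd(pam_unix)[16374]: check pass; user unknown
May  9 21:35:10 evita sshd(pam_unix)[16374]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20
May  9 21:35:16 evita sshd(pam_unix)[16375]: check pass; user unknown
May  9 21:35:16 evita sshd(pam_unix)[16375]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20
May  9 21:36:02 evita sshd(pam_unix)[16390]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.7 user=root
"""

# "authentication failure" lines: rhost is always present, user= only for known accounts.
FAIL_RE = re.compile(
    r"sshd\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure;"
    r".*?rhost=(?P<rhost>\S*)(?: user=(?P<user>\S+))?"
)
# pam_unix logs this (with the same PID) just before a failure for a non-existent account.
UNKNOWN_RE = re.compile(r"sshd\(pam_unix\)\[(?P<pid>\d+)\]: check pass; user unknown")


def summarize(log_text):
    """Return {rhost: {"failures": count, "users": set of usernames tried}}."""
    unknown_pids = set()
    per_host = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            unknown_pids.add(m.group("pid"))  # remember, count on the failure line
            continue
        m = FAIL_RE.search(line)
        if not m:
            continue
        user = m.group("user")
        if user is None:
            # No user= field: an unknown account if pam said so for this PID.
            user = "<unknown>" if m.group("pid") in unknown_pids else "<none>"
        host = m.group("rhost") or "<no rhost>"
        per_host[host]["failures"] += 1
        per_host[host]["users"].add(user)
    return dict(per_host)


def suspicious_hosts(summary, threshold=3):
    """Sources with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(h for h, s in summary.items() if s["failures"] >= threshold)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host in suspicious_hosts(summary):
        s = summary[host]
        print(f"{host}: {s['failures']} failures, users tried: {sorted(s['users'])}")
```

Run against /var/log/messages (or wherever pam_unix logs on the box) to answer both questions in one pass: which hosts are hammering sshd and whether any real account names appear in the user set.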