RE: SSH attacks?

From: Herman Frederick Ebeling Jr. (hfebelingjr_at_lycos.com)
Date: 07/29/04

    To: <incidents@securityfocus.com>
    Date: Thu, 29 Jul 2004 14:32:52 -0400
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Andrew,

    Looking at the list of IP addresses that you listed I got curious and fired up McAfee's Visual Trace, and with the exception of two of them they've all come from overseas. And then mostly from Asia, with one ending in Europe. I wonder IF we're looking at a "gang" of cyber-criminals from Asia, or if it's just a coincidence that most of them seem to have originated in Asia???

    Herman

    - -----Original Message-----
    From: Andrew J Caines [mailto:A.J.Caines@halplant.com]
    Sent: Wednesday, 28 July, 2004 20:22
    To: incidents@securityfocus.com
    Subject: Re: SSH attacks?

    FWIW, here's what I've seen on my single IP cable connection:

    Jul 17 04:54:46 test 129.194.21.5
    Jul 17 04:54:47 guest 129.194.21.5
    Jul 22 04:38:49 test 61.237.13.234
    Jul 22 04:38:52 guest 61.237.13.234
    Jul 23 10:55:46 test 61.109.156.5
    Jul 23 10:55:49 guest 61.109.156.5
    Jul 24 19:40:48 test 202.6.75.195
    Jul 24 19:40:50 guest 202.6.75.195
    Jul 24 20:24:31 test 69.0.134.72
    Jul 24 20:24:31 guest 69.0.134.72
    Jul 24 20:24:32 admin 69.0.134.72
    Jul 24 20:24:33 admin 69.0.134.72
    Jul 24 20:24:34 user 69.0.134.72
    Jul 24 20:24:37 test 69.0.134.72
    Jul 25 02:51:10 test 211.202.3.148
    Jul 25 02:51:12 guest 211.202.3.148
    Jul 25 16:30:34 test 219.234.216.150
    Jul 25 16:30:37 guest 219.234.216.150
    Jul 27 16:12:08 test 210.92.210.67
    Jul 27 16:12:10 guest 210.92.210.67
    Jul 28 11:52:43 test 65.61.98.16
    Jul 28 11:52:45 guest 65.61.98.16

    The timing and distribution of userids indicates to me that this is more
    than a simple probe for vulnerable SSH servers.

    > Reality must take precedence over public relations, for Mother Nature
    > cannot be fooled. -- R.P. Feynman

    "Physics is like sex: sure, it may give some practical results, but
     that's not why we do it." - Feynman

    - -Andrew-
    - --
     _______________________________________________________________________
    | -Andrew J. Caines- Unix Systems Engineer A.J.Caines@halplant.com |
    | "They that can give up essential liberty to obtain a little temporary |
    | safety deserve neither liberty nor safety" - Benjamin Franklin, 1759 |

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.3

    iQA/AwUBQQlB/h/i52nbE9vTEQKJvACg4JnEdK+2DGEF9izjRFblcOiRX9UAn0Sp
    4HcbCl/cFnYRIQFN5cgGmyCO
    =Fo8t
    -----END PGP SIGNATURE-----
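
Added example, not part of either poster's message: one way to test the "timing and distribution of userids" observation is to group the attempts per source into bursts and compare the userid order across sources. The sample lines are constructed in the same layout as the listing above, and the function names and the 60-second burst gap are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import takewhile

# Constructed sample in the post's "Mon DD HH:MM:SS userid source-ip" layout;
# the addresses are RFC 5737 documentation ranges, not the ones reported above.
SAMPLE = """\
Jul 17 04:54:46 test 192.0.2.10
Jul 17 04:54:47 guest 192.0.2.10
Jul 22 04:38:49 test 198.51.100.7
Jul 22 04:38:52 guest 198.51.100.7
Jul 24 20:24:31 test 203.0.113.5
Jul 24 20:24:31 guest 203.0.113.5
Jul 24 20:24:32 admin 203.0.113.5
"""

def parse(text, year=2004):
    """Return (timestamp, userid, source_ip) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            stamp = f"{year} {' '.join(parts[:3])}"
            rows.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), parts[3], parts[4]))
    return rows

def bursts(text, gap=timedelta(seconds=60)):
    """Split each source's attempts into bursts separated by more than `gap`."""
    by_ip = defaultdict(list)
    for i, (ts, user, ip) in enumerate(parse(text)):
        by_ip[ip].append((ts, i, user))  # i keeps log order for equal timestamps
    out = []
    for ip, events in by_ip.items():
        events.sort()
        chunk = [events[0]]
        for ev in events[1:] + [None]:  # None is a sentinel that flushes the last burst
            if ev is None or ev[0] - chunk[-1][0] > gap:
                out.append({"ip": ip, "start": chunk[0][0],
                            "users": [e[2] for e in chunk],
                            "seconds": (chunk[-1][0] - chunk[0][0]).total_seconds()})
                chunk = []
            if ev is not None:
                chunk.append(ev)
    return sorted(out, key=lambda b: b["start"])

def shared_prefix(found):
    """Longest userid sequence that every burst opens with."""
    cols = zip(*(b["users"] for b in found))
    return [c[0] for c in takewhile(lambda c: len(set(c)) == 1, cols)]
```

Unrelated sources that all open with the same userid sequence, each within a few seconds, point to a shared scripted wordlist rather than a bare port probe.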

