SSH scans...
From: Dejan Markovic (dejanmarkovic_at_hotmail.com)
Date: 12/20/04
- Previous message: James Eaton-Lee: "Re: PHP injection attempt from 200.222.244.154"
- Next in thread: Harald Nesland: "Re: SSH scans..."
- Reply: Harald Nesland: "Re: SSH scans..."
- Reply: Barrie Dempster: "Re: SSH scans..."
- Reply: Tim Kennedy: "Re: [incidents] SSH scans..."
- Reply: Gerry Dalton: "Re: SSH scans..."
- Reply: Keith Morgan: "Re: SSH scans..."
- Reply: Raymond Lillard: "Re: SSH scans..."
- Maybe reply: brian_at_ethernet.org: "re: SSH scans..."
- Maybe reply: Dejan Markovic: "Re: SSH scans..."
- Reply: nixsec: "Re: SSH scans..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <INCIDENTS@SECURITYFOCUS.COM> Date: Mon, 20 Dec 2004 10:21:19 -0500
Hi Guys,
Don't know whether this is the right list, but need to ask if others have
the same entries in their logs for the past number of months. Let me take a
step back, I maintain a number of networks on different IP ranges and they
are all being probed by what looks like a tool, or maybe it is the same
group/script. The originating computers range from open proxies to owned
boxes and there are two distinct patterns I've seen so far. The following
scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
caught my attention the first time a while back, and still getting the same
scans on a daily basis:
account/password from 210.245.168.28: 1 Time(s)
adam/password from 210.245.168.28: 1 Time(s)
adm/password from 210.245.168.28: 2 Time(s)
alan/password from 210.245.168.28: 1 Time(s)
apache/password from 210.245.168.28: 1 Time(s)
backup/password from 210.245.168.28: 1 Time(s)
cip51/password from 210.245.168.28: 1 Time(s)
cip52/password from 210.245.168.28: 1 Time(s)
cosmin/password from 210.245.168.28: 1 Time(s)
cyrus/password from 210.245.168.28: 1 Time(s)
data/password from 210.245.168.28: 1 Time(s)
frank/password from 210.245.168.28: 1 Time(s)
george/password from 210.245.168.28: 1 Time(s)
henry/password from 210.245.168.28: 1 Time(s)
horde/password from 210.245.168.28: 1 Time(s)
iceuser/password from 210.245.168.28: 1 Time(s)
irc/password from 210.245.168.28: 2 Time(s)
jane/password from 210.245.168.28: 1 Time(s)
john/password from 210.245.168.28: 1 Time(s)
master/password from 210.245.168.28: 1 Time(s)
matt/password from 210.245.168.28: 1 Time(s)
mysql/password from 210.245.168.28: 1 Time(s)
nobody/password from 210.245.168.28: 1 Time(s)
noc/password from 210.245.168.28: 1 Time(s)
operator/password from 210.245.168.28: 1 Time(s)
oracle/password from 210.245.168.28: 1 Time(s)
pamela/password from 210.245.168.28: 1 Time(s)
patrick/password from 210.245.168.28: 2 Time(s)
rolo/password from 210.245.168.28: 1 Time(s)
root/password from 210.245.168.28: 59 Time(s)
server/password from 210.245.168.28: 1 Time(s)
sybase/password from 210.245.168.28: 1 Time(s)
test/password from 210.245.168.28: 5 Time(s)
user/password from 210.245.168.28: 3 Time(s)
web/password from 210.245.168.28: 2 Time(s)
webmaster/password from 210.245.168.28: 1 Time(s)
www-data/password from 210.245.168.28: 1 Time(s)
www/password from 210.245.168.28: 1 Time(s)
wwwrun/password from 210.245.168.28: 1 Time(s)
Regards,
Dan
- Previous message: James Eaton-Lee: "Re: PHP injection attempt from 200.222.244.154"
- Next in thread: Harald Nesland: "Re: SSH scans..."
- Reply: Harald Nesland: "Re: SSH scans..."
- Reply: Barrie Dempster: "Re: SSH scans..."
- Reply: Tim Kennedy: "Re: [incidents] SSH scans..."
- Reply: Gerry Dalton: "Re: SSH scans..."
- Reply: Keith Morgan: "Re: SSH scans..."
- Reply: Raymond Lillard: "Re: SSH scans..."
- Maybe reply: brian_at_ethernet.org: "re: SSH scans..."
- Maybe reply: Dejan Markovic: "Re: SSH scans..."
- Reply: nixsec: "Re: SSH scans..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
