Re: SSH scans...
From: Harald Nesland (maillists-hn_at_interweb.no)
Date: 12/20/04
- Previous message: Ganbold: "Re: Strange command histories in hacked shell server"
- In reply to: Dejan Markovic: "SSH scans..."
- Next in thread: Ron Moore: "RE: SSH scans... another possible solution"
- Reply: Ron Moore: "RE: SSH scans... another possible solution"
- Reply: Dejan Markovic: "Re: SSH scans..."
Date: Mon, 20 Dec 2004 17:18:33 +0100
To: Dejan Markovic <dejanmarkovic@hotmail.com>
Hi,
You're not alone :)
I'm being scanned too, from various IP addresses for various users.
I guess the solution is to block SSH in your firewall, and open it to
your needs.
Dejan Markovic wrote:
> Hi Guys,
>
> Don't know whether this is the right list, but need to ask if others have
> the same entries in their logs for the past number of months. Let me take a
> step back, I maintain a number of networks on different IP ranges and they
> are all being probed by what looks like a tool, or maybe it is the same
> group/script. The originating computers range from open proxies to owned
> boxes and there are two distinct patterns I've seen so far. The following
> scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
> caught my attention the first time a while back, and still getting the same
> scans on a daily basis:
>
> account/password from 210.245.168.28: 1 Time(s)
> adam/password from 210.245.168.28: 1 Time(s)
> adm/password from 210.245.168.28: 2 Time(s)
> alan/password from 210.245.168.28: 1 Time(s)
> apache/password from 210.245.168.28: 1 Time(s)
> backup/password from 210.245.168.28: 1 Time(s)
> cip51/password from 210.245.168.28: 1 Time(s)
> cip52/password from 210.245.168.28: 1 Time(s)
> cosmin/password from 210.245.168.28: 1 Time(s)
> cyrus/password from 210.245.168.28: 1 Time(s)
> data/password from 210.245.168.28: 1 Time(s)
> frank/password from 210.245.168.28: 1 Time(s)
> george/password from 210.245.168.28: 1 Time(s)
> henry/password from 210.245.168.28: 1 Time(s)
> horde/password from 210.245.168.28: 1 Time(s)
> iceuser/password from 210.245.168.28: 1 Time(s)
> irc/password from 210.245.168.28: 2 Time(s)
> jane/password from 210.245.168.28: 1 Time(s)
> john/password from 210.245.168.28: 1 Time(s)
> master/password from 210.245.168.28: 1 Time(s)
> matt/password from 210.245.168.28: 1 Time(s)
> mysql/password from 210.245.168.28: 1 Time(s)
> nobody/password from 210.245.168.28: 1 Time(s)
> noc/password from 210.245.168.28: 1 Time(s)
> operator/password from 210.245.168.28: 1 Time(s)
> oracle/password from 210.245.168.28: 1 Time(s)
> pamela/password from 210.245.168.28: 1 Time(s)
> patrick/password from 210.245.168.28: 2 Time(s)
> rolo/password from 210.245.168.28: 1 Time(s)
> root/password from 210.245.168.28: 59 Time(s)
> server/password from 210.245.168.28: 1 Time(s)
> sybase/password from 210.245.168.28: 1 Time(s)
> test/password from 210.245.168.28: 5 Time(s)
> user/password from 210.245.168.28: 3 Time(s)
> web/password from 210.245.168.28: 2 Time(s)
> webmaster/password from 210.245.168.28: 1 Time(s)
> www-data/password from 210.245.168.28: 1 Time(s)
> www/password from 210.245.168.28: 1 Time(s)
> wwwrun/password from 210.245.168.28: 1 Time(s)
>
> Regards,
> Dan
Cheers,
--
Harald Nesland
Interweb Norge AS
Ægirsvei 10
4630 Kristiansand
email: harald@interweb.no
tlf: +47 380 58 200
fax: +47 380 58 201
pgp: 0x43951F95
www.interweb.no
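
Added example, not part of either message above: a small parser for the `user/password from IP: N Time(s)` summary lines quoted in the thread, which totals attempts per source and flags sources that try many distinct account names. The sample lines are constructed (documentation-range addresses), and the `min_users` threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample in the summary format quoted in the thread; the
# addresses are from the documentation range 203.0.113.0/24, not the post.
SAMPLE = """\
> adm/password from 203.0.113.7: 2 Time(s)
> root/password from 203.0.113.7: 59 Time(s)
> test/password from 203.0.113.7: 5 Time(s)
> www-data/password from 203.0.113.7: 1 Time(s)
> oracle/password from 203.0.113.7: 1 Time(s)
> alice/password from 203.0.113.40: 3 Time(s)
"""

# Optional "> " mail-quote prefixes, then user/method, source and count.
LINE = re.compile(
    r"^(?:>\s*)*(?P<user>\S+)/(?P<method>\S+) from (?P<ip>[0-9a-fA-F.:]+): "
    r"(?P<count>\d+) Time\(s\)\s*$"
)


def summarize(text):
    """Return {ip: {"users": set_of_names, "attempts": total}}."""
    sources = defaultdict(lambda: {"users": set(), "attempts": 0})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # prose, blank quote lines, report headers
        entry = sources[m["ip"]]
        entry["users"].add(m["user"])
        entry["attempts"] += int(m["count"])
    return dict(sources)


def dictionary_scanners(text, min_users=5):
    """Sources that tried at least min_users distinct account names.

    min_users is an assumed threshold: a legitimate user mistyping a
    password shows up under one or two names, a username list under many.
    """
    found = summarize(text)
    return sorted(ip for ip, s in found.items() if len(s["users"]) >= min_users)


if __name__ == "__main__":
    for ip in dictionary_scanners(SAMPLE):
        s = summarize(SAMPLE)[ip]
        print(f"{ip}: {len(s['users'])} accounts, {s['attempts']} attempts")
```

The flagged sources can be reviewed against whatever firewall policy restricts SSH, as suggested in the reply.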