Re: SSH scans...

From: Gerry Dalton (gerry_at_wts.net)
Date: 12/20/04

  • Next message: Keith Morgan: "Re: SSH scans..."
    Date: Mon, 20 Dec 2004 12:04:54 -0600
    To: "Dejan Markovic" <dejanmarkovic@hotmail.com>
    
    

    I have seen similar probes over the last 2 months. Most all have been from APNIC address blocks. I got so tired of some of it I just went ahead and blocked a full range of addresses from getting past our border routers.

    So far these have just been a nuisance.

    Gerry
     

    At 09:21 AM 12/20/2004, Dejan Markovic wrote:

    >Hi Guys,
    >
    >Don't know whether this is the right list, but need to ask if others have
    >the same entries in their logs for the past number of months. Let me take a
    >step back, I maintain a number of networks on different IP ranges and they
    >are all being probed by what looks like a tool, or maybe it is the same
    >group/script. The originating computers range from open proxies to owned
    >boxes and there are two distinct patterns I've seen so far. The following
    >scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
    >caught my attention the first time a while back, and still getting the same
    >scans on a daily basis:
    >
    >account/password from 210.245.168.28: 1 Time(s)
    >adam/password from 210.245.168.28: 1 Time(s)
    >adm/password from 210.245.168.28: 2 Time(s)
    >alan/password from 210.245.168.28: 1 Time(s)
    >apache/password from 210.245.168.28: 1 Time(s)
    >backup/password from 210.245.168.28: 1 Time(s)
    >cip51/password from 210.245.168.28: 1 Time(s)
    >cip52/password from 210.245.168.28: 1 Time(s)
    >cosmin/password from 210.245.168.28: 1 Time(s)
    >cyrus/password from 210.245.168.28: 1 Time(s)
    >data/password from 210.245.168.28: 1 Time(s)
    >frank/password from 210.245.168.28: 1 Time(s)
    >george/password from 210.245.168.28: 1 Time(s)
    >henry/password from 210.245.168.28: 1 Time(s)
    >horde/password from 210.245.168.28: 1 Time(s)
    >iceuser/password from 210.245.168.28: 1 Time(s)
    >irc/password from 210.245.168.28: 2 Time(s)
    >jane/password from 210.245.168.28: 1 Time(s)
    >john/password from 210.245.168.28: 1 Time(s)
    >master/password from 210.245.168.28: 1 Time(s)
    >matt/password from 210.245.168.28: 1 Time(s)
    >mysql/password from 210.245.168.28: 1 Time(s)
    >nobody/password from 210.245.168.28: 1 Time(s)
    >noc/password from 210.245.168.28: 1 Time(s)
    >operator/password from 210.245.168.28: 1 Time(s)
    >oracle/password from 210.245.168.28: 1 Time(s)
    >pamela/password from 210.245.168.28: 1 Time(s)
    >patrick/password from 210.245.168.28: 2 Time(s)
    >rolo/password from 210.245.168.28: 1 Time(s)
    >root/password from 210.245.168.28: 59 Time(s)
    >server/password from 210.245.168.28: 1 Time(s)
    >sybase/password from 210.245.168.28: 1 Time(s)
    >test/password from 210.245.168.28: 5 Time(s)
    >user/password from 210.245.168.28: 3 Time(s)
    >web/password from 210.245.168.28: 2 Time(s)
    >webmaster/password from 210.245.168.28: 1 Time(s)
    >www-data/password from 210.245.168.28: 1 Time(s)
    >www/password from 210.245.168.28: 1 Time(s)
    >wwwrun/password from 210.245.168.28: 1 Time(s)
    >
    >Regards,
    >Dan
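
Added example, not part of either message in this thread: a short Python triage script for the `user/password from IP: N Time(s)` summary format quoted above. It groups failed logins by source address and separates sources that walk through many account names from isolated failures. The `min_users` threshold, the function names and the sample lines (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the summary format quoted above, with or without the ">" quote mark:
#   <user>/password from <ip>: <n> Time(s)
LINE_RE = re.compile(
    r"^\s*>?\s*(?P<user>[^/\s]+)/password from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<n>\d+) Time\(s\)\s*$")

# Constructed sample in the same format. 192.0.2.x and 198.51.100.x are
# documentation ranges, not real sources.
SAMPLE = """\
>adm/password from 192.0.2.10: 2 Time(s)
>apache/password from 192.0.2.10: 1 Time(s)
>mysql/password from 192.0.2.10: 1 Time(s)
>oracle/password from 192.0.2.10: 1 Time(s)
>root/password from 192.0.2.10: 59 Time(s)
>test/password from 192.0.2.10: 5 Time(s)
>alice/password from 198.51.100.7: 3 Time(s)
>Regards,
"""

def summarize(text):
    """Return {ip: {user: failed_attempts}} for every line that parses."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # signatures, blank lines and prose are skipped
            per_ip[m["ip"]][m["user"]] += int(m["n"])
    return per_ip

def classify(per_ip, min_users=5):
    """Flag a source that tries many distinct account names.

    min_users is an assumed threshold; tune it to the site's normal noise.
    """
    report = {}
    for ip, users in per_ip.items():
        total = sum(users.values())
        scan = len(users) >= min_users
        report[ip] = {
            "distinct_users": len(users),
            "attempts": total,
            "root_share": round(users.get("root", 0) / total, 2),
            "verdict": "dictionary-scan" if scan else "isolated-failures",
        }
    return report

if __name__ == "__main__":
    for ip, row in sorted(classify(summarize(SAMPLE)).items()):
        print(ip, row)
```
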

