Re: SSH scans...

From: Keith Morgan (keith.morgan_at_terradon.com)
Date: 12/20/04

    To: Dejan Markovic <dejanmarkovic@hotmail.com>
    Date: Mon, 20 Dec 2004 11:19:39 -0500
    
    

    I tried to report similar incidents to this list about a month ago, but
    my posts weren't acted upon, and eventually auto-rejected. Don't know
    if this was a planned "list closure" or if someone was asleep at the
    wheel.

    I digress.

    We've been seeing an increase across multiple networks of brute force
    attacks against common usernames for about three months now. I don't
    have a feel for the rate of attacks off the top of my head, but the
    scans tend to attack sequential IPs.

    On Mon, 2004-12-20 at 10:21 -0500, Dejan Markovic wrote:
    > Hi Guys,
    >
    > Don't know whether this is the right list, but need to ask if others have
    > the same entries in their logs for the past number of months. Let me take a
    > step back, I maintain a number of networks on different IP ranges and they
    > are all being probed by what looks like a tool, or maybe it is the same
    > group/script. The originating computers range from open proxies to owned
    > boxes and there are two distinct patterns I've seen so far. The following
    > scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
    > caught my attention the first time a while back, and still getting the same
    > scans on a daily basis:
    >
    > account/password from 210.245.168.28: 1 Time(s)
    > adam/password from 210.245.168.28: 1 Time(s)
    > adm/password from 210.245.168.28: 2 Time(s)
    > alan/password from 210.245.168.28: 1 Time(s)
    > apache/password from 210.245.168.28: 1 Time(s)
    > backup/password from 210.245.168.28: 1 Time(s)
    > cip51/password from 210.245.168.28: 1 Time(s)
    > cip52/password from 210.245.168.28: 1 Time(s)
    > cosmin/password from 210.245.168.28: 1 Time(s)
    > cyrus/password from 210.245.168.28: 1 Time(s)
    > data/password from 210.245.168.28: 1 Time(s)
    > frank/password from 210.245.168.28: 1 Time(s)
    > george/password from 210.245.168.28: 1 Time(s)
    > henry/password from 210.245.168.28: 1 Time(s)
    > horde/password from 210.245.168.28: 1 Time(s)
    > iceuser/password from 210.245.168.28: 1 Time(s)
    > irc/password from 210.245.168.28: 2 Time(s)
    > jane/password from 210.245.168.28: 1 Time(s)
    > john/password from 210.245.168.28: 1 Time(s)
    > master/password from 210.245.168.28: 1 Time(s)
    > matt/password from 210.245.168.28: 1 Time(s)
    > mysql/password from 210.245.168.28: 1 Time(s)
    > nobody/password from 210.245.168.28: 1 Time(s)
    > noc/password from 210.245.168.28: 1 Time(s)
    > operator/password from 210.245.168.28: 1 Time(s)
    > oracle/password from 210.245.168.28: 1 Time(s)
    > pamela/password from 210.245.168.28: 1 Time(s)
    > patrick/password from 210.245.168.28: 2 Time(s)
    > rolo/password from 210.245.168.28: 1 Time(s)
    > root/password from 210.245.168.28: 59 Time(s)
    > server/password from 210.245.168.28: 1 Time(s)
    > sybase/password from 210.245.168.28: 1 Time(s)
    > test/password from 210.245.168.28: 5 Time(s)
    > user/password from 210.245.168.28: 3 Time(s)
    > web/password from 210.245.168.28: 2 Time(s)
    > webmaster/password from 210.245.168.28: 1 Time(s)
    > www-data/password from 210.245.168.28: 1 Time(s)
    > www/password from 210.245.168.28: 1 Time(s)
    > wwwrun/password from 210.245.168.28: 1 Time(s)
    >
    > Regards,
    > Dan

    -- 
    Why yes!  I am using Linux in your windows environment!
    Keith T. Morgan
    Terradon Communications Group
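Added example, not part of the original thread: a small parser for the summary-line format quoted above that flags a source when it guesses many distinct usernames or hits numerically adjacent hosts, the two patterns described in the messages. The sample reports, the documentation-range IP addresses and the thresholds `min_users` and `min_run` are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Summary line format quoted in the message above: "user/password from IP: N Time(s)"
LINE_RE = re.compile(r"^\s*(?P<user>\S+)/password from (?P<src>\S+): (?P<n>\d+) Time\(s\)\s*$")

# Constructed sample: reports from two adjacent monitored hosts (documentation IP ranges).
SAMPLE = {
    "198.51.100.10": "adm/password from 192.0.2.44: 2 Time(s)\n"
                     "apache/password from 192.0.2.44: 1 Time(s)\n"
                     "mysql/password from 192.0.2.44: 1 Time(s)\n"
                     "root/password from 192.0.2.44: 59 Time(s)\n"
                     "test/password from 192.0.2.44: 5 Time(s)\n",
    "198.51.100.11": "root/password from 192.0.2.44: 59 Time(s)\n"
                     "jane/password from 192.0.2.77: 1 Time(s)\n",
}

def summarize(reports):
    """reports maps monitored host IP -> summary text; returns per-source stats."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "root": 0, "hosts": set()})
    for host, text in reports.items():
        for line in text.splitlines():
            if not (m := LINE_RE.match(line)):
                continue  # skip headers, blank lines, other report sections
            s, n = stats[m["src"]], int(m["n"])
            s["users"].add(m["user"])
            s["hosts"].add(host)
            s["attempts"] += n
            s["root"] += n if m["user"] == "root" else 0
    return stats

def longest_sequential_run(hosts):
    """Length of the longest run of numerically consecutive target IPs."""
    nums = sorted(int(ip_address(h)) for h in hosts)
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def flag_scanners(reports, min_users=5, min_run=2):
    """Flag sources that guess many distinct usernames or sweep adjacent hosts."""
    flagged = {}
    for src, s in summarize(reports).items():
        run = longest_sequential_run(s["hosts"])
        if len(s["users"]) >= min_users or run >= min_run:
            flagged[src] = dict(users=len(s["users"]), attempts=s["attempts"], root=s["root"], seq_hosts=run)
    return flagged
```

Feeding it one summary per monitored host makes the cross-host view visible: a source that looks like a single noisy login on each box shows up as one sweep across the range.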
    
