Re: SSH scans...

From: Dejan Markovic (dejanmarkovic_at_hotmail.com)
Date: 12/22/04

    To: "nixsec" <nixsec@area66.org>
    Date: Wed, 22 Dec 2004 10:15:46 -0500
    
    

    Hi Paulo,

    Just replied to Brian, he wrote a code called timelox, it's been posted on
    the list, I'll check it out later when I get a chance, but seems to do just
    that. Talk to you later. Thanks,

    Regards,
    Dan

    ----- Original Message -----
    From: "nixsec" <nixsec@area66.org>
    To: "Dejan Markovic" <dejanmarkovic@hotmail.com>
    Cc: <INCIDENTS@securityfocus.com>
    Sent: Tuesday, December 21, 2004 5:46 PM
    Subject: Re: SSH scans...

    I have gotten these attacks before and did some research on it; it's an
    SSH brute-force program released a few months ago that can be located at:
    http://www.k-otik.com/exploits/08202004.brutessh2.c.php

    Something that would be nice is some feature in ssh that would only
    allow 3 login attempts from 1 IP and, if they get it wrong 3 times,
    automatically block any connections from that IP.

    Paulo Ferreira.

    Dejan Markovic wrote:

    >Hi Guys,
    >
    >Don't know whether this is the right list, but need to ask if others have
    >the same entries in their logs for the past number of months. Let me take a
    >step back, I maintain a number of networks on different IP ranges and they
    >are all being probed by what looks like a tool, or maybe it is the same
    >group/script. The originating computers range from open proxies to owned
    >boxes and there are two distinct patterns I've seen so far. The following
    >scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
    >caught my attention the first time a while back, and still getting the same
    >scans on a daily basis:
    >
    >account/password from 210.245.168.28: 1 Time(s)
    >adam/password from 210.245.168.28: 1 Time(s)
    >adm/password from 210.245.168.28: 2 Time(s)
    >alan/password from 210.245.168.28: 1 Time(s)
    >apache/password from 210.245.168.28: 1 Time(s)
    >backup/password from 210.245.168.28: 1 Time(s)
    >cip51/password from 210.245.168.28: 1 Time(s)
    >cip52/password from 210.245.168.28: 1 Time(s)
    >cosmin/password from 210.245.168.28: 1 Time(s)
    >cyrus/password from 210.245.168.28: 1 Time(s)
    >data/password from 210.245.168.28: 1 Time(s)
    >frank/password from 210.245.168.28: 1 Time(s)
    >george/password from 210.245.168.28: 1 Time(s)
    >henry/password from 210.245.168.28: 1 Time(s)
    >horde/password from 210.245.168.28: 1 Time(s)
    >iceuser/password from 210.245.168.28: 1 Time(s)
    >irc/password from 210.245.168.28: 2 Time(s)
    >jane/password from 210.245.168.28: 1 Time(s)
    >john/password from 210.245.168.28: 1 Time(s)
    >master/password from 210.245.168.28: 1 Time(s)
    >matt/password from 210.245.168.28: 1 Time(s)
    >mysql/password from 210.245.168.28: 1 Time(s)
    >nobody/password from 210.245.168.28: 1 Time(s)
    >noc/password from 210.245.168.28: 1 Time(s)
    >operator/password from 210.245.168.28: 1 Time(s)
    >oracle/password from 210.245.168.28: 1 Time(s)
    >pamela/password from 210.245.168.28: 1 Time(s)
    >patrick/password from 210.245.168.28: 2 Time(s)
    >rolo/password from 210.245.168.28: 1 Time(s)
    >root/password from 210.245.168.28: 59 Time(s)
    >server/password from 210.245.168.28: 1 Time(s)
    >sybase/password from 210.245.168.28: 1 Time(s)
    >test/password from 210.245.168.28: 5 Time(s)
    >user/password from 210.245.168.28: 3 Time(s)
    >web/password from 210.245.168.28: 2 Time(s)
    >webmaster/password from 210.245.168.28: 1 Time(s)
    >www-data/password from 210.245.168.28: 1 Time(s)
    >www/password from 210.245.168.28: 1 Time(s)
    >wwwrun/password from 210.245.168.28: 1 Time(s)
    >
    >Regards,
    >Dan
    >
    >
    >
    >
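
The three-failures-per-IP rule suggested in the thread, applied to the log summary format quoted above. This is an added example, not part of the original messages: the function names and the `192.0.2.10` line are constructed for illustration, and the other sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict

# Matches summary lines such as
#   root/password from 210.245.168.28: 59 Time(s)
# tolerating leading e-mail quote markers ('>') and whitespace.
LINE_RE = re.compile(
    r"^[>\s]*(?P<user>[^/\s]+)/password from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<n>\d+) Time\(s\)\s*$"
)

MAX_ATTEMPTS = 3  # threshold proposed in the thread


def summarize(lines):
    """Return {ip: {"total": int, "users": {user: count}}} for parseable lines."""
    stats = defaultdict(lambda: {"total": 0, "users": defaultdict(int)})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip prose, blank lines and other log formats
        count = int(m["n"])
        entry = stats[m["ip"]]
        entry["total"] += count
        entry["users"][m["user"]] += count
    return stats


def block_candidates(stats, max_attempts=MAX_ATTEMPTS):
    """Source IPs with at least max_attempts failed logins, worst first."""
    over = [(ip, s["total"]) for ip, s in stats.items()
            if s["total"] >= max_attempts]
    return sorted(over, key=lambda t: t[1], reverse=True)


# Sample input: five lines from the quoted log plus one constructed line.
SAMPLE = """\
>adm/password from 210.245.168.28: 2 Time(s)
>root/password from 210.245.168.28: 59 Time(s)
>test/password from 210.245.168.28: 5 Time(s)
>user/password from 210.245.168.28: 3 Time(s)
>www-data/password from 210.245.168.28: 1 Time(s)
alice/password from 192.0.2.10: 2 Time(s)
""".splitlines()

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for ip, total in block_candidates(stats):
        users = stats[ip]["users"]
        top = max(users, key=users.get)
        print(f"{ip}: {total} failures, {len(users)} accounts, most tried: {top}")
```

The script only identifies block candidates from a log summary after the fact; enforcing the block is left to the firewall or to sshd-side tooling.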

