Re: SSH scans...
From: nixsec (nixsec_at_area66.org)
Date: 12/21/04
- Previous message: Dejan Markovic: "Re: SSH scans..."
- In reply to: Dejan Markovic: "SSH scans..."
- Next in thread: Dejan Markovic: "Re: SSH scans..."
- Reply: Dejan Markovic: "Re: SSH scans..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 21 Dec 2004 16:46:40 -0600
To: Dejan Markovic <dejanmarkovic@hotmail.com>
I have gotten these attacks before and did some research on it; it's an
SSH brute-force program released a few months ago that can be located at:
http://www.k-otik.com/exploits/08202004.brutessh2.c.php
Something that would be nice is some feature in ssh that would only
allow 3 login attempts from 1 IP, if they get it wrong 3 times to
automatically block any connections from that IP.
Paulo Ferreira.
Dejan Markovic wrote:
>Hi Guys,
>
>Don't know whether this is the right list, but need to ask if others have
>the same entries in their logs for the past number of months. Let me take a
>step back, I maintain a number of networks on different IP ranges and they
>are all being probed by what looks like a tool, or maybe it is the same
>group/script. The originating computers range from open proxies to owned
>boxes and there are two distinct patterns I've seen so far. The following
>scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
>caught my attention the first time a while back, and still getting the same
>scans on a daily basis:
>
>account/password from 210.245.168.28: 1 Time(s)
>adam/password from 210.245.168.28: 1 Time(s)
>adm/password from 210.245.168.28: 2 Time(s)
>alan/password from 210.245.168.28: 1 Time(s)
>apache/password from 210.245.168.28: 1 Time(s)
>backup/password from 210.245.168.28: 1 Time(s)
>cip51/password from 210.245.168.28: 1 Time(s)
>cip52/password from 210.245.168.28: 1 Time(s)
>cosmin/password from 210.245.168.28: 1 Time(s)
>cyrus/password from 210.245.168.28: 1 Time(s)
>data/password from 210.245.168.28: 1 Time(s)
>frank/password from 210.245.168.28: 1 Time(s)
>george/password from 210.245.168.28: 1 Time(s)
>henry/password from 210.245.168.28: 1 Time(s)
>horde/password from 210.245.168.28: 1 Time(s)
>iceuser/password from 210.245.168.28: 1 Time(s)
>irc/password from 210.245.168.28: 2 Time(s)
>jane/password from 210.245.168.28: 1 Time(s)
>john/password from 210.245.168.28: 1 Time(s)
>master/password from 210.245.168.28: 1 Time(s)
>matt/password from 210.245.168.28: 1 Time(s)
>mysql/password from 210.245.168.28: 1 Time(s)
>nobody/password from 210.245.168.28: 1 Time(s)
>noc/password from 210.245.168.28: 1 Time(s)
>operator/password from 210.245.168.28: 1 Time(s)
>oracle/password from 210.245.168.28: 1 Time(s)
>pamela/password from 210.245.168.28: 1 Time(s)
>patrick/password from 210.245.168.28: 2 Time(s)
>rolo/password from 210.245.168.28: 1 Time(s)
>root/password from 210.245.168.28: 59 Time(s)
>server/password from 210.245.168.28: 1 Time(s)
>sybase/password from 210.245.168.28: 1 Time(s)
>test/password from 210.245.168.28: 5 Time(s)
>user/password from 210.245.168.28: 3 Time(s)
>web/password from 210.245.168.28: 2 Time(s)
>webmaster/password from 210.245.168.28: 1 Time(s)
>www-data/password from 210.245.168.28: 1 Time(s)
>www/password from 210.245.168.28: 1 Time(s)
>wwwrun/password from 210.245.168.28: 1 Time(s)
>
>Regards,
>Dan
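
The per-IP limit of three failed logins suggested in the reply above, applied as a check over sshd log lines (an added example, not part of the original thread or of any tool mentioned in it). The function name, the threshold constant and the sample log lines are constructed for illustration; the format assumed is OpenSSH's "Failed password for ... from ... port ... ssh2" syslog message.

```python
import re
from collections import defaultdict

# The username is chosen by the remote side and may itself contain text such
# as " from 1.2.3.4 port 1 ssh2", so the source address is taken only from the
# final "from <ip> port <n> ssh2" that sshd appends (regex anchored with $).
# Older OpenSSH releases log "illegal user", newer ones "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

MAX_ATTEMPTS = 3  # assumption: the threshold proposed in the reply


def find_offenders(lines, max_attempts=MAX_ATTEMPTS):
    """Return {ip: {"attempts": n, "users": [...]}} for every source address
    with at least max_attempts failed password logins."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        attempts[m["ip"]] += 1
        users[m["ip"]].add(m["user"])
    return {
        ip: {"attempts": n, "users": sorted(users[ip])}
        for ip, n in attempts.items()
        if n >= max_attempts
    }


# Constructed sample log lines (documentation address ranges, not real hosts).
# The last line carries a username that imitates sshd's own suffix.
SAMPLE_LOG = """\
Dec 21 16:40:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec 21 16:40:03 host sshd[2103]: Failed password for illegal user adam from 203.0.113.7 port 40120 ssh2
Dec 21 16:40:05 host sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Dec 21 16:41:10 host sshd[2110]: Failed password for dan from 198.51.100.20 port 51000 ssh2
Dec 21 16:41:15 host sshd[2111]: Accepted password for dan from 198.51.100.20 port 51002 ssh2
Dec 21 16:42:00 host sshd[2120]: Failed password for invalid user x from 198.51.100.20 port 1 ssh2 from 192.0.2.9 port 40200 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip}: {info['attempts']} failures, users {info['users']}")
```

The addresses it returns can be fed to a packet filter or TCP wrappers rule; a legitimate user behind the same address who mistypes a password three times would be blocked as well, so an expiry on the block is worth adding.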