Re: illegal and failed logins from virus?

From: Sheldon T. Hall (obviously.fake_at_example.com)
Date: 08/10/04


Date: Mon, 09 Aug 2004 17:02:22 -0700

On Mon, 09 Aug 2004 23:21:08 GMT, Troy Piggins
<usenet-experiment@piggo.com> wrote:

>Hi. I have been getting the following entries in my logwatch. I assume
>they are virus type attacks, and the IP addresses of the attempted
>logins are spoofed - they are always the same pattern, but 'whois' on
>the IPs shows them from Ukraine, Italy, Hungary, China, Korea, Japan, and
>all over the place.
>
>I am pretty sure all is OK, but should these bother me at all? Port 22
>is the only open port on this machine (which is obviously open to the
>internet), and the passwords are in place, no root login, only a few users
>allowed.
>
>## logwatch extract ###################################################
>
>Failed logins from these:
> admin/password from 164.125.104.82: 2 Time(s)
> admin/password from 202.78.172.20: 2 Time(s)
> guest/password from 150.185.72.253: 1 Time(s)
> guest/password from 164.125.104.82: 1 Time(s)
> guest/password from 202.78.172.20: 1 Time(s)
> guest/password from 218.244.240.195: 1 Time(s)
> root/password from 164.125.104.82: 3 Time(s)
> root/password from 202.78.172.20: 3 Time(s)
> test/password from 150.185.72.253: 1 Time(s)
> test/password from 164.125.104.82: 2 Time(s)
> test/password from 202.78.172.20: 2 Time(s)
> test/password from 218.244.240.195: 1 Time(s)
> user/password from 164.125.104.82: 1 Time(s)
> user/password from 202.78.172.20: 1 Time(s)
>
>**Unmatched Entries**
>Illegal user test from 164.125.104.82
>Illegal user guest from 164.125.104.82
>Illegal user admin from 164.125.104.82
>Illegal user admin from 164.125.104.82
>Illegal user user from 164.125.104.82
>User root not allowed because not listed in AllowUsers
>User root not allowed because not listed in AllowUsers
>User root not allowed because not listed in AllowUsers
>Illegal user test from 164.125.104.82
>Illegal user test from 202.78.172.20
>Illegal user guest from 202.78.172.20
>Illegal user admin from 202.78.172.20
>Illegal user admin from 202.78.172.20
>Illegal user user from 202.78.172.20
>User root not allowed because not listed in AllowUsers
>User root not allowed because not listed in AllowUsers
>User root not allowed because not listed in AllowUsers
>Illegal user test from 202.78.172.20
>Illegal user test from 218.244.240.195
>Illegal user guest from 218.244.240.195
>Illegal user test from 150.185.72.253
>Illegal user guest from 150.185.72.253
>
>## end extract ####################################################
>

When this started happening to my systems, a bit of Googling indicated
that this is some distributed exploit which is looking for a
particular version of Linux, and it's using default passwords for the
accounts.

I'm not running Linux, and those accounts are locked, but I assume
that the attackers are logging the IP addresses of systems with SSH of
any sort exposed.

So I moved SSH to another port, replacing it on port 22 with a script
that logs the attacker's IP address.

You can find an analysis of the attack by Googling "ssh guest test
yahaa.at". Whether it's definitive, I have no idea.

-Shel
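One way to summarize the "Unmatched Entries" lines from the extract above, as an added example that is not part of the original thread and is not the port-22 logging script Shel mentions: it tallies "Illegal user" attempts per source address, counts the AllowUsers rejections (which carry no address in this log format), and flags addresses that cycled through the default account names seen in the post. The sample lines are constructed from the extract; the threshold of three distinct names is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the logwatch "Unmatched Entries" in the
# quoted post (not a capture from the author's system).
SAMPLE_LOG = """\
Illegal user test from 164.125.104.82
Illegal user guest from 164.125.104.82
Illegal user admin from 164.125.104.82
Illegal user admin from 164.125.104.82
Illegal user user from 164.125.104.82
User root not allowed because not listed in AllowUsers
User root not allowed because not listed in AllowUsers
Illegal user test from 202.78.172.20
Illegal user guest from 202.78.172.20
"""

ILLEGAL_USER = re.compile(r"^Illegal user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})$")
NOT_ALLOWED = re.compile(r"^User (\S+) not allowed because not listed in AllowUsers$")

# Account names the post shows being tried on every host (assumed list).
DEFAULT_ACCOUNTS = {"admin", "guest", "test", "user", "root"}


def summarize(log_text):
    """Return (per_ip, rejected): per_ip maps source IP -> Counter of usernames
    tried; rejected counts AllowUsers rejections per username.  The AllowUsers
    line has no source address, so it can only be counted, not attributed."""
    per_ip = defaultdict(Counter)
    rejected = Counter()
    for line in log_text.splitlines():
        m = ILLEGAL_USER.match(line)
        if m:
            user, ip = m.groups()
            per_ip[ip][user] += 1
            continue
        m = NOT_ALLOWED.match(line)
        if m:
            rejected[m.group(1)] += 1
    return per_ip, rejected


def scanner_ips(per_ip, min_distinct=3):
    """Source IPs that tried at least min_distinct of the default account names,
    i.e. the 'same pattern' the original poster noticed."""
    return sorted(ip for ip, users in per_ip.items()
                  if len(DEFAULT_ACCOUNTS & set(users)) >= min_distinct)
```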


