MLUG: Re: [MLUG] SSH attempts from admin, guest, test, user

Take a look at 66.28.207.16 (9 times total). Looks like somebody 
might be making you a target more than a worm or virus...

Also, it might just be a script kiddie...  Take a look at the user name 
suggestions...  I don't know anyone who allows root to ssh in, so why try 
it? Along with that, they are using guest a whole lot, which indicates to 
me that they have no clue what OS the box they are pounding on is running...

Have you done any reverse lookups or found when the IP is alive the most?

You could have a great time screwing with them by putting in the echoart 
ping response with some crazy ASCII art...

Happy hunting

George


Jason McIntosh wrote:

> Hey, thought I'd ask the LUG as no one else seems to have a clue in 
> hell what this is. For several weeks/months I've been getting repeated 
> attempts on an ssh port on our Linux boxen here at work:
>
> admin/password from 66.28.207.16: 2 Time(s)
> guest/password from 203.251.69.201: 2 Time(s)
> guest/password from 65.120.161.253: 1 Time(s)
> guest/password from 66.28.207.16: 1 Time(s)
> root/password from 66.28.207.16: 3 Time(s)
> test/password from 140.122.85.152: 1 Time(s)
> test/password from 203.251.69.201: 2 Time(s)
> test/password from 65.120.161.253: 1 Time(s)
> test/password from 66.28.207.16: 2 Time(s)
> user/password from 66.28.207.16: 1 Time(s)
>
> Authentication Failures:
> root (server106.extremerack.com ): 3 Time(s)
> unknown (ns2.itbank.net ): 4 Time(s)
> unknown (black.bibliodirect.com ): 2 Time(s)
> unknown (140.122.85.152 ): 1 Time(s)
> unknown (server106.extremerack.com ): 6 Time(s)
>
> Anyone heard of something like this, or have half a clue what the heck 
> is going on? I've been monitoring these attempts for weeks (maybe 
> months - can't remember the first time I saw it). It looks like a worm 
> from the way it's acting, but it's weird. Thoughts anyone?
> Thanks!
> Jason
>
> /--------------------------------------|---------------------------\
> | Jason McIntosh | CELL: 573-424-7612 |
> | Webmaster, thinker, Programmer, etc. | WORK: 573-884-3865 |
> | http://poetshome.com/ | |
> |------------------------------------------------------------------|
> |"How should I know if it works? That's what beta testers are |
> |for. I only coded it." |
> |(Attributed to Linus Torvalds, somewhere in a posting) |
> \--------------------------------------|---------------------------/
> GnuPG Key: http://poetshome.com/about/jmcintosh_mlug.missouri.edu.gpgkey
>
>------------------------------------------------------------------------
>
>_______________________________________________
>members mailing list
>EMAIL:PROTECTED
>http://mlug.missouri.edu/mailman/listinfo/members
>  
>
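
The per-source tally mentioned in the reply can be reproduced from the quoted report. The following is an added example, not part of either poster's message; the function names and the `min_users` threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# The failed-login summary lines exactly as quoted in this thread.
REPORT = """\
> admin/password from 66.28.207.16: 2 Time(s)
> guest/password from 203.251.69.201: 2 Time(s)
> guest/password from 65.120.161.253: 1 Time(s)
> guest/password from 66.28.207.16: 1 Time(s)
> root/password from 66.28.207.16: 3 Time(s)
> test/password from 140.122.85.152: 1 Time(s)
> test/password from 203.251.69.201: 2 Time(s)
> test/password from 65.120.161.253: 1 Time(s)
> test/password from 66.28.207.16: 2 Time(s)
> user/password from 66.28.207.16: 1 Time(s)
"""

LINE_RE = re.compile(
    r"^(?P<user>[^/\s]+)/password from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}): (?P<n>\d+) Time\(s\)$"
)

def summarize(report):
    """Map each source IP to its total attempts and per-username counts."""
    sources = defaultdict(lambda: {"total": 0, "users": defaultdict(int)})
    for raw in report.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate e-mail quote markers
        m = LINE_RE.match(line)
        if m is None:
            continue  # headers, blank lines, anything that is not a tally line
        count = int(m["n"])
        sources[m["src"]]["total"] += count
        sources[m["src"]]["users"][m["user"]] += count
    return sources

def multi_account_sources(sources, min_users=3):
    """Sources that cycled through several account names (threshold is an assumption)."""
    return sorted(ip for ip, s in sources.items() if len(s["users"]) >= min_users)

if __name__ == "__main__":
    tally = summarize(REPORT)
    for ip, info in sorted(tally.items(), key=lambda kv: -kv[1]["total"]):
        print(f"{ip:<16} {info['total']:>2} attempts, users: {', '.join(sorted(info['users']))}")
    print("multi-account sources:", multi_account_sources(tally))
```

On the quoted data this gives 9 attempts across five account names for 66.28.207.16, and it is the only source at or above the three-name threshold.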
