Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Automated SSH login attempts?
From: Jay Libove <libove () felines org>
Date: Thu, 22 Jul 2004 10:47:46 -0400 (EDT)

[ Posted to full disclosure and vulnwatch;  please edit reply address(es)
as appropriate. Thanks. -Jay ]

My Linux system, and a Linux system run by a friend here in the same city
but on a completely different netblock (different ISP), have both seen
apparently automated attempts to log in to our systems via SSH in the past
few days.  Looks like a script.


Here are some log entries from my system:

Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 62.67.45.4
Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 62.67.45.4 port 39192 ssh2
Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 62.67.45.4
Jul 15 10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from 62.67.45.4 port 39234 ssh2
Jul 15 10:01:38 panther6 sshd[8273]: Illegal user user from 62.67.45.4
Jul 15 10:01:38 panther6 sshd[8273]: Failed password for illegal user user from 62.67.45.4 port 39275 ssh2
Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 62.67.45.4 port 39340 ssh2
Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 62.67.45.4 port 39386 ssh2
Jul 15 10:44:12 panther6 sshd[8300]: Illegal user test from 62.67.45.4
Jul 15 10:44:12 panther6 sshd[8300]: Failed password for illegal user test from 62.67.45.4 port 33771 ssh2
Jul 15 10:44:14 panther6 sshd[8302]: Illegal user guest from 62.67.45.4
Jul 15 10:44:14 panther6 sshd[8302]: Failed password for illegal user guest from 62.67.45.4 port 33828 ssh2
Jul 15 10:44:15 panther6 sshd[8304]: Illegal user admin from 62.67.45.4
Jul 15 10:44:15 panther6 sshd[8304]: Failed password for illegal user admin from 62.67.45.4 port 33876 ssh2
Jul 15 10:44:16 panther6 sshd[8306]: Illegal user user from 62.67.45.4
Jul 15 10:44:16 panther6 sshd[8306]: Failed password for illegal user user from 62.67.45.4 port 33916 ssh2
Jul 15 10:44:17 panther6 sshd[8308]: Failed password for root from 62.67.45.4 port 33988 ssh2
Jul 15 10:44:19 panther6 sshd[8310]: Failed password for root from 62.67.45.4 port 34032 ssh2
Jul 15 17:07:15 panther6 sshd[8912]: Illegal user test from 131.234.36.152
Jul 15 17:07:15 panther6 sshd[8912]: Failed password for illegal user test from 131.234.36.152 port 38287 ssh2
Jul 15 17:07:16 panther6 sshd[8914]: Illegal user guest from 131.234.36.152
Jul 15 17:07:16 panther6 sshd[8914]: Failed password for illegal user guest from 131.234.36.152 port 38326 ssh2
Jul 15 17:07:18 panther6 sshd[8916]: Illegal user admin from 131.234.36.152
Jul 15 17:07:18 panther6 sshd[8916]: Failed password for illegal user admin from 131.234.36.152 port 38370 ssh2
Jul 15 17:07:19 panther6 sshd[8918]: Illegal user admin from 131.234.36.152
Jul 15 17:07:19 panther6 sshd[8918]: Failed password for illegal user admin from 131.234.36.152 port 38412 ssh2
Jul 15 17:07:21 panther6 sshd[8920]: Illegal user user from 131.234.36.152
Jul 15 17:07:21 panther6 sshd[8920]: Failed password for illegal user user from 131.234.36.152 port 38468 ssh2
Jul 15 17:07:22 panther6 sshd[8922]: Failed password for root from 131.234.36.152 port 38516 ssh2
Jul 15 17:07:23 panther6 sshd[8924]: Failed password for root from 131.234.36.152 port 38558 ssh2
Jul 15 17:07:25 panther6 sshd[8926]: Failed password for root from 131.234.36.152 port 38611 ssh2
Jul 15 17:07:26 panther6 sshd[8928]: Illegal user test from 131.234.36.152
Jul 15 17:07:26 panther6 sshd[8928]: Failed password for illegal user test from 131.234.36.152 port 38675 ssh2
Jul 19 22:05:07 panther6 sshd[30439]: Illegal user test from 83.103.27.66
Jul 19 22:05:07 panther6 sshd[30439]: Failed password for illegal user test from 83.103.27.66 port 52671 ssh2
Jul 19 22:05:08 panther6 sshd[30441]: Illegal user guest from 83.103.27.66
Jul 19 22:05:08 panther6 sshd[30441]: Failed password for illegal user guest from 83.103.27.66 port 52687 ssh2
Jul 21 06:30:12 panther6 sshd[1103]: Illegal user test from 219.103.193.130
Jul 21 06:30:12 panther6 sshd[1103]: Failed password for illegal user test from 219.103.193.130 port 55802 ssh2
Jul 21 06:30:14 panther6 sshd[1105]: Illegal user guest from 219.103.193.130
Jul 21 06:30:14 panther6 sshd[1105]: Failed password for illegal user guest from 219.103.193.130 port 55823 ssh2


 .. and some log entries from my friend's system:

Jul 19 21:04:33 quack sshd[28379]: Illegal user test from 131.234.157.10
Jul 19 21:04:34 quack sshd[28381]: Illegal user guest from 131.234.157.10
Jul 19 21:04:36 quack sshd[28383]: Illegal user admin from 131.234.157.10
Jul 19 21:04:37 quack sshd[28385]: Illegal user admin from 131.234.157.10
Jul 19 21:04:38 quack sshd[28387]: Illegal user user from 131.234.157.10
Jul 19 21:04:43 quack sshd[28400]: Illegal user test from 131.234.157.10
Jul 22 09:39:10 quack sshd[7646]: Illegal user test from 156.17.99.11
Jul 22 09:39:11 quack sshd[7648]: Illegal user guest from 156.17.99.11


I have not seen any notes about this on the vulnerability disucssion
lists.  Has anyone else noticed it?  What specific vulnerability (or
default password?) is this looking for?

-Jay Libove, CISSP
libove () felines org
Atlanta, GA US

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault