Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Automated SSH login attempts?
From: Andrei Galca-Vasiliu <andrei () fq ro>
Date: Sun, 25 Jul 2004 22:31:28 +0300

I've seen that too, on several machines, different range of ip's. I guess it`s
some sort of a mass bruteforce exploit (there were 50 or more attempts on my
box in just 20-30 s). Anyone who can enlighten us, it will be appreciated,
i've searched too and couldn't find anything related.

Intr-un mail de pe data de Thursday 22 July 2004 17:47, Jay Libove povestea:
[ Posted to full disclosure and vulnwatch;  please edit reply address(es)
as appropriate. Thanks. -Jay ]

My Linux system, and a Linux system run by a friend here in the same city
but on a completely different netblock (different ISP), have both seen
apparently automated attempts to log in to our systems via SSH in the past
few days.  Looks like a script.


Here are some log entries from my system:

Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test
from 62.67.45.4 port 39141 ssh2 Jul 15 10:01:36 panther6 sshd[8269]:
Illegal user guest from 62.67.45.4 Jul 15 10:01:36 panther6 sshd[8269]:
Failed password for illegal user guest from 62.67.45.4 port 39192 ssh2 Jul
15 10:01:37 panther6 sshd[8271]: Illegal user admin from 62.67.45.4 Jul 15
10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from
62.67.45.4 port 39234 ssh2 Jul 15 10:01:38 panther6 sshd[8273]: Illegal
user user from 62.67.45.4 Jul 15 10:01:38 panther6 sshd[8273]: Failed
password for illegal user user from 62.67.45.4 port 39275 ssh2 Jul 15
10:01:39 panther6 sshd[8275]: Failed password for root from 62.67.45.4 port
39340 ssh2 Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root
from 62.67.45.4 port 39386 ssh2 Jul 15 10:44:12 panther6 sshd[8300]:
Illegal user test from 62.67.45.4 Jul 15 10:44:12 panther6 sshd[8300]:
Failed password for illegal user test from 62.67.45.4 port 33771 ssh2 Jul
15 10:44:14 panther6 sshd[8302]: Illegal user guest from 62.67.45.4 Jul 15
10:44:14 panther6 sshd[8302]: Failed password for illegal user guest from
62.67.45.4 port 33828 ssh2 Jul 15 10:44:15 panther6 sshd[8304]: Illegal
user admin from 62.67.45.4 Jul 15 10:44:15 panther6 sshd[8304]: Failed
password for illegal user admin from 62.67.45.4 port 33876 ssh2 Jul 15
10:44:16 panther6 sshd[8306]: Illegal user user from 62.67.45.4 Jul 15
10:44:16 panther6 sshd[8306]: Failed password for illegal user user from
62.67.45.4 port 33916 ssh2 Jul 15 10:44:17 panther6 sshd[8308]: Failed
password for root from 62.67.45.4 port 33988 ssh2 Jul 15 10:44:19 panther6
sshd[8310]: Failed password for root from 62.67.45.4 port 34032 ssh2 Jul 15
17:07:15 panther6 sshd[8912]: Illegal user test from 131.234.36.152 Jul 15
17:07:15 panther6 sshd[8912]: Failed password for illegal user test from
131.234.36.152 port 38287 ssh2 Jul 15 17:07:16 panther6 sshd[8914]: Illegal
user guest from 131.234.36.152 Jul 15 17:07:16 panther6 sshd[8914]: Failed
password for illegal user guest from 131.234.36.152 port 38326 ssh2 Jul 15
17:07:18 panther6 sshd[8916]: Illegal user admin from 131.234.36.152 Jul 15
17:07:18 panther6 sshd[8916]: Failed password for illegal user admin from
131.234.36.152 port 38370 ssh2 Jul 15 17:07:19 panther6 sshd[8918]: Illegal
user admin from 131.234.36.152 Jul 15 17:07:19 panther6 sshd[8918]: Failed
password for illegal user admin from 131.234.36.152 port 38412 ssh2 Jul 15
17:07:21 panther6 sshd[8920]: Illegal user user from 131.234.36.152 Jul 15
17:07:21 panther6 sshd[8920]: Failed password for illegal user user from
131.234.36.152 port 38468 ssh2 Jul 15 17:07:22 panther6 sshd[8922]: Failed
password for root from 131.234.36.152 port 38516 ssh2 Jul 15 17:07:23
panther6 sshd[8924]: Failed password for root from 131.234.36.152 port
38558 ssh2 Jul 15 17:07:25 panther6 sshd[8926]: Failed password for root
from 131.234.36.152 port 38611 ssh2 Jul 15 17:07:26 panther6 sshd[8928]:
Illegal user test from 131.234.36.152 Jul 15 17:07:26 panther6 sshd[8928]:
Failed password for illegal user test from 131.234.36.152 port 38675 ssh2
Jul 19 22:05:07 panther6 sshd[30439]: Illegal user test from 83.103.27.66
Jul 19 22:05:07 panther6 sshd[30439]: Failed password for illegal user test
from 83.103.27.66 port 52671 ssh2 Jul 19 22:05:08 panther6 sshd[30441]:
Illegal user guest from 83.103.27.66 Jul 19 22:05:08 panther6 sshd[30441]:
Failed password for illegal user guest from 83.103.27.66 port 52687 ssh2
Jul 21 06:30:12 panther6 sshd[1103]: Illegal user test from 219.103.193.130
Jul 21 06:30:12 panther6 sshd[1103]: Failed password for illegal user test
from 219.103.193.130 port 55802 ssh2 Jul 21 06:30:14 panther6 sshd[1105]:
Illegal user guest from 219.103.193.130 Jul 21 06:30:14 panther6
sshd[1105]: Failed password for illegal user guest from 219.103.193.130
port 55823 ssh2


 .. and some log entries from my friend's system:

Jul 19 21:04:33 quack sshd[28379]: Illegal user test from 131.234.157.10
Jul 19 21:04:34 quack sshd[28381]: Illegal user guest from 131.234.157.10
Jul 19 21:04:36 quack sshd[28383]: Illegal user admin from 131.234.157.10
Jul 19 21:04:37 quack sshd[28385]: Illegal user admin from 131.234.157.10
Jul 19 21:04:38 quack sshd[28387]: Illegal user user from 131.234.157.10
Jul 19 21:04:43 quack sshd[28400]: Illegal user test from 131.234.157.10
Jul 22 09:39:10 quack sshd[7646]: Illegal user test from 156.17.99.11
Jul 22 09:39:11 quack sshd[7648]: Illegal user guest from 156.17.99.11


I have not seen any notes about this on the vulnerability disucssion
lists.  Has anyone else noticed it?  What specific vulnerability (or
default password?) is this looking for?

-Jay Libove, CISSP
libove () felines org
Atlanta, GA US

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Andrei Galca-Vasiliu
Technical Support
Brasov Branch
Romania Data Systems
T: +402 68 474133  F: +402 68 474133
www.rdsnet.ro
--
Privileged/Confidential Information may be contained in this message. 
If you are not the addressee indicated in this message (or responsable 
for delivery of the message to such person), you may not copy or 
deliver this message to anyone. In such a case, you should destroy 
this message and kindly notify the sender by reply e-mail.
--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault