I have seen similar probes over the last 2 months. Most all have been from APNIC address blocks. I got so tired of some of it I just went ahead and blocked a full range of addresses from getting past our border routers.
So far these have just been a nuisance.
Gerry
At 09:21 AM 12/20/2004, Dejan Markovic wrote:
>Hi Guys,
>
>Don't know whether this is the right list, but need to ask if others have
>the same entries in their logs for the past number of months. Let me take a
>step back, I maintain a number of networks on different IP ranges and they
>are all being probed by what looks like a tool, or maybe it is the same
>group/script. The originating computers range from open proxies to owned
>boxes and there are two distinct patterns I've seen so far. The following
>scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
>caught my attention the first time a while back, and still getting the same
>scans on a daily basis:
>
>account/password from 210.245.168.28: 1 Time(s)
>adam/password from 210.245.168.28: 1 Time(s)
>adm/password from 210.245.168.28: 2 Time(s)
>alan/password from 210.245.168.28: 1 Time(s)
>apache/password from 210.245.168.28: 1 Time(s)
>backup/password from 210.245.168.28: 1 Time(s)
>cip51/password from 210.245.168.28: 1 Time(s)
>cip52/password from 210.245.168.28: 1 Time(s)
>cosmin/password from 210.245.168.28: 1 Time(s)
>cyrus/password from 210.245.168.28: 1 Time(s)
>data/password from 210.245.168.28: 1 Time(s)
>frank/password from 210.245.168.28: 1 Time(s)
>george/password from 210.245.168.28: 1 Time(s)
>henry/password from 210.245.168.28: 1 Time(s)
>horde/password from 210.245.168.28: 1 Time(s)
>iceuser/password from 210.245.168.28: 1 Time(s)
>irc/password from 210.245.168.28: 2 Time(s)
>jane/password from 210.245.168.28: 1 Time(s)
>john/password from 210.245.168.28: 1 Time(s)
>master/password from 210.245.168.28: 1 Time(s)
>matt/password from 210.245.168.28: 1 Time(s)
>mysql/password from 210.245.168.28: 1 Time(s)
>nobody/password from 210.245.168.28: 1 Time(s)
>noc/password from 210.245.168.28: 1 Time(s)
>operator/password from 210.245.168.28: 1 Time(s)
>oracle/password from 210.245.168.28: 1 Time(s)
>pamela/password from 210.245.168.28: 1 Time(s)
>patrick/password from 210.245.168.28: 2 Time(s)
>rolo/password from 210.245.168.28: 1 Time(s)
>root/password from 210.245.168.28: 59 Time(s)
>server/password from 210.245.168.28: 1 Time(s)
>sybase/password from 210.245.168.28: 1 Time(s)
>test/password from 210.245.168.28: 5 Time(s)
>user/password from 210.245.168.28: 3 Time(s)
>web/password from 210.245.168.28: 2 Time(s)
>webmaster/password from 210.245.168.28: 1 Time(s)
>www-data/password from 210.245.168.28: 1 Time(s)
>www/password from 210.245.168.28: 1 Time(s)
>wwwrun/password from 210.245.168.28: 1 Time(s)
>
>Regards,
>Dan
Received on Dec 20 2004
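
Added example, not part of either message above: a small Python parser for the `user/password from IP: N Time(s)` summary lines quoted in the original post, which groups attempts by source and flags sources that try many distinct usernames or repeatedly try root. The thresholds, the function names and the `192.0.2.10` line are assumptions made for illustration; the other sample lines are copied from the quoted report.

```python
import re
from collections import defaultdict

# Summary-line format quoted in the post: "<user>/password from <ip>: <n> Time(s)"
# An optional leading ">" is accepted so quoted e-mail text can be pasted in as-is.
LINE_RE = re.compile(
    r"^>?\s*(?P<user>[^/\s]+)/password from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<count>\d+) Time\(s\)$"
)

def parse_summary(text):
    """Return {ip: {user: attempts}} for every line matching the summary format."""
    per_ip = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            users = per_ip[m["ip"]]
            users[m["user"]] = users.get(m["user"], 0) + int(m["count"])
    return dict(per_ip)

def flag_sources(per_ip, min_users=5, min_root=10):
    """Flag sources that try many accounts or hammer root (thresholds are assumptions)."""
    flagged = {}
    for ip, users in per_ip.items():
        reasons = []
        if len(users) >= min_users:
            reasons.append(f"{len(users)} distinct usernames")
        if users.get("root", 0) >= min_root:
            reasons.append(f"{users['root']} root attempts")
        if reasons:
            flagged[ip] = {"total": sum(users.values()), "reasons": reasons}
    return flagged

# Sample input: six lines from the quoted report plus one constructed low-volume line.
SAMPLE = """\
>adm/password from 210.245.168.28: 2 Time(s)
>apache/password from 210.245.168.28: 1 Time(s)
>mysql/password from 210.245.168.28: 1 Time(s)
>oracle/password from 210.245.168.28: 1 Time(s)
>root/password from 210.245.168.28: 59 Time(s)
>test/password from 210.245.168.28: 5 Time(s)
alice/password from 192.0.2.10: 2 Time(s)
"""

if __name__ == "__main__":
    for ip, info in flag_sources(parse_summary(SAMPLE)).items():
        print(ip, info["total"], "attempts:", "; ".join(info["reasons"]))
```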