Security Incidents mailing list archives

RE: SSH probes?
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Mon, 10 May 2004 11:21:51 -0400

At first glance, that sure does seem like somebody's a little overly
interested ;)  Do you know who 211.216.53.20 is?  It looks like it
belongs to a block from Korea... generally not a good sign unless you
have a partner there.  I'd be very tempted to just block the IP block
that this machine comes from.

How about the usernames?  The one listed here is ftp - any other
usernames, particularly valid ones that belong to real people in your
organization?

-----Original Message-----
From: Devdas Bhagat [mailto:devdas () dvb homelinux org] 
Sent: Sunday, May 09, 2004 12:35 PM
To: incidents () securityfocus com
Subject: SSH probes?


I got about 61 of these in my logs before I turned sshd off. This looks
like a brute force attempt at getting a login.

May  9 21:35:03 evita sshd(pam_unix)[16332]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20  user=ftp
May  9 21:35:10 evita sshd(pam_unix)[16374]: check pass; user unknown
May  9 21:35:10 evita sshd(pam_unix)[16374]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20
May  9 21:35:16 evita sshd(pam_unix)[16375]: check pass; user unknown

Anyone else seeing events like this?
The box is patched, up to date and still uncompromised. Timezone is 
UTC +0530 and synchronised to ntp.

Devdas Bhagat
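
The username question raised in the reply can be answered from the log itself. The following is an added example, not part of either post: it groups the pam_unix sshd failures by `rhost` and pairs each "check pass; user unknown" line with the failure logged by the same PID. The function and field names are assumptions made for illustration; the sample lines are the ones quoted above with the mail line wrapping undone.

```python
import re
from collections import defaultdict

# Log lines from the post above, with the mail client's line wrapping undone.
SAMPLE = """\
May  9 21:35:03 evita sshd(pam_unix)[16332]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20  user=ftp
May  9 21:35:10 evita sshd(pam_unix)[16374]: check pass; user unknown
May  9 21:35:10 evita sshd(pam_unix)[16374]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20
May  9 21:35:16 evita sshd(pam_unix)[16375]: check pass; user unknown
"""

# timestamp, logging host, sshd PID, message text
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\(pam_unix\)\[(\d+)\]: (.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")   # key=value pairs; the value may be empty

def summarize(text):
    """Return {rhost: {failures, unknown_user, users, first, last}}."""
    unknown_pids = set()   # PIDs that logged "check pass; user unknown"
    hosts = defaultdict(lambda: {"failures": 0, "unknown_user": 0,
                                 "users": set(), "first": None, "last": None})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                       # not a pam_unix sshd line
        ts, _loghost, pid, msg = m.groups()
        if msg.startswith("check pass; user unknown"):
            unknown_pids.add(pid)
        elif msg.startswith("authentication failure;"):
            fields = dict(FIELD.findall(msg))
            entry = hosts[fields.get("rhost") or "(none)"]
            entry["failures"] += 1
            entry["first"] = entry["first"] or ts
            entry["last"] = ts
            if fields.get("user"):
                entry["users"].add(fields["user"])   # failure names an account
            elif pid in unknown_pids:
                entry["unknown_user"] += 1           # same PID logged "user unknown"
    return dict(hosts)

if __name__ == "__main__":
    for rhost, info in summarize(SAMPLE).items():
        print(rhost, info["failures"], "failures,", info["unknown_user"],
              "for unknown users, named accounts:", sorted(info["users"]),
              "from", info["first"], "to", info["last"])
```

A "user unknown" line whose matching failure has not been logged yet, such as PID 16375 in the excerpt, is left uncounted.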
