MORE SSH Hacking: heads-up

Brad Smith usernamenumber at gmail.com
Fri Jul 30 21:37:03 UTC 2004


Well I've never had exactly what you seem to be describing, but what
I've been seeing reported more often are attempts to guess weak
name/pw combos. It's either a worm I've never heard of or a few sadly
successful but otherwise very unimaginative script kiddies. Here's
some excerpts from my logwatch reports:

-- 7/29/04 : This one's from Korea --
Failed logins from these:
   guest/password from 61.109.156.5: 1 Time(s)
   test/password from 61.109.156.5: 1 Time(s)

-- 7/27/04 : This one's from legatovideo.net. I emailed the admin
contact w/no reply --
Failed logins from these:
   guest/password from 12.181.128.5: 2 Time(s)
   test/password from 12.181.128.5: 2 Time(s)

And a friend gave me these from his logs:
# Not sure who this is
Jul 29 04:02:59 www sshd[4037]: Illegal user test from ::ffff:208.145.229.70 
Jul 29 04:03:02 www sshd[4037]: Failed password for illegal user test
from ::ffff:208.145.229.70 port 4965 ssh2
Jul 29 04:03:03 www sshd[4044]: Illegal user guest from ::ffff:208.145.229.70 
Jul 29 04:03:05 www sshd[4044]: Failed password for illegal user guest
from ::ffff:208.145.229.70 port 4967 ssh2

# A Spanish distance-learning university
Jul 29 08:59:49 www sshd[5330]: Illegal user test from ::ffff:62.204.197.193 
Jul 29 08:59:54 www sshd[5330]: Failed password for illegal user test
from ::ffff:62.204.197.193 port 37838 ssh2
Jul 29 08:59:55 www sshd[5332]: Illegal user guest from ::ffff:62.204.197.193 
Jul 29 08:59:58 www sshd[5332]: Failed password for illegal user guest
from ::ffff:62.204.197.193 port 38151 ssh2
Jul 29 09:00:00 www sshd[5334]: Illegal user admin from ::ffff:62.204.197.193 
Jul 29 09:00:02 www sshd[5334]: Failed password for illegal user admin
from ::ffff:62.204.197.193 port 38342 ssh2
Jul 29 09:00:04 www sshd[5336]: Illegal user admin from ::ffff:62.204.197.193 
Jul 29 09:00:06 www sshd[5336]: Failed password for illegal user admin
from ::ffff:62.204.197.193 port 38523 ssh2
Jul 29 09:00:08 www sshd[5338]: Illegal user user from ::ffff:62.204.197.193 
Jul 29 09:00:10 www sshd[5338]: Failed password for illegal user user
from ::ffff:62.204.197.193 port 38679 ssh2
Jul 29 09:00:14 www sshd[5340]: Failed password for root from
::ffff:62.204.197.193 port 38860 ssh2
Jul 29 09:00:18 www sshd[5342]: Failed password for root from
::ffff:62.204.197.193 port 38981 ssh2
Jul 29 09:00:22 www sshd[5350]: Failed password for root from
::ffff:62.204.197.193 port 39122 ssh2
Jul 29 09:00:24 www sshd[5352]: Illegal user test from ::ffff:62.204.197.193 
Jul 29 09:00:27 www sshd[5352]: Failed password for illegal user test
from ::ffff:62.204.197.193 port 39258 ssh2
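
Added example, not part of the original post: a small Python summarizer for sshd failures in the format quoted above, grouping them by source address and flagging sources that fail against several distinct account names. It assumes each log record sits on one line (as in the log file itself, not as wrapped in the mail); the sample lines are constructed, the addresses are documentation ranges, and the names summarize, guessing_sources and min_users are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd format quoted in the post; the addresses are
# RFC 5737 documentation ranges, not taken from the post.
SAMPLE_LOG = """\
Jul 29 09:00:00 www sshd[5334]: Illegal user admin from ::ffff:192.0.2.10
Jul 29 09:00:02 www sshd[5334]: Failed password for illegal user admin from ::ffff:192.0.2.10 port 38342 ssh2
Jul 29 09:00:06 www sshd[5336]: Failed password for illegal user test from ::ffff:192.0.2.10 port 38523 ssh2
Jul 29 09:00:14 www sshd[5340]: Failed password for root from ::ffff:192.0.2.10 port 38860 ssh2
Jul 29 09:00:18 www sshd[5342]: Failed password for root from ::ffff:192.0.2.10 port 38981 ssh2
Jul 29 11:15:40 www sshd[6001]: Failed password for alice from ::ffff:198.51.100.7 port 40112 ssh2
Jul 29 11:15:52 www sshd[6003]: Accepted password for alice from ::ffff:198.51.100.7 port 40113 ssh2
"""

# Older OpenSSH logs "illegal user", newer releases log "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<bad>(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def summarize(log_text):
    """Return {source_ip: {"attempts": n, "users": set, "unknown": set}}."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "unknown": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # "Illegal user ..." pre-auth lines and successes are skipped
        src = m["src"]
        if src.lower().startswith("::ffff:"):  # IPv4-mapped IPv6 form
            src = src[7:]
        entry = stats[src]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        if m["bad"]:  # account name does not exist on this host
            entry["unknown"].add(m["user"])
    return dict(stats)

def guessing_sources(stats, min_users=3):
    """Sources that failed against at least min_users distinct account names."""
    return sorted(ip for ip, s in stats.items() if len(s["users"]) >= min_users)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in guessing_sources(stats):
        s = stats[ip]
        print(ip, s["attempts"], "failures; names tried:", sorted(s["users"]))
```

Counting distinct names per source separates this kind of guessing run from a single user mistyping a password, which shows up as repeated failures against one valid account.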




