Re: [Dshield] ssh attacks

  • To: General DShield Discussion List <[EMAIL PROTECTED]>
  • Subject: Re: [Dshield] ssh attacks
  • From: JD Durick <[EMAIL PROTECTED]>
  • Date: Tue, 12 Oct 2004 12:39:40 -0400
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]>
  • Reply-to: General DShield Discussion List <[EMAIL PROTECTED]>
  • Sender: [EMAIL PROTECTED]
According to our IDS/FW logs, we have been seeing similar activity on our DMZ. Most of the traffic seems to be coming from far-eastern-owned IP addresses.

jd

Barton L. Phillips wrote:

In the last several days I have seen an increase in attempts to log into my server via SSH. Previously I was only seeing the "test" and "guest" attempts mentioned earlier on this list. Here is an example of what I saw yesterday:

Failed logins from these:

  account/password from 213.136.124.8: 2 Time(s)
  account/password from 218.237.65.10: 2 Time(s)
  account/password from 66.93.56.95: 2 Time(s)
  adam/password from 213.136.124.8: 2 Time(s)
  adam/password from 218.237.65.10: 2 Time(s)
  adam/password from 66.93.56.95: 2 Time(s)
  adm/password from 213.136.124.8: 4 Time(s)
  adm/password from 218.237.65.10: 4 Time(s)
  adm/password from 66.93.56.95: 4 Time(s)
  alan/password from 213.136.124.8: 2 Time(s)
  alan/password from 218.237.65.10: 2 Time(s)
  alan/password from 66.93.56.95: 2 Time(s)
  apache/password from 213.136.124.8: 2 Time(s)
  apache/password from 218.237.65.10: 2 Time(s)
  apache/password from 66.93.56.95: 2 Time(s)
  backup/password from 213.136.124.8: 2 Time(s)
  backup/password from 218.237.65.10: 2 Time(s)
  backup/password from 66.93.56.95: 2 Time(s)
  cip51/password from 213.136.124.8: 2 Time(s)
  cip51/password from 218.237.65.10: 2 Time(s)
  cip51/password from 66.93.56.95: 2 Time(s)
  cip52/password from 213.136.124.8: 2 Time(s)
  cip52/password from 218.237.65.10: 2 Time(s)
  cip52/password from 66.93.56.95: 2 Time(s)
  cosmin/password from 213.136.124.8: 2 Time(s)
  cosmin/password from 218.237.65.10: 2 Time(s)
  cosmin/password from 66.93.56.95: 2 Time(s)
  cyrus/password from 213.136.124.8: 2 Time(s)
  cyrus/password from 218.237.65.10: 2 Time(s)
  cyrus/password from 66.93.56.95: 2 Time(s)
  data/password from 213.136.124.8: 2 Time(s)
  data/password from 218.237.65.10: 2 Time(s)
  data/password from 66.93.56.95: 2 Time(s)
  frank/password from 213.136.124.8: 2 Time(s)
  frank/password from 218.237.65.10: 2 Time(s)
  frank/password from 66.93.56.95: 2 Time(s)
  george/password from 213.136.124.8: 2 Time(s)
  george/password from 218.237.65.10: 2 Time(s)
  george/password from 66.93.56.95: 2 Time(s)
  glen/password from 66.15.2.200: 4 Time(s)
  glennt/password from 66.15.2.200: 2 Time(s)
  henry/password from 213.136.124.8: 2 Time(s)
  henry/password from 218.237.65.10: 2 Time(s)
  henry/password from 66.93.56.95: 2 Time(s)
  horde/password from 213.136.124.8: 2 Time(s)
  horde/password from 218.237.65.10: 2 Time(s)
  horde/password from 66.93.56.95: 2 Time(s)
  iceuser/password from 213.136.124.8: 2 Time(s)
  iceuser/password from 218.237.65.10: 2 Time(s)
  iceuser/password from 66.93.56.95: 2 Time(s)
  irc/password from 213.136.124.8: 4 Time(s)
  irc/password from 218.237.65.10: 4 Time(s)
  irc/password from 66.93.56.95: 4 Time(s)
  jane/password from 213.136.124.8: 2 Time(s)
  jane/password from 218.237.65.10: 2 Time(s)
  jane/password from 66.93.56.95: 2 Time(s)
  john/password from 213.136.124.8: 2 Time(s)
  john/password from 218.237.65.10: 2 Time(s)
  john/password from 66.93.56.95: 2 Time(s)
  johnz/password from 66.15.2.200: 10 Time(s)
  johnz/publickey from 66.15.2.200: 4 Time(s)
  master/password from 213.136.124.8: 2 Time(s)
  master/password from 218.237.65.10: 2 Time(s)
  master/password from 66.93.56.95: 2 Time(s)
  matt/password from 213.136.124.8: 2 Time(s)
  matt/password from 218.237.65.10: 2 Time(s)
  matt/password from 66.93.56.95: 2 Time(s)
  mysql/password from 213.136.124.8: 2 Time(s)
  mysql/password from 218.237.65.10: 2 Time(s)
  mysql/password from 66.93.56.95: 2 Time(s)
  nobody/password from 213.136.124.8: 2 Time(s)
  nobody/password from 218.237.65.10: 2 Time(s)
  nobody/password from 66.93.56.95: 2 Time(s)
  noc/password from 213.136.124.8: 2 Time(s)
  noc/password from 218.237.65.10: 2 Time(s)
  noc/password from 66.93.56.95: 2 Time(s)
  operator/password from 213.136.124.8: 2 Time(s)
  operator/password from 218.237.65.10: 2 Time(s)
  operator/password from 66.93.56.95: 2 Time(s)
  oracle/password from 213.136.124.8: 2 Time(s)
  oracle/password from 218.237.65.10: 2 Time(s)
  oracle/password from 66.93.56.95: 2 Time(s)
  pamela/password from 213.136.124.8: 2 Time(s)
  pamela/password from 218.237.65.10: 2 Time(s)
  pamela/password from 66.93.56.95: 2 Time(s)
  patrick/password from 213.136.124.8: 4 Time(s)
  patrick/password from 218.237.65.10: 4 Time(s)
  patrick/password from 66.93.56.95: 4 Time(s)
  rolo/password from 213.136.124.8: 2 Time(s)
  rolo/password from 218.237.65.10: 2 Time(s)
  rolo/password from 66.93.56.95: 2 Time(s)
  root/password from 213.136.124.8: 118 Time(s)
  root/password from 218.237.65.10: 118 Time(s)
  root/password from 66.93.56.95: 118 Time(s)
  server/password from 213.136.124.8: 2 Time(s)
  server/password from 218.237.65.10: 2 Time(s)
  server/password from 66.93.56.95: 2 Time(s)
  sybase/password from 213.136.124.8: 2 Time(s)
  sybase/password from 218.237.65.10: 2 Time(s)
  sybase/password from 66.93.56.95: 2 Time(s)
  test/password from 213.136.124.8: 10 Time(s)
  test/password from 218.237.65.10: 10 Time(s)
  test/password from 66.93.56.95: 10 Time(s)
  user/password from 213.136.124.8: 6 Time(s)
  user/password from 218.237.65.10: 6 Time(s)
  user/password from 66.93.56.95: 6 Time(s)
  web/password from 213.136.124.8: 4 Time(s)
  web/password from 218.237.65.10: 4 Time(s)
  web/password from 66.93.56.95: 4 Time(s)
  webmaster/password from 213.136.124.8: 2 Time(s)
  webmaster/password from 218.237.65.10: 2 Time(s)
  webmaster/password from 66.93.56.95: 2 Time(s)
  www-data/password from 213.136.124.8: 2 Time(s)
  www-data/password from 218.237.65.10: 2 Time(s)
  www-data/password from 66.93.56.95: 2 Time(s)
  www/password from 213.136.124.8: 2 Time(s)
  www/password from 218.237.65.10: 2 Time(s)
  www/password from 66.93.56.95: 2 Time(s)
  wwwrun/password from 213.136.124.8: 2 Time(s)
  wwwrun/password from 218.237.65.10: 2 Time(s)
  wwwrun/password from 66.93.56.95: 2 Time(s)

Has anyone else been seeing this?


--
JD Durick
Senior INFOSEC Engineer
The MITRE Corporation
Work:  (703) 883-5543
GPG: 466B D540 71CA BBA3 F1DF 3881 08D4 8448 780A 29C0
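As an added example (not code from the post or from DShield), the following Python script parses the logwatch-style "user/method from IP: N Time(s)" summary quoted above and aggregates it per source address, separating sources that sweep many usernames from sources that hammer a few known accounts. The sample lines and the thresholds are constructed for illustration and should be tuned to local baselines.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the logwatch summary in the post.
SAMPLE = """\
  account/password from 213.136.124.8: 2 Time(s)
  adm/password from 213.136.124.8: 4 Time(s)
  root/password from 213.136.124.8: 118 Time(s)
  test/password from 213.136.124.8: 10 Time(s)
  glen/password from 66.15.2.200: 4 Time(s)
  johnz/password from 66.15.2.200: 10 Time(s)
  johnz/publickey from 66.15.2.200: 4 Time(s)
  this line is not a failed-login summary entry
"""

LINE_RE = re.compile(
    r"^\s*(?P<user>[^/\s]+)/(?P<method>\S+) from (?P<ip>[\d.]+): (?P<n>\d+) Time\(s\)\s*$"
)


def parse_summary(text):
    """Yield (user, method, ip, count) for every matching line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], m["method"], m["ip"], int(m["n"])


def classify_sources(text, min_users=4, min_attempts=10):
    """Aggregate failures per source IP and label each source.

    A source trying many distinct accounts is a username sweep (dictionary of
    account names); a source with many failures against few accounts is targeted
    password guessing. Thresholds are constructed defaults, not derived values.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "methods": set(), "root": 0})
    for user, method, ip, n in parse_summary(text):
        s = per_ip[ip]
        s["attempts"] += n
        s["users"].add(user)
        s["methods"].add(method)
        if user == "root":
            s["root"] += n
    report = {}
    for ip, s in per_ip.items():
        if len(s["users"]) >= min_users:
            verdict = "username sweep"
        elif s["attempts"] >= min_attempts:
            verdict = "targeted guessing"
        else:
            verdict = "low volume"
        report[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                      "root_attempts": s["root"], "methods": sorted(s["methods"]), "verdict": verdict}
    return report
```

Running `classify_sources` over a full day's summary gives a per-IP table that can drive a firewall block list or a ticket, and the `methods` field shows whether a source also tried key-based authentication.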

