[Intrusions] Re: FYI - SSH bruteforcing
Ron Shuck
rshuck at Buchanan.com
Fri Dec 3 16:54:15 GMT 2004
Hi,
I have observed this activity on several SMTP Relay servers that I
manage. The guesses did not appear to be based on actual users at the
site. Most originated from APNIC or LACNIC addresses, how odd. ;-)
Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Tom Glaab
Sent: Friday, December 03, 2004 6:10 AM
To: Intrusions List (GCIA Practicals)
Subject: [Intrusions] Re: FYI - SSH bruteforcing
Andrew Daviel wrote:
>Recently we had a brute-force attempt to guess SSH passwords from a
>machine in Taiwan 203.95.227.177 (www.shark-tw.net)
>
>The process identifies itself as SSH-2.0-libssh-0.1 and tries to guess
>passwords for the users root, admin, test and guest.
>
I'm seeing them several times a week. The list of "users" is growing
too. This is yesterday's collection from one box (reported by LogWatch):
tg.
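Added example, not part of the original messages: one way to turn a LogWatch "Illegal users" section like the one described above into a per-source summary that flags hosts walking a username dictionary. The sample lines are constructed (RFC 5737 documentation addresses), and the function name and the `min_users` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the LogWatch "Illegal users" layout; the addresses
# are documentation ranges, not values taken from the post.
SAMPLE = """\
Illegal users from these:
andrew/none from 192.0.2.10: 1 Time(s)
andrew/password from 192.0.2.10: 1 Time(s)
angel/none from 192.0.2.10: 1 Time(s)
angel/password from 192.0.2.10: 1 Time(s)
barbara/none from 192.0.2.10: 1 Time(s)
barbara/password from 192.0.2.10: 1 Time(s)
test/none from 198.51.100.7: 4 Time(s)
test/password from 198.51.100.7: 4 Time(s)
backup/password from 203.0.113.5: 1 Time(s)
"""

# user/method from source: count Time(s)
LINE = re.compile(
    r"^\s*(?P<user>\S+)/(?P<method>\w+) from (?P<ip>[0-9A-Fa-f:.]+?):\s+"
    r"(?P<n>\d+) Time\(s\)\s*$"
)

def summarize(report, min_users=3):
    """Group illegal-user lines by source address.

    A source is flagged when it tried at least min_users distinct
    usernames (assumed threshold), the pattern of a dictionary run
    rather than a single mistyped login.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    for line in report.splitlines():
        m = LINE.match(line)
        if not m:          # section header or unrelated LogWatch output
            continue
        users[m["ip"]].add(m["user"])
        attempts[m["ip"]] += int(m["n"])   # one line per auth method logged
    return {
        ip: {
            "users": sorted(names),
            "attempts": attempts[ip],
            "dictionary_run": len(names) >= min_users,
        }
        for ip, names in users.items()
    }
```
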