[Intrusions] Re: FYI - SSH bruteforcing
Maxime Ducharme
mducharme at cybergeneration.com
Fri Dec 3 21:52:21 GMT 2004
Hi list,
I also noticed new attempts other than root/test/guest/admin
Yesterday :
nbrAttempts - username - IP
9 account 131.211.57.161
9 adam 131.211.57.161
9 alan 131.211.57.161
9 backup 131.211.57.161
10 cip51 131.211.57.161
10 cip52 131.211.57.161
10 cosmin 131.211.57.161
11 cyrus 131.211.57.161
10 data 131.211.57.161
9 frank 131.211.57.161
9 george 131.211.57.161
9 henry 131.211.57.161
11 horde 131.211.57.161
11 iceuser 131.211.57.161
20 irc 131.211.57.161
10 jane 131.211.57.161
9 john 131.211.57.161
9 master 131.211.57.161
10 matt 131.211.57.161
10 noc 131.211.57.161
9 oracle 131.211.57.161
10 pamela 131.211.57.161
22 patrick 131.211.57.161
11 rolo 131.211.57.161
9 server 131.211.57.161
9 sybase 131.211.57.161
49 test 131.211.57.161
30 user 131.211.57.161
20 web 131.211.57.161
10 webmaster 131.211.57.161
10 www 131.211.57.161
10 www-data 131.211.57.161
10 wwwrun 131.211.57.161
Common users we have been seeing for some months:
nobody (ph57161.pharm.uu.nl ): 11 Time(s)
root (ph57161.pharm.uu.nl ): 590 Time(s)
adm (ph57161.pharm.uu.nl ): 20 Time(s)
apache (ph57161.pharm.uu.nl ): 10 Time(s)
mysql (ph57161.pharm.uu.nl ): 10 Time(s)
operator (ph57161.pharm.uu.nl ): 10 Time(s)
2 days ago:
apache (www.wean.at ): 11 Time(s)
adm (server.comdatacenter.com ): 20 Time(s)
adm (www.wean.at ): 22 Time(s)
apache (server.comdatacenter.com ): 10 Time(s)
operator (server.comdatacenter.com ): 10 Time(s)
root (211.138.113.23 ): 30 Time(s)
root (www.wean.at ): 601 Time(s)
mysql (server.comdatacenter.com ): 10 Time(s)
root (server.comdatacenter.com ): 598 Time(s)
root (211.33.175.54 ): 25 Time(s)
operator (www.wean.at ): 11 Time(s)
nobody (server.comdatacenter.com ): 12 Time(s)
nobody (211.33.175.54 ): 12 Time(s)
mysql (www.wean.at ): 11 Time(s)
nobody (www.wean.at ): 12 Time(s)
10 account 212.16.32.183
10 account 67.15.14.46
10 adam 212.16.32.183
10 adam 67.15.14.46
10 alan 212.16.32.183
10 alan 67.15.14.46
10 backup 212.16.32.183
10 backup 67.15.14.46
10 cip51 212.16.32.183
10 cip51 67.15.14.46
10 cip52 212.16.32.183
10 cip52 67.15.14.46
10 cosmin 212.16.32.183
10 cosmin 67.15.14.46
10 data 212.16.32.183
10 data 67.15.14.46
10 frank 212.16.32.183
10 frank 67.15.14.46
10 george 212.16.32.183
10 george 67.15.14.46
10 guest 211.138.113.23
10 henry 212.16.32.183
10 henry 67.15.14.46
10 jane 212.16.32.183
10 jane 67.15.14.46
10 john 212.16.32.183
10 john 67.15.14.46
10 master 212.16.32.183
10 master 67.15.14.46
10 noc 212.16.32.183
10 noc 67.15.14.46
10 oracle 212.16.32.183
10 oracle 67.15.14.46
10 pamela 212.16.32.183
10 pamela 67.15.14.46
10 server 212.16.32.183
10 server 67.15.14.46
10 sybase 212.16.32.183
10 sybase 67.15.14.46
10 user 211.138.113.23
10 webmaster 212.16.32.183
10 webmaster 67.15.14.46
10 www-data 67.15.14.46
11 cyrus 67.15.14.46
11 horde 67.15.14.46
11 iceuser 67.15.14.46
11 matt 67.15.14.46
11 rolo 67.15.14.46
11 www-data 212.16.32.183
11 www 67.15.14.46
11 wwwrun 67.15.14.46
12 cyrus 212.16.32.183
12 horde 212.16.32.183
12 iceuser 212.16.32.183
12 matt 212.16.32.183
12 rolo 212.16.32.183
12 www 212.16.32.183
12 wwwrun 212.16.32.183
20 admin 211.138.113.23
20 irc 67.15.14.46
20 patrick 211.33.175.54
20 test 211.138.113.23
20 web 212.16.32.183
20 web 67.15.14.46
22 irc 212.16.32.183
24 patrick 212.16.32.183
24 patrick 67.15.14.46
30 user 212.16.32.183
30 user 67.15.14.46
51 test 67.15.14.46
58 test 212.16.32.183
Have a nice day
Maxime Ducharme
Programmer / Network Security Specialist
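As an added defensive example (not code from anyone in this thread), a small Python script that parses both record shapes posted above, the "count username IP" summary lines and LogWatch's "user/password from IP: N Time(s)" lines, aggregates attempts per source address and flags sources that either hammer one account or spray many usernames; the sample lines, documentation-range IPs and thresholds are constructed.

```python
import re
from collections import defaultdict

# Two line formats seen in the thread (sample lines below are constructed,
# with documentation-range IPs, not copied from any real host).
#   "<count> <username> <ip>"                (per-user summary)
#   "<user>/<pass> from <ip>: <n> Time(s)"   (LogWatch "Illegal users")
SUMMARY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
LOGWATCH_RE = re.compile(
    r"^\s*(\S+?)/\S+ from (\d{1,3}(?:\.\d{1,3}){3}): (\d+) Time\(s\)\s*$")

SAMPLE = """\
49 test 192.0.2.10
30 user 192.0.2.10
10 oracle 192.0.2.10
9 sybase 192.0.2.10
andrew/none from 198.51.100.7: 1 Time(s)
andrew/password from 198.51.100.7: 1 Time(s)
angel/none from 198.51.100.7: 1 Time(s)
barbara/none from 198.51.100.7: 1 Time(s)
root/password from 203.0.113.5: 3 Time(s)
this line is not an auth record
"""

def parse(lines):
    """Yield (ip, username, attempts) for each line in a recognised format."""
    for line in lines:
        m = SUMMARY_RE.match(line)
        if m:
            yield m.group(3), m.group(2), int(m.group(1))
            continue
        m = LOGWATCH_RE.match(line)
        if m:
            yield m.group(2), m.group(1), int(m.group(3))

def summarize(text):
    """Per source IP: total attempts and the set of usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ip, user, n in parse(text.splitlines()):
        stats[ip]["attempts"] += n
        stats[ip]["users"].add(user)
    return stats

def flag_sources(stats, min_attempts=20, min_users=3):
    """Sources that hammer one account OR spray many distinct usernames."""
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts or len(s["users"]) >= min_users)

if __name__ == "__main__":
    st = summarize(SAMPLE)
    for ip in flag_sources(st):
        print(ip, st[ip]["attempts"], sorted(st[ip]["users"]))
```

The distinct-username count is the useful signal here: a spraying host shows up even when every attempt count is 1, which a per-account failure threshold would miss.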
----- Original Message -----
From: "Ron Shuck" <rshuck at buchanan.com>
To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
Sent: Friday, December 03, 2004 11:54 AM
Subject: RE: [Intrusions] Re: FYI - SSH bruteforcing
> Hi,
>
> I have observed this activity on several SMTP Relay servers that I
> manage. The guesses did not appear to be based on actual users at the
> site. Most originated from APNIC or LACNIC addresses, how odd. ;-)
>
>
> Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
> Buchanan Associates - A Technology Company in the People Business
>
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Tom Glaab
> Sent: Friday, December 03, 2004 6:10 AM
> To: Intrusions List (GCIA Practicals)
> Subject: [Intrusions] Re: FYI - SSH bruteforcing
>
> Andrew Daviel wrote:
>
> >Recently we had a brute-force attempt to guess SSH passwords from a
> >machine in Taiwan 203.95.227.177 (www.shark-tw.net)
> >
> >The process identifies itself as SSH-2.0-libssh-0.1 and tries to guess
> >passwords for the users root, admin, test and guest.
> >
>
> I'm seeing them several times a week. The list of "users" is growing
> too. This is yesterday's collection from one box (reported by LogWatch):
>
> Illegal users from these:
>
> andrew/none from 66.36.241.244: 1 Time(s)
> andrew/password from 66.36.241.244: 1 Time(s)
> angel/none from 66.36.241.244: 1 Time(s)
> angel/password from 66.36.241.244: 1 Time(s)
> barbara/none from 66.36.241.244: 1 Time(s)
> barbara/password from 66.36.241.244: 1 Time(s)
> ben/none from 66.36.241.244: 1 Time(s)
> ben/password from 66.36.241.244: 1 Time(s)
> betty/none from 66.36.241.244: 1 Time(s)
> betty/password from 66.36.241.244: 1 Time(s)
> billy/none from 66.36.241.244: 1 Time(s)
> billy/password from 66.36.241.244: 1 Time(s)
> black/none from 66.36.241.244: 1 Time(s)
> black/password from 66.36.241.244: 1 Time(s)
> blue/none from 66.36.241.244: 1 Time(s)
> blue/password from 66.36.241.244: 1 Time(s)
> brandon/none from 66.36.241.244: 1 Time(s)
> brandon/password from 66.36.241.244: 1 Time(s)
> brian/none from 66.36.241.244: 1 Time(s)
> brian/password from 66.36.241.244: 1 Time(s)
> buddy/none from 66.36.241.244: 1 Time(s)
> buddy/password from 66.36.241.244: 1 Time(s)
> carmen/none from 66.36.241.244: 1 Time(s)
> carmen/password from 66.36.241.244: 1 Time(s)
> charlie/none from 66.36.241.244: 1 Time(s)
> charlie/password from 66.36.241.244: 1 Time(s)
> cosmin/none from 211.33.175.54: 1 Time(s)
> cosmin/password from 211.33.175.54: 1 Time(s)
> cyrus/none from 211.33.175.54: 1 Time(s)
> cyrus/password from 211.33.175.54: 1 Time(s)
> daniel/none from 66.36.241.244: 1 Time(s)
> daniel/password from 66.36.241.244: 1 Time(s)
> david/none from 66.36.241.244: 1 Time(s)
> david/password from 66.36.241.244: 1 Time(s)
> dog/none from 66.36.241.244: 1 Time(s)
> dog/password from 66.36.241.244: 1 Time(s)
> emily/none from 66.36.241.244: 1 Time(s)
> emily/password from 66.36.241.244: 1 Time(s)
> eric/none from 66.36.241.244: 1 Time(s)
> eric/password from 66.36.241.244: 1 Time(s)
> god/none from 66.36.241.244: 1 Time(s)
> god/password from 66.36.241.244: 1 Time(s)
> green/none from 66.36.241.244: 1 Time(s)
> green/password from 66.36.241.244: 1 Time(s)
> henry/none from 66.36.241.244: 1 Time(s)
> henry/password from 66.36.241.244: 1 Time(s)
> horde/none from 211.33.175.54: 1 Time(s)
> horde/password from 211.33.175.54: 1 Time(s)
> iceuser/none from 211.33.175.54: 1 Time(s)
> iceuser/password from 211.33.175.54: 1 Time(s)
> irc/none from 211.33.175.54: 2 Time(s)
> irc/password from 211.33.175.54: 2 Time(s)
> jane/none from 211.33.175.54: 1 Time(s)
> jane/none from 66.36.241.244: 1 Time(s)
> jane/password from 211.33.175.54: 1 Time(s)
> jane/password from 66.36.241.244: 1 Time(s)
> jason/none from 66.36.241.244: 1 Time(s)
> jason/password from 66.36.241.244: 1 Time(s)
> jeremy/none from 66.36.241.244: 1 Time(s)
> jeremy/password from 66.36.241.244: 1 Time(s)
> joe/none from 66.36.241.244: 1 Time(s)
> joe/password from 66.36.241.244: 1 Time(s)
> johnny/none from 66.36.241.244: 1 Time(s)
> johnny/password from 66.36.241.244: 1 Time(s)
> jordan/none from 66.36.241.244: 1 Time(s)
> jordan/password from 66.36.241.244: 1 Time(s)
> justin/none from 66.36.241.244: 1 Time(s)
> justin/password from 66.36.241.244: 1 Time(s)
> larisa/none from 66.36.241.244: 1 Time(s)
> larisa/password from 66.36.241.244: 1 Time(s)
> lion/none from 66.36.241.244: 1 Time(s)
> lion/password from 66.36.241.244: 1 Time(s)
> lucy/none from 66.36.241.244: 1 Time(s)
> lucy/password from 66.36.241.244: 1 Time(s)
> magic/none from 66.36.241.244: 1 Time(s)
> magic/password from 66.36.241.244: 1 Time(s)
> maria/none from 66.36.241.244: 1 Time(s)
> maria/password from 66.36.241.244: 1 Time(s)
> market/none from 66.36.241.244: 1 Time(s)
> market/password from 66.36.241.244: 1 Time(s)
> matt/none from 211.33.175.54: 1 Time(s)
> matt/password from 211.33.175.54: 1 Time(s)
> matthew/none from 66.36.241.244: 1 Time(s)
> matthew/password from 66.36.241.244: 1 Time(s)
> max/none from 66.36.241.244: 1 Time(s)
> max/password from 66.36.241.244: 1 Time(s)
> michael/none from 66.36.241.244: 1 Time(s)
> michael/password from 66.36.241.244: 1 Time(s)
> nathan/none from 66.36.241.244: 1 Time(s)
> nathan/password from 66.36.241.244: 1 Time(s)
> nicholas/none from 66.36.241.244: 1 Time(s)
> nicholas/password from 66.36.241.244: 1 Time(s)
> nicole/none from 66.36.241.244: 1 Time(s)
> nicole/password from 66.36.241.244: 1 Time(s)
> pamela/none from 211.33.175.54: 1 Time(s)
> pamela/password from 211.33.175.54: 1 Time(s)
> patrick/none from 211.33.175.54: 2 Time(s)
> patrick/password from 211.33.175.54: 2 Time(s)
> pub/none from 66.36.241.244: 1 Time(s)
> pub/password from 66.36.241.244: 1 Time(s)
> red/none from 66.36.241.244: 1 Time(s)
> red/password from 66.36.241.244: 1 Time(s)
> robin/none from 66.36.241.244: 1 Time(s)
> robin/password from 66.36.241.244: 1 Time(s)
> rolo/none from 211.33.175.54: 1 Time(s)
> rolo/password from 211.33.175.54: 1 Time(s)
> rose/none from 66.36.241.244: 1 Time(s)
> rose/password from 66.36.241.244: 1 Time(s)
> shell/none from 66.36.241.244: 1 Time(s)
> shell/password from 66.36.241.244: 1 Time(s)
> stephen/none from 66.36.241.244: 1 Time(s)
> stephen/password from 66.36.241.244: 1 Time(s)
> steven/none from 66.36.241.244: 1 Time(s)
> steven/password from 66.36.241.244: 1 Time(s)
> system/none from 66.36.241.244: 1 Time(s)
> system/password from 66.36.241.244: 1 Time(s)
> test/none from 211.33.175.54: 4 Time(s)
> test/password from 211.33.175.54: 4 Time(s)
> tom/none from 66.36.241.244: 1 Time(s)
> tom/password from 66.36.241.244: 1 Time(s)
> vampire/none from 66.36.241.244: 1 Time(s)
> vampire/password from 66.36.241.244: 1 Time(s)
> william/none from 66.36.241.244: 1 Time(s)
> william/password from 66.36.241.244: 1 Time(s)
> www-data/none from 211.33.175.54: 1 Time(s)
> www-data/password from 211.33.175.54: 1 Time(s)
> www/none from 211.33.175.54: 1 Time(s)
> www/password from 211.33.175.54: 1 Time(s)
> wwwrun/none from 211.33.175.54: 1 Time(s)
> wwwrun/password from 211.33.175.54: 1 Time(s)
> yellow/none from 66.36.241.244: 1 Time(s)
> yellow/password from 66.36.241.244: 1 Time(s)
>
> tg.
>
>
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>