[Intrusions] Re: FYI - SSH bruteforcing

M. Shirk shirkdog_list at hotmail.com
Mon Dec 6 16:33:26 GMT 2004


This weekend I found the same results. I forward my logs to the Storm Center 
which included all of the same user accounts. Everyone should use some of 
the config options from the following diary entry from the ISC:

http://isc.sans.org//diary.php?date=2004-11-04



Shirkdog
http://www.shirkdog.us



>From: "Maxime Ducharme" <mducharme at cybergeneration.com>
>Reply-To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
>To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
>Subject: Re: [Intrusions] Re: FYI - SSH bruteforcing
>Date: Fri, 3 Dec 2004 16:52:21 -0500
>
>
>Hi list
>
>I also noticed new attempts other than root/test/guest/admin
>
>Yesterday :
>
>nbrAttempts - username - IP
>
>9 account 131.211.57.161
>9 adam 131.211.57.161
>9 alan 131.211.57.161
>9 backup 131.211.57.161
>10 cip51 131.211.57.161
>10 cip52 131.211.57.161
>10 cosmin 131.211.57.161
>11 cyrus 131.211.57.161
>10 data 131.211.57.161
>9 frank 131.211.57.161
>9 george 131.211.57.161
>9 henry 131.211.57.161
>11 horde 131.211.57.161
>11 iceuser 131.211.57.161
>20 irc 131.211.57.161
>10 jane 131.211.57.161
>9 john 131.211.57.161
>9 master 131.211.57.161
>10 matt 131.211.57.161
>10 noc 131.211.57.161
>9 oracle 131.211.57.161
>10 pamela 131.211.57.161
>22 patrick 131.211.57.161
>11 rolo 131.211.57.161
>9 server 131.211.57.161
>9 sybase 131.211.57.161
>49 test 131.211.57.161
>30 user 131.211.57.161
>20 web 131.211.57.161
>10 webmaster 131.211.57.161
>10 www 131.211.57.161
>10 www-data 131.211.57.161
>10 wwwrun 131.211.57.161
>
>
>Common users we see since some months :
>       nobody (ph57161.pharm.uu.nl ): 11 Time(s)
>       root (ph57161.pharm.uu.nl ): 590 Time(s)
>       adm (ph57161.pharm.uu.nl ): 20 Time(s)
>       apache (ph57161.pharm.uu.nl ): 10 Time(s)
>       mysql (ph57161.pharm.uu.nl ): 10 Time(s)
>       operator (ph57161.pharm.uu.nl ): 10 Time(s)
>
>2 days ago :
>       apache (www.wean.at ): 11 Time(s)
>       adm (server.comdatacenter.com ): 20 Time(s)
>       adm (www.wean.at ): 22 Time(s)
>       apache (server.comdatacenter.com ): 10 Time(s)
>       operator (server.comdatacenter.com ): 10 Time(s)
>       root (211.138.113.23 ): 30 Time(s)
>       root (www.wean.at ): 601 Time(s)
>       mysql (server.comdatacenter.com ): 10 Time(s)
>       root (server.comdatacenter.com ): 598 Time(s)
>       root (211.33.175.54 ): 25 Time(s)
>       operator (www.wean.at ): 11 Time(s)
>       nobody (server.comdatacenter.com ): 12 Time(s)
>       nobody (211.33.175.54 ): 12 Time(s)
>       mysql (www.wean.at ): 11 Time(s)
>       nobody (www.wean.at ): 12 Time(s)
>
>      10  account  212.16.32.183
>      10  account  67.15.14.46
>      10  adam  212.16.32.183
>      10  adam  67.15.14.46
>      10  alan  212.16.32.183
>      10  alan  67.15.14.46
>      10  backup  212.16.32.183
>      10  backup  67.15.14.46
>      10  cip51  212.16.32.183
>      10  cip51  67.15.14.46
>      10  cip52  212.16.32.183
>      10  cip52  67.15.14.46
>      10  cosmin  212.16.32.183
>      10  cosmin  67.15.14.46
>      10  data  212.16.32.183
>      10  data  67.15.14.46
>      10  frank  212.16.32.183
>      10  frank  67.15.14.46
>      10  george  212.16.32.183
>      10  george  67.15.14.46
>      10  guest  211.138.113.23
>      10  henry  212.16.32.183
>      10  henry  67.15.14.46
>      10  jane  212.16.32.183
>      10  jane  67.15.14.46
>      10  john  212.16.32.183
>      10  john  67.15.14.46
>      10  master  212.16.32.183
>      10  master  67.15.14.46
>      10  noc  212.16.32.183
>      10  noc  67.15.14.46
>      10  oracle  212.16.32.183
>      10  oracle  67.15.14.46
>      10  pamela  212.16.32.183
>      10  pamela  67.15.14.46
>      10  server  212.16.32.183
>      10  server  67.15.14.46
>      10  sybase  212.16.32.183
>      10  sybase  67.15.14.46
>      10  user  211.138.113.23
>      10  webmaster  212.16.32.183
>      10  webmaster  67.15.14.46
>      10  www-data  67.15.14.46
>      11  cyrus  67.15.14.46
>      11  horde  67.15.14.46
>      11  iceuser  67.15.14.46
>      11  matt  67.15.14.46
>      11  rolo  67.15.14.46
>      11  www-data  212.16.32.183
>      11  www  67.15.14.46
>      11  wwwrun  67.15.14.46
>      12  cyrus  212.16.32.183
>      12  horde  212.16.32.183
>      12  iceuser  212.16.32.183
>      12  matt  212.16.32.183
>      12  rolo  212.16.32.183
>      12  www  212.16.32.183
>      12  wwwrun  212.16.32.183
>      20  admin  211.138.113.23
>      20  irc  67.15.14.46
>      20  patrick  211.33.175.54
>      20  test  211.138.113.23
>      20  web  212.16.32.183
>      20  web  67.15.14.46
>      22  irc  212.16.32.183
>      24  patrick  212.16.32.183
>      24  patrick  67.15.14.46
>      30  user  212.16.32.183
>      30  user  67.15.14.46
>      51  test  67.15.14.46
>      58  test  212.16.32.183
>
>Have a nice day
>
>Maxime Ducharme
>Programmer / Network Security Specialist
>
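
Added example (not part of either message above): one way to build the "nbrAttempts - username - IP" table from raw sshd log lines and to flag sources whose attempted usernames overlap enough to suggest a shared wordlist. The log lines, the documentation-range IP addresses, the function names and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# OpenSSH failure lines; older releases log "illegal user", newer ones "invalid user".
FAILED = re.compile(
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def attempts_table(lines):
    """Count failed logins per (username, source IP)."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[(m["user"], m["ip"])] += 1
    return counts

def shared_wordlists(counts, min_users=3, threshold=0.8):
    """Pair sources whose attempted-username sets overlap (Jaccard >= threshold)."""
    users = defaultdict(set)
    for user, ip in counts:
        users[ip].add(user)
    # Ignore sources that tried only a few names (e.g. root-only guessing).
    ips = sorted(ip for ip, names in users.items() if len(names) >= min_users)
    pairs = []
    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            score = len(users[a] & users[b]) / len(users[a] | users[b])
            if score >= threshold:
                pairs.append((a, b, round(score, 2)))
    return pairs

def make_sample():
    """Constructed sshd log lines (documentation IPs, not real traffic)."""
    tmpl = ("Dec  2 03:1{n}:07 host sshd[{pid}]: Failed password for "
            "{kind}{user} from {ip} port 4{pid} ssh2")
    lines = []
    for ip in ("192.0.2.10", "198.51.100.7"):
        for n, user in enumerate(["adam", "cyrus", "horde", "oracle"]):
            lines += [tmpl.format(n=n, pid=1000 + n, kind="illegal user ",
                                  user=user, ip=ip)] * 2
    lines.append(tmpl.format(n=9, pid=1009, kind="", user="root", ip="203.0.113.5"))
    lines.append("Dec  2 03:20:00 host sshd[1010]: Accepted publickey for ops "
                 "from 203.0.113.9 port 5000 ssh2")
    return lines

if __name__ == "__main__":
    table = attempts_table(make_sample())
    for (user, ip), n in sorted(table.items()):
        print(n, user, ip)
    print(shared_wordlists(table))
```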
