[Dshield] ssh attacks

Barton L. Phillips admin at bartonphillips.com
Tue Oct 12 15:30:08 GMT 2004


In the last several days I have seen an increase in attempts to log into 
my server via SSH. Previously I was only seeing the "test" and "guest" 
attempts previously mentioned on this list. Here is an example of what I 
saw yesterday:

Failed logins from these:

   account/password from 213.136.124.8: 2 Time(s)
   account/password from 218.237.65.10: 2 Time(s)
   account/password from 66.93.56.95: 2 Time(s)
   adam/password from 213.136.124.8: 2 Time(s)
   adam/password from 218.237.65.10: 2 Time(s)
   adam/password from 66.93.56.95: 2 Time(s)
   adm/password from 213.136.124.8: 4 Time(s)
   adm/password from 218.237.65.10: 4 Time(s)
   adm/password from 66.93.56.95: 4 Time(s)
   alan/password from 213.136.124.8: 2 Time(s)
   alan/password from 218.237.65.10: 2 Time(s)
   alan/password from 66.93.56.95: 2 Time(s)
   apache/password from 213.136.124.8: 2 Time(s)
   apache/password from 218.237.65.10: 2 Time(s)
   apache/password from 66.93.56.95: 2 Time(s)
   backup/password from 213.136.124.8: 2 Time(s)
   backup/password from 218.237.65.10: 2 Time(s)
   backup/password from 66.93.56.95: 2 Time(s)
   cip51/password from 213.136.124.8: 2 Time(s)
   cip51/password from 218.237.65.10: 2 Time(s)
   cip51/password from 66.93.56.95: 2 Time(s)
   cip52/password from 213.136.124.8: 2 Time(s)
   cip52/password from 218.237.65.10: 2 Time(s)
   cip52/password from 66.93.56.95: 2 Time(s)
   cosmin/password from 213.136.124.8: 2 Time(s)
   cosmin/password from 218.237.65.10: 2 Time(s)
   cosmin/password from 66.93.56.95: 2 Time(s)
   cyrus/password from 213.136.124.8: 2 Time(s)
   cyrus/password from 218.237.65.10: 2 Time(s)
   cyrus/password from 66.93.56.95: 2 Time(s)
   data/password from 213.136.124.8: 2 Time(s)
   data/password from 218.237.65.10: 2 Time(s)
   data/password from 66.93.56.95: 2 Time(s)
   frank/password from 213.136.124.8: 2 Time(s)
   frank/password from 218.237.65.10: 2 Time(s)
   frank/password from 66.93.56.95: 2 Time(s)
   george/password from 213.136.124.8: 2 Time(s)
   george/password from 218.237.65.10: 2 Time(s)
   george/password from 66.93.56.95: 2 Time(s)
   glen/password from 66.15.2.200: 4 Time(s)
   glennt/password from 66.15.2.200: 2 Time(s)
   henry/password from 213.136.124.8: 2 Time(s)
   henry/password from 218.237.65.10: 2 Time(s)
   henry/password from 66.93.56.95: 2 Time(s)
   horde/password from 213.136.124.8: 2 Time(s)
   horde/password from 218.237.65.10: 2 Time(s)
   horde/password from 66.93.56.95: 2 Time(s)
   iceuser/password from 213.136.124.8: 2 Time(s)
   iceuser/password from 218.237.65.10: 2 Time(s)
   iceuser/password from 66.93.56.95: 2 Time(s)
   irc/password from 213.136.124.8: 4 Time(s)
   irc/password from 218.237.65.10: 4 Time(s)
   irc/password from 66.93.56.95: 4 Time(s)
   jane/password from 213.136.124.8: 2 Time(s)
   jane/password from 218.237.65.10: 2 Time(s)
   jane/password from 66.93.56.95: 2 Time(s)
   john/password from 213.136.124.8: 2 Time(s)
   john/password from 218.237.65.10: 2 Time(s)
   john/password from 66.93.56.95: 2 Time(s)
   johnz/password from 66.15.2.200: 10 Time(s)
   johnz/publickey from 66.15.2.200: 4 Time(s)
   master/password from 213.136.124.8: 2 Time(s)
   master/password from 218.237.65.10: 2 Time(s)
   master/password from 66.93.56.95: 2 Time(s)
   matt/password from 213.136.124.8: 2 Time(s)
   matt/password from 218.237.65.10: 2 Time(s)
   matt/password from 66.93.56.95: 2 Time(s)
   mysql/password from 213.136.124.8: 2 Time(s)
   mysql/password from 218.237.65.10: 2 Time(s)
   mysql/password from 66.93.56.95: 2 Time(s)
   nobody/password from 213.136.124.8: 2 Time(s)
   nobody/password from 218.237.65.10: 2 Time(s)
   nobody/password from 66.93.56.95: 2 Time(s)
   noc/password from 213.136.124.8: 2 Time(s)
   noc/password from 218.237.65.10: 2 Time(s)
   noc/password from 66.93.56.95: 2 Time(s)
   operator/password from 213.136.124.8: 2 Time(s)
   operator/password from 218.237.65.10: 2 Time(s)
   operator/password from 66.93.56.95: 2 Time(s)
   oracle/password from 213.136.124.8: 2 Time(s)
   oracle/password from 218.237.65.10: 2 Time(s)
   oracle/password from 66.93.56.95: 2 Time(s)
   pamela/password from 213.136.124.8: 2 Time(s)
   pamela/password from 218.237.65.10: 2 Time(s)
   pamela/password from 66.93.56.95: 2 Time(s)
   patrick/password from 213.136.124.8: 4 Time(s)
   patrick/password from 218.237.65.10: 4 Time(s)
   patrick/password from 66.93.56.95: 4 Time(s)
   rolo/password from 213.136.124.8: 2 Time(s)
   rolo/password from 218.237.65.10: 2 Time(s)
   rolo/password from 66.93.56.95: 2 Time(s)
   root/password from 213.136.124.8: 118 Time(s)
   root/password from 218.237.65.10: 118 Time(s)
   root/password from 66.93.56.95: 118 Time(s)
   server/password from 213.136.124.8: 2 Time(s)
   server/password from 218.237.65.10: 2 Time(s)
   server/password from 66.93.56.95: 2 Time(s)
   sybase/password from 213.136.124.8: 2 Time(s)
   sybase/password from 218.237.65.10: 2 Time(s)
   sybase/password from 66.93.56.95: 2 Time(s)
   test/password from 213.136.124.8: 10 Time(s)
   test/password from 218.237.65.10: 10 Time(s)
   test/password from 66.93.56.95: 10 Time(s)
   user/password from 213.136.124.8: 6 Time(s)
   user/password from 218.237.65.10: 6 Time(s)
   user/password from 66.93.56.95: 6 Time(s)
   web/password from 213.136.124.8: 4 Time(s)
   web/password from 218.237.65.10: 4 Time(s)
   web/password from 66.93.56.95: 4 Time(s)
   webmaster/password from 213.136.124.8: 2 Time(s)
   webmaster/password from 218.237.65.10: 2 Time(s)
   webmaster/password from 66.93.56.95: 2 Time(s)
   www-data/password from 213.136.124.8: 2 Time(s)
   www-data/password from 218.237.65.10: 2 Time(s)
   www-data/password from 66.93.56.95: 2 Time(s)
   www/password from 213.136.124.8: 2 Time(s)
   www/password from 218.237.65.10: 2 Time(s)
   www/password from 66.93.56.95: 2 Time(s)
   wwwrun/password from 213.136.124.8: 2 Time(s)
   wwwrun/password from 218.237.65.10: 2 Time(s)
   wwwrun/password from 66.93.56.95: 2 Time(s)

Has anyone else been seeing this?

-- 
----------------
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com





More information about the list mailing list