[Dshield] ssh attacks

JD Durick jdurick at mitre.org
Tue Oct 12 16:39:40 GMT 2004


According to our IDS/FW logs, we have been seeing similar activity on 
our DMZ.  Most of the traffic seems to be coming from far eastern owned 
IP addresses.

jd

Barton L. Phillips wrote:

> In the last several days I have seen an increase in attempts to log 
> into my server via SSH. Previously I was only seeing the "test" and 
> "guest" attempts previously mentioned on this list. Here is an example 
> of what I saw yesterday:
>
> Failed logins from these:
>
>   account/password from 213.136.124.8: 2 Time(s)
>   account/password from 218.237.65.10: 2 Time(s)
>   account/password from 66.93.56.95: 2 Time(s)
>   adam/password from 213.136.124.8: 2 Time(s)
>   adam/password from 218.237.65.10: 2 Time(s)
>   adam/password from 66.93.56.95: 2 Time(s)
>   adm/password from 213.136.124.8: 4 Time(s)
>   adm/password from 218.237.65.10: 4 Time(s)
>   adm/password from 66.93.56.95: 4 Time(s)
>   alan/password from 213.136.124.8: 2 Time(s)
>   alan/password from 218.237.65.10: 2 Time(s)
>   alan/password from 66.93.56.95: 2 Time(s)
>   apache/password from 213.136.124.8: 2 Time(s)
>   apache/password from 218.237.65.10: 2 Time(s)
>   apache/password from 66.93.56.95: 2 Time(s)
>   backup/password from 213.136.124.8: 2 Time(s)
>   backup/password from 218.237.65.10: 2 Time(s)
>   backup/password from 66.93.56.95: 2 Time(s)
>   cip51/password from 213.136.124.8: 2 Time(s)
>   cip51/password from 218.237.65.10: 2 Time(s)
>   cip51/password from 66.93.56.95: 2 Time(s)
>   cip52/password from 213.136.124.8: 2 Time(s)
>   cip52/password from 218.237.65.10: 2 Time(s)
>   cip52/password from 66.93.56.95: 2 Time(s)
>   cosmin/password from 213.136.124.8: 2 Time(s)
>   cosmin/password from 218.237.65.10: 2 Time(s)
>   cosmin/password from 66.93.56.95: 2 Time(s)
>   cyrus/password from 213.136.124.8: 2 Time(s)
>   cyrus/password from 218.237.65.10: 2 Time(s)
>   cyrus/password from 66.93.56.95: 2 Time(s)
>   data/password from 213.136.124.8: 2 Time(s)
>   data/password from 218.237.65.10: 2 Time(s)
>   data/password from 66.93.56.95: 2 Time(s)
>   frank/password from 213.136.124.8: 2 Time(s)
>   frank/password from 218.237.65.10: 2 Time(s)
>   frank/password from 66.93.56.95: 2 Time(s)
>   george/password from 213.136.124.8: 2 Time(s)
>   george/password from 218.237.65.10: 2 Time(s)
>   george/password from 66.93.56.95: 2 Time(s)
>   glen/password from 66.15.2.200: 4 Time(s)
>   glennt/password from 66.15.2.200: 2 Time(s)
>   henry/password from 213.136.124.8: 2 Time(s)
>   henry/password from 218.237.65.10: 2 Time(s)
>   henry/password from 66.93.56.95: 2 Time(s)
>   horde/password from 213.136.124.8: 2 Time(s)
>   horde/password from 218.237.65.10: 2 Time(s)
>   horde/password from 66.93.56.95: 2 Time(s)
>   iceuser/password from 213.136.124.8: 2 Time(s)
>   iceuser/password from 218.237.65.10: 2 Time(s)
>   iceuser/password from 66.93.56.95: 2 Time(s)
>   irc/password from 213.136.124.8: 4 Time(s)
>   irc/password from 218.237.65.10: 4 Time(s)
>   irc/password from 66.93.56.95: 4 Time(s)
>   jane/password from 213.136.124.8: 2 Time(s)
>   jane/password from 218.237.65.10: 2 Time(s)
>   jane/password from 66.93.56.95: 2 Time(s)
>   john/password from 213.136.124.8: 2 Time(s)
>   john/password from 218.237.65.10: 2 Time(s)
>   john/password from 66.93.56.95: 2 Time(s)
>   johnz/password from 66.15.2.200: 10 Time(s)
>   johnz/publickey from 66.15.2.200: 4 Time(s)
>   master/password from 213.136.124.8: 2 Time(s)
>   master/password from 218.237.65.10: 2 Time(s)
>   master/password from 66.93.56.95: 2 Time(s)
>   matt/password from 213.136.124.8: 2 Time(s)
>   matt/password from 218.237.65.10: 2 Time(s)
>   matt/password from 66.93.56.95: 2 Time(s)
>   mysql/password from 213.136.124.8: 2 Time(s)
>   mysql/password from 218.237.65.10: 2 Time(s)
>   mysql/password from 66.93.56.95: 2 Time(s)
>   nobody/password from 213.136.124.8: 2 Time(s)
>   nobody/password from 218.237.65.10: 2 Time(s)
>   nobody/password from 66.93.56.95: 2 Time(s)
>   noc/password from 213.136.124.8: 2 Time(s)
>   noc/password from 218.237.65.10: 2 Time(s)
>   noc/password from 66.93.56.95: 2 Time(s)
>   operator/password from 213.136.124.8: 2 Time(s)
>   operator/password from 218.237.65.10: 2 Time(s)
>   operator/password from 66.93.56.95: 2 Time(s)
>   oracle/password from 213.136.124.8: 2 Time(s)
>   oracle/password from 218.237.65.10: 2 Time(s)
>   oracle/password from 66.93.56.95: 2 Time(s)
>   pamela/password from 213.136.124.8: 2 Time(s)
>   pamela/password from 218.237.65.10: 2 Time(s)
>   pamela/password from 66.93.56.95: 2 Time(s)
>   patrick/password from 213.136.124.8: 4 Time(s)
>   patrick/password from 218.237.65.10: 4 Time(s)
>   patrick/password from 66.93.56.95: 4 Time(s)
>   rolo/password from 213.136.124.8: 2 Time(s)
>   rolo/password from 218.237.65.10: 2 Time(s)
>   rolo/password from 66.93.56.95: 2 Time(s)
>   root/password from 213.136.124.8: 118 Time(s)
>   root/password from 218.237.65.10: 118 Time(s)
>   root/password from 66.93.56.95: 118 Time(s)
>   server/password from 213.136.124.8: 2 Time(s)
>   server/password from 218.237.65.10: 2 Time(s)
>   server/password from 66.93.56.95: 2 Time(s)
>   sybase/password from 213.136.124.8: 2 Time(s)
>   sybase/password from 218.237.65.10: 2 Time(s)
>   sybase/password from 66.93.56.95: 2 Time(s)
>   test/password from 213.136.124.8: 10 Time(s)
>   test/password from 218.237.65.10: 10 Time(s)
>   test/password from 66.93.56.95: 10 Time(s)
>   user/password from 213.136.124.8: 6 Time(s)
>   user/password from 218.237.65.10: 6 Time(s)
>   user/password from 66.93.56.95: 6 Time(s)
>   web/password from 213.136.124.8: 4 Time(s)
>   web/password from 218.237.65.10: 4 Time(s)
>   web/password from 66.93.56.95: 4 Time(s)
>   webmaster/password from 213.136.124.8: 2 Time(s)
>   webmaster/password from 218.237.65.10: 2 Time(s)
>   webmaster/password from 66.93.56.95: 2 Time(s)
>   www-data/password from 213.136.124.8: 2 Time(s)
>   www-data/password from 218.237.65.10: 2 Time(s)
>   www-data/password from 66.93.56.95: 2 Time(s)
>   www/password from 213.136.124.8: 2 Time(s)
>   www/password from 218.237.65.10: 2 Time(s)
>   www/password from 66.93.56.95: 2 Time(s)
>   wwwrun/password from 213.136.124.8: 2 Time(s)
>   wwwrun/password from 218.237.65.10: 2 Time(s)
>   wwwrun/password from 66.93.56.95: 2 Time(s)
>
> Has anyone else been seeing this?
>

-- 
JD Durick
Senior INFOSEC Engineer
The MITRE Corporation
Work:  (703) 883-5543
GPG: 466B D540 71CA BBA3 F1DF 3881 08D4 8448 780A 29C0
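
Added example, not code from either poster: a small parser for the logwatch-style
"Failed logins" lines quoted above that profiles each source IP and groups the
sources which ran the identical username/count dictionary (as the three addresses
in the post did). The sample input is a constructed subset of the posted lines.

```python
import re
from collections import defaultdict

# Constructed sample in the logwatch "Failed logins" format quoted in the thread:
# a subset of the posted lines, counts as shown there (user/method from IP: N Time(s)).
SAMPLE = """\
Failed logins from these:
  adm/password from 213.136.124.8: 4 Time(s)
  adm/password from 218.237.65.10: 4 Time(s)
  adm/password from 66.93.56.95: 4 Time(s)
  johnz/password from 66.15.2.200: 10 Time(s)
  johnz/publickey from 66.15.2.200: 4 Time(s)
  root/password from 213.136.124.8: 118 Time(s)
  root/password from 218.237.65.10: 118 Time(s)
  root/password from 66.93.56.95: 118 Time(s)
  test/password from 213.136.124.8: 10 Time(s)
  test/password from 218.237.65.10: 10 Time(s)
  test/password from 66.93.56.95: 10 Time(s)
"""

LINE_RE = re.compile(
    r"^\s*(?P<user>[\w.-]+)/(?P<method>\w+) from (?P<src>[\d.]+): (?P<n>\d+) Time\(s\)\s*$")

def parse(text):
    """Yield (user, method, src_ip, count) per well-formed line; headers and blanks are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], m["method"], m["src"], int(m["n"])

def profile_sources(text):
    """Per source IP: total failures, number of distinct usernames tried, and a
    signature of (user, method, count) triples so identical dictionaries can be matched."""
    prof = defaultdict(lambda: {"failures": 0, "users": set(), "signature": set()})
    for user, method, src, n in parse(text):
        prof[src]["failures"] += n
        prof[src]["users"].add(user)
        prof[src]["signature"].add((user, method, n))
    return {src: {"failures": p["failures"], "users": len(p["users"]),
                  "signature": frozenset(p["signature"])} for src, p in prof.items()}

def coordinated_sources(text):
    """Group source IPs that ran exactly the same username/count sequence; a group of
    more than one IP points at one scanning tool driven from several hosts."""
    groups = defaultdict(list)
    for src, p in profile_sources(text).items():
        groups[p["signature"]].append(src)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

Run over a full logwatch summary, the "failures" total and the 118-attempt root
entry per source are the figures worth alerting on; the grouped sources are what
one would feed to a shared blocklist such as DShield.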