[Dshield] ssh attacks

Tod D. Ihde toon at warmerbythelake.com
Tue Oct 12 16:53:28 GMT 2004


Barton L. Phillips wrote:
> In the last several days I have seen an increase in attempts to log into 
> my server via SSH. Previously I was only seeing the "test" and "guest" 
> attempts previously mentioned on this list. Here is an example of what I 
> saw yesterday:
> 
> Failed logins from these:
> 
>   account/password from 213.136.124.8: 2 Time(s)
>   account/password from 218.237.65.10: 2 Time(s)
>   account/password from 66.93.56.95: 2 Time(s)
>   adam/password from 213.136.124.8: 2 Time(s)
>   adam/password from 218.237.65.10: 2 Time(s)
>   adam/password from 66.93.56.95: 2 Time(s)
>   adm/password from 213.136.124.8: 4 Time(s)
>   adm/password from 218.237.65.10: 4 Time(s)
>   adm/password from 66.93.56.95: 4 Time(s)
>   alan/password from 213.136.124.8: 2 Time(s)
>   alan/password from 218.237.65.10: 2 Time(s)
>   alan/password from 66.93.56.95: 2 Time(s)
>   apache/password from 213.136.124.8: 2 Time(s)
>   apache/password from 218.237.65.10: 2 Time(s)
>   apache/password from 66.93.56.95: 2 Time(s)
>   backup/password from 213.136.124.8: 2 Time(s)
>   backup/password from 218.237.65.10: 2 Time(s)
>   backup/password from 66.93.56.95: 2 Time(s)
>   cip51/password from 213.136.124.8: 2 Time(s)
>   cip51/password from 218.237.65.10: 2 Time(s)
>   cip51/password from 66.93.56.95: 2 Time(s)
>   cip52/password from 213.136.124.8: 2 Time(s)
>   cip52/password from 218.237.65.10: 2 Time(s)
>   cip52/password from 66.93.56.95: 2 Time(s)
>   cosmin/password from 213.136.124.8: 2 Time(s)
>   cosmin/password from 218.237.65.10: 2 Time(s)
>   cosmin/password from 66.93.56.95: 2 Time(s)
>   cyrus/password from 213.136.124.8: 2 Time(s)
>   cyrus/password from 218.237.65.10: 2 Time(s)
>   cyrus/password from 66.93.56.95: 2 Time(s)
>   data/password from 213.136.124.8: 2 Time(s)
>   data/password from 218.237.65.10: 2 Time(s)
>   data/password from 66.93.56.95: 2 Time(s)
>   frank/password from 213.136.124.8: 2 Time(s)
>   frank/password from 218.237.65.10: 2 Time(s)
>   frank/password from 66.93.56.95: 2 Time(s)
>   george/password from 213.136.124.8: 2 Time(s)
>   george/password from 218.237.65.10: 2 Time(s)
>   george/password from 66.93.56.95: 2 Time(s)
>   glen/password from 66.15.2.200: 4 Time(s)
>   glennt/password from 66.15.2.200: 2 Time(s)
>   henry/password from 213.136.124.8: 2 Time(s)
>   henry/password from 218.237.65.10: 2 Time(s)
>   henry/password from 66.93.56.95: 2 Time(s)
>   horde/password from 213.136.124.8: 2 Time(s)
>   horde/password from 218.237.65.10: 2 Time(s)
>   horde/password from 66.93.56.95: 2 Time(s)
>   iceuser/password from 213.136.124.8: 2 Time(s)
>   iceuser/password from 218.237.65.10: 2 Time(s)
>   iceuser/password from 66.93.56.95: 2 Time(s)
>   irc/password from 213.136.124.8: 4 Time(s)
>   irc/password from 218.237.65.10: 4 Time(s)
>   irc/password from 66.93.56.95: 4 Time(s)
>   jane/password from 213.136.124.8: 2 Time(s)
>   jane/password from 218.237.65.10: 2 Time(s)
>   jane/password from 66.93.56.95: 2 Time(s)
>   john/password from 213.136.124.8: 2 Time(s)
>   john/password from 218.237.65.10: 2 Time(s)
>   john/password from 66.93.56.95: 2 Time(s)
>   johnz/password from 66.15.2.200: 10 Time(s)
>   johnz/publickey from 66.15.2.200: 4 Time(s)
>   master/password from 213.136.124.8: 2 Time(s)
>   master/password from 218.237.65.10: 2 Time(s)
>   master/password from 66.93.56.95: 2 Time(s)
>   matt/password from 213.136.124.8: 2 Time(s)
>   matt/password from 218.237.65.10: 2 Time(s)
>   matt/password from 66.93.56.95: 2 Time(s)
>   mysql/password from 213.136.124.8: 2 Time(s)
>   mysql/password from 218.237.65.10: 2 Time(s)
>   mysql/password from 66.93.56.95: 2 Time(s)
>   nobody/password from 213.136.124.8: 2 Time(s)
>   nobody/password from 218.237.65.10: 2 Time(s)
>   nobody/password from 66.93.56.95: 2 Time(s)
>   noc/password from 213.136.124.8: 2 Time(s)
>   noc/password from 218.237.65.10: 2 Time(s)
>   noc/password from 66.93.56.95: 2 Time(s)
>   operator/password from 213.136.124.8: 2 Time(s)
>   operator/password from 218.237.65.10: 2 Time(s)
>   operator/password from 66.93.56.95: 2 Time(s)
>   oracle/password from 213.136.124.8: 2 Time(s)
>   oracle/password from 218.237.65.10: 2 Time(s)
>   oracle/password from 66.93.56.95: 2 Time(s)
>   pamela/password from 213.136.124.8: 2 Time(s)
>   pamela/password from 218.237.65.10: 2 Time(s)
>   pamela/password from 66.93.56.95: 2 Time(s)
>   patrick/password from 213.136.124.8: 4 Time(s)
>   patrick/password from 218.237.65.10: 4 Time(s)
>   patrick/password from 66.93.56.95: 4 Time(s)
>   rolo/password from 213.136.124.8: 2 Time(s)
>   rolo/password from 218.237.65.10: 2 Time(s)
>   rolo/password from 66.93.56.95: 2 Time(s)
>   root/password from 213.136.124.8: 118 Time(s)
>   root/password from 218.237.65.10: 118 Time(s)
>   root/password from 66.93.56.95: 118 Time(s)
>   server/password from 213.136.124.8: 2 Time(s)
>   server/password from 218.237.65.10: 2 Time(s)
>   server/password from 66.93.56.95: 2 Time(s)
>   sybase/password from 213.136.124.8: 2 Time(s)
>   sybase/password from 218.237.65.10: 2 Time(s)
>   sybase/password from 66.93.56.95: 2 Time(s)
>   test/password from 213.136.124.8: 10 Time(s)
>   test/password from 218.237.65.10: 10 Time(s)
>   test/password from 66.93.56.95: 10 Time(s)
>   user/password from 213.136.124.8: 6 Time(s)
>   user/password from 218.237.65.10: 6 Time(s)
>   user/password from 66.93.56.95: 6 Time(s)
>   web/password from 213.136.124.8: 4 Time(s)
>   web/password from 218.237.65.10: 4 Time(s)
>   web/password from 66.93.56.95: 4 Time(s)
>   webmaster/password from 213.136.124.8: 2 Time(s)
>   webmaster/password from 218.237.65.10: 2 Time(s)
>   webmaster/password from 66.93.56.95: 2 Time(s)
>   www-data/password from 213.136.124.8: 2 Time(s)
>   www-data/password from 218.237.65.10: 2 Time(s)
>   www-data/password from 66.93.56.95: 2 Time(s)
>   www/password from 213.136.124.8: 2 Time(s)
>   www/password from 218.237.65.10: 2 Time(s)
>   www/password from 66.93.56.95: 2 Time(s)
>   wwwrun/password from 213.136.124.8: 2 Time(s)
>   wwwrun/password from 218.237.65.10: 2 Time(s)
>   wwwrun/password from 66.93.56.95: 2 Time(s)
> 
> Has anyone else been seeing this?
> 

Same thing here, on 3 different servers. Been going on a few weeks now.
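
An added example, not part of either post: a short Python pass over a report in the format quoted above that groups source addresses whose per-account failure counts are identical, so sources working through the same account list stand apart from unrelated failures. The function names are hypothetical, and `SAMPLE` is an excerpt of the quoted lines rather than a full log.

```python
import re
from collections import defaultdict

# Line shape of the quoted report: "user/method from IP: N Time(s)",
# optionally prefixed with the ">" quote marker.
LINE = re.compile(r"^\s*(?:>\s*)?(\S+)/(password|publickey) from "
                  r"(\d{1,3}(?:\.\d{1,3}){3}): (\d+) Time\(s\)\s*$")

# Excerpt of the report quoted in the message above.
SAMPLE = """\
>   adm/password from 213.136.124.8: 4 Time(s)
>   adm/password from 218.237.65.10: 4 Time(s)
>   adm/password from 66.93.56.95: 4 Time(s)
>   glen/password from 66.15.2.200: 4 Time(s)
>   glennt/password from 66.15.2.200: 2 Time(s)
>   johnz/password from 66.15.2.200: 10 Time(s)
>   johnz/publickey from 66.15.2.200: 4 Time(s)
>   root/password from 213.136.124.8: 118 Time(s)
>   root/password from 218.237.65.10: 118 Time(s)
>   root/password from 66.93.56.95: 118 Time(s)
>   test/password from 213.136.124.8: 10 Time(s)
>   test/password from 218.237.65.10: 10 Time(s)
>   test/password from 66.93.56.95: 10 Time(s)
"""

def profiles(report):
    """Map each source IP to {(user, method): failed attempts}."""
    by_ip = defaultdict(dict)
    for line in report.splitlines():
        m = LINE.match(line)
        if m:  # headers, blank lines and malformed lines are skipped
            user, method, ip, count = m.groups()
            key = (user, method)
            by_ip[ip][key] = by_ip[ip].get(key, 0) + int(count)
    return dict(by_ip)

def shared_profiles(report, min_sources=2):
    """Return groups of sources whose user/method/count profiles are identical."""
    groups = defaultdict(list)
    for ip, prof in profiles(report).items():
        groups[frozenset(prof.items())].append(ip)
    return [sorted(ips) for ips in groups.values() if len(ips) >= min_sources]

def totals(report):
    """Total failed attempts per source IP."""
    return {ip: sum(p.values()) for ip, p in profiles(report).items()}
```
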


