[Dshield] SSH bruteforce with logname "lp"

Bernardo Maia Rodrigues bmr at csirt.pop-mg.rnp.br
Tue Jul 1 11:47:32 GMT 2008


Hi all,

I'm getting the same thing here. There are loads of SSH bruteforce
attempts using "lp" and "access" as their attempted login.

Jun 30 09:41:23 * sshd[92676]: error: PAM: authentication error for
illegal user lp from 64.129.22.104
Jun 30 09:41:23 * sshd[92676]: Failed keyboard-interactive/pam for
invalid user lp from 64.129.22.104 port 50993 ssh2
Jun 30 09:41:29 * sshd[92683]: error: PAM: authentication error for
illegal user lp from 64.129.22.104
Jun 30 09:41:29 * sshd[92683]: Failed keyboard-interactive/pam for
invalid user lp from 64.129.22.104 port 52591 ssh2
Jun 30 09:41:31 * sshd[92688]: error: PAM: authentication error for
illegal user lp from 64.129.22.104
Jun 30 09:41:31 * sshd[92688]: Failed keyboard-interactive/pam for
invalid user lp from 64.129.22.104 port 53109 ssh2
Jun 30 09:41:33 * sshd[92691]: error: PAM: authentication error for
illegal user lp from 64.129.22.104
Jun 30 09:41:33 * sshd[92691]: Failed keyboard-interactive/pam for
invalid user lp from 64.129.22.104 port 53632 ssh2
Jun 30 09:41:34 * sshd[92696]: error: PAM: authentication error for
illegal user lp from 64.129.22.104
Jun 30 09:41:34 * sshd[92696]: Failed keyboard-interactive/pam for
invalid user lp from 64.129.22.104 port 54142 ssh2
Jun 30 09:41:36 * sshd[92701]: error: PAM: authentication error for
illegal user access from 64.129.22.104
Jun 30 09:41:36 * sshd[92701]: Failed keyboard-interactive/pam for
invalid user access from 64.129.22.104 port 54664 ssh2
Jun 30 09:41:38 * sshd[92704]: error: PAM: authentication error for
illegal user access from 64.129.22.104
Jun 30 09:41:38 * sshd[92704]: Failed keyboard-interactive/pam for
invalid user access from 64.129.22.104 port 55176 ssh2
Jun 30 09:41:40 * sshd[92709]: error: PAM: authentication error for
illegal user access from 64.129.22.104
Jun 30 09:41:40 * sshd[92709]: Failed keyboard-interactive/pam for
invalid user access from 64.129.22.104 port 55686 ssh2
Jun 30 09:43:24 * sshd[92803]: error: PAM: authentication error for
illegal user lp from 201.37.67.184
Jun 30 09:43:24 * sshd[92803]: Failed keyboard-interactive/pam for
invalid user lp from 201.37.67.184 port 33629 ssh2
Jun 30 09:43:30 * sshd[92808]: error: PAM: authentication error for
illegal user lp from 201.37.67.184
Jun 30 09:43:30 * sshd[92808]: Failed keyboard-interactive/pam for
invalid user lp from 201.37.67.184 port 34342 ssh2
Jun 30 09:43:37 * sshd[92815]: error: PAM: authentication error for
illegal user lp from 201.37.67.184
Jun 30 09:43:37 * sshd[92815]: Failed keyboard-interactive/pam for
invalid user lp from 201.37.67.184 port 35190 ssh2
Jun 30 09:43:41 * sshd[92822]: error: PAM: authentication error for
illegal user access from 201.37.67.184
Jun 30 09:43:41 * sshd[92822]: Failed keyboard-interactive/pam for
invalid user access from 201.37.67.184 port 36152 ssh2
Jun 30 09:43:45 * sshd[92829]: error: PAM: authentication error for
illegal user access from 201.37.67.184
Jun 30 09:43:45 * sshd[92829]: Failed keyboard-interactive/pam for
invalid user access from 201.37.67.184 port 36693 ssh2
Jun 30 09:43:50 * sshd[92834]: error: PAM: authentication error for
illegal user access from 201.37.67.184
Jun 30 09:43:50 * sshd[92834]: Failed keyboard-interactive/pam for
invalid user access from 201.37.67.184 port 37387 ssh2
Jun 30 09:43:56 * sshd[92841]: error: PAM: authentication error for
illegal user access from 201.37.67.184
Jun 30 09:43:56 * sshd[92841]: Failed keyboard-interactive/pam for
invalid user access from 201.37.67.184 port 38226 ssh2
Jun 30 09:44:04 * sshd[92850]: error: PAM: authentication error for
illegal user access from 201.37.67.184
Jun 30 09:44:04 * sshd[92850]: Failed keyboard-interactive/pam for
invalid user access from 201.37.67.184 port 39488 ssh2
Jun 30 10:23:43 * sshd[95156]: error: PAM: authentication error for
illegal user lp from 75.38.40.51
Jun 30 10:23:43 * sshd[95156]: Failed keyboard-interactive/pam for
invalid user lp from 75.38.40.51 port 22215 ssh2
Jun 30 10:23:52 * sshd[95163]: error: PAM: authentication error for
illegal user lp from 75.38.40.51
Jun 30 10:23:52 * sshd[95163]: Failed keyboard-interactive/pam for
invalid user lp from 75.38.40.51 port 22778 ssh2
Jun 30 10:24:01 * sshd[95176]: error: PAM: authentication error for
illegal user lp from 75.38.40.51
Jun 30 10:24:01 * sshd[95176]: Failed keyboard-interactive/pam for
invalid user lp from 75.38.40.51 port 23597 ssh2
Jun 30 10:24:05 * sshd[95183]: error: PAM: authentication error for
illegal user lp from 75.38.40.51
Jun 30 10:24:05 * sshd[95183]: Failed keyboard-interactive/pam for
invalid user lp from 75.38.40.51 port 24029 ssh2
Jun 30 10:29:19 * sshd[95466]: error: PAM: authentication error for
illegal user lp from 81.223.220.141
Jun 30 10:29:19 * sshd[95466]: Failed keyboard-interactive/pam for
invalid user lp from 81.223.220.141 port 47004 ssh2
Jun 30 10:29:26 * sshd[95475]: error: PAM: authentication error for
illegal user lp from 81.223.220.141
Jun 30 10:29:26 * sshd[95475]: Failed keyboard-interactive/pam for
invalid user lp from 81.223.220.141 port 47611 ssh2
Jun 30 10:29:31 * sshd[95482]: error: PAM: authentication error for
illegal user lp from 81.223.220.141
Jun 30 10:29:31 * sshd[95482]: Failed keyboard-interactive/pam for
invalid user lp from 81.223.220.141 port 48050 ssh2
Jun 30 10:29:36 * sshd[95489]: error: PAM: authentication error for
illegal user lp from 81.223.220.141
Jun 30 10:29:36 * sshd[95489]: Failed keyboard-interactive/pam for
invalid user lp from 81.223.220.141 port 48372 ssh2
Jun 30 10:29:40 * sshd[95496]: error: PAM: authentication error for
illegal user lp from 81.223.220.141
Jun 30 10:29:40 * sshd[95496]: Failed keyboard-interactive/pam for
invalid user lp from 81.223.220.141 port 48680 ssh2
Jun 30 14:40:17 * sshd[9838]: error: PAM: authentication error for
illegal user lp from 208.124.205.234
Jun 30 14:40:17 * sshd[9838]: Failed keyboard-interactive/pam for
invalid user lp from 208.124.205.234 port 58376 ssh2
Jun 30 14:40:21 * sshd[9859]: error: PAM: authentication error for
illegal user lp from 208.124.205.234
Jun 30 14:40:21 * sshd[9859]: Failed keyboard-interactive/pam for
invalid user lp from 208.124.205.234 port 58602 ssh2
Jun 30 14:40:25 * sshd[9864]: error: PAM: authentication error for
illegal user lp from 208.124.205.234
Jun 30 14:40:25 * sshd[9864]: Failed keyboard-interactive/pam for
invalid user lp from 208.124.205.234 port 58845 ssh2
Jun 30 14:40:28 * sshd[9871]: error: PAM: authentication error for
illegal user lp from 208.124.205.234
Jun 30 14:40:28 * sshd[9871]: Failed keyboard-interactive/pam for
invalid user lp from 208.124.205.234 port 59165 ssh2
Jun 30 14:40:31 * sshd[9876]: error: PAM: authentication error for
illegal user lp from 208.124.205.234
Jun 30 14:40:31 * sshd[9876]: Failed keyboard-interactive/pam for
invalid user lp from 208.124.205.234 port 59383 ssh2

--
Bernardo Maia Rodrigues
bmr at csirt.pop-mg.rnp.br

Tomas L. Byrnes wrote:
> You can check to see if the sources are attacking lots of others, by
> putting the IP into the "Check your logs" function on ThreatSTOP.
> 
> We check it against all the feeds we have (which include an SSH brute
> force cracker honeynet), and return whether we've seen it or not.
> 
> The admins can tell you which feed when, and we're working on a version
> of that for our users.
> 
>  
> 
>> -----Original Message-----
>> From: list-bounces at lists.dshield.org 
>> [mailto:list-bounces at lists.dshield.org] On Behalf Of Shaun
>> Sent: Monday, June 30, 2008 7:32 AM
>> To: list at lists.dshield.org
>> Subject: [Dshield] SSH bruteforce with logname "lp"
>>
>> Hi all,
>>
>> I'm seeing a large surge in SSH attempts this morning. Large, 
>> as in, more than 10% of the hosts I've blocked for 
>> bruteforcing all year are from today.
>>
>> They're coming from a variety of different sources (mostly 
>> APNIC, no surprise), but all are using "lp" as their 
>> attempted login. Haven't seen this particular pattern before. 
>> Curious whether anyone else is getting the same thing, or if 
>> this is some sort of targeted attack.
>>
>> -s
>> _________________________________________
>> SANSFIRE !! The Internet Storm Center Conference 
>> http://www.sans.org/sansfire08/
>>
> 
> 
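The pattern discussed in this thread, one rejected username tried from many unrelated sources, can be picked out of sshd logs shaped like the excerpt above. This is an added example, not part of the original messages: the sample log is constructed (documentation addresses), and the function names and the three-source threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the excerpt in the post, including
# the mail-client line wrap. Addresses are from documentation ranges.
SAMPLE = """\
Jun 30 09:41:23 * sshd[92676]: error: PAM: authentication error for
illegal user lp from 192.0.2.10
Jun 30 09:41:23 * sshd[92676]: Failed keyboard-interactive/pam for
invalid user lp from 192.0.2.10 port 50993 ssh2
Jun 30 09:41:29 * sshd[92683]: Failed keyboard-interactive/pam for
invalid user lp from 192.0.2.10 port 52591 ssh2
Jun 30 09:41:36 * sshd[92701]: Failed keyboard-interactive/pam for
invalid user access from 192.0.2.10 port 54664 ssh2
Jun 30 09:43:24 * sshd[92803]: Failed keyboard-interactive/pam for
invalid user lp from 198.51.100.7 port 33629 ssh2
Jun 30 10:23:43 * sshd[95156]: Failed keyboard-interactive/pam for
invalid user lp from 203.0.113.45 port 22215 ssh2
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# Each attempt is logged twice (PAM error + Failed); match only the
# "Failed" record so an attempt is counted once.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid|illegal) user (\S+) from (\S+) port \d+")

def unwrap(text):
    """Rejoin wrapped records: a line with no syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Return {username: (attempts, sorted distinct sources)} for rejected logins."""
    attempts, sources = defaultdict(int), defaultdict(set)
    for rec in unwrap(text):
        m = FAILED.search(rec)
        if m:
            user, src = m.groups()
            attempts[user] += 1
            sources[user].add(src)
    return {u: (attempts[u], sorted(sources[u])) for u in attempts}

def distributed(text, min_sources=3):
    """Usernames tried from at least min_sources distinct addresses (threshold is an assumption)."""
    return {u: v for u, v in summarize(text).items() if len(v[1]) >= min_sources}

if __name__ == "__main__":
    print(distributed(SAMPLE))
```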

