[Dshield] Interesting SSH attempt

David Brodbeck brodbd at u.washington.edu
Tue Jan 27 18:24:16 GMT 2009


I'm used to seeing SSH brute force attempts, by now, but recently I  
got one with some "interesting" usernames in it:

Jan 23 13:54:14 192.168.100.50 sshd[14092]: Invalid user %c]# from  
219.76.75.6
Jan 23 13:54:14 192.168.100.50 sshd[14093]: input_userauth_request:  
invalid user %c]#
Jan 23 13:54:14 192.168.100.50 sshd[14092]: pam_unix(sshd:auth): bad  
username [%c]#]
Jan 23 13:54:14 192.168.100.50 sshd[14092]: pam_succeed_if(sshd:auth):  
error retrieving information about user %c]#
Jan 23 13:54:15 192.168.100.50 sshd[14094]: Invalid user  
\267\215\0348\330\307&\370\371w\0313\260\273"\230 from 219.76.75.6
Jan 23 13:54:15 192.168.100.50 sshd[14095]: input_userauth_request:  
invalid user \267\215\0348\330\307&\370\371w\0313\260\273"\230
Jan 23 13:54:15 192.168.100.50 sshd[14094]: pam_unix(sshd:auth): bad  
username [·
8ØÇ&øùw3°»"˜]
Jan 23 13:54:15 192.168.100.50 sshd[14094]: pam_succeed_if(sshd:auth):  
error retrieving information about user ·
8ØÇ&øùw3°»"˜
Jan 23 13:54:17 192.168.100.50 sshd[14096]: Invalid user 39VAv4MjJ3ecw  
from 219.76.75.6
Jan 23 13:54:17 192.168.100.50 sshd[14097]: input_userauth_request:  
invalid user 39VAv4MjJ3ecw
Jan 23 13:54:17 192.168.100.50 sshd[14096]: pam_unix(sshd:auth): check  
pass; user unknown
Jan 23 13:54:17 192.168.100.50 sshd[14096]: pam_succeed_if(sshd:auth):  
error retrieving information about user 39VAv4MjJ3ecw
Jan 23 13:54:20 192.168.100.50 sshd[14098]: Invalid user fadhjsfh from  
219.76.75.6
Jan 23 13:54:20 192.168.100.50 sshd[14099]: input_userauth_request:  
invalid user fadhjsfh
Jan 23 13:54:20 192.168.100.50 sshd[14098]: pam_unix(sshd:auth): check  
pass; user unknown
Jan 23 13:54:20 192.168.100.50 sshd[14098]: pam_succeed_if(sshd:auth):  
error retrieving information about user fadhjsfh
Jan 23 13:54:24 192.168.100.50 sshd[14100]: Invalid user [%n@%m from  
219.76.75.6
Jan 23 13:54:24 192.168.100.50 sshd[14103]: input_userauth_request:  
invalid user [%n@%m
Jan 23 13:54:24 192.168.100.50 sshd[14100]: pam_unix(sshd:auth): bad  
username [[%n@%m]
Jan 23 13:54:24 192.168.100.50 sshd[14100]: pam_succeed_if(sshd:auth):  
error retrieving information about user [%n@%m

I'm wondering if these are attempts to exploit a bug in a particular  
SSH lockout program.  They don't look like any SSH server bugs I  
remember hearing about.
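
A way to triage entries like the ones above, as an added example that is not part of the original message: it separates ordinary dictionary guesses from usernames carrying printf-style conversion specifiers or non-printable bytes (which sshd logs as octal escapes). The function names, the character classes and the sample log (the post's "Invalid user" lines with mail line wraps rejoined) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the "Invalid user" lines from the post, wraps rejoined.
SAMPLE_LOG = r'''
Jan 23 13:54:14 192.168.100.50 sshd[14092]: Invalid user %c]# from 219.76.75.6
Jan 23 13:54:15 192.168.100.50 sshd[14094]: Invalid user \267\215\0348\330\307&\370\371w\0313\260\273"\230 from 219.76.75.6
Jan 23 13:54:17 192.168.100.50 sshd[14096]: Invalid user 39VAv4MjJ3ecw from 219.76.75.6
Jan 23 13:54:20 192.168.100.50 sshd[14098]: Invalid user fadhjsfh from 219.76.75.6
Jan 23 13:54:24 192.168.100.50 sshd[14100]: Invalid user [%n@%m from 219.76.75.6
'''

# The username is attacker-controlled, so match it greedily and anchor the
# address at end of line: a name containing " from 1.2.3.4" cannot spoof it.
INVALID_USER = re.compile(
    r'sshd\[\d+\]: Invalid user (?P<user>.*) from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?\s*$')
FORMAT_SPEC = re.compile(r'%[-+ #0]*\d*(?:\.\d+)?[A-Za-z]')  # %c, %n, %m, %08x
OCTAL_ESCAPE = re.compile(r'\\[0-3][0-7]{2}')                # \267, \034
PLAIN_NAME = re.compile(r'^[A-Za-z0-9_.-]+$')                # typical guesses

def classify(user):
    """Return the reasons a logged username is not an ordinary guess."""
    reasons = []
    if FORMAT_SPEC.search(user):
        reasons.append("format-specifier")
    if OCTAL_ESCAPE.search(user):
        reasons.append("non-printable-bytes")
    if not reasons and not PLAIN_NAME.match(user):
        reasons.append("unusual-characters")
    return reasons

def scan(log_text):
    """Map source IP -> [(username, reasons)] for the flagged attempts."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if not m:
            continue
        reasons = classify(m.group("user"))
        if reasons:
            findings[m.group("ip")].append((m.group("user"), reasons))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        for user, reasons in hits:
            print(ip, repr(user), ",".join(reasons))
```

Any tool that consumes these log lines should treat the username field as untrusted data in the same way: never pass it as a format string, and never locate the address with a non-anchored match.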





