[Dshield] Interesting SSH attempt

Brenden Walker BKWalker at drbsystems.com
Wed Jan 28 18:56:30 GMT 2009


> -----Original Message-----
> From: list-bounces at lists.sans.org [mailto:list-bounces at lists.sans.org]
> On Behalf Of David Brodbeck
> Sent: Tuesday, January 27, 2009 1:24 PM
> To: list at lists.sans.org
> Subject: [Dshield] Interesting SSH attempt
>
> I'm used to seeing SSH brute force attempts, by now, but recently I
> got one with some "interesting" usernames in it:
>
> Jan 23 13:54:14 192.168.100.50 sshd[14092]: Invalid user %c]# from
> 219.76.75.6
> Jan 23 13:54:14 192.168.100.50 sshd[14093]: input_userauth_request:
> invalid user %c]#
> Jan 23 13:54:14 192.168.100.50 sshd[14092]: pam_unix(sshd:auth): bad
<snip>
> Jan 23 13:54:24 192.168.100.50 sshd[14100]: pam_succeed_if(sshd:auth):
> error retrieving information about user [%n@%m

Looks to me like a poorly written script some kiddy is using.  Stuff like %n@%m seems like parameters that should have been replaced had the luser been using the tool correctly ;-)

I've noticed a large increase in the number of spam emails coming in with subjects like %s and similar to/from  names, etc.



More information about the Dshield mailing list