AW: [suse-security] ssh-Attack?
Use public-key only, and the sick feeling is gone ;-D
There's also another thread in this list with the same topic, "SSH password attacks".
enJoY dA SuN haVe fUn
-----Original Message-----
From: joao marka [mailto:joao@kildare.com.br]
Sent: Thursday, 2 December 2004 13:09
To: Kai Pfeiffer; suse-security@suse.com
Subject: Re: [suse-security] ssh-Attack?
howdy!
I've seen the same ssh tries in one server's log, in which I've got better luck than others... it seems to be a password list used by scriptkiddies... it is probably available for download... even the timing matches the logs I've seen!
take it back! give him some fun.
Hello list,
in my logs I found the appended entries. My question is, what is the intention of this guy. I don't understand, why he uses a few loginnames many times and others only one time. There is no account on my box which matches to one of the tested loginnames.
Another thing. I get this userlist (exactly the same names in the same order) from many different IPs.
Any hints?
regards
Kai Pfeiffer
Dec 1 11:02:54 mybox sshd[14251]: Illegal user patrick from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:55 mybox sshd[14253]: Illegal user patrick from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:55 mybox sshd[14265]: Illegal user rolo from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:56 mybox sshd[14267]: Illegal user iceuser from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:56 mybox sshd[14269]: Illegal user horde from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:56 mybox sshd[14271]: Illegal user cyrus from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:56 mybox sshd[14273]: Illegal user www from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:56 mybox sshd[14277]: Illegal user matt from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14279]: Illegal user test from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14281]: Illegal user test from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14283]: Illegal user test from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14285]: Illegal user test from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14287]: Illegal user www-data from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14291]: Illegal user operator from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14293]: Illegal user adm from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:58 mybox sshd[14295]: Illegal user apache from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:58 mybox sshd[14297]: Illegal user irc from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:58 mybox sshd[14299]: Illegal user irc from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:58 mybox sshd[14301]: Illegal user adm from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:58 mybox sshd[14309]: Illegal user jane from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:58 mybox sshd[14311]: Illegal user pamela from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:59 mybox sshd[14323]: Illegal user cosmin from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:04 mybox sshd[14397]: Illegal user cip52 from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:04 mybox sshd[14399]: Illegal user cip51 from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:05 mybox sshd[14403]: Illegal user noc from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:05 mybox sshd[14413]: Illegal user webmaster from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:05 mybox sshd[14415]: Illegal user data from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14417]: Illegal user user from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14419]: Illegal user user from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14421]: Illegal user user from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14423]: Illegal user web from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14425]: Illegal user web from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14427]: Illegal user oracle from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14429]: Illegal user sybase from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14431]: Illegal user master from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:07 mybox sshd[14433]: Illegal user account from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:07 mybox sshd[14435]: Illegal user backup from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:07 mybox sshd[14437]: Illegal user server from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:07 mybox sshd[14439]: Illegal user adam from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:07 mybox sshd[14441]: Illegal user alan from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:07 mybox sshd[14443]: Illegal user frank from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:08 mybox sshd[14445]: Illegal user george from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:08 mybox sshd[14447]: Illegal user henry from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:08 mybox sshd[14449]: Illegal user john from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:09 mybox sshd[14461]: Illegal user test from ::ffff:xxx.xxx.xxx.xxx
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
On Thu, 2 Dec 2004, Gottschalch Christian wrote:

Hi,

Using public-key method is good for sure, but notice the logs could also be generated by an attack to see which users are valid. Due to timing differences for valid/invalid/special logins remote attackers can fingerprint a system via usernames (for example 'fax' might only be valid on certain distributions).

Sebastian
-- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@suse.de - SuSE Security Team ~
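Added example, not part of any message in this thread: a Python sketch of the check Kai's observation suggests, grouping "Illegal user" entries by source address and flagging sources that replay the identical username sequence. The sample log is constructed, the addresses come from documentation ranges, and the function names are illustrative; the pattern also accepts the "Invalid user" wording that later OpenSSH releases log.

```python
import re
from collections import Counter, defaultdict

# Message format from the thread; later OpenSSH releases log "Invalid user".
LINE_RE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (?:::ffff:)?(\S+)")

def parse(lines):
    """Return {source address: [usernames in the order they were tried]}."""
    per_source = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            per_source[m.group(2)].append(m.group(1))
    return dict(per_source)

def shared_wordlists(per_source, min_len=5):
    """Map each username sequence replayed by more than one source to those sources."""
    groups = defaultdict(list)
    for src, names in per_source.items():
        if len(names) >= min_len:  # ignore short runs that match by chance
            groups[tuple(names)].append(src)
    return {seq: sorted(srcs) for seq, srcs in groups.items() if len(srcs) > 1}

def repeated_names(names):
    """Usernames a single source tried more than once, with attempt counts."""
    return {n: c for n, c in Counter(names).items() if c > 1}

# Constructed sample (not the poster's log); addresses are documentation ranges.
NAMES = ["patrick", "patrick", "rolo", "test", "test", "test", "www-data"]
SAMPLE = [
    f"Dec  1 11:02:{50 + i:02d} mybox sshd[{14251 + 2 * i}]: "
    f"Illegal user {n} from ::ffff:{ip}"
    for ip in ("192.0.2.10", "198.51.100.7")
    for i, n in enumerate(NAMES)
] + ["Dec  1 12:00:00 mybox sshd[15000]: Illegal user guest from ::ffff:203.0.113.5"]

if __name__ == "__main__":
    sources = parse(SAMPLE)
    for seq, srcs in shared_wordlists(sources).items():
        print(f"{len(srcs)} sources replayed the same {len(seq)}-name list: {srcs}")
        print("  repeated names:", repeated_names(seq))
```

Matching on the ordered sequence rather than on the source address is what ties separate hosts to one shared list, which per-address rate limiting alone does not show.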