Hello list,
in my logs I found the appended entries. My question is: what is the intention of this guy? I don't understand why he uses a few login names many times and others only once. There is no account on my box which matches one of the tested login names.
Another thing: I get this user list (exactly the same names in the same order) from many different IPs.
Any hints?
regards
Kai Pfeiffer

Dec 1 11:02:54 mybox sshd[14251]: Illegal user patrick from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:55 mybox sshd[14253]: Illegal user patrick from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:55 mybox sshd[14265]: Illegal user rolo from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:56 mybox sshd[14267]: Illegal user iceuser from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:56 mybox sshd[14269]: Illegal user horde from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:56 mybox sshd[14271]: Illegal user cyrus from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:56 mybox sshd[14273]: Illegal user www from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:56 mybox sshd[14277]: Illegal user matt from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14279]: Illegal user test from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14281]: Illegal user test from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14283]: Illegal user test from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14285]: Illegal user test from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14287]: Illegal user www-data from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14291]: Illegal user operator from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:57 mybox sshd[14293]: Illegal user adm from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:58 mybox sshd[14295]: Illegal user apache from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:58 mybox sshd[14297]: Illegal user irc from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:58 mybox sshd[14299]: Illegal user irc from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:58 mybox sshd[14301]: Illegal user adm from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:58 mybox sshd[14309]: Illegal user jane from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:58 mybox sshd[14311]: Illegal user pamela from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:02:59 mybox sshd[14323]: Illegal user cosmin from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:04 mybox sshd[14397]: Illegal user cip52 from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:04 mybox sshd[14399]: Illegal user cip51 from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:05 mybox sshd[14403]: Illegal user noc from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:05 mybox sshd[14413]: Illegal user webmaster from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:05 mybox sshd[14415]: Illegal user data from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14417]: Illegal user user from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14419]: Illegal user user from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14421]: Illegal user user from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14423]: Illegal user web from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14425]: Illegal user web from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14427]: Illegal user oracle from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14429]: Illegal user sybase from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:06 mybox sshd[14431]: Illegal user master from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:07 mybox sshd[14433]: Illegal user account from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:07 mybox sshd[14435]: Illegal user backup from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:07 mybox sshd[14437]: Illegal user server from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:07 mybox sshd[14439]: Illegal user adam from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:07 mybox sshd[14441]: Illegal user alan from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:07 mybox sshd[14443]: Illegal user frank from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:08 mybox sshd[14445]: Illegal user george from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:08 mybox sshd[14447]: Illegal user henry from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:08 mybox sshd[14449]: Illegal user john from ::ffff:xxx.xxx.xxx.xxx
Dec 1 11:03:09 mybox sshd[14461]: Illegal user test from ::ffff:xxx.xxx.xxx.xxx
I have the same problems these days.. well, months!!
Kai Pfeiffer
howdy! I've seen the same ssh tries in one server's log, in which I've got better luck than others... it seems to be a password list used by scriptkiddies... it is probably available for download... even the timing matches the logs I've seen! take it back! give him some fun.
On Thursday 02 December 2004 12:10, Kai Pfeiffer wrote:
Hello list,
in my logs I found the appended entries. My question is: what is the intention of this guy? I don't understand why he uses a few login names many times and others only once. There is no account on my box which matches one of the tested login names.
Another thing: I get this user list (exactly the same names in the same order) from many different IPs.
You're certainly not alone... http://www.google.com/search?q=patrick+rolo+cyrus+pamela

What are they trying to achieve? http://lists.virus.org/dshield-0410/msg00135.html

Heh. Might be fun to find out one of the passwords being used and make a wee little honeypot for them to play with. Then once they've gained illegal entry, downloaded your (fake) passwd file and installed all sorts of dodgy services you can give them a bad time.

Yes, I know the US Fed people won't chase anyone unless a certain amount of damage has been done, but if you're in the same state? Maybe other countries play by different rules? At any rate, if they can be tracked you can always inform their parents / ISP / employer / college if you think they're likely to care (hint: don't bother if from Asia/E.Europe)

As an aside, do you need to allow global access to port 22?

Tom.
Am Donnerstag, 2. Dezember 2004 13:10 schrieb Kai Pfeiffer:
Hello list,
in my logs I found the appended entries. My question is: what is the intention of this guy? I don't understand why he uses a few login names many times and others only once. There is no account on my box which matches one of the tested login names.
Another thing: I get this user list (exactly the same names in the same order) from many different IPs.
Any hints?
regards
Kai Pfeiffer
[snip]
Hi Kai,

these entries look like a dictionary attack, optimized for English systems. The ssh daemon has a different delay for password failure and unknown users. Testing these accounts, the cracker tries to find a vulnerable account. So there are typical system accounts in the list (like root, oracle, admin ...) and forenames, which are often used as account names.

Never mind those attempts, but watch them.

Regards
Malte
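As an added example (not posted by anyone in this thread), a small Python script that parses sshd lines in the format Kai posted, counts illegal-user attempts per source address, flags bursts, and fingerprints the order of the tried names so the same wordlist arriving from several IPs can be recognised automatically. The log lines, addresses and PIDs below are constructed.

```python
import hashlib
import re
from collections import Counter, defaultdict
from datetime import datetime

# Older OpenSSH logs "Illegal user", newer releases log "Invalid user"; accept both.
# "::ffff:a.b.c.d" is an IPv4-mapped IPv6 address, as in the thread's log lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?:::ffff:)?(?P<ip>\S+)$"
)

def parse(lines, year=2004):
    """Yield (timestamp, user, ip) for each illegal-user line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def summarize(lines, window_seconds=60, threshold=10):
    """Per source IP: attempt count, time span, burst flag, repeated names and a
    fingerprint of the username order (same wordlist from different IPs => same hash)."""
    per_ip = defaultdict(list)
    for ts, user, ip in parse(lines):
        per_ip[ip].append((ts, user))
    report = {}
    for ip, items in per_ip.items():
        items.sort(key=lambda e: e[0])  # stable: keeps log order within a second
        users = [u for _, u in items]
        span = (items[-1][0] - items[0][0]).total_seconds()
        report[ip] = {
            "attempts": len(items),
            "span_seconds": span,
            "burst": len(items) >= threshold and span <= window_seconds,
            "repeated": [u for u, n in Counter(users).most_common() if n > 1],
            "fingerprint": hashlib.sha256(",".join(users).encode()).hexdigest()[:12],
        }
    return report

# Constructed sample: the same short name sequence from two documentation-range IPs,
# one stray attempt from a third address, and one unrelated sshd line to be ignored.
_SEQ = ["patrick", "patrick", "rolo", "iceuser", "horde", "cyrus", "www", "matt", "test", "test"]
SAMPLE = [
    f"Dec  1 11:02:{54 + i // 2} mybox sshd[{14251 + 2 * i}]: Illegal user {u} from ::ffff:{ip}"
    for ip in ("192.0.2.10", "198.51.100.7") for i, u in enumerate(_SEQ)
] + [
    "Dec  1 11:03:09 mybox sshd[14461]: Illegal user test from ::ffff:203.0.113.5",
    "Dec  1 11:03:10 mybox sshd[14470]: Accepted publickey for kai from 10.0.0.2 port 4022 ssh2",
]
```

Run `summarize(open("/var/log/messages"))` against a real log and compare the fingerprints across sources; matching hashes mean the same list in the same order, which is exactly the pattern Kai noticed.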
participants (5)
- david@atd.es
- joao marka
- Kai Pfeiffer
- Malte Buck
- Thomas Knight