On Thursday, 2 December 2004 13:10, Kai Pfeiffer wrote:
Hello list,
in my logs I found the appended entries. My question is: what is the intention of this guy? I don't understand why he uses a few login names many times and others only one time. There is no account on my box which matches any of the tested login names.
Another thing. I get this userlist (exactly the same names in the same order) from many different IPs.
Any hints?
regards
Kai Pfeiffer
[snip]
Hi Kai,
these entries look like a dictionary attack, optimized for English systems. The ssh-daemon has a different delay for password failure and unknown users. Testing these accounts, the cracker tries to find a vulnerable account. So there are typical system accounts in the list (like root, oracle, admin ...) and forenames, which are often used as account-names. Never mind those attempts, but watch them.
Regards
Malte
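
Added example, not part of the original thread: a small Python check for the pattern Kai describes, the same login names in the same order arriving from many different IPs, plus a count of which names are retried. The log lines are constructed samples in OpenSSH's format (the original log was snipped), and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH's log format (the poster's log was snipped).
SAMPLE_LOG = """\
Dec  2 12:01:10 box sshd[4101]: Failed password for invalid user test from 192.0.2.10 port 40112 ssh2
Dec  2 12:01:13 box sshd[4103]: Failed password for invalid user guest from 192.0.2.10 port 40120 ssh2
Dec  2 12:01:16 box sshd[4105]: Failed password for invalid user admin from 192.0.2.10 port 40131 ssh2
Dec  2 12:01:19 box sshd[4107]: Failed password for root from 192.0.2.10 port 40140 ssh2
Dec  2 12:01:22 box sshd[4109]: Failed password for root from 192.0.2.10 port 40152 ssh2
Dec  2 12:01:25 box sshd[4111]: Failed password for root from 192.0.2.10 port 40163 ssh2
Dec  2 14:30:02 box sshd[4388]: Failed password for invalid user test from 198.51.100.7 port 51800 ssh2
Dec  2 14:30:05 box sshd[4390]: Failed password for invalid user guest from 198.51.100.7 port 51811 ssh2
Dec  2 14:30:08 box sshd[4392]: Failed password for invalid user admin from 198.51.100.7 port 51823 ssh2
Dec  2 14:30:11 box sshd[4394]: Failed password for root from 198.51.100.7 port 51834 ssh2
Dec  2 14:30:14 box sshd[4396]: Failed password for root from 198.51.100.7 port 51845 ssh2
Dec  2 16:45:40 box sshd[4620]: Failed password for root from 203.0.113.5 port 33010 ssh2
Dec  2 16:45:43 box sshd[4622]: Failed password for invalid user oracle from 203.0.113.5 port 33021 ssh2
"""

# Newer OpenSSH logs "invalid user"; older releases logged "illegal user".
FAILED = re.compile(r"Failed password for (?:invalid user |illegal user )?(\S+) from (\S+) port \d+")

def attempts_by_ip(log_text):
    """Map each source IP to the ordered list of login names it tried."""
    tried = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            tried[ip].append(user)
    return dict(tried)

def shared_wordlists(tried, min_ips=2):
    """Group IPs whose attempts walk the same names in the same order."""
    groups = defaultdict(list)
    for ip, users in tried.items():
        order = tuple(dict.fromkeys(users))  # first-seen order, repeats collapsed
        groups[order].append(ip)
    return {order: sorted(ips) for order, ips in groups.items() if len(ips) >= min_ips}

def repeat_counts(tried):
    """Count how often each login name was tried across all sources."""
    return Counter(user for users in tried.values() for user in users)
```

Sources that end up in the same group are working from one wordlist, so they can be tracked or blocked as a single campaign rather than as unrelated hosts.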