[Wylug-help] Automated SSH login attempts

Gavin Harris gavin at phiji.com
Wed Aug 18 10:47:27 BST 2004


Hi All,

Recently I've seen an increasing number of apparently automated attempts
to login to a couple of my servers from lots of different client IPs.
They look like this:

Aug 16 16:06:42 [sshd] Illegal user test from ::ffff:210.223.178.180
Aug 16 16:06:43 [sshd] error: Could not get shadow information for NOUSER
Aug 16 16:06:43 [sshd] Failed password for illegal user test from
::ffff:210.223.178.180 port 50028 ssh2
Aug 16 16:06:46 [sshd] User guest not allowed because shell /dev/null is
not executable
Aug 16 16:06:46 [sshd] error: Could not get shadow information for NOUSER
Aug 16 16:06:46 [sshd] Failed password for illegal user guest from
::ffff:210.223.178.180 port 50189 ssh2
Aug 16 16:06:49 [sshd] Illegal user admin from ::ffff:210.223.178.180
Aug 16 16:06:49 [sshd] error: Could not get shadow information for NOUSER
Aug 16 16:06:49 [sshd] Failed password for illegal user admin from
::ffff:210.223.178.180 port 50369 ssh2
Aug 16 16:06:52 [sshd] Illegal user admin from ::ffff:210.223.178.180
Aug 16 16:06:52 [sshd] error: Could not get shadow information for NOUSER

The usernames that are tried are always the same, i.e. admin, test, guest
and sometimes root for good measure. What I find curious is that each
one is only tried three times from any one source IP. That doesn't seem
an awful lot if it's just some dumb kit trying to bruteforce it. I've
had a look around FD, and there are a couple of people there seeing the
same thing but no real insight into what's going on. The machines running
the probes all seem to be compromised, with some kind of IRC server
running on port 7007 that looks a little dodgy.

Has anyone seen anything similar? Any idea what it is?

Cheers,

--
Gavin
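A small log-triage script for the pattern described in the post, added here as an example and not part of the original message: it parses sshd "Failed password" lines in the quoted format, strips the ::ffff: IPv4-mapped prefix, and labels each source IP as a low-count scanner (only the recurring names, three or fewer tries each), a brute-forcer (one name hammered), or something else. The sample log is constructed; the 198.51.100.7 and 203.0.113.9 sources and the user "gavin" are made up for illustration.

```python
import re
from collections import defaultdict

# Matches the "Failed password" event in the sshd log format quoted in the post.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[sshd\] Failed password for "
    r"(?:illegal user |invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

PROBE_USERS = {"admin", "test", "guest", "root"}  # names the post says recur
PER_USER_LIMIT = 3  # the post observes at most three tries per name per IP

# Constructed sample log (one event per line, as syslog writes it).
SAMPLE_LOG = """\
Aug 16 16:06:42 [sshd] Illegal user test from ::ffff:210.223.178.180
Aug 16 16:06:43 [sshd] error: Could not get shadow information for NOUSER
Aug 16 16:06:43 [sshd] Failed password for illegal user test from ::ffff:210.223.178.180 port 50028 ssh2
Aug 16 16:06:46 [sshd] Failed password for illegal user guest from ::ffff:210.223.178.180 port 50189 ssh2
Aug 16 16:06:49 [sshd] Failed password for illegal user admin from ::ffff:210.223.178.180 port 50369 ssh2
Aug 16 16:06:52 [sshd] Failed password for illegal user admin from ::ffff:210.223.178.180 port 50511 ssh2
Aug 16 17:01:10 [sshd] Failed password for root from ::ffff:198.51.100.7 port 40001 ssh2
Aug 16 17:01:11 [sshd] Failed password for root from ::ffff:198.51.100.7 port 40002 ssh2
Aug 16 17:01:12 [sshd] Failed password for root from ::ffff:198.51.100.7 port 40003 ssh2
Aug 16 17:01:13 [sshd] Failed password for root from ::ffff:198.51.100.7 port 40004 ssh2
Aug 16 18:30:00 [sshd] Failed password for illegal user gavin from ::ffff:203.0.113.9 port 51000 ssh2
"""

def normalise_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix sshd logs when listening on an IPv6 socket."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip

def count_failures(lines):
    """Return {ip: {user: failed_attempts}} built from the Failed password events."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            counts[normalise_ip(m["ip"])][m["user"]] += 1
    return counts

def classify(counts):
    """'bruteforce' if any name exceeds the per-user limit, 'scanner' if only the
    recurring probe names were tried within the limit, 'other' otherwise."""
    verdicts = {}
    for ip, users in counts.items():
        if max(users.values()) > PER_USER_LIMIT:
            verdicts[ip] = "bruteforce"
        elif set(users) <= PROBE_USERS:
            verdicts[ip] = "scanner"
        else:
            verdicts[ip] = "other"
    return verdicts

def analyse(text):
    return classify(count_failures(text.splitlines()))

if __name__ == "__main__":
    for ip, verdict in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{ip:16} {verdict}")
```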
