[Wylug-help] Automated SSH login attempts

don don at leedsweb.dyndns.org
Sat Aug 21 17:19:34 BST 2004




I've got some similar entries in my ssh log, some from the same IP
address as your sample.


Don Magee




Gavin Harris wrote:


> Hi All,
>
> Recently I've seen an increasing number of apparently automated attempts
> to log in to a couple of my servers from lots of different client IPs.
> They look like this:
>
> Aug 16 16:06:42 [sshd] Illegal user test from ::ffff:210.223.178.180
> Aug 16 16:06:43 [sshd] error: Could not get shadow information for NOUSER
> Aug 16 16:06:43 [sshd] Failed password for illegal user test from
> ::ffff:210.223.178.180 port 50028 ssh2
> Aug 16 16:06:46 [sshd] User guest not allowed because shell /dev/null is
> not executable
> Aug 16 16:06:46 [sshd] error: Could not get shadow information for NOUSER
> Aug 16 16:06:46 [sshd] Failed password for illegal user guest from
> ::ffff:210.223.178.180 port 50189 ssh2
> Aug 16 16:06:49 [sshd] Illegal user admin from ::ffff:210.223.178.180
> Aug 16 16:06:49 [sshd] error: Could not get shadow information for NOUSER
> Aug 16 16:06:49 [sshd] Failed password for illegal user admin from
> ::ffff:210.223.178.180 port 50369 ssh2
> Aug 16 16:06:52 [sshd] Illegal user admin from ::ffff:210.223.178.180
> Aug 16 16:06:52 [sshd] error: Could not get shadow information for NOUSER
>
> The usernames that are tried are always the same, i.e. admin, test, guest
> and sometimes root for good measure. What I find curious is that each
> one is only tried three times from any one source IP. That doesn't seem
> an awful lot if it's just some dumb kit trying to bruteforce it. I've
> had a look around FD, and there are a couple of people there seeing the
> same thing but no real insight into what's going on. The machines running
> the probes all seem to be compromised, with some kind of IRC server
> running on port 7007 that looks a little dodgy.
>
> Has anyone seen anything similar? Any idea what it is?
>
> Cheers,
>
> --
> Gavin
>
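Added example, not part of the original thread: the pattern described above (a handful of guesses per source, the same usernames from many sources) stays under any per-IP threshold, so this sketch correlates the `Failed password` lines by username across sources instead. The function names, the `per_ip_limit` and `min_sources` thresholds and the sample lines are assumptions made for illustration; input must be one log entry per line, not wrapped as in the e-mail.

```python
import re
from collections import defaultdict

# Matches "Failed password" lines in the format quoted in the post;
# "invalid user" is the wording newer OpenSSH releases use.
FAILED = re.compile(
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def summarize(lines):
    """Return (failed attempts per source, set of sources per username)."""
    per_source = defaultdict(int)
    per_user = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # e.g. the "Illegal user ..." line that precedes each failure
        src = m["src"]
        if src.startswith("::ffff:"):  # IPv4-mapped IPv6 address, as in the post
            src = src[len("::ffff:"):]
        per_source[src] += 1
        per_user[m["user"]].add(src)
    return dict(per_source), dict(per_user)

def distributed_guessing(lines, per_ip_limit=5, min_sources=3):
    """Usernames tried from at least min_sources addresses that each
    stayed below per_ip_limit failures (hypothetical thresholds)."""
    per_source, per_user = summarize(lines)
    quiet = {s for s, n in per_source.items() if n < per_ip_limit}
    return {u: sorted(srcs & quiet) for u, srcs in per_user.items()
            if len(srcs & quiet) >= min_sources}

# Constructed sample using RFC 5737 documentation addresses, not data from the post.
SAMPLE = [
    f"Aug 16 16:06:4{i} [sshd] Failed password for illegal user {u} "
    f"from ::ffff:{ip} port 5002{i} ssh2"
    for ip in ("192.0.2.10", "198.51.100.20", "203.0.113.30")
    for i, u in enumerate(("test", "guest", "admin"))
] + [
    "Aug 16 16:06:42 [sshd] Illegal user test from ::ffff:192.0.2.10",
    "Aug 16 16:10:01 [sshd] Failed password for alice from ::ffff:192.0.2.77 port 40000 ssh2",
]

if __name__ == "__main__":
    for user, sources in distributed_guessing(SAMPLE).items():
        print(f"{user}: tried from {len(sources)} low-volume sources: {sources}")
```
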





