Those ssh attacks are permanent on our server: at least 3 attempts/day from different
IP addresses. It seems to be some standard script (nessus?), as the pattern of
tests is mostly the same.
Vincent Bremaud wrote:
| Oh yes, I jumped on my logs :-D
| Not surprisingly I found the same kind of attack, but on 3 October,
| including, of course, several attempts on the root account ;-) Since it is
| deactivated for ssh, good luck to the attacker :-P
| I also found attacks on 25 September. Same kind of pattern and
| usernames. Could it be a Unix-type worm? Interesting specimen, I hadn't
| seen such a thing as a Unix-type worm until now ;-P
|
| -----Original Message-----
| From: Eric Dondelinger <aim(a)vis.ethz.ch>
| To: lilux-help(a)linux.lu
| Date: 12/10/04
| Subject: [Lilux-help] cracking attempts - warning
|
| Hi,
|
| I noticed yesterday evening and this morning (very shortly after
| turning on my router at home - on P&T ADSL) that there were attacks
| against my running SSH server - quite probably brute-force dictionary
| attacks.
|
| I've got quite some entries in my auth.log (extract):
|
| this morning:
| ----------------------------------------
| Oct 12 09:13:08 hermes sshd[543]: Failed password for illegal user wwwrun from 216.173.46.164 port 55039 ssh2
| Oct 12 09:13:09 hermes sshd[545]: Illegal user matt from 216.173.46.164
| Oct 12 09:13:09 hermes sshd[545]: error: Could not get shadow information for NOUSER
| Oct 12 09:13:09 hermes sshd[545]: Failed password for illegal user matt from 216.173.46.164 port 55067 ssh2
| Oct 12 09:13:11 hermes sshd[547]: Illegal user test from 216.173.46.164
| Oct 12 09:13:11 hermes sshd[547]: error: Could not get shadow information for NOUSER
| Oct 12 09:13:11 hermes sshd[547]: Failed password for illegal user test from 216.173.46.164 port 55100 ssh2
| Oct 12 09:13:13 hermes sshd[549]: Illegal user test from 216.173.46.164
| Oct 12 09:13:13 hermes sshd[549]: error: Could not get shadow information for NOUSER
| Oct 12 09:13:13 hermes sshd[549]: Failed password for illegal user test from 216.173.46.164 port 55134 ssh2
| Oct 12 09:13:15 hermes sshd[551]: Illegal user test from 216.173.46.164
|
| yesterday evening:
| ----------------------------------------
| Oct 11 19:38:44 hermes sshd[2051]: Illegal user frank from 213.240.168.200
| Oct 11 19:38:44 hermes sshd[2051]: error: Could not get shadow information for NOUSER
| Oct 11 19:38:44 hermes sshd[2051]: Failed password for illegal user frank from 213.240.168.200 port 40686 ssh2
| Oct 11 19:38:45 hermes sshd[2053]: Illegal user george from 213.240.168.200
| Oct 11 19:38:45 hermes sshd[2053]: error: Could not get shadow information for NOUSER
| Oct 11 19:38:45 hermes sshd[2053]: Failed password for illegal user george from 213.240.168.200 port 40710 ssh2
| Oct 11 19:38:46 hermes sshd[2055]: Illegal user henry from 213.240.168.200
| Oct 11 19:38:46 hermes sshd[2055]: error: Could not get shadow information for NOUSER
| Oct 11 19:38:46 hermes sshd[2055]: Failed password for illegal user henry from 213.240.168.200 port 40737 ssh2
| Oct 11 19:38:47 hermes sshd[2057]: Illegal user john from 213.240.168.200
| Oct 11 19:38:47 hermes sshd[2057]: error: Could not get shadow information for NOUSER
| Oct 11 19:38:47 hermes sshd[2057]: Failed password for illegal user john from 213.240.168.200 port 40757 ssh2
|
| ----------------------------------------
|
| I suspect these attempts are run from compromised machines, anyway I
| did try contacting the admin from yesterday evening's incident.
|
| I suppose all of you will want to check your logs, certainly if you're
| running an SSH server.
|
| I've reconfigured my own SSH server to listen on a non-standard
| port for now (check /etc/ssh/sshd_config), in addition to my
| relatively hard-to-crack passwords (designed not to fall prey to
| "normal" dictionary attacks).
|
| I guess "they" are out there...
|
| Greets Eric
|
| _______________________________________________
| Lilux-help mailing list
| Lilux-help(a)lilux.lu
| http://lilux.lu/mailman/listinfo/lilux-help
--
Thierry Coutelier, Président LiLux asbl
7, Rue Jacques Sturm, L-2556 Luxembourg
Office: +352 710725 608  Home: +352 406776
http://www.lilux.lu/
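A small detector for the auth.log pattern Eric describes (a burst of failed logins for non-existent users from one source within a few seconds), added here as an example and not part of any post in this thread. The sample lines are constructed from the extract above, the year is assumed since syslog timestamps carry none, and 192.0.2.10 is a reserved documentation address standing in for a legitimate user's typo:

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the two "Failed password" forms OpenSSH wrote in the post's era:
# "... for illegal user NAME from IP port N ssh2" and "... for NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: lines modelled on the post's extract plus one
# legitimate mistyped password from a reserved documentation address
SAMPLE_LINES = [
    "Oct 12 09:13:08 hermes sshd[543]: Failed password for illegal user wwwrun from 216.173.46.164 port 55039 ssh2",
    "Oct 12 09:13:09 hermes sshd[545]: Illegal user matt from 216.173.46.164",
    "Oct 12 09:13:09 hermes sshd[545]: Failed password for illegal user matt from 216.173.46.164 port 55067 ssh2",
    "Oct 12 09:13:11 hermes sshd[547]: Failed password for illegal user test from 216.173.46.164 port 55100 ssh2",
    "Oct 12 09:13:13 hermes sshd[549]: Failed password for illegal user test from 216.173.46.164 port 55134 ssh2",
    "Oct 12 10:02:41 hermes sshd[600]: Failed password for eric from 192.0.2.10 port 50123 ssh2",
]

def parse_ts(ts, year=2004):
    # syslog timestamps carry no year; the year is assumed (the thread is from 2004)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def summarize(lines):
    """Per source IP: number of failures, distinct usernames tried, first/last timestamp."""
    per_ip = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # "Illegal user ..." and "error: ..." lines add nothing new here
        rec, t = per_ip[m["ip"]], parse_ts(m["ts"])
        rec["count"] += 1
        rec["users"].add(m["user"])
        rec["first"] = t if rec["first"] is None else min(rec["first"], t)
        rec["last"] = t if rec["last"] is None else max(rec["last"], t)
    return per_ip

def flag_bruteforce(per_ip, min_attempts=3, min_users=2, max_window_s=60):
    """Report sources that cycle through several usernames in quick succession."""
    hits = {}
    for ip, rec in per_ip.items():
        span = (rec["last"] - rec["first"]).total_seconds()
        if rec["count"] >= min_attempts and len(rec["users"]) >= min_users and span <= max_window_s:
            hits[ip] = {"attempts": rec["count"], "users": sorted(rec["users"]), "seconds": span}
    return hits
```

Run `flag_bruteforce(summarize(open("/var/log/auth.log")))` to apply it to a real file; the single typo from 192.0.2.10 is not reported, the dictionary run is.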