Oh yes, I jumped on my logs :-D
Not surprisingly I found the same kind of attack, but on 3 October,
including, of course, several attempts on the root account ;-) Since it is
deactivated for ssh, good luck to the attacker :-P
I also found attacks on 25 September. Same kind of pattern and
usernames. Could it be a Unix-type worm? Interesting specimen, I hadn't
seen such a thing as a Unix-type worm until now ;-P
-----Original Message-----
From: Eric Dondelinger <aim(a)vis.ethz.ch>
To: lilux-help(a)linux.lu
Date: 12/10/04
Subject: [Lilux-help] cracking attempts - warning
Hi,
I noticed yesterday evening and this morning (very shortly after
turning on my router at home - on P&T ADSL) that there were attacks
against my running SSH server - quite probably brute-force dictionary
attacks.
I've got quite some entries in my auth.log (extract):
this morning:
----------------------------------------
Oct 12 09:13:08 hermes sshd[543]: Failed password for illegal user wwwrun from 216.173.46.164 port 55039 ssh2
Oct 12 09:13:09 hermes sshd[545]: Illegal user matt from 216.173.46.164
Oct 12 09:13:09 hermes sshd[545]: error: Could not get shadow information for NOUSER
Oct 12 09:13:09 hermes sshd[545]: Failed password for illegal user matt from 216.173.46.164 port 55067 ssh2
Oct 12 09:13:11 hermes sshd[547]: Illegal user test from 216.173.46.164
Oct 12 09:13:11 hermes sshd[547]: error: Could not get shadow information for NOUSER
Oct 12 09:13:11 hermes sshd[547]: Failed password for illegal user test from 216.173.46.164 port 55100 ssh2
Oct 12 09:13:13 hermes sshd[549]: Illegal user test from 216.173.46.164
Oct 12 09:13:13 hermes sshd[549]: error: Could not get shadow information for NOUSER
Oct 12 09:13:13 hermes sshd[549]: Failed password for illegal user test from 216.173.46.164 port 55134 ssh2
Oct 12 09:13:15 hermes sshd[551]: Illegal user test from 216.173.46.164
yesterday evening:
----------------------------------------
Oct 11 19:38:44 hermes sshd[2051]: Illegal user frank from 213.240.168.200
Oct 11 19:38:44 hermes sshd[2051]: error: Could not get shadow information for NOUSER
Oct 11 19:38:44 hermes sshd[2051]: Failed password for illegal user frank from 213.240.168.200 port 40686 ssh2
Oct 11 19:38:45 hermes sshd[2053]: Illegal user george from 213.240.168.200
Oct 11 19:38:45 hermes sshd[2053]: error: Could not get shadow information for NOUSER
Oct 11 19:38:45 hermes sshd[2053]: Failed password for illegal user george from 213.240.168.200 port 40710 ssh2
Oct 11 19:38:46 hermes sshd[2055]: Illegal user henry from 213.240.168.200
Oct 11 19:38:46 hermes sshd[2055]: error: Could not get shadow information for NOUSER
Oct 11 19:38:46 hermes sshd[2055]: Failed password for illegal user henry from 213.240.168.200 port 40737 ssh2
Oct 11 19:38:47 hermes sshd[2057]: Illegal user john from 213.240.168.200
Oct 11 19:38:47 hermes sshd[2057]: error: Could not get shadow information for NOUSER
Oct 11 19:38:47 hermes sshd[2057]: Failed password for illegal user john from 213.240.168.200 port 40757 ssh2
----------------------------------------
I suspect these attempts are run from compromised machines; anyway, I
did try contacting the admin for yesterday evening's incident.
I suppose all of you will want to check your logs, certainly if you're
running an SSH server.
I've reconfigured my own SSH server to listen on a non-standard
port for now (check /etc/ssh/sshd_config), in addition to my
relatively hard-to-crack passwords (designed not to fall prey to
"normal" dictionary attacks).
I guess "they" are out there...
Greets Eric
_______________________________________________
Lilux-help mailing list
Lilux-help(a)lilux.lu
http://lilux.lu/mailman/listinfo/lilux-help
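As an added example (not code from the thread or from either poster), the kind of check Eric suggests can be automated: the script below parses sshd "Failed password" lines in the format quoted above and flags any source address that produces a burst of failures, also noting whether the root account was among the targets, as in the reply. The sample log, the year 2004 and the window/threshold values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd lines quoted in the thread; OpenSSH 3.x says "illegal user",
# newer releases "invalid user", and an existing account (e.g. root) has no prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(lines, year=2004):
    """Yield (timestamp, source_ip, username) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:  # "Illegal user ..." and "error: ..." lines are skipped
            # syslog timestamps carry no year; 2004 is an assumed default
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def detect_bruteforce(lines, window_seconds=60, threshold=5):
    """Map each source IP with >= threshold failures in window_seconds to a summary."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        # sliding window: any `threshold` consecutive failures inside the window is a burst
        burst = any(
            (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds
            for i in range(len(times) - threshold + 1)
        )
        if burst:
            users = sorted({u for _, u in events})
            hits[ip] = {"failures": len(events), "users": users, "root_tried": "root" in users}
    return hits

# Constructed sample in the format of the thread's extract (not the real log).
SAMPLE_LOG = """\
Oct 12 09:13:08 hermes sshd[543]: Failed password for illegal user wwwrun from 216.173.46.164 port 55039 ssh2
Oct 12 09:13:09 hermes sshd[545]: Illegal user matt from 216.173.46.164
Oct 12 09:13:09 hermes sshd[545]: Failed password for illegal user matt from 216.173.46.164 port 55067 ssh2
Oct 12 09:13:11 hermes sshd[547]: Failed password for illegal user test from 216.173.46.164 port 55100 ssh2
Oct 12 09:13:13 hermes sshd[549]: Failed password for illegal user test from 216.173.46.164 port 55134 ssh2
Oct 12 09:13:15 hermes sshd[551]: Failed password for root from 216.173.46.164 port 55160 ssh2
Oct 12 10:02:40 hermes sshd[600]: Failed password for eric from 192.0.2.10 port 41000 ssh2
""".splitlines()
```

Calling `detect_bruteforce(SAMPLE_LOG)` on the sample reports only 216.173.46.164 (five failures in seven seconds, root included); a single failed login from another address is left alone.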