Hi all,
I was wondering what people did when they encountered logs like these for ssh... Last week I got these in my logs:
<<SNIP>>
Jul 24 18:52:57 random sshd[10903]: Illegal user test from 69.0.134.72
Jul 25 01:57:32 random sshd[15271]: Illegal user test from 211.202.3.148
Jul 27 16:35:55 random sshd[29271]: Illegal user test from 210.179.119.10
Jul 28 20:01:49 random sshd[35784]: Illegal user test from 82.67.216.46
Jul 28 20:01:53 random sshd[35786]: Illegal user guest from 82.67.216.46
<</SNIP>>
Now the logs didn't say that these users failed... just that they were illegal. So did they successfully log in somehow?
So I tried myself:
<<SNIP>>
Jul 29 16:19:04 random sshd[6093]: Illegal user test from 68.144.109.254
Jul 29 16:19:08 random sshd[6093]: Failed unknown for illegal user test from 68.144.109.254 port 3
<</SNIP>>
So it notes that I have failed... why not the others?
This dude got pretty persistent:
<<SNIP>>
Jul 30 22:34:47 random sshd[12605]: Illegal user test from 213.186.40.137
Jul 30 22:34:49 random sshd[12607]: Illegal user guest from 213.186.40.137
Jul 30 22:34:52 random sshd[12609]: Illegal user admin from 213.186.40.137
Jul 30 22:34:54 random sshd[12611]: Illegal user admin from 213.186.40.137
Jul 30 22:34:57 random sshd[12613]: Illegal user user from 213.186.40.137
<the following looked like some good news...>
Jul 30 22:34:59 random sshd[12615]: Failed password for root from 213.186.40.137 port 57450 ssh2
Jul 30 22:35:02 random sshd[12617]: Failed password for root from 213.186.40.137 port 58771 ssh2
Jul 30 22:35:06 random sshd[12625]: Failed password for root from 213.186.40.137 port 36741 ssh2
Jul 30 22:35:08 random sshd[12627]: Illegal user test from 213.186.40.137
<</SNIP>>
So of course I tracerouted and whois'd some of these IPs and got their ISPs. At what point is it fair to report them?
Shane
_______________________________________________ clug-talk mailing list [EMAIL PROTECTED] http://clug.ca/mailman/listinfo/clug-talk_clug.ca
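An added example (my own Python, not code from Shane's post or from the clug-talk list) that parses the sshd lines quoted above and answers the question the post raises. The relevant OpenSSH behaviour: "Illegal user X" is logged when the client asks for an account that does not exist, so such a line can never represent a successful login; a "Failed ..." line is logged when an authentication attempt is actually rejected; and an "Accepted ..." line is the only record of a session being opened. The script therefore looks for "Accepted" lines to answer "did they get in?", and separately flags sources that probe several names or passwords within a short window. The "Accepted publickey" line, the user "alice" and the address 192.0.2.10 are constructed to show what a successful login looks like and do not appear in the post; the threshold (5 events) and window (60 seconds) are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the sshd lines quoted in the post, plus one constructed
# "Accepted publickey" line (alice / 192.0.2.10) that is NOT from the post,
# included only to show what a successful login is logged as.
SAMPLE_LOG = """\
Jul 24 18:52:57 random sshd[10903]: Illegal user test from 69.0.134.72
Jul 29 16:19:04 random sshd[6093]: Illegal user test from 68.144.109.254
Jul 29 16:19:08 random sshd[6093]: Failed unknown for illegal user test from 68.144.109.254 port 3
Jul 30 22:34:47 random sshd[12605]: Illegal user test from 213.186.40.137
Jul 30 22:34:49 random sshd[12607]: Illegal user guest from 213.186.40.137
Jul 30 22:34:52 random sshd[12609]: Illegal user admin from 213.186.40.137
Jul 30 22:34:54 random sshd[12611]: Illegal user admin from 213.186.40.137
Jul 30 22:34:57 random sshd[12613]: Illegal user user from 213.186.40.137
Jul 30 22:34:59 random sshd[12615]: Failed password for root from 213.186.40.137 port 57450 ssh2
Jul 30 22:35:02 random sshd[12617]: Failed password for root from 213.186.40.137 port 58771 ssh2
Jul 30 22:35:06 random sshd[12625]: Failed password for root from 213.186.40.137 port 36741 ssh2
Jul 30 22:35:08 random sshd[12627]: Illegal user test from 213.186.40.137
Jul 30 23:10:11 random sshd[12700]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

# syslog prefix: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)

# The three sshd message shapes this script cares about.  "illegal" = account
# does not exist (cannot be a login), "failed" = an auth attempt was rejected,
# "accepted" = a session was opened.  Newer OpenSSH says "invalid user".
PATTERNS = {
    "illegal": re.compile(r"^Illegal user (?P<user>\S+) from (?P<ip>\S+)"),
    "failed": re.compile(
        r"^Failed \S+ for (?:illegal user |invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
    ),
    "accepted": re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)"),
}


def parse_line(line):
    """Return an event dict for a recognised sshd auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for kind, pat in PATTERNS.items():
        pm = pat.match(m.group("msg"))
        if pm:
            # syslog timestamps carry no year; 1900 is fine for ordering and windowing
            ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
            return {"ts": ts, "kind": kind, "user": pm.group("user"), "ip": pm.group("ip")}
    return None


def parse_log(text):
    """Parse a whole log excerpt, silently skipping lines that are not auth events."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Per-source counts of unknown-user probes, rejected attempts and accepted logins."""
    summary = defaultdict(lambda: {"illegal": 0, "failed": 0, "accepted": 0, "users": set()})
    for e in events:
        summary[e["ip"]][e["kind"]] += 1
        summary[e["ip"]]["users"].add(e["user"])
    return dict(summary)


def successful_logins(events):
    """Only 'Accepted ...' lines mean someone got in; 'Illegal user' lines never do."""
    return [(e["user"], e["ip"]) for e in events if e["kind"] == "accepted"]


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Sources with at least `threshold` illegal/failed events inside any `window`
    (sliding window per source IP; threshold and window are assumed values)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] in ("illegal", "failed"):
            by_ip[e["ip"]].append(e["ts"])
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, s in summarize(evs).items():
        print(f"{ip}: illegal={s['illegal']} failed={s['failed']} "
              f"accepted={s['accepted']} users={sorted(s['users'])}")
    print("successful logins:", successful_logins(evs))
    print("brute-force sources:", brute_force_sources(evs))
```

Run against the lines from the post, the script reports no successful logins from any of the probing addresses (the only "Accepted" line is the constructed one for 192.0.2.10) and flags 213.186.40.137 as the one source that made five or more rejected attempts inside a minute, which is the kind of summary worth attaching when deciding whether a report to the ISP is warranted.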

