Title: RE: [clug-talk] log weirdness

Yeah. Whether this is a pathetic attempt at hacking or a stupid version of a worm, probably better that their ISPs are in the know...

Shane

NOTICE -
This communication is intended ONLY for the use of the person or entity named above and may contain information that is confidential or legally privileged. If you are not the intended recipient named above or a person responsible for delivering messages or communications to the intended recipient, YOU ARE HEREBY NOTIFIED that any use, distribution, or copying of this communication or any of the information contained in it is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone and then destroy or delete this communication, or return it to us by mail if requested by us. The City of Calgary thanks you for your attention and cooperation.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of bogi
Sent: 2004 August 03 1:23 PM
To: CLUG General
Subject: Re: [clug-talk] log weirdness


Hi
I see this stuff on my servers too, just report them to their ISP, and
naturally being an illegal user will fail the login attempt. These ppl have no
shame at all, just report them, let them eat their own cooking.
Cheers
Szemir

PS. What are they expecting, a guest user with password guest and a nice login
shell? Even if they hit a legit user, the password will likely take a few
decades of heavy brute-forcing to yield anything useful, and even then they
will only get a simple user account. Trying to harvest for e-mail addresses
this way is more a miss than a hit IMHO.

On August 3, 2004 10:40, Clements, Shane wrote:
> Hi all,
> I was wondering what people did when they encountered logs like these
> for ssh... Last week I got these in my logs:
>
> <<SNIP>>
> Jul 24 18:52:57 random sshd[10903]: Illegal user test from 69.0.134.72
> Jul 25 01:57:32 random sshd[15271]: Illegal user test from 211.202.3.148
> Jul 27 16:35:55 random sshd[29271]: Illegal user test from 210.179.119.10
> Jul 28 20:01:49 random sshd[35784]: Illegal user test from 82.67.216.46
> Jul 28 20:01:53 random sshd[35786]: Illegal user guest from 82.67.216.46
> <</SNIP>>
>
> Now the logs didn't say that these users failed... just that they were
> illegal. So did they successfully log in somehow?
>
> So I tried myself:
> <<SNIP>>
> Jul 29 16:19:04 random sshd[6093]: Illegal user test from 68.144.109.254
> Jul 29 16:19:08 random sshd[6093]: Failed unknown for illegal user test from 68.144.109.254 port 3
> <</SNIP>>
>
> So it notes that I have failed... why not the others?
> This dude got pretty persistent:
> <<SNIP>>
> Jul 30 22:34:47 random sshd[12605]: Illegal user test from 213.186.40.137
> Jul 30 22:34:49 random sshd[12607]: Illegal user guest from 213.186.40.137
> Jul 30 22:34:52 random sshd[12609]: Illegal user admin from 213.186.40.137
> Jul 30 22:34:54 random sshd[12611]: Illegal user admin from 213.186.40.137
> Jul 30 22:34:57 random sshd[12613]: Illegal user user from 213.186.40.137
> <the following looked like some good news...>
> Jul 30 22:34:59 random sshd[12615]: Failed password for root from 213.186.40.137 port 57450 ssh2
> Jul 30 22:35:02 random sshd[12617]: Failed password for root from 213.186.40.137 port 58771 ssh2
> Jul 30 22:35:06 random sshd[12625]: Failed password for root from 213.186.40.137 port 36741 ssh2
> Jul 30 22:35:08 random sshd[12627]: Illegal user test from 213.186.40.137
> <</SNIP>>
>
> So of course I tracerouted and ran whois on some of these IPs and got their
> ISPs. At what point is it fair to report them?
>
> Shane
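As an added example (not code from anyone in this thread): a short Python script that parses sshd lines of the kind quoted above and sorts out the two things Shane's question hinges on. "Illegal user" means sshd was asked for an account that does not exist, so that attempt cannot have succeeded whether or not a "Failed ..." line follows; the only lines that mean someone got in are "Accepted ..." lines. The script tallies probes and failures per source IP, which is the list you would send to the source ISP's abuse contact. The sample input is the thread's own log lines plus one constructed "Accepted password" line using the documentation address 192.0.2.10; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the sshd lines quoted in the thread, plus one made-up
# "Accepted password" line (192.0.2.10 is a documentation address, not a host).
SAMPLE_LOG = """\
Jul 24 18:52:57 random sshd[10903]: Illegal user test from 69.0.134.72
Jul 28 20:01:49 random sshd[35784]: Illegal user test from 82.67.216.46
Jul 28 20:01:53 random sshd[35786]: Illegal user guest from 82.67.216.46
Jul 29 16:19:04 random sshd[6093]: Illegal user test from 68.144.109.254
Jul 29 16:19:08 random sshd[6093]: Failed unknown for illegal user test from 68.144.109.254 port 3
Jul 30 22:34:47 random sshd[12605]: Illegal user test from 213.186.40.137
Jul 30 22:34:49 random sshd[12607]: Illegal user guest from 213.186.40.137
Jul 30 22:34:52 random sshd[12609]: Illegal user admin from 213.186.40.137
Jul 30 22:34:59 random sshd[12615]: Failed password for root from 213.186.40.137 port 57450 ssh2
Jul 30 22:35:02 random sshd[12617]: Failed password for root from 213.186.40.137 port 58771 ssh2
Jul 30 22:35:08 random sshd[12627]: Illegal user test from 213.186.40.137
Jul 30 23:10:00 random sshd[12700]: Accepted password for shane from 192.0.2.10 port 40000 ssh2
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
# The three message shapes we classify.
ILLEGAL_RE = re.compile(r'^Illegal user (?P<user>\S+) from (?P<ip>\S+)$')
FAILED_RE = re.compile(r'^Failed \S+ for (?:illegal user )?(?P<user>\S+) from (?P<ip>\S+)')
ACCEPTED_RE = re.compile(r'^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)')


def parse_line(line):
    """Return an event dict for one sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group('msg')
    for kind, rx in (('illegal', ILLEGAL_RE), ('failed', FAILED_RE), ('accepted', ACCEPTED_RE)):
        mm = rx.match(msg)
        if mm:
            return {'ts': m.group('ts'), 'pid': int(m.group('pid')),
                    'kind': kind, 'user': mm.group('user'), 'ip': mm.group('ip')}
    return None


def parse_log(text):
    """All classified auth events in a block of syslog text, in file order."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def summarize(events):
    """Per source IP: nonexistent-user probes, completed-and-rejected
    authentications, successes, and the set of usernames tried."""
    summary = defaultdict(lambda: {'illegal': 0, 'failed': 0, 'accepted': 0, 'users': set()})
    for ev in events:
        s = summary[ev['ip']]
        s[ev['kind']] += 1
        s['users'].add(ev['user'])
    return dict(summary)


def report_candidates(summary, threshold=3):
    """IPs whose probe+failure count reaches the threshold, worst first:
    the list to hand to the source ISP's abuse contact."""
    scored = [(ip, s['illegal'] + s['failed']) for ip, s in summary.items()]
    return [ip for ip, n in sorted(scored, key=lambda t: (-t[1], t[0])) if n >= threshold]


def successful_logins(events):
    """(user, ip) pairs for the only lines that mean someone actually got in."""
    return [(ev['user'], ev['ip']) for ev in events if ev['kind'] == 'accepted']


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    summ = summarize(evs)
    for ip in report_candidates(summ):
        s = summ[ip]
        print(f"{ip}: {s['illegal']} illegal-user probes, {s['failed']} failed logins, "
              f"users tried: {sorted(s['users'])}")
    for user, ip in successful_logins(evs):
        print(f"ACCEPTED login as {user} from {ip}: verify this was you")
```

Run against your own /var/log/auth.log (or wherever syslog puts sshd's output) instead of SAMPLE_LOG; the threshold is the judgement call Shane is asking about, and the "Accepted" check is the one that answers "did they get in?".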


_______________________________________________
clug-talk mailing list
[EMAIL PROTECTED]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
