While there is nothing wrong with reporting to the ISP of these IP
addresses, they may not really be doing this. Don't forget that there
are a lot of open proxies out there. While it has been widely publicized
that open proxies created by a variety of trojans have been used for
spamming, an appropriately crafted open proxy can be used for anything,
including SSH.
bogi wrote:
Hi
I see this stuff on my servers too, just report them to their ISP, and
naturally being an illegal user will fail the login attempt. These people have no
shame at all, just report them, let them eat their own cooking.
Cheers
Szemir
ps. what are they expecting, a guest user with password guest and a nice login
shell ?? even if they hit a legit user, the password will likely take a few
decades of heavy brute-forcing to yield anything useful, and even then they
will only get a simple user account. Trying to harvest for e-mail addresses
this way is more a miss than a hit IMHO.
On August 3, 2004 10:40, Clements, Shane wrote:
Hi all,
I was wondering what people did when they encountered logs like these
for ssh... Last week I got these in my logs:
<<SNIP>>
Jul 24 18:52:57 random sshd[10903]: Illegal user test from 69.0.134.72
Jul 25 01:57:32 random sshd[15271]: Illegal user test from 211.202.3.148
Jul 27 16:35:55 random sshd[29271]: Illegal user test from 210.179.119.10
Jul 28 20:01:49 random sshd[35784]: Illegal user test from 82.67.216.46
Jul 28 20:01:53 random sshd[35786]: Illegal user guest from 82.67.216.46
<</SNIP>>
Now the logs didn't say that these users failed... just that they were
illegal. So did they successfully log in somehow?
So I tried myself:
<<SNIP>>
Jul 29 16:19:04 random sshd[6093]: Illegal user test from 68.144.109.254
Jul 29 16:19:08 random sshd[6093]: Failed unknown for illegal user test from 68.144.109.254 port 3
<</SNIP>>
So it notes that I have failed... why not the others?
This dude got pretty persistent:
<<SNIP>>
Jul 30 22:34:47 random sshd[12605]: Illegal user test from 213.186.40.137
Jul 30 22:34:49 random sshd[12607]: Illegal user guest from 213.186.40.137
Jul 30 22:34:52 random sshd[12609]: Illegal user admin from 213.186.40.137
Jul 30 22:34:54 random sshd[12611]: Illegal user admin from 213.186.40.137
Jul 30 22:34:57 random sshd[12613]: Illegal user user from 213.186.40.137
<the following looked like some good news...>
Jul 30 22:34:59 random sshd[12615]: Failed password for root from 213.186.40.137 port 57450 ssh2
Jul 30 22:35:02 random sshd[12617]: Failed password for root from 213.186.40.137 port 58771 ssh2
Jul 30 22:35:06 random sshd[12625]: Failed password for root from 213.186.40.137 port 36741 ssh2
Jul 30 22:35:08 random sshd[12627]: Illegal user test from 213.186.40.137
<</SNIP>>
So of course I tracerouted and ran whois on some of these IPs and got their
ISPs. At what point is it fair to report them?
Shane
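The log lines in Shane's post, run through a small tally script (an added example, not something posted in this thread). It parses the sshd "Illegal user" and "Failed ... for" lines, counts one attempt per line while using the sshd child pid to avoid double-counting an "Illegal user" line and the matching "Failed unknown for illegal user" line, and flags a source address whose attempts cluster in a short burst. The threshold of 5 attempts in 60 seconds, the year assumed for the syslog timestamps, and the helper names are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the excerpts in the post above (not constructed).
SAMPLE_LOG = """\
Jul 24 18:52:57 random sshd[10903]: Illegal user test from 69.0.134.72
Jul 25 01:57:32 random sshd[15271]: Illegal user test from 211.202.3.148
Jul 27 16:35:55 random sshd[29271]: Illegal user test from 210.179.119.10
Jul 28 20:01:49 random sshd[35784]: Illegal user test from 82.67.216.46
Jul 28 20:01:53 random sshd[35786]: Illegal user guest from 82.67.216.46
Jul 29 16:19:04 random sshd[6093]: Illegal user test from 68.144.109.254
Jul 29 16:19:08 random sshd[6093]: Failed unknown for illegal user test from 68.144.109.254 port 3
Jul 30 22:34:47 random sshd[12605]: Illegal user test from 213.186.40.137
Jul 30 22:34:49 random sshd[12607]: Illegal user guest from 213.186.40.137
Jul 30 22:34:52 random sshd[12609]: Illegal user admin from 213.186.40.137
Jul 30 22:34:54 random sshd[12611]: Illegal user admin from 213.186.40.137
Jul 30 22:34:57 random sshd[12613]: Illegal user user from 213.186.40.137
Jul 30 22:34:59 random sshd[12615]: Failed password for root from 213.186.40.137 port 57450 ssh2
Jul 30 22:35:02 random sshd[12617]: Failed password for root from 213.186.40.137 port 58771 ssh2
Jul 30 22:35:06 random sshd[12625]: Failed password for root from 213.186.40.137 port 36741 ssh2
Jul 30 22:35:08 random sshd[12627]: Illegal user test from 213.186.40.137
"""

# Syslog prefix plus the sshd message. The pid ties an "Illegal user" line
# to a later "Failed ... for illegal user" line from the same sshd child.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ILLEGAL_RE = re.compile(r"^Illegal user (?P<user>\S+) from (?P<ip>\S+)")
FAILED_RE = re.compile(
    r"^Failed \S+ for (?P<unknown>(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(log_text):
    """Yield (timestamp, source_ip, username) once per failed login attempt."""
    seen_pids = set()  # pids already counted through an "Illegal user" line
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog lines carry no year; strptime fills in 1900, which is fine
        # for comparing timestamps within one log file (assumption).
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        pid, msg = m["pid"], m["msg"]
        ill = ILLEGAL_RE.match(msg)
        if ill:
            seen_pids.add(pid)
            yield ts, ill["ip"], ill["user"]
            continue
        fail = FAILED_RE.match(msg)
        if fail:
            if fail["unknown"] and pid in seen_pids:
                continue  # same attempt as the "Illegal user" line already counted
            yield ts, fail["ip"], fail["user"]


def summarize(log_text, threshold=5, window_seconds=60):
    """Per source IP: attempt count, usernames tried, and whether any
    `threshold` attempts fell inside a `window_seconds` sliding window."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "times": []})
    for ts, ip, user in parse_events(log_text):
        rec = per_ip[ip]
        rec["attempts"] += 1
        rec["users"].add(user)
        rec["times"].append(ts)

    result = {}
    for ip, rec in per_ip.items():
        times = sorted(rec["times"])
        burst = False
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                burst = True
                break
        result[ip] = {"attempts": rec["attempts"], "users": sorted(rec["users"]), "burst": burst}
    return result


if __name__ == "__main__":
    for ip, rec in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["attempts"]):
        flag = "BURST" if rec["burst"] else "-"
        print(f"{ip:16} attempts={rec['attempts']:2} {flag:5} users={','.join(rec['users'])}")
```

On the lines from the post, only 213.186.40.137 trips the burst rule (nine attempts across five usernames in about twenty seconds); the single "Illegal user test" from each of the other addresses counts as one attempt each, which is the sort of per-address evidence an abuse report to an ISP would want attached.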
_______________________________________________
clug-talk mailing list
[EMAIL PROTECTED]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca