The ISP should know; either way they can take the appropriate action.
Cheers
Szemir

On August 3, 2004 14:21, Niels Voll wrote:
> While there is nothing wrong with reporting to the ISP of these IP
> addresses, they may not really be doing this. Don't forget that there
> are a lot of open proxies out there. While it has been widely publicized
> that open proxies created by a variety of trojans have been used for
> spamming, an appropriately crafted open proxy can be used for anything,
> including SSH.
>
> bogi wrote:
> >Hi
> >I see this stuff on my servers too, just report them to their ISP. And
> >naturally, being an illegal user will fail the login attempt. These people have
> > no shame at all, just report them, let them eat their own cooking.
> >Cheers
> >Szemir
> >
> >PS. What are they expecting, a guest user with password guest and a nice
> > login shell?? Even if they hit a legit user, the password will likely
> > take a few decades of heavy brute-forcing to yield anything useful, and
> > even then they will only get a simple user account. Trying to harvest for
> > e-mail addresses this way is more a miss than a hit IMHO.
> >
> >On August 3, 2004 10:40, Clements, Shane wrote:
> >>Hi all,
> >>I was wondering what people did when they encountered logs like these
> >>for ssh... Last week I got these in my logs:
> >>
> >><<SNIP>>
> >>Jul 24 18:52:57 random sshd[10903]: Illegal user test from 69.0.134.72
> >>Jul 25 01:57:32 random sshd[15271]: Illegal user test from 211.202.3.148
> >>Jul 27 16:35:55 random sshd[29271]: Illegal user test from 210.179.119.10
> >>Jul 28 20:01:49 random sshd[35784]: Illegal user test from 82.67.216.46
> >>Jul 28 20:01:53 random sshd[35786]: Illegal user guest from 82.67.216.46
> >><</SNIP>>
> >>
> >>Now the logs didn't say that these users failed... just that they were
> >>illegal. So did they successfully log in somehow?
> >>
> >>So I tried myself:
> >><<SNIP>>
> >>Jul 29 16:19:04 random sshd[6093]: Illegal user test from 68.144.109.254
> >>Jul 29 16:19:08 random sshd[6093]: Failed unknown for illegal user test from 68.144.109.254 port 3
> >><</SNIP>>
> >>
> >>So it notes that I have failed... why not the others?
> >>This dude got pretty persistent:
> >><<SNIP>>
> >>Jul 30 22:34:47 random sshd[12605]: Illegal user test from 213.186.40.137
> >>Jul 30 22:34:49 random sshd[12607]: Illegal user guest from 213.186.40.137
> >>Jul 30 22:34:52 random sshd[12609]: Illegal user admin from 213.186.40.137
> >>Jul 30 22:34:54 random sshd[12611]: Illegal user admin from 213.186.40.137
> >>Jul 30 22:34:57 random sshd[12613]: Illegal user user from 213.186.40.137
> >><the following looked like some good news...>
> >>Jul 30 22:34:59 random sshd[12615]: Failed password for root from 213.186.40.137 port 57450 ssh2
> >>Jul 30 22:35:02 random sshd[12617]: Failed password for root from 213.186.40.137 port 58771 ssh2
> >>Jul 30 22:35:06 random sshd[12625]: Failed password for root from 213.186.40.137 port 36741 ssh2
> >>Jul 30 22:35:08 random sshd[12627]: Illegal user test from 213.186.40.137
> >><</SNIP>>
> >>
> >>So of course I tracerouted and ran whois on some of these IPs and got their
> >>ISPs. At what point is it fair to report them?
> >>
> >>Shane
> >>
> >
> >_______________________________________________
> >clug-talk mailing list
> >[EMAIL PROTECTED]
> >http://clug.ca/mailman/listinfo/clug-talk_clug.ca
>


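An added example, not part of the original messages: a Python sketch that groups sshd entries of the kind quoted in this thread by source address and separates rejected attempts ("Illegal user", "Failed ... for") from successful logins, which sshd records as "Accepted ... for" lines. The sample log is constructed (documentation addresses, hypothetical user `alice`), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd format quoted in the thread. Addresses are
# documentation ranges, "alice" is hypothetical, and one entry is wrapped
# onto a second line the way the mail client wrapped the original logs.
SAMPLE_LOG = """\
Jul 30 22:34:47 random sshd[12605]: Illegal user test from 192.0.2.10
Jul 30 22:34:49 random sshd[12607]: Illegal user guest from
192.0.2.10
Jul 30 22:34:59 random sshd[12615]: Failed password for root from 192.0.2.10 port 57450 ssh2
Jul 30 22:35:02 random sshd[12617]: Failed password for root from 192.0.2.10 port 58771 ssh2
Jul 31 09:12:40 random sshd[13001]: Illegal user test from 198.51.100.7
Jul 31 09:12:44 random sshd[13001]: Failed unknown for illegal user test from 198.51.100.7 port 3
Jul 31 10:02:11 random sshd[13100]: Accepted password for alice from 203.0.113.5 port 40022 ssh2
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
EVENT = re.compile(
    r"sshd\[\d+\]: (?:(?P<illegal>Illegal user)|(?P<failed>Failed \S+ for(?: illegal user)?)"
    r"|(?P<accepted>Accepted \S+ for)) (?P<user>\S+) from (?P<ip>[\d.]+)"
)

def unfold(text):
    """Rejoin entries whose tail was wrapped onto a line without a timestamp."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if STAMP.match(line) or not entries:
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Per source IP: counts of each event kind and the usernames tried."""
    report = defaultdict(lambda: {"illegal": 0, "failed": 0, "accepted": 0, "users": set()})
    for entry in unfold(text):
        m = EVENT.search(entry)
        if not m:
            continue
        kind = next(k for k in ("illegal", "failed", "accepted") if m.group(k))
        row = report[m.group("ip")]
        row[kind] += 1
        row["users"].add(m.group("user"))
    return dict(report)

def accepted_sources(text):
    """Addresses with at least one successful login; only these got in."""
    return sorted(ip for ip, row in summarize(text).items() if row["accepted"])
```
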