On Tue, 03 Aug 2004 16:13:56 -0600, bogi <[EMAIL PROTECTED]> wrote:
> The ISP should know; either way they can take the appropriate action.
> Cheers
> Szemir
> 
> 
> 
> On August 3, 2004 14:21, Niels Voll wrote:
> > While there is nothing wrong with reporting to the ISP of these IP
> > addresses, they may not really be doing this. Don't forget that there
> > are a lot of open proxies out there. While it has been widely publicized
> > that open proxies created by a variety of trojans have been used for
> > spamming, an appropriately crafted open proxy can be used for anything,
> > including SSH.
> >
> > bogi wrote:
> > >Hi
> > >I see this stuff on my servers too, just report them to their ISP, and
> > >naturally, being an illegal user, the login attempt will fail. These ppl have
> > > no shame at all, just report them, let them eat their own cooking.
> > >Cheers
> > >Szemir
> > >
> > >PS. What are they expecting, a guest user with password guest and a nice
> > > login shell?? Even if they hit a legit user, the password will likely
> > > take a few decades of heavy brute-forcing to yield anything useful, and
> > > even then they will only get a simple user account. Trying to harvest for
> > > e-mail addresses this way is more a miss than a hit IMHO.
> > >
> > >On August 3, 2004 10:40, Clements, Shane wrote:
> > >>Hi all,
> > >>I was wondering what people did when they encountered logs like these
> > >>for ssh... Last week I got these in my logs:
> > >>
> > >><<SNIP>>
> > >>Jul 24 18:52:57 random sshd[10903]: Illegal user test from 69.0.134.72
> > >>Jul 25 01:57:32 random sshd[15271]: Illegal user test from 211.202.3.148
> > >>Jul 27 16:35:55 random sshd[29271]: Illegal user test from 210.179.119.10
> > >>Jul 28 20:01:49 random sshd[35784]: Illegal user test from 82.67.216.46
> > >>Jul 28 20:01:53 random sshd[35786]: Illegal user guest from 82.67.216.46
> > >><</SNIP>>
> > >>
> > >>Now the logs didn't say that these users failed... just that they were
> > >>illegal. So did they successfully log in somehow?
> > >>
> > >>So I tried myself:
> > >><<SNIP>>
> > >>Jul 29 16:19:04 random sshd[6093]: Illegal user test from 68.144.109.254
> > >>Jul 29 16:19:08 random sshd[6093]: Failed unknown for illegal user test from 68.144.109.254 port 3
> > >><</SNIP>>
> > >>
> > >>So it notes that I have failed... why not the others?
> > >>This dude got pretty persistent:
> > >><<SNIP>>
> > >>Jul 30 22:34:47 random sshd[12605]: Illegal user test from 213.186.40.137
> > >>Jul 30 22:34:49 random sshd[12607]: Illegal user guest from 213.186.40.137
> > >>Jul 30 22:34:52 random sshd[12609]: Illegal user admin from 213.186.40.137
> > >>Jul 30 22:34:54 random sshd[12611]: Illegal user admin from 213.186.40.137
> > >>Jul 30 22:34:57 random sshd[12613]: Illegal user user from 213.186.40.137
> > >><the following looked like some good news...>
> > >>Jul 30 22:34:59 random sshd[12615]: Failed password for root from 213.186.40.137 port 57450 ssh2
> > >>Jul 30 22:35:02 random sshd[12617]: Failed password for root from 213.186.40.137 port 58771 ssh2
> > >>Jul 30 22:35:06 random sshd[12625]: Failed password for root from 213.186.40.137 port 36741 ssh2
> > >>Jul 30 22:35:08 random sshd[12627]: Illegal user test from 213.186.40.137
> > >><</SNIP>>
> > >>
> > >>So of course I ran traceroute and whois on some of these IPs and got their
> > >>ISPs. At what point is it fair to report them?
> > >>

This has been reported a zillion times already. The security mailing
list postings started around the 26th of July - nothing to worry
about. It's just scanning your PC to discover the SSHD version running
on your server. Probably looking to exploit some vulnerability in the
previous sshd - haven't heard of any exploits on unpatched ssh servers.

> > >>Shane
> > >>
> > >
> > >_______________________________________________
> > >clug-talk mailing list
> > >[EMAIL PROTECTED]
> > >http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> >
> 
> 


-- 
Microsoft Windows: A thirty-two bit extension to a sixteen-bit patch to
an eight-bit operating system coded for a four-bit microprocessor by a
two-bit company that can't stand one bit of competition
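
A defender-side check for the pattern in Shane's logs, written here as an added example (it is not code from anyone in the thread): it parses the two sshd message forms quoted above and flags any source that makes five or more attempts inside a minute, listing the usernames it tried. The log sample is constructed from the lines in the thread, and the year (absent from syslog timestamps) is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the sshd lines quoted in the thread.
SAMPLE_LOG = """\
Jul 24 18:52:57 random sshd[10903]: Illegal user test from 69.0.134.72
Jul 30 22:34:47 random sshd[12605]: Illegal user test from 213.186.40.137
Jul 30 22:34:49 random sshd[12607]: Illegal user guest from 213.186.40.137
Jul 30 22:34:52 random sshd[12609]: Illegal user admin from 213.186.40.137
Jul 30 22:34:54 random sshd[12611]: Illegal user admin from 213.186.40.137
Jul 30 22:34:57 random sshd[12613]: Illegal user user from 213.186.40.137
Jul 30 22:34:59 random sshd[12615]: Failed password for root from 213.186.40.137 port 57450 ssh2
Jul 30 22:35:02 random sshd[12617]: Failed password for root from 213.186.40.137 port 58771 ssh2
Jul 30 22:35:06 random sshd[12625]: Failed password for root from 213.186.40.137 port 36741 ssh2
Jul 30 22:35:08 random sshd[12627]: Illegal user test from 213.186.40.137
"""
# "Illegal user X" means the account does not exist (no password was ever
# checked); "Failed password for X" means the account exists but the guess failed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal user (?P<bad>\S+)|Failed password for (?P<user>\S+)) from (?P<ip>[\d.]+)"
)

def parse(log):
    """Yield (timestamp, username, source_ip) for every recognised line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year; 2004 is assumed from the thread's date
        ts = datetime.strptime("2004 " + m["ts"], "%Y %b %d %H:%M:%S")
        yield ts, m["bad"] or m["user"], m["ip"]

def bursty_sources(log, window_s=60, min_attempts=5):
    """Source IP -> sorted usernames tried, for IPs with >= min_attempts within window_s seconds."""
    events = defaultdict(list)
    for ts, user, ip in parse(log):
        events[ip].append((ts, user))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        for i in range(len(evs)):
            j = i  # advance j while events stay inside the window starting at i
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i >= min_attempts:
                hits[ip] = sorted({u for _, u in evs})
                break
    return hits
```

On the sample, only 213.186.40.137 is flagged (nine attempts in 21 seconds across five usernames); the single probe from 69.0.134.72 stays below the threshold.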
