On Sun, 2 Oct 2005, Brett Glass wrote:

But wait... there's more. The interesting thing about these attacks is that the user IDs for which passwords are being guessed aren't coming from a completely fixed list. Besides guessing at the passwords for root, toor, news, admin, test, guest, webmaster, sshd, and mysql, the bots are also trying to get into our mail exchangers via user IDs which are the actual names of users for whom the machines receive mail.

I had a similar fear myself, but when I took a closer look, I realised it was not actually the case that the attackers had specific knowledge of the users on my server.

What happens is that there are two kinds of messages from ssh in /var/log/auth.log. When an attacker tries a nonexistent user, you get

Oct  2 13:00:03 plexi sshd[79194]: Illegal user bob from 83.142.49.11

When an attacker tries an existing user, you get

Oct  2 13:01:47 plexi sshd[79286]: Failed password for www from 83.142.49.11 port 42480 ssh2

In my case, attackers are trying a big list of usernames, and I get both kinds of messages in my auth.log. However, in the daily security mail to root, only the "Failed password" messages are included, so if that's all you see you get the impression that attackers are specifically targeting your users. At least, that is what I thought at first. But when I took a closer look at auth.log, it became clear that that's not what was really happening. Maybe this is the case for Brett as well.
--
Tod McQuillin
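
A way to run the same check over auth.log, added here as an example and not part of Tod's post: it separates the two message kinds per source address, so a source that only ever hits real accounts stands out from one that is also walking a wordlist of nonexistent users. The log lines below are constructed; the hostname and the IP are reused from the post, and the regex also accepts the "Invalid user" wording newer OpenSSH releases use.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (hostname "plexi" and 83.142.49.11 are
# taken from the post; the usernames and 10.0.0.7 are made up for the example).
SAMPLE_AUTH_LOG = """\
Oct  2 13:00:03 plexi sshd[79194]: Illegal user bob from 83.142.49.11
Oct  2 13:00:09 plexi sshd[79201]: Illegal user alice from 83.142.49.11
Oct  2 13:01:47 plexi sshd[79286]: Failed password for www from 83.142.49.11 port 42480 ssh2
Oct  2 13:02:10 plexi sshd[79290]: Failed password for tod from 83.142.49.11 port 42491 ssh2
Oct  2 13:05:22 plexi sshd[79310]: Failed password for tod from 10.0.0.7 port 50120 ssh2
Oct  2 13:05:30 plexi sshd[79311]: Accepted publickey for tod from 10.0.0.7 port 50121 ssh2
"""

# 2005-era sshd says "Illegal user"; later releases say "Invalid user".
ILLEGAL_RE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")


def classify(log_text):
    """Return {ip: {"illegal": set(users), "failed": set(users)}} from auth.log text."""
    per_ip = defaultdict(lambda: {"illegal": set(), "failed": set()})
    for line in log_text.splitlines():
        m = ILLEGAL_RE.search(line)
        if m:
            per_ip[m.group(2)]["illegal"].add(m.group(1))
            continue
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group(2)]["failed"].add(m.group(1))
    return dict(per_ip)


def looks_targeted(stats):
    """A source that only ever hits real accounts (no "Illegal user" lines) is the
    one worth a closer look; a source that also probes nonexistent users is
    running a generic wordlist, however it looks in the daily security mail."""
    return bool(stats["failed"]) and not stats["illegal"]


def summarize(log_text):
    """Per-IP view of which usernames were tried, with the 'targeted' verdict."""
    return {ip: {"illegal": sorted(s["illegal"]), "failed": sorted(s["failed"]),
                 "targeted": looks_targeted(s)}
            for ip, s in classify(log_text).items()}


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

On a real box, feed it `/var/log/auth.log` (and the rotated copies) rather than the sample; the daily security mail alone is not enough, since it shows only the "Failed password" half of the picture.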

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security