Hi! Same thing. GMT +2 Oct 22 20:36:13 nms sshd[90657]: Failed password for invalid user gopher from 77.46.152.2 port 55120 ssh2 Oct 22 20:37:05 nms sshd[90660]: Connection from 83.19.34.46 port 38394 Oct 22 20:37:06 nms sshd[90660]: error: PAM: authentication error for root from 83.19.34.46 Oct 22 20:37:06 nms sshd[90660]: Failed keyboard-interactive/pam for root from 83.19.34.46 port 38394 ssh2 Oct 22 20:39:12 nms sshd[90663]: Connection from 202.14.63.3 port 52821 Oct 22 20:39:15 nms sshd[90663]: error: PAM: authentication error for root from 202.14.63.3 Oct 22 20:39:15 nms sshd[90663]: Failed keyboard-interactive/pam for root from 202.14.63.3 port 52821 ssh2 Oct 22 20:41:40 nms sshd[90669]: Connection from 81.138.4.120 port 3087 Oct 22 20:41:41 nms sshd[90669]: error: PAM: authentication error for root from 81.138.4.120 Oct 22 20:41:41 nms sshd[90669]: Failed keyboard-interactive/pam for root from 81.138.4.120 port 3087 ssh2 Oct 22 20:43:42 nms sshd[90672]: Connection from 87.98.49.190 port 55339 Oct 22 20:43:43 nms sshd[90672]: error: PAM: authentication error for root from 87.98.49.190 Oct 22 20:43:43 nms sshd[90672]: Failed keyboard-interactive/pam for root from 87.98.49.190 port 55339 ssh2 Oct 22 20:45:51 nms sshd[90698]: Connection from 213.35.211.206 port 1926 Oct 22 20:45:52 nms sshd[90698]: error: PAM: authentication error for root from 213.35.211.206 Oct 22 20:45:52 nms sshd[90698]: Failed keyboard-interactive/pam for root from 213.35.211.206 port 1926 ssh2 Oct 22 20:48:33 nms sshd[90701]: Connection from 66.184.240.3 port 34371 Oct 22 20:48:35 nms sshd[90701]: error: PAM: authentication error for root from 66.184.240.3 Oct 22 20:48:35 nms sshd[90701]: Failed keyboard-interactive/pam for root from 66.184.240.3 port 34371 ssh2 Oct 22 20:55:21 nms sshd[90723]: Connection from 82.127.35.70 port 4240 Oct 22 20:55:25 nms sshd[90723]: error: PAM: authentication error for root from 82.127.35.70 Oct 22 20:55:25 nms sshd[90723]: Failed keyboard-interactive/pam for root from 82.127.35.70 port 4240 ssh2 Oct 22 20:59:23 nms sshd[90732]: Connection from 72.159.147.141 port 42446 Oct 22 20:59:24 nms sshd[90732]: error: PAM: authentication error for root from 72.159.147.141 Oct 22 20:59:24 nms sshd[90732]: Failed keyboard-interactive/pam for root from 72.159.147.141 port 42446 ssh2 Oct 22 21:02:11 nms sshd[90756]: Connection from 220.130.152.234 port 37232 Oct 22 21:02:13 nms sshd[90756]: error: PAM: authentication error for root from 220.130.152.234 Oct 22 21:02:13 nms sshd[90756]: Failed keyboard-interactive/pam for root from 220.130.152.234 port 37232 ssh2 Oct 22 21:04:10 nms sshd[90759]: Connection from 202.106.60.24 port 61804 Oct 22 21:04:13 nms sshd[90759]: error: PAM: authentication error for root from 202.106.60.24 Oct 22 21:04:13 nms sshd[90759]: Failed keyboard-interactive/pam for root from 202.106.60.24 port 61804 ssh2 Oct 22 21:06:44 nms sshd[90765]: Connection from 206.222.29.141 port 1858 Oct 22 21:06:46 nms sshd[90765]: error: PAM: authentication error for root from 206.222.29.141 Oct 22 21:06:46 nms sshd[90765]: Failed keyboard-interactive/pam for root from 206.222.29.141 port 1858 ssh2 Oct 22 21:08:42 nms sshd[90768]: Connection from 213.49.15.90 port 14656 Oct 22 21:08:43 nms sshd[90768]: error: PAM: authentication error for root from 213.49.15.90 Oct 22 21:08:43 nms sshd[90768]: Failed keyboard-interactive/pam for root from 213.49.15.90 port 14656 ssh2 Oct 22 21:10:50 nms sshd[90774]: Connection from 212.71.134.227 port 2090 Oct 22 21:10:51 nms sshd[90774]: error: PAM: authentication error for root from 212.71.134.227 Oct 22 21:10:51 nms sshd[90774]: Failed keyboard-interactive/pam for root from 212.71.134.227 port 2090 ssh2 Oct 22 21:13:31 nms sshd[90790]: Connection from 74.232.154.114 port 57834 Oct 22 21:13:33 nms sshd[90790]: error: PAM: authentication error for root from 74.232.154.114 Oct 22 21:13:33 nms sshd[90790]: Failed keyboard-interactive/pam for root from 74.232.154.114 port 57834 ssh2 Oct 22 21:15:34 nms sshd[90796]: Connection from 83.218.176.249 port 46125 Oct 22 21:15:34 nms sshd[90796]: error: PAM: authentication error for root from 83.218.176.249 Oct 22 21:15:34 nms sshd[90796]: Failed keyboard-interactive/pam for root from 83.218.176.249 port 46125 ssh2 Oct 22 21:18:55 nms sshd[90799]: Connection from 64.71.152.46 port 1779 Oct 22 21:18:57 nms sshd[90799]: error: PAM: authentication error for root from 64.71.152.46 Oct 22 21:18:57 nms sshd[90799]: Failed keyboard-interactive/pam for root from 64.71.152.46 port 1779 ssh2 Oct 22 21:43:11 nms sshd[90843]: Connection from 203.130.242.139 port 16597 Oct 22 21:43:14 nms sshd[90843]: error: PAM: authentication error for root from 203.130.242.139 Oct 22 21:43:14 nms sshd[90843]: Failed keyboard-interactive/pam for root from 203.130.242.139 port 16597 ssh2 Oct 22 21:56:40 nms sshd[90881]: Connection from 80.122.89.106 port 12387 Oct 22 21:56:42 nms sshd[90881]: error: PAM: authentication error for root from 80.122.89.106 Oct 22 21:56:42 nms sshd[90881]: Failed keyboard-interactive/pam for root from 80.122.89.106 port 12387 ssh2 Oct 22 21:57:38 nms sshd[90884]: Connection from 82.207.23.93 port 3642
Best regards, Valery Marchuk ----- Original Message ----- From: "Philipp" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Monday, October 22, 2007 2:36 PM Subject: [Full-disclosure] Distributed SSH username/password brute forceattack > Hello, > > since this night I experience distributed SSH username/password > guessing brute force attacks. Anyone seen something similar? > > Up until this night always one host tried to guess username/password > combinations until it got banned by fail2ban. But now I see in my > logfiles: > > Oct 22 01:42:18 myhost sshd[2672]: error: PAM: Authentication failure > for illegal user root from xxxx.de > Oct 22 01:44:49 myhost sshd[2832]: error: PAM: Authentication failure > for illegal user root from xxxx.85 > Oct 22 01:47:16 myhost sshd[2981]: error: PAM: Authentication failure > for illegal user root from xxxx.86 > Oct 22 01:50:33 myhost sshd[3233]: error: PAM: Authentication failure > for illegal user root from xxxx.ar > Oct 22 01:52:38 myhost sshd[3307]: error: PAM: Authentication failure > for illegal user root from xxxx.be > Oct 22 01:55:34 myhost sshd[3551]: error: PAM: Authentication failure > for illegal user root from xxxx.106 > Oct 22 01:58:04 myhost sshd[3691]: error: PAM: Authentication failure > for illegal user root from xxxx.11 > Oct 22 02:00:44 myhost sshd[3999]: error: PAM: Authentication failure > for illegal user root from xxxx.cl > > The time is CEST and the attacks are still ongoing. > > kind regards, > > Philipp > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
