Seeing the same activity on my home firewall:

Jul 25 03:16:42 fuji sshd[20647]: Illegal user test from 202.155.82.186
Jul 25 03:16:42 fuji sshd[20647]: Failed password for illegal user test from 202.155.82.186 port 2384 ssh2
Jul 25 03:16:47 fuji sshd[11459]: Illegal user guest from 202.155.82.186
Jul 25 03:16:47 fuji sshd[11459]: Failed password for illegal user guest from 202.155.82.186 port 2492 ssh2
Jul 25 04:31:08 fuji sshd[32464]: Illegal user test from 210.143.106.131
Jul 25 04:31:08 fuji sshd[32464]: Failed password for illegal user test from 210.143.106.131 port 41013 ssh2
Jul 25 04:31:12 fuji sshd[5458]: Illegal user guest from 210.143.106.131
Jul 25 04:31:12 fuji sshd[5458]: Failed password for illegal user guest from 210.143.106.131 port 41132 ssh2
Jul 25 10:04:26 fuji sshd[7446]: Illegal user test from 199.222.137.44
Jul 25 10:04:26 fuji sshd[7446]: Failed password for illegal user test from 199.222.137.44 port 3157 ssh2
Jul 25 10:04:30 fuji sshd[9682]: Illegal user guest from 199.222.137.44
Jul 25 10:04:30 fuji sshd[9682]: Failed password for illegal user guest from 199.222.137.44 port 3250 ssh2
Jul 25 19:05:40 fuji sshd[6330]: Did not receive identification string from 193.109.140.33
Jul 26 12:44:47 fuji sshd[13585]: Illegal user from 65.116.13.247
Jul 26 12:44:47 fuji sshd[13585]: Failed none for illegal user from 65.116.13.247 port 52354 ssh2
Jul 26 12:44:49 fuji sshd[13585]: Failed password for illegal user from 65.116.13.247 port 52354 ssh2
Jul 26 23:43:01 fuji sshd[15234]: Illegal user test from 66.232.130.40
Jul 26 23:43:01 fuji sshd[15234]: Failed password for illegal user test from 66.232.130.40 port 53530 ssh2
Jul 26 23:43:04 fuji sshd[13995]: Illegal user guest from 66.232.130.40
Jul 26 23:43:04 fuji sshd[13995]: Failed password for illegal user guest from 66.232.130.40 port 53543 ssh2

These attempts go back for a few weeks. I agree that it must be some script running on a number of machines, or possibly a worm doing some widespread intrusion attempt using a variation of the monkey principle. Haven't seen any news about this. Anybody monitoring network security forums/mailing lists got news about this?

John

--- Kevin Bucknum <[EMAIL PROTECTED]> wrote:

> Looks like I've had two attempts on both accounts.
> All within an hour on Sunday.
>
>
> ----- Original Message -----
> From: Will Lowe <[EMAIL PROTECTED]>
> Date: Tue, 27 Jul 2004 09:58:34 -0500
> Subject: [brlug-general] Hackers
> To: Brlug-general <[email protected]>
>
> Has anybody else had attempts to access their systems via SSH? My site
> and several other sites that I manage are showing attempts using the
> guest and test user accounts from many different IP addresses, mostly
> from southeast Asia (Japan, Korea, etc.)
>
> I'm thinking that it is some type of automated attempt. I also wonder if
> the addresses could be forged.
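
Added example (not part of the original message or thread): a Python example that groups sshd "Illegal user" lines in the format quoted above by source address and reports username sets tried identically from several addresses, which is the pattern the thread attributes to an automated script. The sample log is constructed with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the quoted sshd lines.
# Addresses are documentation ranges, not the ones from the thread.
SAMPLE_LOG = """\
Jul 25 03:16:42 host sshd[20647]: Illegal user test from 192.0.2.10
Jul 25 03:16:42 host sshd[20647]: Failed password for illegal user test from 192.0.2.10 port 2384 ssh2
Jul 25 03:16:47 host sshd[11459]: Illegal user guest from 192.0.2.10
Jul 25 04:31:08 host sshd[32464]: Illegal user test from 198.51.100.7
Jul 25 04:31:12 host sshd[5458]: Illegal user guest from 198.51.100.7
Jul 25 19:05:40 host sshd[6330]: Did not receive identification string from 203.0.113.5
Jul 26 12:44:47 host sshd[13585]: Illegal user  from 203.0.113.9
"""

# Only the "Illegal user" line is counted, so the paired "Failed password"
# line does not double-count an attempt. The user field is attacker-supplied
# and may be empty; anchoring the address at end of line means a username
# containing " from " cannot shift the parsed source address.
ILLEGAL_USER = re.compile(
    r"sshd\[\d+\]: Illegal user\s(?P<user>.*?)\s*"
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def summarize(log_text):
    """Return {source_ip: sorted list of invalid usernames tried}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            seen[m.group("ip")].add(m.group("user") or "<empty>")
    return {ip: sorted(users) for ip, users in seen.items()}

def shared_pattern(summary, min_sources=2):
    """Return username sets tried identically from >= min_sources addresses."""
    by_set = defaultdict(list)
    for ip, users in summary.items():
        by_set[tuple(users)].append(ip)
    return {u: sorted(ips) for u, ips in by_set.items() if len(ips) >= min_sources}

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for users, ips in shared_pattern(summary).items():
        print(f"{', '.join(users)}: tried from {len(ips)} addresses: {', '.join(ips)}")
```
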
