
Re: [Full-Disclosure] Automated SSH login attempts?

Subject: Re: [Full-Disclosure] Automated SSH login attempts?
Date: Fri, 30 Jul 2004 09:39:55 -0400
Could it be possible that there are different versions of this, one making noise and one much rarer one with an exploit?

-Neal

Andrei Galca-Vasiliu wrote:
I've seen that too, on several machines, different range of IPs. I guess it's
some sort of a mass bruteforce exploit (there were 50 or more attempts on my
box in just 20-30 s). If anyone can enlighten us, it will be appreciated;
I've searched too and couldn't find anything related.

In an e-mail dated Thursday 22 July 2004 17:47, Jay Libove wrote:

[ Posted to full disclosure and vulnwatch;  please edit reply address(es)
as appropriate. Thanks. -Jay ]

My Linux system, and a Linux system run by a friend here in the same city
but on a completely different netblock (different ISP), have both seen
apparently automated attempts to log in to our systems via SSH in the past
few days.  Looks like a script.


Here are some log entries from my system:

Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 62.67.45.4
Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 62.67.45.4 port 39192 ssh2
Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 62.67.45.4
Jul 15 10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from 62.67.45.4 port 39234 ssh2
Jul 15 10:01:38 panther6 sshd[8273]: Illegal user user from 62.67.45.4
Jul 15 10:01:38 panther6 sshd[8273]: Failed password for illegal user user from 62.67.45.4 port 39275 ssh2
Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 62.67.45.4 port 39340 ssh2
Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 62.67.45.4 port 39386 ssh2
Jul 15 10:44:12 panther6 sshd[8300]: Illegal user test from 62.67.45.4
Jul 15 10:44:12 panther6 sshd[8300]: Failed password for illegal user test from 62.67.45.4 port 33771 ssh2
Jul 15 10:44:14 panther6 sshd[8302]: Illegal user guest from 62.67.45.4
Jul 15 10:44:14 panther6 sshd[8302]: Failed password for illegal user guest from 62.67.45.4 port 33828 ssh2
Jul 15 10:44:15 panther6 sshd[8304]: Illegal user admin from 62.67.45.4
Jul 15 10:44:15 panther6 sshd[8304]: Failed password for illegal user admin from 62.67.45.4 port 33876 ssh2
Jul 15 10:44:16 panther6 sshd[8306]: Illegal user user from 62.67.45.4
Jul 15 10:44:16 panther6 sshd[8306]: Failed password for illegal user user from 62.67.45.4 port 33916 ssh2
Jul 15 10:44:17 panther6 sshd[8308]: Failed password for root from 62.67.45.4 port 33988 ssh2
Jul 15 10:44:19 panther6 sshd[8310]: Failed password for root from 62.67.45.4 port 34032 ssh2
Jul 15 17:07:15 panther6 sshd[8912]: Illegal user test from 131.234.36.152
Jul 15 17:07:15 panther6 sshd[8912]: Failed password for illegal user test from 131.234.36.152 port 38287 ssh2
Jul 15 17:07:16 panther6 sshd[8914]: Illegal user guest from 131.234.36.152
Jul 15 17:07:16 panther6 sshd[8914]: Failed password for illegal user guest from 131.234.36.152 port 38326 ssh2
Jul 15 17:07:18 panther6 sshd[8916]: Illegal user admin from 131.234.36.152
Jul 15 17:07:18 panther6 sshd[8916]: Failed password for illegal user admin from 131.234.36.152 port 38370 ssh2
Jul 15 17:07:19 panther6 sshd[8918]: Illegal user admin from 131.234.36.152
Jul 15 17:07:19 panther6 sshd[8918]: Failed password for illegal user admin from 131.234.36.152 port 38412 ssh2
Jul 15 17:07:21 panther6 sshd[8920]: Illegal user user from 131.234.36.152
Jul 15 17:07:21 panther6 sshd[8920]: Failed password for illegal user user from 131.234.36.152 port 38468 ssh2
Jul 15 17:07:22 panther6 sshd[8922]: Failed password for root from 131.234.36.152 port 38516 ssh2
Jul 15 17:07:23 panther6 sshd[8924]: Failed password for root from 131.234.36.152 port 38558 ssh2
Jul 15 17:07:25 panther6 sshd[8926]: Failed password for root from 131.234.36.152 port 38611 ssh2
Jul 15 17:07:26 panther6 sshd[8928]: Illegal user test from 131.234.36.152
Jul 15 17:07:26 panther6 sshd[8928]: Failed password for illegal user test from 131.234.36.152 port 38675 ssh2
Jul 19 22:05:07 panther6 sshd[30439]: Illegal user test from 83.103.27.66
Jul 19 22:05:07 panther6 sshd[30439]: Failed password for illegal user test from 83.103.27.66 port 52671 ssh2
Jul 19 22:05:08 panther6 sshd[30441]: Illegal user guest from 83.103.27.66
Jul 19 22:05:08 panther6 sshd[30441]: Failed password for illegal user guest from 83.103.27.66 port 52687 ssh2
Jul 21 06:30:12 panther6 sshd[1103]: Illegal user test from 219.103.193.130
Jul 21 06:30:12 panther6 sshd[1103]: Failed password for illegal user test from 219.103.193.130 port 55802 ssh2
Jul 21 06:30:14 panther6 sshd[1105]: Illegal user guest from 219.103.193.130
Jul 21 06:30:14 panther6 sshd[1105]: Failed password for illegal user guest from 219.103.193.130 port 55823 ssh2


... and some log entries from my friend's system:

Jul 19 21:04:33 quack sshd[28379]: Illegal user test from 131.234.157.10
Jul 19 21:04:34 quack sshd[28381]: Illegal user guest from 131.234.157.10
Jul 19 21:04:36 quack sshd[28383]: Illegal user admin from 131.234.157.10
Jul 19 21:04:37 quack sshd[28385]: Illegal user admin from 131.234.157.10
Jul 19 21:04:38 quack sshd[28387]: Illegal user user from 131.234.157.10
Jul 19 21:04:43 quack sshd[28400]: Illegal user test from 131.234.157.10
Jul 22 09:39:10 quack sshd[7646]: Illegal user test from 156.17.99.11
Jul 22 09:39:11 quack sshd[7648]: Illegal user guest from 156.17.99.11


I have not seen any notes about this on the vulnerability discussion lists. Has anyone else noticed it? What specific vulnerability (or default password?) is this looking for?

-Jay Libove, CISSP
libove@felines.org
Atlanta, GA US

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
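The pattern Jay's logs show (the same handful of non-existent accounts tried in order from one address within a few seconds, then root) is easy to pick out of sshd output automatically. The Python below is an added example, not code from anyone in this thread: it parses the two sshd line formats quoted above, collapses the "Illegal user" and "Failed password for illegal user" lines of one connection into a single attempt (they share a PID), groups each source address's attempts into runs, and flags a run either by volume or because it walked through the scanner's account list. The sample log is constructed for the example (RFC 5737 documentation addresses, made-up host, PIDs and ports); the year is assumed to be 2004 because syslog timestamps carry none, and the thresholds are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the two sshd formats quoted in the thread. Hostname,
# PIDs, ports and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG = """\
Jul 15 10:01:34 host1 sshd[8267]: Illegal user test from 192.0.2.10
Jul 15 10:01:34 host1 sshd[8267]: Failed password for illegal user test from 192.0.2.10 port 39141 ssh2
Jul 15 10:01:36 host1 sshd[8269]: Illegal user guest from 192.0.2.10
Jul 15 10:01:36 host1 sshd[8269]: Failed password for illegal user guest from 192.0.2.10 port 39192 ssh2
Jul 15 10:01:37 host1 sshd[8271]: Illegal user admin from 192.0.2.10
Jul 15 10:01:37 host1 sshd[8271]: Failed password for illegal user admin from 192.0.2.10 port 39234 ssh2
Jul 15 10:01:38 host1 sshd[8273]: Illegal user user from 192.0.2.10
Jul 15 10:01:38 host1 sshd[8273]: Failed password for illegal user user from 192.0.2.10 port 39275 ssh2
Jul 15 10:01:39 host1 sshd[8275]: Failed password for root from 192.0.2.10 port 39340 ssh2
Jul 15 10:01:41 host1 sshd[8277]: Failed password for root from 192.0.2.10 port 39386 ssh2
Jul 15 11:15:02 host1 sshd[8401]: Failed password for alice from 203.0.113.5 port 50122 ssh2
Jul 15 11:15:09 host1 sshd[8401]: Accepted password for alice from 203.0.113.5 port 50122 ssh2
Jul 15 22:05:07 host1 sshd[30439]: Illegal user test from 198.51.100.7
Jul 15 22:05:07 host1 sshd[30439]: Failed password for illegal user test from 198.51.100.7 port 52671 ssh2
Jul 15 22:05:08 host1 sshd[30441]: Illegal user guest from 198.51.100.7
Jul 15 22:05:08 host1 sshd[30441]: Failed password for illegal user guest from 198.51.100.7 port 52687 ssh2
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
ILLEGAL_RE = re.compile(SYSLOG_TS + r" (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
                        r"Illegal user (?P<user>\S+) from (?P<src>\S+)$")
FAILED_RE = re.compile(SYSLOG_TS + r" (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
                       r"Failed password for (?P<illegal>illegal user )?(?P<user>\S+) "
                       r"from (?P<src>\S+) port \d+ ssh2$")

# The account names the thread's scanner walks through before trying root.
PROBE_ACCOUNTS = ("test", "guest", "admin", "user")


def parse_events(text, year=2004):
    """One event per sshd connection (keyed by host+PID), so the 'Illegal user'
    line and the 'Failed password for illegal user' line of the same connection
    count once. Syslog lines carry no year; 2004 is assumed from the thread."""
    events = {}
    for line in text.splitlines():
        m = ILLEGAL_RE.match(line) or FAILED_RE.match(line)
        if not m:
            continue  # 'Accepted password' and other lines are ignored
        ev = events.setdefault((m["host"], m["pid"]), {
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "src": m["src"], "user": m["user"], "account_exists": True})
        if m.re is ILLEGAL_RE or m.groupdict().get("illegal"):
            ev["account_exists"] = False  # sshd says the account does not exist
    return sorted(events.values(), key=lambda e: e["ts"])


def _judge(src, run, threshold, min_probe):
    """Flag a run by volume ('burst') and/or by the scanner's account list."""
    reasons = []
    if len(run) >= threshold:
        reasons.append("burst")
    probed = {e["user"] for e in run if not e["account_exists"]} & set(PROBE_ACCOUNTS)
    if len(probed) >= min_probe:
        reasons.append("probe-accounts")
    if not reasons:
        return None
    return {"src": src, "reasons": reasons, "attempts": len(run),
            "first": run[0]["ts"].isoformat(sep=" "),
            "last": run[-1]["ts"].isoformat(sep=" "),
            "users": [e["user"] for e in run],
            "nonexistent": sum(not e["account_exists"] for e in run)}


def find_suspicious(events, threshold=5, max_gap=timedelta(seconds=30), min_probe=2):
    """Split each source's attempts into runs separated by gaps > max_gap,
    then judge every run. Thresholds are arbitrary defaults for the example."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        run = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if cur["ts"] - prev["ts"] <= max_gap:
                run.append(cur)
            else:
                alerts.append(_judge(src, run, threshold, min_probe))
                run = [cur]
        alerts.append(_judge(src, run, threshold, min_probe))
    return [a for a in alerts if a]


def analyze(text):
    return find_suspicious(parse_events(text))


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['src']}: {a['attempts']} attempts {a['first']}..{a['last']} "
              f"({a['nonexistent']} to nonexistent accounts) reasons={a['reasons']} "
              f"users={a['users']}")
```

On the sample, 192.0.2.10 is flagged for both reasons (six connections in seven seconds, four of them to accounts that do not exist), 198.51.100.7 only by the account-name rule, and the single failed-then-accepted login for alice from 203.0.113.5 is not flagged at all. The second rule matters: the short two-account probes in Jay's logs (test, then guest) never reach a volume threshold, so a count-only detector misses exactly the traffic this thread is about. Keying attempts by PID avoids the double counting that sshd's two lines per illegal-user connection would otherwise cause.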