Hi,
You're not alone :)
I'm beeing scanned too, from various ip-addresses for various users.
I guess the solution is to block SSH in your firewall, and open it to
your needs.
Dejan Markovic wrote:
Hi Guys,
Don't know whether this is the right list, but need to ask if others have
the same entries in their logs for the past number of months. Let me take a
step back, I maintain a number of networks on different IP ranges and they
are all being probed by what looks like a tool, or maybe it is the same
group/script. The originating computers range from open proxies to owned
boxes and there are two distinct patterns I've seen so far. The following
scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
caught my attention the first time a while back, and still getting the same
scans on a daily basis:
account/password from 210.245.168.28: 1 Time(s)
adam/password from 210.245.168.28: 1 Time(s)
adm/password from 210.245.168.28: 2 Time(s)
alan/password from 210.245.168.28: 1 Time(s)
apache/password from 210.245.168.28: 1 Time(s)
backup/password from 210.245.168.28: 1 Time(s)
cip51/password from 210.245.168.28: 1 Time(s)
cip52/password from 210.245.168.28: 1 Time(s)
cosmin/password from 210.245.168.28: 1 Time(s)
cyrus/password from 210.245.168.28: 1 Time(s)
data/password from 210.245.168.28: 1 Time(s)
frank/password from 210.245.168.28: 1 Time(s)
george/password from 210.245.168.28: 1 Time(s)
henry/password from 210.245.168.28: 1 Time(s)
horde/password from 210.245.168.28: 1 Time(s)
iceuser/password from 210.245.168.28: 1 Time(s)
irc/password from 210.245.168.28: 2 Time(s)
jane/password from 210.245.168.28: 1 Time(s)
john/password from 210.245.168.28: 1 Time(s)
master/password from 210.245.168.28: 1 Time(s)
matt/password from 210.245.168.28: 1 Time(s)
mysql/password from 210.245.168.28: 1 Time(s)
nobody/password from 210.245.168.28: 1 Time(s)
noc/password from 210.245.168.28: 1 Time(s)
operator/password from 210.245.168.28: 1 Time(s)
oracle/password from 210.245.168.28: 1 Time(s)
pamela/password from 210.245.168.28: 1 Time(s)
patrick/password from 210.245.168.28: 2 Time(s)
rolo/password from 210.245.168.28: 1 Time(s)
root/password from 210.245.168.28: 59 Time(s)
server/password from 210.245.168.28: 1 Time(s)
sybase/password from 210.245.168.28: 1 Time(s)
test/password from 210.245.168.28: 5 Time(s)
user/password from 210.245.168.28: 3 Time(s)
web/password from 210.245.168.28: 2 Time(s)
webmaster/password from 210.245.168.28: 1 Time(s)
www-data/password from 210.245.168.28: 1 Time(s)
www/password from 210.245.168.28: 1 Time(s)
wwwrun/password from 210.245.168.28: 1 Time(s)
Regards,
Dan
Cheers,
--
_____ __ Ú---------------------Â---------------------------¿
|_ _\ \ / / | Harald Nesland | email: harald@interweb.no |
| | \ \ /\ / / | Interweb Norge AS | t l f: +47 380 58 200 |
| | \ V V / | Ægirsvei 10 | f a x: +47 380 58 201 |
|___| \_/\_/ | 4630 Kristiansand | p g p: 0 x 43951F95 |
www.interweb.no À---------------------Á---------------------------Ù
