Hi Harald,
Thanks for the reply, have already received a number of responses from
people saying they are getting the same type of probes, as for blocking at
the firewall, that would definitely be more secure, but unfortunately that
would add another layer of complexity, so I'm pretty much stuck with use
strong passwords and read the logs. Talk to you later.
Regards,
Dan
----- Original Message -----
From: "Harald Nesland" <maillists-hn@interweb.no>
To: "Dejan Markovic" <dejanmarkovic@hotmail.com>
Cc: <INCIDENTS@SECURITYFOCUS.COM>
Sent: Monday, December 20, 2004 11:18 AM
Subject: Re: SSH scans...
Hi,
You're not alone :)
I'm beeing scanned too, from various ip-addresses for various users.
I guess the solution is to block SSH in your firewall, and open it to
your needs.
Dejan Markovic wrote:
Hi Guys,
Don't know whether this is the right list, but need to ask if others have
the same entries in their logs for the past number of months. Let me take
a
step back, I maintain a number of networks on different IP ranges and they
are all being probed by what looks like a tool, or maybe it is the same
group/script. The originating computers range from open proxies to owned
boxes and there are two distinct patterns I've seen so far. The following
scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
caught my attention the first time a while back, and still getting the
same
scans on a daily basis:
account/password from 210.245.168.28: 1 Time(s)
adam/password from 210.245.168.28: 1 Time(s)
adm/password from 210.245.168.28: 2 Time(s)
alan/password from 210.245.168.28: 1 Time(s)
apache/password from 210.245.168.28: 1 Time(s)
backup/password from 210.245.168.28: 1 Time(s)
cip51/password from 210.245.168.28: 1 Time(s)
cip52/password from 210.245.168.28: 1 Time(s)
cosmin/password from 210.245.168.28: 1 Time(s)
cyrus/password from 210.245.168.28: 1 Time(s)
data/password from 210.245.168.28: 1 Time(s)
frank/password from 210.245.168.28: 1 Time(s)
george/password from 210.245.168.28: 1 Time(s)
henry/password from 210.245.168.28: 1 Time(s)
horde/password from 210.245.168.28: 1 Time(s)
iceuser/password from 210.245.168.28: 1 Time(s)
irc/password from 210.245.168.28: 2 Time(s)
jane/password from 210.245.168.28: 1 Time(s)
john/password from 210.245.168.28: 1 Time(s)
master/password from 210.245.168.28: 1 Time(s)
matt/password from 210.245.168.28: 1 Time(s)
mysql/password from 210.245.168.28: 1 Time(s)
nobody/password from 210.245.168.28: 1 Time(s)
noc/password from 210.245.168.28: 1 Time(s)
operator/password from 210.245.168.28: 1 Time(s)
oracle/password from 210.245.168.28: 1 Time(s)
pamela/password from 210.245.168.28: 1 Time(s)
patrick/password from 210.245.168.28: 2 Time(s)
rolo/password from 210.245.168.28: 1 Time(s)
root/password from 210.245.168.28: 59 Time(s)
server/password from 210.245.168.28: 1 Time(s)
sybase/password from 210.245.168.28: 1 Time(s)
test/password from 210.245.168.28: 5 Time(s)
user/password from 210.245.168.28: 3 Time(s)
web/password from 210.245.168.28: 2 Time(s)
webmaster/password from 210.245.168.28: 1 Time(s)
www-data/password from 210.245.168.28: 1 Time(s)
www/password from 210.245.168.28: 1 Time(s)
wwwrun/password from 210.245.168.28: 1 Time(s)
Regards,
Dan
Cheers,
--
_____ __ Ú---------------------Â---------------------------¿
|_ _\ \ / / | Harald Nesland | email: harald@interweb.no |
| | \ \ /\ / / | Interweb Norge AS | t l f: +47 380 58 200 |
| | \ V V / | Ægirsvei 10 | f a x: +47 380 58 201 |
|___| \_/\_/ | 4630 Kristiansand | p g p: 0 x 43951F95 |
www.interweb.no À---------------------Á---------------------------Ù
