On examining /var/log/secure for several firewalls I manage
remotely using
ssh I have observed a recurrent pattern of probing over the
last several
that attempts to connect using user id's in the following order...
test / guest / admin / admin / user / test
We are seeing the same on 1 of the systems of my private company, coming from
several systems from the former eastern europe. (mostly 80.x.x.x) In our set of
users they try are also the user root and an attempt without a user (NO_USER or
something like that, I don't have access to the logs right now)
However I am wondering if anyone has characterised the probe and/or
performed a risk assessment/analysis? The rate of probes is
very low so I don't think there is a DOS attack just yet!
Not yet, but on our system we're see a probe pop up every 2-3 hours. (started
with 1 every 2-3 days)
Is it worth reporting the behaviour to the net block
assignees in case they
aren't aware their server might be compromised?
I think we should at least compare the ip blocks off list to see if there are
similarities.
Jan Huijsmans
================================================
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en
is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht
onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en
de afzender direct te informeren door het bericht te retourneren.
================================================
The information contained in this message may be confidential
and is intended to be exclusively for the addressee. Should you
receive this message unintentionally, please do not use the contents
herein and notify the sender immediately by return e-mail.
