sorta what I figured, but it was a pretty half assed attempt. :P

On a side note, are these typically worth reporting to the ISP of the 
attacker? I tried doing a DNS lookup on the box in question, but it 
doesn't seem to have an FQDN registered. What's the best way to figure 
out the admin for a subnet from a machine's IP?

Thanks,
Steve

shiftee wrote:
> It just looks like someone is trying to brute-force an account, I'm
> sure there are plenty of places that provide tools for this.
> 
> Just make sure you enforce secure passwords, and keep an eye on your
> syslog.
> 
> On Sun, Mar 24, 2002 at 07:11:25AM -0800, Stephen Hassard wrote:
> 
>>Hi there,
>>
>>I found these in my event log from yesterday:
>>
>> >>>
>>Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user www
>>Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from 
>>213.26.96.103 port 2276 ssh2
>>Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for illegal 
>>user www from 213.26.96.103 port 2276 ssh2
>>Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www 
>>from 213.26.96.103 port 2276 ssh2
>>Mar 23 09:33:19 www sshd[10997]: input_userauth_request: illegal user oracle
>>Mar 23 09:33:19 www sshd[10997]: Failed none for illegal user oracle 
>>from 213.26.96.103 port 2275 ssh2
>>Mar 23 09:33:19 www sshd[10997]: Failed keyboard-interactive for illegal 
>>user oracle from 213.26.96.103 port 2275 ssh2
>>Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle 
>>from 213.26.96.103 port 2275 ssh2
>>Mar 23 09:33:19 www sshd[10999]: input_userauth_request: illegal user test
>>Mar 23 09:33:19 www sshd[10999]: Failed none for illegal user test from 
>>213.26.96.103 port 2277 ssh2
>>Mar 23 09:33:19 www sshd[10999]: Failed keyboard-interactive for illegal 
>>user test from 213.26.96.103 port 2277 ssh2
>>Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test 
>>from 213.26.96.103 port 2277 ssh2
>><<<
>>
>>It seems from the timestamp that it's most likely a script kiddy; 
>>The time duration between failed password attempts seems really short. 
>>I'm just wondering if anyone's seen a script that does this and is 
>>available widely, or is it a good chance that I've got someone trying to 
>>break in? None of my other services seem to have been probed, just ssh.
>>
>>Thanks,
>>Steve
>>
>>
>>-- 
>>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>>with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 
> 


