sorta what I figured, but it was a pretty half assed attempt. :P
on a side note, are these typically worth reporting to the ISP of the
attacker? I tried doing a DNS lookup on the box in question, but it
doesn't seem to have an FQDN registered. What's the best way to figure
out the admin for a subnet from a machine's IP?
Thanks,
Steve
shiftee wrote:
It just looks like someone is trying to brute-force an account, I'm
sure there are plenty of places that provide tools for this.
Just make sure you enforce secure passwords, and keep an eye on your
syslog.
On Sun, Mar 24, 2002 at 07:11:25AM -0800, Stephen Hassard wrote:
Hi there,
I found these in my event log from yesterday:
>>>
Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user www
Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from
213.26.96.103 port 2276 ssh2
Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for illegal
user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www
from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:19 www sshd[10997]: input_userauth_request: illegal user oracle
Mar 23 09:33:19 www sshd[10997]: Failed none for illegal user oracle
from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:19 www sshd[10997]: Failed keyboard-interactive for illegal
user oracle from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle
from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:19 www sshd[10999]: input_userauth_request: illegal user test
Mar 23 09:33:19 www sshd[10999]: Failed none for illegal user test from
213.26.96.103 port 2277 ssh2
Mar 23 09:33:19 www sshd[10999]: Failed keyboard-interactive for illegal
user test from 213.26.96.103 port 2277 ssh2
Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test
from 213.26.96.103 port 2277 ssh2
<<<
It seems from the timestamp that it's most likely a script kiddy;
the time duration between failed password attempts seems really short.
I'm just wondering if anyone's seen a script that does this and is
available widely, or is it a good chance that I've got someone trying to
break in? None of my other services seem to have been probed, just ssh.
Thanks,
Steve
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
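
As a concrete form of the "keep an eye on your syslog" advice in the thread, the following is an added example (not part of the original messages) that scans sshd failure records and reports any source address that tried several distinct usernames in a short window. The function names, the threshold of 3 usernames, the 60-second window, and the sample records with documentation-range addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Accepts the "illegal user" wording in the log above and the "invalid user"
# wording of later OpenSSH releases; known accounts have neither prefix.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
STAMP = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d ")

def unwrap(text):
    """Re-join records that a mail client wrapped onto a second line."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def find_bursts(text, min_users=3, window=timedelta(seconds=60), year=2000):
    """Map source IP -> usernames for sources with failed logins for at least
    min_users distinct usernames in one window (year is assumed for parsing)."""
    events = defaultdict(list)
    for rec in unwrap(text):
        m = FAILED.match(rec)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

# Constructed sample: host name, PIDs and documentation-range addresses.
SAMPLE = """\
Mar 23 09:33:18 host sshd[101]: Failed password for illegal user www
from 192.0.2.10 port 2276 ssh2
Mar 23 09:33:19 host sshd[102]: Failed password for illegal user oracle
from 192.0.2.10 port 2275 ssh2
Mar 23 09:33:20 host sshd[103]: Failed password for invalid user test from 192.0.2.10 port 2277 ssh2
Mar 23 11:02:41 host sshd[150]: Failed password for steve from 198.51.100.7 port 4410 ssh2
"""
```

Calling `find_bursts(SAMPLE)` flags only the address that cycled through three usernames; the single failed login for an existing account from the other address is not reported.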