On Thu, May 02, 2002 at 11:14:01AM -0400, Matt Zimmerman wrote:
> I have seen this twice now on two geographically, topologically and
> administratively different systems. The probe was slightly different, but
> close enough to attract my attention.
>
> May 1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 211.4.205.72 port 46827 ssh2
> May 1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 211.4.205.72 port 46828 ssh2
>
> May 1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 202.8.228.198 port 4338
>
> Has anyone else seen probes of this sort recently?

Something like this was reported on the debian-security mailing list back in March, in:

http://lists.debian.org/debian-security/2002/debian-security-200203/msg00216.html

From the timestamps, it's probably automated, but from a Google search, I don't think that the tool responsible is in widespread use or distributed publicly. I don't have appropriate logs, but I'm guessing that it's trying empty passwords and/or 'test' and 'oracle' for users 'test' and 'oracle'.

Your post reminded me of a similar incident I saw at another site, where someone tried (and failed) to guess passwords for users found with finger:

Jan 26 14:30:42 hydrogen in.fingerd[6450]: connect from 207.249.144.205
Jan 26 14:30:42 hydrogen in.fingerd[6451]: connect from 207.249.144.205
Jan 26 14:32:47 hydrogen in.fingerd[6452]: connect from 148.221.70.70
Jan 26 14:33:03 hydrogen in.fingerd[6453]: connect from 148.221.70.70
Jan 26 14:34:13 hydrogen sshd[6454]: Connection from 148.221.70.70 port 1069
Jan 26 14:34:32 hydrogen PAM_pwdb[6454]: authentication failure; (uid=0) -> waoki for sshd service
Jan 26 14:34:33 hydrogen sshd[6454]: Failed password for waoki from 148.221.70.70 port 1069
Jan 26 14:34:44 hydrogen last message repeated 2 times
Jan 26 14:35:43 hydrogen sshd[6454]: fatal: Read from socket failed: Connection reset by peer
Jan 26 14:35:43 hydrogen PAM_pwdb[6454]: (sshd) session closed for user waoki
Jan 26 14:35:43 hydrogen PAM_pwdb[6454]: 2 more authentication failures; (uid=0) -> waoki for sshd service
Jan 26 14:38:05 hydrogen in.fingerd[6455]: connect from 148.221.70.70
Jan 26 14:38:22 hydrogen sshd[6456]: Connection from 148.221.70.70 port 1079
Jan 26 14:38:36 hydrogen PAM_pwdb[6456]: authentication failure; (uid=0) -> waoki for sshd service
Jan 26 14:38:37 hydrogen sshd[6456]: Failed password for waoki from 148.221.70.70 port 1079
Jan 26 14:38:40 hydrogen sshd[6456]: fatal: Read from socket failed: Connection reset by peer
Jan 26 14:38:40 hydrogen PAM_pwdb[6456]: (sshd) session closed for user waoki

which looks like it could have been done by hand, or could be an updated version of the old finger + telnet password brute-force scripts.

-- 
William Aoki     waokiat_private      /"\  ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92        \ /   No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B         X
                                     / \

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
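The sshd lines quoted in both posts above are the kind of thing a log reviewer wants to pick out automatically: failed logins aggregated per source address, with "illegal user" (account does not exist) attempts called out separately. The script below is an added example written for this page, not code from either poster or from the list. It parses the syslog/sshd failure format shown in the posts, expands syslogd's "last message repeated N times" marker into the failures it stands for, and flags sources by a set of assumed rules (any attempt against a non-existent account, a per-source failure count at or above a configurable threshold, or one source hitting more than one host). The sample log is the posters' own lines copied into a string so the script runs offline.

```python
import re
from collections import defaultdict

# Sample input: the sshd/syslog lines quoted in the two posts above, copied
# into a string so the script runs offline. Hosts, PIDs and addresses are as
# posted; the surrounding fingerd/PAM lines are left out since they carry no
# per-attempt detail that the sshd lines do not already give.
SAMPLE_LOG = """\
May 1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 211.4.205.72 port 46827 ssh2
May 1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 211.4.205.72 port 46828 ssh2
May 1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 202.8.228.198 port 4338
Jan 26 14:34:33 hydrogen sshd[6454]: Failed password for waoki from 148.221.70.70 port 1069
Jan 26 14:34:44 hydrogen last message repeated 2 times
Jan 26 14:38:37 hydrogen sshd[6456]: Failed password for waoki from 148.221.70.70 port 1079
"""

# Syslog prefix: month, day (1 or 2 digits, possibly double-space padded), time, host.
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
GENERIC_RE = re.compile(_PREFIX)

# "Failed <method> for [illegal user ]<user> from <src> port <port>[ ssh2]"
FAILED_RE = re.compile(
    _PREFIX
    + r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for "
    + r"(?P<illegal>illegal user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# syslogd collapses identical consecutive lines into this marker; it refers
# to the immediately preceding line logged on the same host.
REPEAT_RE = re.compile(_PREFIX + r"last message repeated (?P<n>\d+) times$")


def parse_sshd_failures(text):
    """Return one dict per failed authentication. A 'last message repeated N
    times' marker becomes N copies of the preceding failure on that host, but
    only if that preceding line really was a parsed failure."""
    events = []
    last_by_host = {}  # host -> last parsed failure, or None if the last line was something else
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ev = {
                "ts": m.group("ts"),
                "host": m.group("host"),
                "method": m.group("method"),      # "none", "password", ...
                "user": m.group("user"),
                "illegal": m.group("illegal") is not None,
                "src": m.group("src"),
                "port": int(m.group("port")),
            }
            events.append(ev)
            last_by_host[ev["host"]] = ev
            continue
        r = REPEAT_RE.match(line)
        if r:
            prev = last_by_host.get(r.group("host"))
            if prev is not None:
                events.extend(dict(prev, ts=r.group("ts")) for _ in range(int(r.group("n"))))
            continue
        g = GENERIC_RE.match(line)
        if g:
            # Any other line from this host breaks the "repeated" chain.
            last_by_host[g.group("host")] = None
    return events


def summarize_by_source(events):
    """Aggregate failures per source address."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "illegal_users": set(),
                                   "methods": set(), "hosts": set()})
    for ev in events:
        s = summary[ev["src"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["illegal"]:
            s["illegal_users"].add(ev["user"])
        s["methods"].add(ev["method"])
        s["hosts"].add(ev["host"])
    return dict(summary)


def flag_probes(summary, threshold=3):
    """Return {src: [reasons]} for sources worth a closer look. The rules and
    the default threshold are assumptions for this example, not a standard."""
    flags = {}
    for src, s in summary.items():
        reasons = []
        if s["illegal_users"]:
            reasons.append("tried non-existent account(s): " + ", ".join(sorted(s["illegal_users"])))
        if s["attempts"] >= threshold:
            reasons.append("%d failed logins (threshold %d)" % (s["attempts"], threshold))
        if len(s["hosts"]) > 1:
            reasons.append("seen on %d hosts" % len(s["hosts"]))
        if reasons:
            flags[src] = reasons
    return flags


if __name__ == "__main__":
    summary = summarize_by_source(parse_sshd_failures(SAMPLE_LOG))
    for src, reasons in sorted(flag_probes(summary).items()):
        print(src, "->", "; ".join(reasons))
```

Run against the posted lines, all three sources come out flagged: the two May 1 sources for hitting accounts that do not exist, and 148.221.70.70 for four failures against waoki once the "repeated 2 times" marker is unfolded. One caveat when tuning this on real logs: OpenSSH records "Failed none" whenever it refuses the client's initial "none" request, which ordinary clients send to learn which methods are allowed, so a lone "Failed none" line is not by itself a password guess. What makes the lines in the post stand out is the "illegal user" part and the test/oracle pairing, which is why the rule set keys on non-existent accounts and repeat counts rather than on the "none" method alone.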
This archive was generated by hypermail 2b30 : Thu May 02 2002 - 13:26:04 PDT