[H-GEN] Blocking SSH exploits

Jay johannes at paradise.net.nz
Tue Aug 24 20:02:17 EDT 2004


On Mon, 23 Aug 2004 18:45, Greg Black wrote:
> On 2004-08-23, Greg Black wrote:
> > On 2004-08-22, Sarah Walters wrote:
> > > In the daily security report generated by our FreeBSD box, we've been
> > > getting a lot of messages like the following lately:
> > >
> > > tempus.walters.id.au login failures:
> > > Aug 21 09:07:25 tempus sshd[14677]: Failed password for root from
> > > 219.238.239.178 port 39247 ssh2
> >
> > I've been seeing these regularly since 25 July.
>
> I thought I should quantify this.  On my home network, I've had
> 225 of these since 25 July.  The usernames attempted have been
> ROOT, admin, guest, test, user and the attempts have come from
> the following IP addresses:

Same here since July 26 using names (root, user, test, admin, guest) and 
originating from:

Most attempts come in blocks of up to nine per IP within about 30 seconds, 
which suggests some form of automation is being used.

Cheers

Johannes
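
The burst pattern described above (several failures per IP within about 30 seconds), as an added example that is not part of the original post: a Python script that groups sshd `Failed password` lines by source address and reports bursts. The sample log lines are constructed with documentation addresses, and the threshold of 3 and the `year` argument are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format as quoted in the thread; older sshd logs "illegal user",
# newer sshd logs "invalid user" for unknown account names.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bursts(lines, window=30, threshold=3, year=2004):
    """Return (ip, start, count, usernames) for each run of >= threshold
    failures from one IP that fits inside `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            # syslog omits the year, so the caller supplies it (assumption)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["user"]))
    bursts = []
    for ip, seen in events.items():
        seen.sort()
        run = []
        for ts, user in seen + [(datetime.max, None)]:  # sentinel flushes last run
            if run and ts - run[0][0] > timedelta(seconds=window):
                if len(run) >= threshold:
                    bursts.append((ip, run[0][0], len(run), sorted({u for _, u in run})))
                run = []
            run.append((ts, user))
    return sorted(bursts, key=lambda b: b[1])

# Constructed sample (documentation addresses, not taken from the thread)
SAMPLE = """\
Aug 21 09:07:25 tempus sshd[14677]: Failed password for root from 192.0.2.10 port 39247 ssh2
Aug 21 09:07:28 tempus sshd[14679]: Failed password for illegal user admin from 192.0.2.10 port 39301 ssh2
Aug 21 09:07:31 tempus sshd[14681]: Failed password for illegal user guest from 192.0.2.10 port 39355 ssh2
Aug 21 09:07:40 tempus sshd[14683]: Failed password for illegal user test from 192.0.2.10 port 39410 ssh2
Aug 21 09:12:02 tempus sshd[14690]: Failed password for root from 198.51.100.7 port 40112 ssh2
Aug 21 09:15:44 tempus sshd[14702]: Accepted password for alice from 203.0.113.5 port 51000 ssh2
Aug 21 10:30:00 tempus sshd[14810]: Failed password for root from 192.0.2.10 port 41000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, start, count, users in find_bursts(SAMPLE):
        print(f"{ip}: {count} failures from {start:%b %d %H:%M:%S} ({', '.join(users)})")
```
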



