MORE SSH Hacking: heads-up
STYMA, ROBERT E (ROBERT)
stymar at lucent.com
Mon Aug 2 21:01:40 UTC 2004
>>On Mon, 02 Aug 2004 12:21:01 -0700, Ow Mun Heng <Ow.Mun.Heng at wdc.com> wrote:
>
>>This was in my logs last night at 11.56pm.
>
>
>Aug 2 03:21:18 ciscy sshd[27030]: Failed password for illegal user test from ::ffff:69.59.166.236 port 41532 ssh2
>Aug 2 03:21:21 ciscy sshd[27032]: Failed password for illegal user guest from ::ffff:69.59.166.236 port 41714 ssh2
>
>Seems to be coming from San Francisco...
>
>tracert 69.59.166.236
>
> [snip]
>
> 8 74 ms 71 ms 70 ms so-10-0.ipcolo1.SanFranciso1.Level3.net [4.68.112.234]
> 9 73 ms 72 ms 70 ms unknown.Level3.net [63.211.150.226]
> 10 74 ms 72 ms 72 ms border1-ge0-0-0.sfo.servepath.net [209.213.192.123]
> 11 76 ms 72 ms 72 ms border-core1-pos0-1.sfo2.servepath.net [216.93.189.34]
> 12 75 ms 71 ms 72 ms access1-ge0-1-5.sfo2.servepath.net [69.59.136.50]
> 13 75 ms 71 ms 72 ms customer-reverse-entry.69.59.166.236 [69.59.166.236]
>
>
>--
> Steve
>
>
The fact that a user and password are getting flagged indicates that the
hacker is getting past your /etc/hosts.deny file. I keep my ssh access
shut down except for IP address ranges I am expecting. I realize this is
not possible in all cases, but stopping the hacker before they get a login
prompt is in my opinion a preferred situation.
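Added example (not from the thread or its authors): a small Python script that does the two things discussed above. It parses sshd "Failed password" lines like the ones quoted, strips the IPv4-mapped IPv6 prefix (the `::ffff:` form sshd logs when it listens on a dual-stack socket), counts failures per source address so a noisy source stands out, and builds the `/etc/hosts.allow` and `/etc/hosts.deny` contents that restrict sshd to expected address ranges, as the reply recommends. The sample log lines are constructed for the example (the first two mirror the quoted lines, the rest are made up), and the allowed networks are placeholders from the documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log, in the syslog format sshd used in the quoted lines.
# The first two lines mirror the thread; the remaining lines are made up.
SAMPLE_LOG = """\
Aug 2 03:21:18 ciscy sshd[27030]: Failed password for illegal user test from ::ffff:69.59.166.236 port 41532 ssh2
Aug 2 03:21:21 ciscy sshd[27032]: Failed password for illegal user guest from ::ffff:69.59.166.236 port 41714 ssh2
Aug 2 03:21:25 ciscy sshd[27034]: Failed password for illegal user admin from ::ffff:69.59.166.236 port 41900 ssh2
Aug 2 09:02:10 ciscy sshd[27101]: Failed password for bob from ::ffff:192.0.2.7 port 50000 ssh2
Aug 2 09:05:00 ciscy sshd[27110]: Accepted password for bob from ::ffff:192.0.2.7 port 50002 ssh2
"""

# Matches both "Failed password for illegal user NAME from ADDR" and
# "Failed password for NAME from ADDR" (a real but mistyped account).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+"
)


def normalize_addr(addr):
    """Turn an IPv4-mapped IPv6 address (::ffff:a.b.c.d) into plain IPv4 text."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def parse_failures(log_text):
    """Return a list of (username, source_ip) for each failed-password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), normalize_addr(m.group("addr"))))
    return failures


def noisy_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` failed logins, plus the usernames they tried.

    Several different usernames from one address in a short window is the
    signature of a scripted guessing run, as opposed to a user fat-fingering
    their own password.
    """
    failures = parse_failures(log_text)
    counts = Counter(ip for _, ip in failures)
    result = {}
    for ip, n in counts.items():
        if n >= threshold:
            users = sorted({u for u, src in failures if src == ip})
            result[ip] = {"failures": n, "users": users}
    return result


def tcp_wrappers_policy(allowed_networks):
    """Build hosts.allow / hosts.deny text that lets sshd accept only the given IPv4 networks.

    Uses the net/mask form documented in hosts_access(5). hosts.allow is
    consulted first, so anything not listed there falls through to the
    catch-all "sshd: ALL" in hosts.deny and is refused before a login prompt.
    """
    allow_lines = []
    for net in allowed_networks:
        n = ipaddress.ip_network(net, strict=True)
        allow_lines.append(f"sshd: {n.network_address}/{n.netmask}")
    hosts_allow = "\n".join(allow_lines) + "\n"
    hosts_deny = "sshd: ALL\n"
    return hosts_allow, hosts_deny


if __name__ == "__main__":
    for ip, info in noisy_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
    # Placeholder networks (documentation ranges); substitute the ranges you expect logins from.
    allow, deny = tcp_wrappers_policy(["192.0.2.0/24", "198.51.100.8/29"])
    print("/etc/hosts.allow:\n" + allow)
    print("/etc/hosts.deny:\n" + deny)
```

Two caveats when applying this: the TCP wrappers files only take effect if sshd was built against libwrap, which was true of distribution builds in 2004 but was dropped from portable OpenSSH in 6.7, so on a modern host the same "no login prompt" effect comes from a firewall rule or a `Match Address` block in `sshd_config` instead; and a failure count alone can flag a legitimate user behind a shared NAT address, which is why the output keeps the list of usernames tried alongside the count.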