MORE SSH Hacking: heads-up

Mike Markiw III mmarkiw at speakeasy.net
Wed Aug 4 15:03:07 UTC 2004


Thanks for the info on where to look.  I hadn't looked at these logs before, but I'm getting scanned quite a bit as well.

All the scans seem to originate from the same few IP addresses:
128.104.8.231
202.6.75.195
81.15.119.11
64.246.32.92
212.4.172.123

The user accounts they try to log in as are:
test
guest
admin
root

I would definitely suggest updating any/all passwords on your systems if they are dictionary based.  

The scans started about ten days ago for my system.  Obviously, the script-kiddies found a new toy.  We can probably expect more of this junk in the future.

-Mike


> -----Original Message-----
> From: Steven Stern [mailto:subscribed-lists at sterndata.com]
> Sent: Wednesday, August 4, 2004 02:37 PM
> To: 'For users of Fedora Core releases'
> Subject: Re: MORE SSH Hacking: heads-up
> 
> On Wed, 4 Aug 2004 10:25:05 -0400, jeem machine <jmachine at gmail.com> wrote:
> 
> >On Wed, 04 Aug 2004 08:25:36 -0500, Steven Stern
> ><subscribed-lists at sterndata.com> wrote:
> >> On Tue, 03 Aug 2004 21:40:18 -0700, Ow Mun Heng <Ow.Mun.Heng at wdc.com> wrote:
> >> 
> >> My logs from last night:
> >> 
> >> Failed logins from these:
> >>    guest/password from ::ffff:143.107.235.116: 1 Time(s)
> >>    guest/password from ::ffff:211.105.46.30: 1 Time(s)
> >>    test/password from ::ffff:143.107.235.116: 1 Time(s)
> >>    test/password from ::ffff:211.105.46.30: 1 Time(s)
> >> 
> >> Illegal users from these:
> >>    guest/none from ::ffff:143.107.235.116: 1 Time(s)
> >>    guest/none from ::ffff:211.105.46.30: 1 Time(s)
> >>    guest/password from ::ffff:143.107.235.116: 1 Time(s)
> >>    guest/password from ::ffff:211.105.46.30: 1 Time(s)
> >>    test/none from ::ffff:143.107.235.116: 1 Time(s)
> >>    test/none from ::ffff:211.105.46.30: 1 Time(s)
> >>    test/password from ::ffff:143.107.235.116: 1 Time(s)
> >>    test/password from ::ffff:211.105.46.30: 1 Time(s)
> >> 
> >
> >> 
> >Which logs are you looking at? I would like to check my system
> 
> 
> The snippet above comes from the nightly logwatch run, mailed to root.
> Logwatch searches through /var/log/secure*
> 
> --
>    Steve
>    
> 
> 
> 
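
The per-source summary that logwatch mails out can also be rebuilt directly from the sshd "Failed password" entries in /var/log/secure. The following is an added example, not part of the original thread and not logwatch's own code; the function names and the sample log lines are constructed, and the line format is assumed to be OpenSSH's usual syslog wording.

```python
import re
from collections import defaultdict

# Matches sshd "Failed password" entries; "illegal user" is the older OpenSSH
# wording, "invalid user" the newer one. The user field is attacker-supplied,
# so it is matched greedily and the address is taken from the end of the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for "
    r"(?P<unknown>(?:illegal|invalid) user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+(?: ssh\d)?\s*$"
)

def summarize(lines):
    """Return {ip: {"attempts": n, "users": set, "unknown_users": set}}."""
    report = defaultdict(lambda: {"attempts": 0, "users": set(), "unknown_users": set()})
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated entries are ignored
        ip = m["ip"]
        if ip.lower().startswith("::ffff:"):  # IPv4-mapped form, as in the logwatch output
            ip = ip[7:]
        entry = report[ip]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        if m["unknown"]:  # account name does not exist on this host
            entry["unknown_users"].add(m["user"])
    return dict(report)

def guessing_sources(report, min_users=2):
    """Sources that tried several different account names (the scan pattern in the thread)."""
    return sorted(ip for ip, e in report.items() if len(e["users"]) >= min_users)

# Constructed sample lines (documentation addresses, not hosts from the thread).
SAMPLE = [
    "Aug  3 23:10:03 host sshd[2101]: Failed password for illegal user test from ::ffff:192.0.2.10 port 40112 ssh2",
    "Aug  3 23:10:05 host sshd[2103]: Failed password for illegal user guest from ::ffff:192.0.2.10 port 40115 ssh2",
    "Aug  3 23:10:08 host sshd[2105]: Failed password for root from ::ffff:192.0.2.10 port 40119 ssh2",
    "Aug  3 23:12:40 host sshd[2110]: Failed password for admin from ::ffff:198.51.100.7 port 51002 ssh2",
    "Aug  3 23:15:00 host sshd[2120]: Accepted password for alice from ::ffff:203.0.113.4 port 33000 ssh2",
]

if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE).items()):
        print(ip, e["attempts"], sorted(e["users"]), "unknown:", sorted(e["unknown_users"]))
```

To run it against a real host, pass the open log file to `summarize()` instead of `SAMPLE`; reading /var/log/secure normally requires root.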
