failed ssh breakins on my exposed www box ..
Hi there,
I found these in my event log from yesterday:
>>>
Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user www
Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from
213.26.96.103 port 2276 ssh2
Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for illegal
user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www
from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:19 www sshd[10997]: input_userauth_request: illegal user oracle
Mar 23 09:33:19 www sshd[10997]: Failed none for illegal user oracle
from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:19 www sshd[10997]: Failed keyboard-interactive for illegal
user oracle from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle
from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:19 www sshd[10999]: input_userauth_request: illegal user test
Mar 23 09:33:19 www sshd[10999]: Failed none for illegal user test from
213.26.96.103 port 2277 ssh2
Mar 23 09:33:19 www sshd[10999]: Failed keyboard-interactive for illegal
user test from 213.26.96.103 port 2277 ssh2
Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test
from 213.26.96.103 port 2277 ssh2
<<<
It seems that from the timestamp that it's most likely a script kiddy;
The time duration beween failed password attempts seems really short.
I'm just wonder if anyone's seen a script that does this and is
available widely, or is it a good chance that I've got someone trying to
break in? None of my other services seem to have been probed, just ssh.
Thanks,
Steve
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: