
Re: failed ssh breakins on my exposed www box ..



It just looks like someone is trying to brute-force an account; I'm
sure there are plenty of places that provide tools for this.

Just make sure you enforce secure passwords, and keep an eye on your
syslog.

On Sun, Mar 24, 2002 at 07:11:25AM -0800, Stephen Hassard wrote:
> Hi there,
> 
> I found these in my event log from yesterday:
> 
>  >>>
> Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user www
> Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from 213.26.96.103 port 2276 ssh2
> Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for illegal user www from 213.26.96.103 port 2276 ssh2
> Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www from 213.26.96.103 port 2276 ssh2
> Mar 23 09:33:19 www sshd[10997]: input_userauth_request: illegal user oracle
> Mar 23 09:33:19 www sshd[10997]: Failed none for illegal user oracle from 213.26.96.103 port 2275 ssh2
> Mar 23 09:33:19 www sshd[10997]: Failed keyboard-interactive for illegal user oracle from 213.26.96.103 port 2275 ssh2
> Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle from 213.26.96.103 port 2275 ssh2
> Mar 23 09:33:19 www sshd[10999]: input_userauth_request: illegal user test
> Mar 23 09:33:19 www sshd[10999]: Failed none for illegal user test from 213.26.96.103 port 2277 ssh2
> Mar 23 09:33:19 www sshd[10999]: Failed keyboard-interactive for illegal user test from 213.26.96.103 port 2277 ssh2
> Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test from 213.26.96.103 port 2277 ssh2
> <<<
> 
> It seems from the timestamp that it's most likely a script kiddy; 
> the time duration between failed password attempts seems really short. 
> I'm just wondering if anyone's seen a script that does this and is 
> available widely, or is it a good chance that I've got someone trying to 
> break in? None of my other services seem to have been probed, just ssh.
> 
> Thanks,
> Steve
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

-- 
shiftee <shiftee@manifestation.org>
PGP Key: 0xB7A36039@wwwkeys.pgp.net
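
One way to act on the advice above to keep an eye on syslog, as an added example that is not part of the original thread: a small parser that flags a source address trying several distinct usernames within a short window, since each attempt in the quoted log produces up to three "Failed" lines for the same user. The sample lines are constructed in the format of the quoted log with documentation-range addresses; the function name, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches sshd "Failed <method> for [illegal user ]<user> from <ip> port <n>".
# Later OpenSSH releases log "invalid user" instead of "illegal user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?P<bad>(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def find_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Return {ip: sorted usernames} for sources that tried at least
    `threshold` distinct usernames within `window` (hypothetical defaults)."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed leap year is assumed.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            # Count distinct usernames, not lines: one attempt logs
            # none, keyboard-interactive and password failures.
            users = {u for _, u in evs[start:end + 1]}
            if len(users) >= threshold:
                flagged[ip] = sorted(users | set(flagged.get(ip, [])))
    return flagged

# Constructed sample lines (not taken from a real host).
SAMPLE = """\
Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from 203.0.113.7 port 2276 ssh2
Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www from 203.0.113.7 port 2276 ssh2
Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle from 203.0.113.7 port 2275 ssh2
Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test from 203.0.113.7 port 2277 ssh2
Mar 23 11:02:41 www sshd[11302]: Failed password for steve from 198.51.100.20 port 40112 ssh2
Mar 23 11:02:55 www sshd[11302]: Accepted password for steve from 198.51.100.20 port 40112 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, users in find_bursts(SAMPLE).items():
        print(f"{ip}: {len(users)} usernames tried: {', '.join(users)}")
```

The single mistyped password from 198.51.100.20 is not flagged, because only one username is involved.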

