It just looks like someone is trying to brute-force an account; I'm
sure there are plenty of places that provide tools for this.
Just make sure you enforce secure passwords, and keep an eye on your
syslog.
On Sun, Mar 24, 2002 at 07:11:25AM -0800, Stephen Hassard wrote:
Hi there,
I found these in my event log from yesterday:
>>>
Mar 23 09:33:16 www sshd[10998]: input_userauth_request: illegal user www
Mar 23 09:33:18 www sshd[10998]: Failed none for illegal user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:18 www sshd[10998]: Failed keyboard-interactive for illegal user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:18 www sshd[10998]: Failed password for illegal user www from 213.26.96.103 port 2276 ssh2
Mar 23 09:33:19 www sshd[10997]: input_userauth_request: illegal user oracle
Mar 23 09:33:19 www sshd[10997]: Failed none for illegal user oracle from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:19 www sshd[10997]: Failed keyboard-interactive for illegal user oracle from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:19 www sshd[10997]: Failed password for illegal user oracle from 213.26.96.103 port 2275 ssh2
Mar 23 09:33:19 www sshd[10999]: input_userauth_request: illegal user test
Mar 23 09:33:19 www sshd[10999]: Failed none for illegal user test from 213.26.96.103 port 2277 ssh2
Mar 23 09:33:19 www sshd[10999]: Failed keyboard-interactive for illegal user test from 213.26.96.103 port 2277 ssh2
Mar 23 09:33:20 www sshd[10999]: Failed password for illegal user test from 213.26.96.103 port 2277 ssh2
<<<
It seems from the timestamp that it's most likely a script kiddie;
the time duration between failed password attempts seems really short.
I'm just wondering if anyone's seen a script that does this and is
widely available, or is there a good chance that I've got someone trying to
break in? None of my other services seem to have been probed, just ssh.
Thanks,
Steve