On Tue, Sep 28, 2004 at 08:23:49PM -0300, Peter Cordes wrote:
> Not if the pattern you want to ignore is more than one line. egrep is
> purely line-by-line. This worm (or script-kiddie zombie?) always tries
> root, admin, then test, ...

That doesn't seem to be the case. The most common one uses root/test/guest, but there are more that seem to be based on the same code. They all disconnect by sending the string "Bye Bye", e.g.:

    sshd[13613]: Received disconnect from 64.246.26.19: 11: Bye Bye

I've seen many more aggressive root login attempts, as well as 'admin' and a number of other users.

The somewhat unsettling thing that I'm wondering about is whether these machines are all sharing some big central password dictionary and are logging their attempted passwords to some central database. It ends up being some massive distributed dictionary attack, which I doubt is going to work on my systems, but I'm 100% sure that there are systems out there with weak root passwords.

> > Has anyone logged the passwords these attacks try?

ENOTIME

It might set my mind at ease regarding my point above, though.

noah
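Added example, not part of the original message: one way to pick out the scanner described above by correlating several sshd lines per session, which a line-by-line egrep filter cannot do. The log lines are constructed samples using documentation-range addresses, and the function name, the `min_users` threshold, and the assumption that a session's failed-password and disconnect lines share one sshd PID are illustrative choices.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (documentation-range IPs), modelled on the
# sshd message quoted in the post; not taken from a real log.
SAMPLE_LOG = """\
Sep 28 20:01:02 host sshd[13610]: Failed password for root from 192.0.2.10 port 40112 ssh2
Sep 28 20:01:03 host sshd[13610]: Received disconnect from 192.0.2.10: 11: Bye Bye
Sep 28 20:01:05 host sshd[13611]: Failed password for illegal user test from 192.0.2.10 port 40115 ssh2
Sep 28 20:01:06 host sshd[13611]: Received disconnect from 192.0.2.10: 11: Bye Bye
Sep 28 20:01:08 host sshd[13612]: Failed password for illegal user guest from 192.0.2.10 port 40119 ssh2
Sep 28 20:01:09 host sshd[13612]: Received disconnect from 192.0.2.10: 11: Bye Bye
Sep 28 20:05:00 host sshd[13700]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Sep 28 20:05:09 host sshd[13700]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Sep 28 20:30:00 host sshd[13700]: Received disconnect from 198.51.100.7: 11: disconnected by user
"""

FAILED = re.compile(
    r"sshd\[(\d+)\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\S+) port")
BYE = re.compile(r"sshd\[(\d+)\]: Received disconnect from (\S+): 11: Bye Bye\s*$")


def find_scanners(log_text, min_users=2):
    """Return {source_ip: sorted usernames} for sources matching the pattern.

    A session counts only if the same sshd PID (assumption) logged a failed
    password and then the "Bye Bye" disconnect from the same address.
    """
    pending = {}               # sshd pid -> (ip, usernames tried so far)
    users = defaultdict(set)   # ip -> usernames tried in "Bye Bye" sessions
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            pid, user, ip = m.groups()
            pending.setdefault(pid, (ip, set()))[1].add(user)
            continue
        m = BYE.search(line)
        if m and m.group(1) in pending:
            ip, tried = pending.pop(m.group(1))
            if ip == m.group(2):
                users[ip] |= tried
    # Several distinct usernames from one source separates a scan from a typo.
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    for ip, names in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: tried {', '.join(names)}")
```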