Note to LEAF users on ssh logins

Tsume tsume at code-exec.net
Thu Mar 3 19:55:16 PST 2005


On Wed, 2 Mar 2005 19:23:16 -0800 (PST), Matthew Dillon <dillon at xxxxxxxxxxxxxxxxxxxx> wrote:

    Leaf and, in fact, all of my machines which have open ssh ports are getting
    random hack attempts, about 20-30 a day in short bursts, usually from a
    different IP address each day.  I talked with a few sysop friends and
    their boxes are getting similar traffic.  The hack attempts primarily
    try to ssh to root, admin, and a bunch of microsoft-soundy names.  It looks
    fairly coordinated, like it is trying a couple of passwords each day
    then trying again with different passwords the next day.

    While none of my machines allow passworded logins over ssh (especially
    not for root), and LEAF accounts are all '*'d out (key only logins),
    I am rather disquieted by the continuous attempts so I have written and
    installed a little program to monitor the syslog which will automatically
    block failed password or illegal user login attempts.

    It isn't very refined yet so if you find yourself locked out of leaf
    send me an email!
					-Matt
					Matthew Dillon
					<dillon at xxxxxxxxxxxxx>
Mar  3 16:48:39 everest sshd[30735]: Failed password for invalid user larisa from 24.136.209.29 port 2404 ssh2
Mar  3 16:48:41 everest sshd[30744]: Failed password for invalid user shell from 24.136.209.29 port 2460 ssh2
Mar  3 16:48:45 everest sshd[30750]: Failed password for invalid user jane from 24.136.209.29 port 2574 ssh2
Mar  3 16:48:47 everest sshd[30759]: Failed password for invalid user shell from 24.136.209.29 port 2664 ssh2
Mar  3 16:48:49 everest sshd[30762]: Failed password for invalid user dog from 24.136.209.29 port 2696 ssh2
Mar  3 16:48:52 everest sshd[30766]: Failed password for invalid user jane from 24.136.209.29 port 2774 ssh2
Mar  3 16:48:54 everest sshd[30774]: Failed password for invalid user blue from 24.136.209.29 port 2847 ssh2
Mar  3 16:48:56 everest sshd[30778]: Failed password for invalid user dog from 24.136.209.29 port 2915 ssh2
Mar  3 16:48:58 everest sshd[30785]: Failed password for invalid user red from 24.136.209.29 port 2968 ssh2
Mar  3 16:49:00 everest sshd[30794]: Failed password for invalid user blue from 24.136.209.29 port 3028 ssh2
Mar  3 16:49:02 everest sshd[30797]: Failed password for invalid user yellow from 24.136.209.29 port 3076 ssh2
Mar  3 16:49:04 everest sshd[30801]: Failed password for invalid user red from 24.136.209.29 port 3152 ssh2
Mar  3 16:49:06 everest sshd[30808]: Failed password for invalid user green from 24.136.209.29 port 3204 ssh2
Mar  3 16:49:08 everest sshd[30811]: Failed password for invalid user yellow from 24.136.209.29 port 3270 ssh2
Mar  3 16:49:10 everest sshd[30814]: Failed password for invalid user black from 24.136.209.29 port 3325 ssh2
Mar  3 16:49:12 everest sshd[30818]: Failed password for invalid user green from 24.136.209.29 port 3392 ssh2
Mar  3 16:49:14 everest sshd[30821]: Failed password for invalid user pub from 24.136.209.29 port 3455 ssh2
Mar  3 16:49:16 everest sshd[30824]: Failed password for invalid user black from 24.136.209.29 port 3513 ssh2

...

478 login attempts for bogus accounts in the last 3 or so days
it's a worm, any questions?
Mar  3 16:48:22 everest sshd[30712]: Failed password for invalid user god from 24.136.209.29 port 1901 ssh2
Mar  3 16:48:25 everest sshd[30715]: Failed password for invalid user barbara from 24.136.209.29 port 1990 ssh2
Mar  3 16:48:28 everest sshd[30718]: Failed password for invalid user god from 24.136.209.29 port 2055 ssh2

Oh so leet, they watched Hackers.

Don't worry too much about it, it's a worm. :)
[root at XXXXXXXX /var/log]# cat messages | grep sshd | grep Failed | grep invalid | wc -l
478

TSUME
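The syslog-monitoring blocker Matt describes is essentially a per-source-IP counter over sshd "Failed password" lines with a threshold and a firewall action. The script below is an added example written for this archive page, not Matt's program or anything from the DragonFly tree. It parses the log lines quoted above with a sliding time window, keeps an allow-list so a trusted host cannot lock the admin out (the "locked out of leaf" caveat), and renders a pf table command for each offender. Assumptions, since the thread does not state them: the log year is 2005 (syslog timestamps carry none), the allow-listed network 192.168.1.0/24 and the two log lines from it are constructed, and the pf table name ssh_bruteforce is invented.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the OpenSSH "Failed password" syslog lines quoted in the post, with or
# without the "invalid user" marker, so failures against real accounts count too.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

LOG_YEAR = 2005  # assumption: syslog lines have no year; the post is from March 2005

# Never block these networks (constructed example value), so a mistyped password
# from a trusted host cannot lock the administrator out of the box.
ALLOW_LIST = [ipaddress.ip_network("192.168.1.0/24")]

PF_TABLE = "ssh_bruteforce"  # assumed pf table name used by the block rule

# First seven lines are from the post; the last two are constructed: a key login
# (ignored by the parser) and one failure from an allow-listed host (not counted).
SAMPLE_LOG = """\
Mar  3 16:48:22 everest sshd[30712]: Failed password for invalid user god from 24.136.209.29 port 1901 ssh2
Mar  3 16:48:25 everest sshd[30715]: Failed password for invalid user barbara from 24.136.209.29 port 1990 ssh2
Mar  3 16:48:28 everest sshd[30718]: Failed password for invalid user god from 24.136.209.29 port 2055 ssh2
Mar  3 16:48:39 everest sshd[30735]: Failed password for invalid user larisa from 24.136.209.29 port 2404 ssh2
Mar  3 16:48:41 everest sshd[30744]: Failed password for invalid user shell from 24.136.209.29 port 2460 ssh2
Mar  3 16:48:45 everest sshd[30750]: Failed password for invalid user jane from 24.136.209.29 port 2574 ssh2
Mar  3 16:48:47 everest sshd[30759]: Failed password for invalid user shell from 24.136.209.29 port 2664 ssh2
Mar  3 16:48:50 everest sshd[30760]: Accepted publickey for matt from 192.168.1.7 port 50122 ssh2
Mar  3 16:48:55 everest sshd[30770]: Failed password for matt from 192.168.1.7 port 50130 ssh2
"""


def parse_line(line):
    """Return (timestamp, user, ip) for an sshd failed-password line, else None."""
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    stamp = re.sub(r"\s+", " ", m["ts"])  # collapse the "Mar  3" padding
    ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def is_allowed(ip):
    """True if the source address falls inside a never-block network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOW_LIST)


def find_offenders(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector: an IP with `threshold` failures inside `window`
    gets a block decision stamped with the time it crossed the line.
    Returns {ip: {"first_blocked": datetime, "failures": int, "users": [..]}}."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    totals = defaultdict(int)
    users = defaultdict(set)
    blocked_at = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        if is_allowed(ip):
            continue
        totals[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # evict failures older than the window
            q.popleft()
        if ip not in blocked_at and len(q) >= threshold:
            blocked_at[ip] = ts
    return {
        ip: {"first_blocked": blocked_at[ip], "failures": totals[ip], "users": sorted(users[ip])}
        for ip in blocked_at
    }


def render_block_commands(offenders):
    """One pf table insertion per offender; a pf rule must block the table's members."""
    return [f"pfctl -t {PF_TABLE} -T add {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG.splitlines())
    for ip, info in found.items():
        print(f"{ip}: {info['failures']} failures, block at {info['first_blocked']:%H:%M:%S}, users {info['users']}")
    for cmd in render_block_commands(found):
        print(cmd)
```

Running it over the sample flags 24.136.209.29 at 16:48:41, the fifth failure within the minute, while the allow-listed host's failure and the successful key login are ignored. Tightening the window to 10 seconds with the same threshold produces no block on this input, which is the knob to turn if legitimate users with slow typing get caught; the allow-list is the safety net for the admin's own hosts.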





More information about the Users mailing list