Odd access activity

James McDonald james
Mon Aug 23 03:50:15 PDT 2004


Roger Oberholtzer wrote:

>I get the following in a server log quite often (more than once a day).
>All that changes is the IP address. What are they up to? Could it just
>be a probe? Trying a user called 'test', 'guest', 'admin' and 'user'?
>If anyone else has such users on an externally connected machine, make
>them secure for these users (at least). I am sure I am not the only
>target of such a probe. I am tempted to make such a user and see what
>they try. I wonder how I could see what password they are trying. Maybe
>they are not trying one. Just a blank one. The names look NTish, so I
>bet they are looking for unsecured Windows NT/2000/XP boxes. Anyone else
>see these?
>  
>

It's probably not a Windows hack because they are using ssh and ssh is 
only installed on Windows when you are using Cygwin or (if memory serves 
me) the Network Simplicity ssh installation.

It's probably one of those hacks looking for lazy admins who create 
accounts that have test / test or admin / admin as a username and pass 
combo.

The particular box in this case looks like it is either 0wn3d or a honeypot or the user hasn't discovered IP tables yet... 


>Aug 18 17:08:41 seaotter sshd[20626]: input_userauth_request: illegal
>user test
>Aug 18 17:08:41 seaotter sshd[20626]: Failed password for illegal user
>test from 210.223.178.180 port 44600 ssh2
>Aug 18 17:08:44 seaotter sshd[20627]: input_userauth_request: illegal
>user guest
>Aug 18 17:08:44 seaotter sshd[20627]: Failed password for illegal user
>guest from 210.223.178.180 port 44913 ssh2
>Aug 18 17:08:47 seaotter sshd[20628]: input_userauth_request: illegal
>user admin
>Aug 18 17:08:47 seaotter sshd[20628]: Failed password for illegal user
>admin from 210.223.178.180 port 45150 ssh2
>Aug 18 17:08:50 seaotter sshd[20629]: input_userauth_request: illegal
>user admin
>Aug 18 17:08:50 seaotter sshd[20629]: Failed password for illegal user
>admin from 210.223.178.180 port 45385 ssh2
>Aug 18 17:08:52 seaotter sshd[20630]: input_userauth_request: illegal
>user user
>Aug 18 17:08:52 seaotter sshd[20630]: Failed password for illegal user
>user from 210.223.178.180 port 45623 ssh2
>
>
>+----------------------------+-------------------------------+
>| Roger Oberholtzer          |   E-mail: roger at opq.se        |
>| OPQ Systems AB             |      WWW: http://www.opq.se/  |
>| Nybrogatan 66 nb           |    Phone: Int + 46 8   314223 |
>| 114 41 Stockholm           |   Mobile: Int + 46 733 621657 |
>| Sweden                     |      Fax: Int + 46 8   314223 |
>+----------------------------+-------------------------------+
>
>
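
Detection logic for the probe pattern in the quoted log, as an added example that is not part of the original message: it flags any source address that fails password logins for several distinct nonexistent accounts within a short window. The function names, the thresholds (`min_users`, `window`) and the `year` default are assumptions of this sketch; "invalid user" is accepted alongside "illegal user" because newer OpenSSH releases log that wording.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines from the log quoted above, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
Aug 18 17:08:41 seaotter sshd[20626]: input_userauth_request: illegal user test
Aug 18 17:08:41 seaotter sshd[20626]: Failed password for illegal user test from 210.223.178.180 port 44600 ssh2
Aug 18 17:08:44 seaotter sshd[20627]: Failed password for illegal user guest from 210.223.178.180 port 44913 ssh2
Aug 18 17:08:47 seaotter sshd[20628]: Failed password for illegal user admin from 210.223.178.180 port 45150 ssh2
Aug 18 17:08:50 seaotter sshd[20629]: Failed password for illegal user admin from 210.223.178.180 port 45385 ssh2
Aug 18 17:08:52 seaotter sshd[20630]: Failed password for illegal user user from 210.223.178.180 port 45623 ssh2
"""

# Older OpenSSH logs "illegal user"; newer releases log "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal|invalid) user (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def parse(lines, year=2004):
    """Yield (timestamp, ip, user) per failed login for a nonexistent account."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one (assumption)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_scanners(lines, min_users=3, window=timedelta(seconds=60)):
    """Return {ip: usernames} for sources that tried at least min_users
    distinct nonexistent accounts within one sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG.splitlines()))
```

Counting distinct usernames rather than raw failures keeps a legitimate user who mistypes a password a few times out of the result.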


