Odd access activity

Roger Oberholtzer roger
Mon Aug 23 04:40:12 PDT 2004


On Mon, 2004-08-23 at 10:31, James McDonald wrote:
> Roger Oberholtzer wrote:
> 
> >I get the following in a server log quite often (more than once a day).
> >All that changes is the IP address. What are they up to? Could it just
> >be a probe? Trying a user called 'test', 'guest', 'admin' and 'user'?
> >If anyone else has such users on an externally connected machine, make
> >them secure for these users (at least). I am sure I am not the only
> >target of such a probe. I am tempted to make such a user and see what
> >they try. I wonder how I could see what password they are trying. Maybe
> >they are not trying one. Just a blank one. The names look NTish, so I
> >bet they are looking for unsecured Windows NT/2000/XP boxes. Anyone else
> >see these?
> >  
> >
> 
> It's probably not a Windows hack because they are using ssh and ssh is 
> only installed on Windows when you are using Cygwin or (if memory serves 
> me) the Network Simplicity ssh installation.
> 
> It's probably one of those hacks looking for lazy admins who create 
> accounts that have test / test or admin / admin as a username and pass 
> combo
> 
> The particular box in this case looks like it is either 0wn3d or a honeypot or the user hasn't discovered IP tables yet... 

Which box? The remote 'attacker'? If you mean the target machine, I do
not see how you came to those conclusions...

The target machine is not allowing the access. It is simply recording
the attempt.

+----------------------------+-------------------------------+
| Roger Oberholtzer          |   E-mail: roger at opq.se        |
| OPQ Systems AB             |      WWW: http://www.opq.se/  |
| Nybrogatan 66 nb           |    Phone: Int + 46 8   314223 |
| 114 41 Stockholm           |   Mobile: Int + 46 733 621657 |
| Sweden                     |      Fax: Int + 46 8   314223 |
+----------------------------+-------------------------------+
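
Added example, not part of the original message or thread: a log triage script that groups failed ssh logins by source address and flags any address that tried several of the account names mentioned above ('test', 'guest', 'admin', 'user'). The log excerpt is constructed, and the sshd line formats are an assumption, since the thread does not show the actual log entries.

```python
import re
from collections import defaultdict

# Account names mentioned in the thread.
PROBE_NAMES = {"test", "guest", "admin", "user"}

# Assumed OpenSSH sshd syslog formats (the real log is not shown in the thread).
# Older releases log "Illegal user", later ones "Invalid user".
PATTERNS = [
    re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
               r"(?P<user>\S+) from (?P<ip>\S+)"),
]

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
Aug 23 03:12:01 host sshd[2101]: Illegal user test from 192.0.2.10
Aug 23 03:12:03 host sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 4321 ssh2
Aug 23 03:12:05 host sshd[2103]: Illegal user guest from 192.0.2.10
Aug 23 03:12:08 host sshd[2105]: Failed password for illegal user admin from 192.0.2.10 port 4330 ssh2
Aug 23 03:12:11 host sshd[2107]: Illegal user user from 192.0.2.10
Aug 23 09:40:17 host sshd[2250]: Failed password for roger from 198.51.100.7 port 50112 ssh2
Aug 23 09:40:25 host sshd[2250]: Accepted password for roger from 198.51.100.7 port 50112 ssh2
Aug 23 11:02:44 host sshd[2301]: Invalid user test from 203.0.113.5 port 40022
"""

def failed_logins(lines):
    """Yield (source_ip, username) for every rejected login attempt."""
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                yield m.group("ip"), m.group("user")
                break

def find_probes(lines, min_names=3):
    """Map each source IP to the probe names it tried, if it tried at least min_names."""
    tried = defaultdict(set)
    for ip, user in failed_logins(lines):
        tried[ip].add(user)
    return {ip: sorted(names & PROBE_NAMES)
            for ip, names in tried.items()
            if len(names & PROBE_NAMES) >= min_names}

if __name__ == "__main__":
    for ip, names in find_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: tried {', '.join(names)}")
```

A single mistyped password from a real user (198.51.100.7 in the sample) is not flagged; only a source that walks through several of the generic names is.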


