|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: SSH probes?
From: Jerry Shenk (jshenk
decommunications.com)
Date: Mon May 10 2004 - 10:21:51 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
At first glance, that sure does seem like somebody's a little overly
interested;) Do you know who 211.216.53.20 is? It looks like it
belongs to a block from Korea....generally not a good sign unless you
have a partner there. I'd be very tempted to just block the ip block
that this machine comes from.
How about the usernames. The one listed here is ftp - any other
usernames, particularly valid ones that belong to real people in your
organization.
-----Original Message-----
From: Devdas Bhagat [mailto:devdasdvb.homelinux.org]
Sent: Sunday, May 09, 2004 12:35 PM
To: incidentssecurityfocus.com
Subject: SSH probes?
I got about 61 of these in my logs before I turned sshd off. This looks
like a brute force attempt at getting a login.
May 9 21:35:03 evita sshd(pam_unix)[16332]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20 user=ftp
May 9 21:35:10 evita sshd(pam_unix)[16374]: check pass; user unknown
May 9 21:35:10 evita sshd(pam_unix)[16374]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.216.53.20
May 9 21:35:16 evita sshd(pam_unix)[16375]: check pass; user unknown
Anyone else seeing events like this?
The box is patched, up to date and still uncompromised. Timezone is
UTC +0530 and synchronised to ntp.
Devdas Bhagat
------------------------------------------------------------------------
---
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]