[LUNI] New sshd attacks

Scott Zionic Scott.Zionic at petersweb.com
Fri Nov 19 06:57:48 CST 2004


I've been seeing the same kind of cracking attempts in my sshd logs as
everyone else for the past several months. Namely, a few lame attempts at
logging in as guest/test/user/root/random. Last night I saw the first effort
at a much larger attack, and I was wondering if anyone else got hit:

--------------------- SSHD Begin ------------------------ 


Failed logins from these:
   account/password from 216.94.170.95: 1 Time(s)
   adam/password from 216.94.170.95: 1 Time(s)
   adm/password from 216.94.170.95: 2 Time(s)
   alan/password from 216.94.170.95: 1 Time(s)
   andrew/password from 206.173.17.142: 1 Time(s)
   angel/password from 206.173.17.142: 1 Time(s)
   apache/password from 216.94.170.95: 1 Time(s)
   backup/password from 216.94.170.95: 1 Time(s)
   barbara/password from 206.173.17.142: 1 Time(s)
   ben/password from 206.173.17.142: 1 Time(s)
   betty/password from 206.173.17.142: 1 Time(s)
   billy/password from 206.173.17.142: 1 Time(s)
   black/password from 206.173.17.142: 1 Time(s)
   blue/password from 206.173.17.142: 1 Time(s)
   brandon/password from 206.173.17.142: 1 Time(s)
   brian/password from 206.173.17.142: 1 Time(s)
   buddy/password from 206.173.17.142: 1 Time(s)
   carmen/password from 206.173.17.142: 1 Time(s)
   charlie/password from 206.173.17.142: 1 Time(s)
   cip51/password from 216.94.170.95: 1 Time(s)
   cip52/password from 216.94.170.95: 1 Time(s)
   cosmin/password from 216.94.170.95: 1 Time(s)
   cyrus/password from 216.94.170.95: 1 Time(s)
   daniel/password from 206.173.17.142: 1 Time(s)
   data/password from 216.94.170.95: 1 Time(s)
   david/password from 206.173.17.142: 1 Time(s)
   dog/password from 206.173.17.142: 1 Time(s)
   emily/password from 206.173.17.142: 1 Time(s)
   eric/password from 206.173.17.142: 1 Time(s)
   frank/password from 216.94.170.95: 1 Time(s)
   george/password from 216.94.170.95: 1 Time(s)
   god/password from 206.173.17.142: 1 Time(s)
   green/password from 206.173.17.142: 1 Time(s)
   henry/password from 206.173.17.142: 1 Time(s)
   henry/password from 216.94.170.95: 1 Time(s)
   horde/password from 216.94.170.95: 1 Time(s)
   iceuser/password from 216.94.170.95: 1 Time(s)
   irc/password from 216.94.170.95: 2 Time(s)
   jane/password from 206.173.17.142: 1 Time(s)
   jane/password from 216.94.170.95: 1 Time(s)
   jason/password from 206.173.17.142: 1 Time(s)
   jeremy/password from 206.173.17.142: 1 Time(s)
   joe/password from 206.173.17.142: 1 Time(s)
   john/password from 216.94.170.95: 1 Time(s)
   johnny/password from 206.173.17.142: 1 Time(s)
   jordan/password from 206.173.17.142: 1 Time(s)
   justin/password from 206.173.17.142: 1 Time(s)
   larisa/password from 206.173.17.142: 1 Time(s)
   lion/password from 206.173.17.142: 1 Time(s)
   lp/password from 206.173.17.142: 1 Time(s)
   lucy/password from 206.173.17.142: 1 Time(s)
   magic/password from 206.173.17.142: 1 Time(s)
   mail/password from 206.173.17.142: 1 Time(s)
   maria/password from 206.173.17.142: 1 Time(s)
   market/password from 206.173.17.142: 1 Time(s)
   master/password from 216.94.170.95: 1 Time(s)
   matt/password from 216.94.170.95: 1 Time(s)
   matthew/password from 206.173.17.142: 1 Time(s)
   max/password from 206.173.17.142: 1 Time(s)
   michael/password from 206.173.17.142: 1 Time(s)
   mysql/password from 216.94.170.95: 1 Time(s)
   nathan/password from 206.173.17.142: 1 Time(s)
   nicholas/password from 206.173.17.142: 1 Time(s)
   nicole/password from 206.173.17.142: 1 Time(s)
   nobody/password from 216.94.170.95: 1 Time(s)
   noc/password from 216.94.170.95: 1 Time(s)
   operator/password from 206.173.17.142: 1 Time(s)
   operator/password from 216.94.170.95: 1 Time(s)
   oracle/password from 216.94.170.95: 1 Time(s)
   pamela/password from 216.94.170.95: 1 Time(s)
   patrick/password from 216.94.170.95: 2 Time(s)
   pub/password from 206.173.17.142: 1 Time(s)
   red/password from 206.173.17.142: 1 Time(s)
   robin/password from 206.173.17.142: 1 Time(s)
   rolo/password from 216.94.170.95: 1 Time(s)
   root/password from 216.94.170.95: 59 Time(s)
   rose/password from 206.173.17.142: 1 Time(s)
   server/password from 216.94.170.95: 1 Time(s)
   shell/password from 206.173.17.142: 1 Time(s)
   stephen/password from 206.173.17.142: 1 Time(s)
   steven/password from 206.173.17.142: 1 Time(s)
   sybase/password from 216.94.170.95: 1 Time(s)
   system/password from 206.173.17.142: 1 Time(s)
   test/password from 216.94.170.95: 5 Time(s)
   tom/password from 206.173.17.142: 1 Time(s)
   user/password from 216.94.170.95: 3 Time(s)
   vampire/password from 206.173.17.142: 1 Time(s)
   web/password from 216.94.170.95: 2 Time(s)
   webmaster/password from 216.94.170.95: 1 Time(s)
   william/password from 206.173.17.142: 1 Time(s)
   www-data/password from 216.94.170.95: 1 Time(s)
   www/password from 216.94.170.95: 1 Time(s)
   wwwrun/password from 216.94.170.95: 1 Time(s)
   yellow/password from 206.173.17.142: 1 Time(s)

This could be much more troublesome for administrators who allow their users
to select their own passwords without ensuring complexity.

Scott
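
The report above can be triaged per source address. This is an added example, not part of the original post: it parses the logwatch "Failed logins" line format shown in the message and separates a wide username sweep from repeated guessing against one account. The sample is a handful of lines taken from the report, and the function names and thresholds (`min_users`, `focus_ratio`) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the logwatch format from the post,
# not the full list.
SAMPLE = """\
   adm/password from 216.94.170.95: 2 Time(s)
   andrew/password from 206.173.17.142: 1 Time(s)
   angel/password from 206.173.17.142: 1 Time(s)
   barbara/password from 206.173.17.142: 1 Time(s)
   henry/password from 206.173.17.142: 1 Time(s)
   henry/password from 216.94.170.95: 1 Time(s)
   root/password from 216.94.170.95: 59 Time(s)
   test/password from 216.94.170.95: 5 Time(s)
"""

# user/method from source: N Time(s)
LINE = re.compile(
    r"^\s*(?P<user>\S+)/(?P<method>\S+) from (?P<src>\S+): (?P<n>\d+) Time\(s\)\s*$"
)

def summarize(report):
    """Return {source: {"users": set, "attempts": int, "top": (user, count)}}."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in report.splitlines():
        m = LINE.match(line)
        if m:  # headers and blank lines simply do not match
            per_src[m["src"]][m["user"]] += int(m["n"])
    out = {}
    for src, users in per_src.items():
        top = max(users.items(), key=lambda kv: kv[1])
        out[src] = {"users": set(users), "attempts": sum(users.values()), "top": top}
    return out

def classify(stats, min_users=3, focus_ratio=0.5):
    """Label a source; thresholds are illustrative assumptions, tune per site."""
    labels = []
    if len(stats["users"]) >= min_users:
        labels.append("username-sweep")  # many distinct account names tried
    user, count = stats["top"]
    if count > 1 and count / stats["attempts"] >= focus_ratio:
        labels.append("focused:" + user)  # most attempts aimed at one account
    return labels or ["low-volume"]

if __name__ == "__main__":
    for src, st in sorted(summarize(SAMPLE).items()):
        print(src, len(st["users"]), "users,", st["attempts"], "attempts,", classify(st))
```
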



