
[Sheflug] Re: strange server logs, do I have a problem or a script kiddie...



Rob

> On multiple servers, across three sites but all with external ips
> with the same isp I keep seeing logs like the following.
> Oct 26 19:29:48 morticia sshd[7913]: Illegal user john from ::ffff:203.131.103.46
> Oct 26 19:29:48 morticia sshd[7913]: reverse mapping checking getaddrinfo for adsl-131.103.46.info.com.ph failed - POSSIBLE BREAKIN ATTEMPT


Meanwhile over on the San Francisco LUG list about 40 minutes later.....


Date: Today 20:26:34

On Tue, Oct 26, 2004 at 10:43:20AM -0700, Ron Graves wrote:
> Oct 24 15:22:27 gnugate sshd[26159]: Failed password for nobody from 221.11.1.72 port 57049 ssh2
> Oct 24 17:22:16 gnugate sshd[13067]: Failed password for root from 211.136.107.116 port 54608 ssh2
> Oct 25 20:37:44 gnugate sshd[20709]: Failed password for nobody from 24.72.15.28 port 55710 ssh2
> Oct 26 02:44:38 gnugate sshd[24404]: Failed password for root from 220.70.167.67 port 46326 ssh2
> Oct 26 09:44:28 gnugate sshd[28050]: Failed password for root from 218.30.122.90 port 47419 ssh2

>Everyone I've talked to seems to be getting these.  Anyone know what
>they do once they hit a good password?  I assume they are trying
>well known passwords used on some systems instead of just a 
>dictionary attack.
>Anyone set up a honey pot for these yet?



So, looks like we are not alone :)  Too much of a coincidence for me.



-- 
Richard
___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.
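
An added example, not part of the original thread: a small Python summariser for the two sshd entry types quoted above, counting rejected logins per username and per source address. The sample log is constructed from the lines quoted in the thread; the function names, the `limit` value and the extra "Invalid user" patterns (the wording of later OpenSSH releases) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the sshd entries quoted in the thread, one entry per line.
SAMPLE_LOG = """\
Oct 26 19:29:48 morticia sshd[7913]: Illegal user john from ::ffff:203.131.103.46
Oct 26 19:29:48 morticia sshd[7913]: reverse mapping checking getaddrinfo for adsl-131.103.46.info.com.ph failed - POSSIBLE BREAKIN ATTEMPT
Oct 24 15:22:27 gnugate sshd[26159]: Failed password for nobody from 221.11.1.72 port 57049 ssh2
Oct 24 17:22:16 gnugate sshd[13067]: Failed password for root from 211.136.107.116 port 54608 ssh2
Oct 25 20:37:44 gnugate sshd[20709]: Failed password for nobody from 24.72.15.28 port 55710 ssh2
Oct 26 02:44:38 gnugate sshd[24404]: Failed password for root from 220.70.167.67 port 46326 ssh2
Oct 26 09:44:28 gnugate sshd[28050]: Failed password for root from 218.30.122.90 port 47419 ssh2
"""

# "Illegal user" is the wording in the thread; the "Invalid user" forms are
# assumed here to cover later OpenSSH releases (not taken from the thread).
ATTEMPT = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?:Illegal user|Invalid user|Failed password for(?: (?:invalid|illegal) user)?)\s"
    r"(?P<user>\S+)\sfrom\s(?P<src>\S+)"
)

def parse(log):
    """Yield (host, user, source address) for each rejected login entry."""
    for line in log.splitlines():
        m = ATTEMPT.match(line)
        if m:
            src = m["src"]
            if src.lower().startswith("::ffff:"):  # IPv4-mapped IPv6 form
                src = src[len("::ffff:"):]
            yield m["host"], m["user"], src

def summarise(log):
    """Return (attempts per username, attempts per source address)."""
    users, sources = Counter(), Counter()
    for _host, user, src in parse(log):
        users[user] += 1
        sources[src] += 1
    return users, sources

def below_per_source_limit(sources, limit=3):
    """True when attempts exist but no single address reaches `limit`,
    so a per-address threshold alone would never trigger."""
    return bool(sources) and max(sources.values()) < limit

if __name__ == "__main__":
    users, sources = summarise(SAMPLE_LOG)
    print("usernames tried:", users.most_common())
    print("distinct sources:", len(sources))
```
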