[CLUE-Tech] proper setup of NAT

Bruce Ediger eballen1 at qwest.net
Tue Aug 3 07:48:03 MDT 2004


On Mon, 2 Aug 2004, Mike wrote:

> On another security note I've gotten a handful of these type of log
> messages:
>
> Jul 30 21:20:06 xxx sshd[12529]: Illegal user test from 211.184.226.193
> Jul 30 21:20:18 xxx sshd[19500]: User guest not allowed because shell
> /dev/null is not executable

I've gotten those as far back as June.  The last series I got looked like this:

Aug  1 11:41:00 stratigery sshd[2078]: Illegal user test from 220.92.31.135
Aug  1 11:41:00 stratigery sshd[2078]: Failed password for illegal user test from 220.92.31.135 port 44754 ssh2
Aug  1 11:41:03 stratigery sshd[2080]: Illegal user guest from 220.92.31.135
Aug  1 11:41:03 stratigery sshd[2080]: Failed password for illegal user guest from 220.92.31.135 port 44808 ssh2
Aug  1 11:41:05 stratigery sshd[2082]: Illegal user admin from 220.92.31.135
Aug  1 11:41:05 stratigery sshd[2082]: Failed password for illegal user admin from 220.92.31.135 port 44873 ssh2
Aug  1 11:41:07 stratigery sshd[2084]: Illegal user admin from 220.92.31.135
Aug  1 11:41:07 stratigery sshd[2084]: Failed password for illegal user admin from 220.92.31.135 port 44920 ssh2
Aug  1 11:41:09 stratigery sshd[2086]: Illegal user user from 220.92.31.135
Aug  1 11:41:09 stratigery sshd[2086]: Failed password for illegal user user from 220.92.31.135 port 44974 ssh2
Aug  1 11:41:11 stratigery sshd[2088]: Failed password for root from 220.92.31.135 port 45023 ssh2
Aug  1 11:41:14 stratigery sshd[2090]: Failed password for root from 220.92.31.135 port 45083 ssh2
Aug  1 11:41:16 stratigery sshd[2092]: Failed password for root from 220.92.31.135 port 45133 ssh2
Aug  1 11:41:18 stratigery sshd[2094]: Illegal user test from 220.92.31.135
Aug  1 11:41:18 stratigery sshd[2094]: Failed password for illegal user test from 220.92.31.135 port 45190 ssh2

The opinion floating on the various security-related email lists
I subscribe to is that this is the result of some script-kiddie "brute-force"
tool.  The force isn't too brute, if you ask me, because everybody seems
to get the same test/guest/admin/user/root user ID guesses.

The minority opinion seems to be that what we're seeing is a probe
from a tool that takes advantage of a vulnerability that only occurs
in very rare versions of sshd.
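The log excerpt above is exactly the kind of input a small per-source aggregator can turn into a "brute force or not" call. The following script is an added example, not code from the original post or the list: it parses sshd "Failed password" / "Accepted password" lines in the OpenSSH 3.x wording shown above, groups them by source address, and flags a source that racks up many failures in a short window, also reporting how much of its username list overlaps the test/guest/admin/user/root set the post describes. The sample log is constructed (most lines are modelled on the post's own; the 10.0.0.7 lines are invented for contrast), the year 2004 is assumed because syslog omits it, and the threshold of 5 failures in 60 seconds is an arbitrary choice for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input modelled on the sshd lines quoted in the post.
# The 10.0.0.7 lines are invented to show a non-flagged source.
SAMPLE_LOG = """\
Aug  1 11:41:00 stratigery sshd[2078]: Illegal user test from 220.92.31.135
Aug  1 11:41:00 stratigery sshd[2078]: Failed password for illegal user test from 220.92.31.135 port 44754 ssh2
Aug  1 11:41:03 stratigery sshd[2080]: Illegal user guest from 220.92.31.135
Aug  1 11:41:03 stratigery sshd[2080]: Failed password for illegal user guest from 220.92.31.135 port 44808 ssh2
Aug  1 11:41:05 stratigery sshd[2082]: Illegal user admin from 220.92.31.135
Aug  1 11:41:05 stratigery sshd[2082]: Failed password for illegal user admin from 220.92.31.135 port 44873 ssh2
Aug  1 11:41:09 stratigery sshd[2086]: Illegal user user from 220.92.31.135
Aug  1 11:41:09 stratigery sshd[2086]: Failed password for illegal user user from 220.92.31.135 port 44974 ssh2
Aug  1 11:41:11 stratigery sshd[2088]: Failed password for root from 220.92.31.135 port 45023 ssh2
Aug  1 11:41:14 stratigery sshd[2090]: Failed password for root from 220.92.31.135 port 45083 ssh2
Aug  1 11:41:16 stratigery sshd[2092]: Failed password for root from 220.92.31.135 port 45133 ssh2
Jul 30 21:20:18 xxx sshd[19500]: User guest not allowed because shell /dev/null is not executable
Aug  1 12:05:40 stratigery sshd[2201]: Failed password for bruce from 10.0.0.7 port 51000 ssh2
Aug  1 12:05:55 stratigery sshd[2203]: Accepted password for bruce from 10.0.0.7 port 51001 ssh2
"""

ASSUMED_YEAR = 2004  # assumption: syslog timestamps carry no year

# syslog prefix: "Mon  d HH:MM:SS host sshd[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Password auth outcome; "illegal user " is present when the account does not exist.
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) password for (?P<illegal>illegal user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")

# The guess list the post says every victim sees.
KIDDIE_USERS = {"test", "guest", "admin", "user", "root"}


def parse_line(line):
    """Return a dict for a password auth result line, or None otherwise.

    "Illegal user X from IP" lines are deliberately not parsed: sshd logs
    a matching "Failed password for illegal user X" right after them, and
    counting both would double every failure for a non-existent account.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.match(m.group("msg"))
    if not a:
        return None
    ts = datetime.strptime(
        f"{ASSUMED_YEAR} {m.group('mon')} {m.group('day')} {m.group('time')}",
        "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "ip": a.group("ip"),
            "user": a.group("user"), "ok": a.group("result") == "Accepted",
            "illegal": a.group("illegal") is not None}


def summarise(log_text, min_failures=5, window=timedelta(seconds=60)):
    """Group auth results by source IP; flag sources with a fast failure run.

    Returns (report, ignored) where `ignored` counts lines that were not
    password auth results. Thresholds are illustrative, not tuned values.
    """
    per_ip = defaultdict(lambda: {"failures": 0, "accepted": 0, "users": set(),
                                  "illegal_users": set(), "first": None, "last": None})
    ignored = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            ignored += 1
            continue
        s = per_ip[ev["ip"]]
        s["accepted" if ev["ok"] else "failures"] += 1
        s["users"].add(ev["user"])
        if ev["illegal"]:
            s["illegal_users"].add(ev["user"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])

    report = {}
    for ip, s in per_ip.items():
        span = s["last"] - s["first"]
        report[ip] = {
            "failures": s["failures"],
            "accepted": s["accepted"],
            "distinct_users": len(s["users"]),
            "illegal_users": sorted(s["illegal_users"]),
            "kiddie_overlap": len(s["users"] & KIDDIE_USERS),
            "span_seconds": int(span.total_seconds()),
            "flagged": s["failures"] >= min_failures and span <= window,
        }
    return report, ignored


if __name__ == "__main__":
    report, ignored = summarise(SAMPLE_LOG)
    for ip, r in sorted(report.items(), key=lambda kv: -kv[1]["failures"]):
        print(f"{ip:16} failures={r['failures']} users={r['distinct_users']} "
              f"overlap={r['kiddie_overlap']}/5 span={r['span_seconds']}s "
              f"{'BRUTE-FORCE' if r['flagged'] else 'ok'}")
    print(f"{ignored} non-auth lines ignored")
```

Two caveats when pointing this at a real auth log: later OpenSSH releases log "Invalid user" rather than "Illegal user", so `AUTH_RE` needs that variant added, and because syslog omits the year, a log that crosses a year boundary will produce wrong spans unless the year is inferred per line rather than fixed.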
