[lug] Attacks Intensifying
Matt Thompson
thompsma at colorado.edu
Thu Oct 28 08:45:42 MDT 2004
On Thu, 2004-10-28 at 07:52, Bill Thoen wrote:
> I've been noticing ever more concerted attacks via ssh lately. The last
> two last night were from karp.ece.cmu.edu: 34 times, and 206.166.198.131:
> 107 times. They try user names like nobody, user, rolo, etc., and more
> disturbingly, root. So far they haven't succeeded.
>
> But I was wondering... Is there any way to see what passwords these
> scripted attacks are trying? My messages and secure logs don't show it.
> I'm just curious to see how close they might be getting.

Well, the older root specific version was like this:

http://www.k-otik.com/exploits/08202004.brutessh2.c.php

So, you could take that as a baseline. By now I'm sure some kiddie has
expanded the dictionary. I'm guessing there isn't a john-like
number/capital type search since I've only ever gotten around 2000 or so
attempts a day at its peak. A john-type attack should generate a lot
more.

My latest logwatch shows attempts at patrick, matt, sybase, &c. as I'm
sure yours does, so someone probably altered the checkauth to include an
array of users.

Matt
--
Learning just means you were wrong and they were right. - Aram
Matt Thompson -- http://ucsub.colorado.edu/~thompsma/
440 UCB, Boulder, CO 80309-0440
JILA A510, 303-492-4662
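
The per-source counts and account names discussed in this thread can be pulled out of the sshd log directly; sshd records the account and source of each failure, not the password tried. The following is an added example, not part of the original messages: the log lines are constructed, the addresses are documentation ranges, and the "Failed password" line format (with either "illegal user" or "invalid user") is an assumption about the local sshd version.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of sshd entries in /var/log/secure.
SAMPLE_LOG = """\
Oct 28 02:11:01 host sshd[4101]: Failed password for illegal user rolo from 192.0.2.10 port 40112 ssh2
Oct 28 02:11:05 host sshd[4105]: Failed password for root from 192.0.2.10 port 40131 ssh2
Oct 28 02:11:07 host sshd[4107]: Failed password for nobody from 192.0.2.10 port 40140 ssh2
Oct 28 03:40:12 host sshd[4290]: Failed password for invalid user patrick from 203.0.113.7 port 51822 ssh2
Oct 28 03:40:15 host sshd[4292]: Failed password for root from 203.0.113.7 port 51830 ssh2
Oct 28 03:40:18 host sshd[4294]: Failed password for root from 203.0.113.7 port 51835 ssh2
Oct 28 07:02:44 host sshd[4510]: Accepted password for matt from 198.51.100.4 port 33010 ssh2
Oct 28 07:05:09 host sshd[4533]: Failed password for matt from 198.51.100.4 port 33055 ssh2
"""

# Greedy user match anchored at end of line: the last " from ... port N" is
# taken as the source even if a client-supplied username contains " from ".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>.+) from (?P<src>\S+) port \d+(?: ssh\d)?\s*$"
)

def summarize(log_text):
    """Return {source: {"attempts": n, "users": Counter, "root": n}}."""
    stats = defaultdict(lambda: {"attempts": 0, "users": Counter(), "root": 0})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        s = stats[m.group("src")]
        s["attempts"] += 1
        s["users"][m.group("user")] += 1
        if m.group("user") == "root":
            s["root"] += 1
    return dict(stats)

def suspects(stats, min_attempts=3, min_users=2):
    """Sources with repeated failures spread over several account names."""
    return sorted(
        src for src, s in stats.items()
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users
    )

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src in suspects(stats):
        s = stats[src]
        print(src, s["attempts"], "failures,", s["root"], "for root,",
              "users:", ", ".join(sorted(s["users"])))
```

The thresholds in `suspects` are illustrative defaults; a single mistyped password from a legitimate user (the `matt` line) stays below them.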