MORE SSH Hacking: heads-up

STYMA, ROBERT E (ROBERT) stymar at lucent.com
Mon Aug 2 21:01:40 UTC 2004


>>On Mon, 02 Aug 2004 12:21:01 -0700, Ow Mun Heng <Ow.Mun.Heng at wdc.com> wrote:
>
>>This was in my logs last night at 11.56pm.
>
>
>Aug  2 03:21:18 ciscy sshd[27030]: Failed password for illegal user test from
>::ffff:69.59.166.236 port 41532 ssh2
>Aug  2 03:21:21 ciscy sshd[27032]: Failed password for illegal user guest from
>::ffff:69.59.166.236 port 41714 ssh2
>
>Seems to be coming from San Francisco...
>
>tracert 69.59.166.236
>
>  [snip]
>
>  8    74 ms    71 ms    70 ms  so-10-0.ipcolo1.SanFranciso1.Level3.net
>[4.68.112.234]
>  9    73 ms    72 ms    70 ms  unknown.Level3.net [63.211.150.226]
> 10    74 ms    72 ms    72 ms  border1-ge0-0-0.sfo.servepath.net
>[209.213.192.123]
> 11    76 ms    72 ms    72 ms  border-core1-pos0-1.sfo2.servepath.net
>[216.93.189.34]
> 12    75 ms    71 ms    72 ms  access1-ge0-1-5.sfo2.servepath.net
>[69.59.136.50]
> 13    75 ms    71 ms    72 ms  customer-reverse-entry.69.59.166.236
>[69.59.166.236]
>
>
>--
>   Steve
>   
>
The fact that a user and password is getting flagged indicates that the
hacker is getting past your /etc/hosts.deny file.  I keep my ssh access
shut down except for IP address ranges I am expecting.  I realize this is
not possible in all cases, but stopping the hacker before they get a login
prompt is in my opinion a preferred situation.
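One way to act on the quoted log lines along the lines Robert describes: parse the sshd "Failed password" entries, fold the `::ffff:` IPv4-mapped form back to a plain IPv4 address, and flag any source that is not inside the address ranges you expect ssh from. This is an added example, not code from the thread; the regex, function names, the `192.0.2.0/24` range and the extra sample lines are assumptions (`invalid user` is the wording later OpenSSH releases use in place of `illegal user`).

```python
import ipaddress
import re
from collections import defaultdict

# Matches the sshd line format quoted in the thread. The quoted lines were
# wrapped by the mail client; real log lines are single lines.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal|invalid) user (?P<user>\S+) "
    r"from (?P<addr>\S+) port (?P<port>\d+)"
)

def normalize_addr(addr):
    """Return the IPv4 address for IPv4-mapped IPv6 forms such as ::ffff:1.2.3.4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def summarize_failures(lines, expected_ranges):
    """Group failed logins by source, flagging sources outside expected_ranges.

    expected_ranges: CIDR strings the administrator expects ssh logins from.
    Returns {ip_str: {"count": int, "users": [...], "expected": bool}}.
    """
    allowed = [ipaddress.ip_network(r) for r in expected_ranges]
    report = defaultdict(lambda: {"count": 0, "users": [], "expected": False})
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and other sshd messages are skipped
        ip = normalize_addr(m.group("addr"))
        entry = report[str(ip)]
        entry["count"] += 1
        if m.group("user") not in entry["users"]:
            entry["users"].append(m.group("user"))
        entry["expected"] = any(ip in net for net in allowed)
    return dict(report)

# Constructed sample: the two lines quoted in the thread, plus two made-up
# lines from a documentation (TEST-NET) address standing in for a known site.
SAMPLE_LOG = [
    "Aug  2 03:21:18 ciscy sshd[27030]: Failed password for illegal user test from ::ffff:69.59.166.236 port 41532 ssh2",
    "Aug  2 03:21:21 ciscy sshd[27032]: Failed password for illegal user guest from ::ffff:69.59.166.236 port 41714 ssh2",
    "Aug  2 03:25:01 ciscy sshd[27040]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
    "Aug  2 03:26:07 ciscy sshd[27044]: Failed password for illegal user admin from 192.0.2.10 port 50031 ssh2",
]

if __name__ == "__main__":
    for ip, info in summarize_failures(SAMPLE_LOG, ["192.0.2.0/24"]).items():
        flag = "" if info["expected"] else "  <- outside expected ranges"
        print(f"{ip}: {info['count']} failures, users tried {info['users']}{flag}")
```

Sources reported as outside the expected ranges are the candidates for a hosts.deny entry or firewall rule; the ones inside still merit a look at which user names were tried.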
