On Tue, 17 Aug 2004, Ian Neilson wrote:
> If you detect something like this and suspect it is grid-related then
> please post information about it whether successful or not.

That was sort of my question; as several people have pointed out, a
certain background level is to be expected. As I only see one site, I
can't tell whether a set of attacks are aimed at the Grid or just happen
because someone's pointed a script at an IP range that happens to include
us.

On the other hand, just going ahead and dumping chunks of system logs into
the list every day on the off chance that someone recognises an IP address
doesn't really fly either - what if we all did that? (I leave others to
worry about the risks of broadcasting when and what we check in the
logs!)

It seems to have eased off slightly from the beginning of the month - I
think we're down to less than one attempt per night. A sample (source is
sphera.amen.fr) is below. Most addresses I've tried don't resolve, apart
from a number of machines at Seoul National University (.snu.ac.kr) about
a week ago. It's obviously a script as it tries the same id at three
separate machines almost simultaneously.

It might be worth - if someone volunteers - taking one night's worth of
data from everybody and trawling through it to see if anything's hitting on a
significant number of Grid sites, even if this particular attack isn't
much of a danger per se.

Henry

Aug 17 02:38:22 dgc-grid-37 sshd[8652]: input_userauth_request: illegal user test
Aug 17 02:38:24 dgc-grid-37 sshd[8652]: Failed password for illegal user test from 217.174.194.100 port 33010 ssh2
Aug 17 02:38:24 dgc-grid-37 sshd[8652]: Received disconnect from 217.174.194.100: 11: Bye Bye
Aug 17 02:38:24 dgc-grid-37 sshd[8653]: input_userauth_request: illegal user guest
Aug 17 02:38:27 dgc-grid-37 sshd[8653]: Failed password for illegal user guest from 217.174.194.100 port 33263 ssh2
Aug 17 02:38:27 dgc-grid-37 sshd[8653]: Received disconnect from 217.174.194.100: 11: Bye Bye
Aug 17 02:38:27 dgc-grid-37 sshd[8654]: input_userauth_request: illegal user admin
Aug 17 02:38:29 dgc-grid-37 sshd[8654]: Failed password for illegal user admin from 217.174.194.100 port 33433 ssh2
Aug 17 02:38:29 dgc-grid-37 sshd[8654]: Received disconnect from 217.174.194.100: 11: Bye Bye
Aug 17 02:38:30 dgc-grid-37 sshd[8655]: input_userauth_request: illegal user admin
Aug 17 02:38:32 dgc-grid-37 sshd[8655]: Failed password for illegal user admin from 217.174.194.100 port 33613 ssh2
Aug 17 02:38:32 dgc-grid-37 sshd[8655]: Received disconnect from 217.174.194.100: 11: Bye Bye
Aug 17 02:38:32 dgc-grid-37 sshd[8656]: input_userauth_request: illegal user user
Aug 17 02:38:35 dgc-grid-37 sshd[8656]: Failed password for illegal user user from 217.174.194.100 port 33852 ssh2
Aug 17 02:38:35 dgc-grid-37 sshd[8656]: Received disconnect from 217.174.194.100: 11: Bye Bye
Aug 17 02:38:37 dgc-grid-37 sshd[8657]: Failed password for root from 217.174.194.100 port 34054 ssh2
Aug 17 02:38:37 dgc-grid-37 sshd[8657]: Received disconnect from 217.174.194.100: 11: Bye Bye
Aug 17 02:38:40 dgc-grid-37 sshd[8658]: Failed password for root from 217.174.194.100 port 34199 ssh2
Aug 17 02:38:40 dgc-grid-37 sshd[8658]: Received disconnect from 217.174.194.100: 11: Bye Bye
Aug 17 02:38:43 dgc-grid-37 sshd[8659]: Failed password for root from 217.174.194.100 port 34335 ssh2
Aug 17 02:38:43 dgc-grid-37 sshd[8659]: Received disconnect from 217.174.194.100: 11: Bye Bye
Aug 17 02:38:43 dgc-grid-37 sshd[8660]: input_userauth_request: illegal user test
Aug 17 02:38:45 dgc-grid-37 sshd[8660]: Failed password for illegal user test from 217.174.194.100 port 34520 ssh2
Aug 17 02:38:45 dgc-grid-37 sshd[8660]: Received disconnect from 217.174.194.100: 11: Bye Bye
--
Dr. Henry Nebrensky
http://www.brunel.ac.uk/~eesrjjn
"The opossum is a very sophisticated animal.
It doesn't even get up until 5 or 6 p.m."
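
The cross-site trawl suggested in the message above, as an added example that is not part of the original post: each site's sshd log is reduced to source addresses and the usernames tried, and only those summaries are correlated to find sources seen at several sites. The site names, host names and log lines are constructed (documentation-range addresses), written in the format of the sample above.

```python
import re
from collections import defaultdict

# sshd failure line as in the sample above; later OpenSSH says "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarise(log_text):
    """Reduce one site's log to {source_ip: set of usernames tried}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            seen[m.group(2)].add(m.group(1))
    return dict(seen)

def cross_site(summaries, min_sites=2):
    """Map each source seen at >= min_sites sites to (sites, usernames)."""
    sites, users = defaultdict(set), defaultdict(set)
    for site, summary in summaries.items():
        for ip, names in summary.items():
            sites[ip].add(site)
            users[ip] |= names
    return {ip: (sorted(s), sorted(users[ip]))
            for ip, s in sites.items() if len(s) >= min_sites}

# Constructed sample data: hypothetical sites and hosts, documentation-range IPs.
SAMPLE_LOGS = {
    "site-a": """\
Aug 17 02:38:24 node-a1 sshd[8652]: Failed password for illegal user test from 192.0.2.10 port 33010 ssh2
Aug 17 02:38:37 node-a1 sshd[8657]: Failed password for root from 192.0.2.10 port 34054 ssh2
Aug 17 03:10:02 node-a1 sshd[8701]: Failed password for alice from 198.51.100.5 port 40112 ssh2""",
    "site-b": """\
Aug 17 02:38:27 node-b1 sshd[4410]: Failed password for illegal user guest from 192.0.2.10 port 33263 ssh2
Aug 17 02:38:27 node-b1 sshd[4410]: Received disconnect from 192.0.2.10: 11: Bye Bye""",
    "site-c": """\
Aug 17 02:38:29 node-c1 sshd[912]: Failed password for illegal user admin from 192.0.2.10 port 33433 ssh2
Aug 17 04:55:41 node-c1 sshd[977]: Failed password for root from 203.0.113.77 port 51022 ssh2""",
}

def report(logs=SAMPLE_LOGS):
    """Summarise each site separately, then correlate only the summaries."""
    return cross_site({site: summarise(text) for site, text in logs.items()})

if __name__ == "__main__":
    for ip, (where, names) in report().items():
        print(f"{ip}: {len(where)} sites ({', '.join(where)}); tried {', '.join(names)}")
```

Because `cross_site` works on the per-site summaries, a site only has to hand over source addresses and attempted usernames rather than raw log extracts.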