[conspire] Ongoing dictionary attacks on SSH daemons
daniel at gimpelevich.san-francisco.ca.us
Fri Oct 1 14:50:20 PDT 2004
Well, like I said before, this line was enough to pique my curiosity and
get me to look at the router's logs. Sure enough, they showed that I was
indeed being attacked. I have since cleared the router logs, so I can't
post their contents, but suffice it to say that there were multiple
attempts to break in over a 10-minute period. BTW, regarding your attack:
% This is the RIPE Whois secondary server.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
inetnum: 188.8.131.52 - 184.108.40.206
status: ASSIGNED PA
changed: rotherh at de.cw.net 20040309
changed: smorhoff at de.cw.net 20040401
changed: wbe at ecrc.de 19990415
changed: sticht at ecrc.de 19991205
changed: theimes at de.cw.net 20010803
person: Christian Keiser
address: Kaistr. 3
address: D-40221 Duesseldorf
e-mail: ck at infobonn.de
changed: ckozul at de.cw.net 20030425
On Fri, 01 Oct 2004 11:49:50 -0700, Rick Moen wrote:
> Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):
>> Gee, and when I got attacked, the only thing that appeared in the log was:
>> Sep 11 06:02:50 localhost sshd: fatal: Timeout before authentication for 220.127.116.11.
> Well, logcheck does fairly extensive log analysis, so you see things
> with it that you otherwise might not.
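The thread turns on how little a single sshd line reveals until the log is analysed as a whole. The following is an added example, not part of the original message and not logcheck's own logic: it groups pre-authentication timeouts and failed passwords by source address and reports sources that reach a threshold inside a 10-minute window. The function name `bursts`, the threshold, the assumed year (syslog timestamps carry none), the IPv4-only pattern and the sample lines (constructed, using documentation addresses) are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format quoted in the thread;
# addresses are from the documentation range 192.0.2.0/24.
SAMPLE = """\
Sep 11 06:02:50 localhost sshd[411]: fatal: Timeout before authentication for 192.0.2.7.
Sep 11 06:03:01 localhost sshd[412]: Failed password for illegal user test from 192.0.2.7 port 4101 ssh2
Sep 11 06:03:04 localhost sshd[413]: Failed password for root from 192.0.2.7 port 4102 ssh2
Sep 11 06:09:30 localhost sshd[420]: Failed password for invalid user admin from 192.0.2.7 port 4110 ssh2
Sep 11 06:40:00 localhost sshd[431]: Failed password for daniel from 192.0.2.99 port 5000 ssh2
Sep 11 07:30:00 localhost sshd[440]: fatal: Timeout before authentication for 192.0.2.7.
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"  # IPv4 only (assumption for this example)
LINE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: (?:"
    rf"fatal: Timeout before authentication for (?P<t>{IP})"
    rf"|Failed password for (?:(?:invalid|illegal) user )?\S+ from (?P<f>{IP}) )"
)

def bursts(log_text, window=timedelta(minutes=10), threshold=3, year=2004):
    """Return {ip: peak event count within any `window`} for noisy sources."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            # Syslog omits the year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["t"] or m["f"]].append(ts)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, count in bursts(SAMPLE).items():
        print(f"{ip}: {count} sshd events within 10 minutes")
```

A lone timeout line, like the one quoted in the thread, stays below the threshold on its own; it only stands out once correlated with the other events from the same source.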