[conspire] Ongoing dictionary attacks on SSH daemons
Daniel Gimpelevich
daniel at gimpelevich.san-francisco.ca.us
Fri Oct 1 14:50:20 PDT 2004
Well, like I said before, this line was enough to pique my curiosity and
get me to look at the router's logs. Sure enough, they showed that I was
indeed being attacked. I have since cleared the router logs, so I can't
post their contents, but suffice it to say that there were multiple
attempts to break in over a 10-minute period. BTW, regarding your attack:
On Fri, 01 Oct 2004 11:49:50 -0700, Rick Moen wrote:
> Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):
>
>> Gee, and when I got attacked, the only thing that appeared in the log was:
>> Sep 11 06:02:50 localhost sshd[13185]: fatal: Timeout before authentication for 212.48.164.71.
>
> Well, logcheck does fairly extensive log analysis, so you see things
> with it that you otherwise might not.
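The thread's point is that a single "Timeout before authentication" line looks harmless until a log monitor correlates it with the failed logins around it from the same source. As an added example (not code from the thread, and not logcheck's own rules), here is that correlation step: parse sshd syslog lines, group failed-password and pre-auth-timeout events by source address, and flag any source with a burst inside a 10-minute window. The log lines are constructed, using RFC 5737 documentation addresses in place of any real attacker.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog sample (OpenSSH 3.x-era wording); only the
# "Timeout before authentication" form comes from the thread.
SAMPLE_LOG = """\
Sep 11 06:01:10 localhost sshd[13170]: Failed password for illegal user admin from 198.51.100.7 port 40122 ssh2
Sep 11 06:01:14 localhost sshd[13171]: Failed password for illegal user test from 198.51.100.7 port 40130 ssh2
Sep 11 06:01:19 localhost sshd[13172]: Failed password for root from 198.51.100.7 port 40141 ssh2
Sep 11 06:02:50 localhost sshd[13185]: fatal: Timeout before authentication for 198.51.100.7.
Sep 11 06:05:33 localhost sshd[13190]: Accepted publickey for daniel from 192.0.2.10 port 51022 ssh2
Sep 11 06:40:02 localhost sshd[13201]: Failed password for root from 203.0.113.9 port 3344 ssh2
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: ")
# A failed password guess, and a connection dropped before finishing auth
FAILED_RE = re.compile(r"Failed password for (?:(?:illegal|invalid) user )?\S+ from " + IP)
TIMEOUT_RE = re.compile(r"Timeout before authentication for " + IP)

def parse_events(log_text, year=2004):
    """Yield (timestamp, source_ip, kind) for each suspicious sshd line."""
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # not an sshd line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, pat in (("failed", FAILED_RE), ("timeout", TIMEOUT_RE)):
            hit = pat.search(line)
            if hit:
                yield ts, hit["ip"], kind

def find_bursts(log_text, window_minutes=10, threshold=3):
    """Return {ip: peak_count} for sources with >= threshold events in any window."""
    by_ip = defaultdict(list)
    for ts, ip, _kind in parse_events(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0  # sliding window over this source's sorted timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_minutes * 60:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

On the sample, the first source is flagged with four events in under two minutes, while the single failure from the second source stays below the threshold.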