[conspire] Ongoing dictionary attacks on SSH daemons

Daniel Gimpelevich daniel at gimpelevich.san-francisco.ca.us
Fri Oct 1 14:50:20 PDT 2004

Well, like I said before, this line was enough to pique my curiosity and
get me to look at the router's logs. Sure enough, they showed that I was
indeed being attacked. I have since cleared the router logs, so I can't
post their contents, but suffice it to say that there were multiple
attempts to break in over a 10-minute period. BTW, regarding your attack:

% This is the RIPE Whois secondary server.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: -
netname:      CW-MSD-NET
descr:        Kaistrasse3
descr:        Duesseldorf
country:      DE
admin-c:      CK681-RIPE
tech-c:       CK681-RIPE
status:       ASSIGNED PA
mnt-by:       CW-EUROPE-GSOC
changed:      rotherh at de.cw.net 20040309
changed:      smorhoff at de.cw.net 20040401
source:       RIPE

descr:        DE-ECRC-195-27-0-0
origin:       AS1273
mnt-by:       CW-EUROPE-GSOC
changed:      wbe at ecrc.de 19990415
changed:      sticht at ecrc.de 19991205
changed:      theimes at de.cw.net 20010803
source:       RIPE

person:       Christian Keiser
address:      Kaistr. 3
address:      D-40221 Duesseldorf
address:      Germany
phone:        +492119300813
fax-no:       +492119300843
e-mail:       ck at infobonn.de
nic-hdl:      CK681-RIPE
changed:      ckozul at de.cw.net 20030425
source:       RIPE

On Fri, 01 Oct 2004 11:49:50 -0700, Rick Moen wrote:

> Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):
>> Gee, and when I got attacked, the only thing that appeared in the log was:
>> Sep 11 06:02:50 localhost sshd[13185]: fatal: Timeout before authentication for
> Well, logcheck does fairly extensive log analysis, so you see things
> with it that you otherwise might not.

More information about the conspire mailing list