LinuxQuestions.org
Post #1 by mikeghet (Member, registered Aug 2004) on 04-21-2005, 06:10 PM
ssh hack


Ok, so someone tried hacking my box... below is a small, and I mean VERY small, portion of his attempts... probably less than 1% of the total number of usernames the person used. The usernames went all the way up to 'zeus', but he/she never got in.

Well, is there anything that can be done? Whois the IP and send an email to the ISP???

thx!


Apr 17 18:38:23 localhost sshd[4323]: Invalid user anonymous from ::ffff:219.25.236.163
Apr 17 18:38:26 localhost sshd[4323]: Failed password for invalid user anonymous from ::ffff:219.25.236.163 port 47679 ssh2
Apr 17 18:38:27 localhost sshd[4326]: Invalid user passwd from ::ffff:219.25.236.163
Apr 17 18:38:30 localhost sshd[4326]: Failed password for invalid user passwd from ::ffff:219.25.236.163 port 47762 ssh2
Apr 17 18:38:32 localhost sshd[4329]: Invalid user chuck from ::ffff:219.25.236.163
Apr 17 18:38:34 localhost sshd[4329]: Failed password for invalid user chuck from ::ffff:219.25.236.163 port 47839 ssh2
Apr 17 18:38:36 localhost sshd[4332]: Invalid user darkman from ::ffff:219.25.236.163
Apr 17 18:38:38 localhost sshd[4332]: Failed password for invalid user darkman from ::ffff:219.25.236.163 port 48328 ssh2
Apr 17 18:38:40 localhost sshd[4335]: Invalid user hostmaster from ::ffff:219.25.236.163
Apr 17 18:38:42 localhost sshd[4335]: Failed password for invalid user hostmaster from ::ffff:219.25.236.163 port 48816 ssh2
Apr 17 18:38:44 localhost sshd[4338]: Invalid user jeffrey from ::ffff:219.25.236.163
Apr 17 18:38:46 localhost sshd[4338]: Failed password for invalid user jeffrey from ::ffff:219.25.236.163 port 49289 ssh2
Apr 17 18:38:48 localhost sshd[4341]: Invalid user loverd from ::ffff:219.25.236.163
Apr 17 18:38:50 localhost sshd[4341]: Failed password for invalid user loverd from ::ffff:219.25.236.163 port 49362 ssh2
 
Post #2 by Capt_Caveman (Senior Member, registered Mar 2003) on 04-21-2005, 06:19 PM
There is a large thread at the top of this forum discussing this issue and measures you can take to prevent these attacks. In most cases they originate from machines that were cracked using the very same attack, so I usually recommend doing a whois and sending a polite email to the abuse@ISP address. Make sure to include any relevant log portions with the offending IP and timestamps.
 
Post #3 by mikeghet (Original Poster) on 04-21-2005, 07:56 PM
Great, thanks...

That is exactly what I did, but I wasn't sure if there was anything else. They never actually got in, but just attempted. I think I might post a list of all the user names he used so people know what NOT to choose as user names for their accounts... one of them comes to mind that is probably common: webadmin. I imagine once the script locates a user name it runs a subroutine of multiple passwords, but I dunno for sure, so choosing the username is equally as important as choosing a good password.
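As an added example (not code from any poster in this thread), a Python script that parses sshd lines like those in post #1, groups failed logins by source address, collects the user names tried (the list post #3 talks about) and drafts the abuse mail post #2 recommends, log excerpt and timestamps included. Syslog lines of this form carry neither year nor timezone, so the caller must supply the timezone for the report. The sample lines are constructed, using documentation addresses (RFC 5737) rather than a real host.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the sshd entries quoted in post #1;
# the addresses are from documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Apr 17 18:38:23 localhost sshd[4323]: Invalid user anonymous from ::ffff:203.0.113.7
Apr 17 18:38:26 localhost sshd[4323]: Failed password for invalid user anonymous from ::ffff:203.0.113.7 port 47679 ssh2
Apr 17 18:38:27 localhost sshd[4326]: Invalid user passwd from ::ffff:203.0.113.7
Apr 17 18:38:30 localhost sshd[4326]: Failed password for invalid user passwd from ::ffff:203.0.113.7 port 47762 ssh2
Apr 17 18:38:32 localhost sshd[4329]: Invalid user chuck from ::ffff:203.0.113.7
Apr 17 18:38:34 localhost sshd[4329]: Failed password for invalid user chuck from ::ffff:203.0.113.7 port 47839 ssh2
Apr 17 18:40:01 localhost sshd[4400]: Failed password for root from ::ffff:198.51.100.9 port 50000 ssh2
Apr 17 18:40:05 localhost sshd[4402]: Accepted publickey for mike from 192.0.2.5 port 51000 ssh2
"""

# One "Failed password" line per attempt. "invalid user" marks names that do
# not exist locally; existing accounts (e.g. root) lack that prefix, so it is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>\d+(?:\.\d+){3}) port \d+"
)

def summarize_failures(log_text):
    """Group failed logins by source IP: count, time window, names tried, raw lines."""
    by_ip = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                 "users": [], "lines": []})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue            # accepted logins and other noise are skipped
        entry = by_ip[m["ip"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        if m["user"] not in entry["users"]:
            entry["users"].append(m["user"])
        entry["lines"].append(line)
    return dict(by_ip)

def abuse_report(log_text, ip, tz):
    """Plain-text body for an abuse@ mail: window, attempt count, names, evidence.
    tz is stated explicitly because syslog timestamps carry no timezone or year."""
    s = summarize_failures(log_text)[ip]
    head = (f"Source {ip} made {s['count']} failed SSH logins between "
            f"{s['first']} and {s['last']} (times {tz}), trying: "
            + ", ".join(s["users"]))
    return head + "\nLog excerpt:\n" + "\n".join(s["lines"])
```

Feed it `/var/log/secure` (or `auth.log`) instead of `SAMPLE_LOG` and pass the host's timezone; the `whois` lookup of the source address to find the abuse contact is a separate step.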
 
Post #4 by archdev (Member, registered May 2004) on 04-22-2005, 12:27 AM
When I started to see a lot of these brute force attacks really pick up, about 6 months ago, I started to politely email abuse@---, although to date I never got a response back from anyone, which sort of annoyed me. I mean, I would appreciate someone reporting weird behavior from my end. Anyway, once I tried to telnet to a box that had tried for about 20 minutes to ssh me, and lo and behold telnet was running (on what was reported as a Debian machine in France). Didn't know if the original user left telnet on and used it (which might have led to his compromise) or this was a backdoor for the cracker to get back in and do more exploits.

I saw some code a while back that supposedly was what some people were running to do these attacks. Some of the username/password combos in the code were ridiculous: username: james, password: test123

but then again, I am sure there are lazy admin / users out there...
 
Post #5 by metallica1973 (Senior Member, registered Feb 2003) on 04-22-2005, 12:27 PM
The same thing just happened to me and I just posted the thread. Help SOS!
All times are GMT -5.