From: "Craig Edwards"
To: "Sandor Berta", "freebsd-security@freebsd.org"
Date: Fri, 13 Aug 2004 18:35:06 +0100
Organization: Crypt Software
Subject: Re: sequences in the auth.log
Reply-To: brain@winbot.co.uk

I've been getting this too on both my FreeBSD boxes; it seems to be an epidemic. I guess it's some form of ssh scanner looking for open accounts with no passwords (or easily guessable passwords)?

Thanks,
Craig

>Hi all,
>I found similar sequences in the
>165.21.103.20 port 39836 ssh2
>Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
>Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
>Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
>
>What are these?
>
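
A defender's triage of lines like the ones quoted above, as an added example that is not part of the original thread: it groups sshd unknown-user rejections by source address and flags sources that try several distinct names within a short window. The first three sample lines come from the thread and the last two are constructed; the function names, the one-minute window and the default year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd of this thread's era logs "Illegal user"; later OpenSSH releases log "Invalid user".
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>\S+)"
)

# Lines 1-3 are quoted in the thread; lines 4-5 are constructed for the example.
SAMPLE = """\
Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
Aug 13 14:30:02 www sshd[26501]: Accepted publickey for alice from 192.0.2.7 port 50022 ssh2
Aug 13 14:31:10 www sshd[26510]: Invalid user admin from 192.0.2.7
"""

def probes_by_source(text, year=2004):
    """Return {source: [(timestamp, username), ...]} for unknown-user attempts.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["src"]].append((ts, m["user"]))
    return dict(hits)

def scanners(hits, min_users=2, window=timedelta(minutes=1)):
    """Sources that tried at least min_users distinct unknown names within window."""
    flagged = []
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {u for t, u in events[i:] if t - start <= window}
            if len(names) >= min_users:
                flagged.append(src)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(scanners(probes_by_source(SAMPLE)))
```

A single rejected name from one address is left unflagged by default, since a lone typo by a legitimate user looks the same in the log.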