Re: [Full-disclosure] Fwd: NS1 ssh bad attempts

2013-12-23 Thread silence_is_best
Looks like someone hosed the input field in a scanning/brute-force app
and it passed the error as an input value... wonder if the second 003
was cut off as 0034 is ASCII . 

On 12/21/2013 at 4:01 AM, Gary Baribault wrote:
Drunk typing or an attempt using a vuln? Anyone seen this? It's an
attempted login to SSH in a fully patched CentOS server.

I'm on the road for a few hours, any questions will be answered this
aft.

Gary B
 Original Message 
Subject: NS1 ssh bad attempts
Date: Sat, 21 Dec 2013 03:16:39 -0500
From: r...@smtp.baribault.net (root)
To: g...@smtp.baribault.net
Dec 20 19:57:48 garybaribaultnet sshd[6084]: Invalid user 03402error!0203 from 64.147.222.2
Dec 20 19:57:48 garybaribaultnet sshd[6085]: input_userauth_request: invalid user 03402error!0203
Dec 20 19:57:51 garybaribaultnet sshd[6084]: Failed password for invalid user 03402error!0203 from 64.147.222.2 port 50259 ssh2
Dec 20 03:42:01 garybaribaultnet sshd[25317]: refused connect from 216.87.173.50 (216.87.173.50)
Dec 20 05:35:17 garybaribaultnet sshd[26506]: refused connect from 198.13.101.247 (198.13.101.247)
Dec 20 13:19:41 garybaribaultnet sshd[32622]: refused connect from 222.186.57.230 (222.186.57.230)
Dec 20 13:42:01 garybaribaultnet sshd[540]: refused connect from 199.71.214.66 (199.71.214.66)
Dec 20 13:59:16 garybaribaultnet sshd[761]: refused connect from 222.186.15.121 (222.186.15.121)
Dec 20 16:00:28 garybaribaultnet sshd[2834]: refused connect from 202.119.236.121 (202.119.236.121)
Dec 20 16:58:45 garybaribaultnet sshd[3725]: refused connect from 222.189.239.75 (222.189.239.75)
Dec 20 20:43:21 garybaribaultnet sshd[6557]: refused connect from 61.142.106.34 (61.142.106.34)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Fwd: NS1 ssh bad attempts

2013-12-21 Thread Gary Baribault
Drunk typing or an attempt using a vuln? Anyone seen this? It's an
attempted login to SSH in a fully patched CentOS server.

I'm on the road for a few hours, any questions will be answered this aft.

Gary B


 Original Message 
Subject: NS1 ssh bad attempts
Date: Sat, 21 Dec 2013 03:16:39 -0500
From: r...@smtp.baribault.net (root)
To: g...@smtp.baribault.net



Dec 20 19:57:48 garybaribaultnet sshd[6084]: Invalid user \0034\002error!\002\003 from 64.147.222.2
Dec 20 19:57:48 garybaribaultnet sshd[6085]: input_userauth_request: invalid user \0034\002error!\002\003
Dec 20 19:57:51 garybaribaultnet sshd[6084]: Failed password for invalid user \0034\002error!\002\003 from 64.147.222.2 port 50259 ssh2
Dec 20 03:42:01 garybaribaultnet sshd[25317]: refused connect from 216.87.173.50 (216.87.173.50)
Dec 20 05:35:17 garybaribaultnet sshd[26506]: refused connect from 198.13.101.247 (198.13.101.247)
Dec 20 13:19:41 garybaribaultnet sshd[32622]: refused connect from 222.186.57.230 (222.186.57.230)
Dec 20 13:42:01 garybaribaultnet sshd[540]: refused connect from 199.71.214.66 (199.71.214.66)
Dec 20 13:59:16 garybaribaultnet sshd[761]: refused connect from 222.186.15.121 (222.186.15.121)
Dec 20 16:00:28 garybaribaultnet sshd[2834]: refused connect from 202.119.236.121 (202.119.236.121)
Dec 20 16:58:45 garybaribaultnet sshd[3725]: refused connect from 222.189.239.75 (222.189.239.75)
Dec 20 20:43:21 garybaribaultnet sshd[6557]: refused connect from 61.142.106.34 (61.142.106.34)
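
Added example, not part of the original thread: a small triage script that pulls the username out of the three sshd lines above, decodes the backslash sequences back to raw bytes, and flags any username containing control characters. It assumes the `\ddd` sequences are sshd's three-digit octal escapes for non-printable bytes; the function names and the final sample line (user `admin`, address 192.0.2.10) are constructed for illustration.

```python
import re

# sshd lines from the post, unwrapped; the last entry is constructed.
SAMPLE = [
    r"Dec 20 19:57:48 garybaribaultnet sshd[6084]: Invalid user \0034\002error!\002\003 from 64.147.222.2",
    r"Dec 20 19:57:48 garybaribaultnet sshd[6085]: input_userauth_request: invalid user \0034\002error!\002\003",
    r"Dec 20 19:57:51 garybaribaultnet sshd[6084]: Failed password for invalid user \0034\002error!\002\003 from 64.147.222.2 port 50259 ssh2",
    "Dec 20 20:43:21 garybaribaultnet sshd[6557]: refused connect from 61.142.106.34 (61.142.106.34)",
    "Dec 20 21:00:00 garybaribaultnet sshd[7001]: Invalid user admin from 192.0.2.10",  # constructed
]

# The username is client-supplied and may itself contain " from ...",
# so the pattern is anchored at end of line and the last " from <ip>" wins.
LINE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:Invalid user|input_userauth_request: invalid user"
    r"|Failed password for invalid user) (?P<user>.*?)"
    r"(?: from (?P<ip>[0-9A-Fa-f.:]+)(?: port \d+(?: ssh2)?)?)?$"
)
ESC = re.compile(r"\\([0-3][0-7]{2}|\\)")  # assumed escape forms: \ddd and \\


def decode_octal_escapes(field):
    """Turn the logged username back into the bytes the client sent."""
    out, pos = bytearray(), 0
    for m in ESC.finditer(field):
        out += field[pos:m.start()].encode("utf-8")
        tok = m.group(1)
        out += b"\\" if tok == "\\" else bytes([int(tok, 8)])
        pos = m.end()
    out += field[pos:].encode("utf-8")
    return bytes(out)


def flag_control_char_usernames(lines):
    """Return (pid, ip, raw_username, control_bytes) for each suspicious line."""
    hits = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        raw = decode_octal_escapes(m.group("user"))
        ctrl = sorted({b for b in raw if b < 0x20 or b == 0x7F})
        if ctrl:
            hits.append((int(m.group("pid")), m.group("ip"), raw, ctrl))
    return hits


if __name__ == "__main__":
    for pid, ip, raw, ctrl in flag_control_char_usernames(SAMPLE):
        print(pid, ip, raw, [hex(b) for b in ctrl])
```

Decoded, the username is the byte 0x03, the digit `4`, 0x02, the text `error!`, 0x02, 0x03; the `refused connect` lines and the plain `admin` attempt are not flagged.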


