I had port 22 open for a few hours yesterday but closed it when I noticed the 
following. He was evidently working from a list; most intruders seem content to 
try a few password guesses for root/guest/mysql etc. Many of his usernames seem 
pretty unlikely. Perhaps I should set up a honeypot account with audible alarm 
so I could see what he was up to. Here are the first couple of lines he 
logged, followed by `uniq -c` of the rest.

Jim Donovan

=================================================================================================

Aug 13 14:43:14 phenom sshd[4919]: Did not receive identification string from 122.225.38.45
14:53:47 phenom sshd[5252]: Invalid user roto from 122.225.38.45

      1 thx1138
      1 0123456789
      1 root123
      1 r00t
      1 toor
      1 toor123
      1 t00r
      1 acces
      1 access
      1 acc3ss
      1 acc3s
      1 acce$$
      1 acce55
      1 tomcat
      1 tomcat1
      1 tomcat2
      1 tomcat3
      1 tomcat4
      1 tomcat5
      1 tomcat6
      1 ginger
      1 sexcrime
      1 sexcr1me
      1 aabbcc
      1 aassdd
      1 1122
      1 112233
      1 123234
      1 12321
      1 1234321
      1 123234
      1 11223344
      1 qqwwee
      1 qq
      1 aa
      1 ss
      1 dd
      1 ff
      1 ee
      1 xx
      1 zz
      1 mandrake
      1 starwars
      1 jupiter
      1 saturn
      1 121212
      1 123123123
      1 test
      1 testpass
      1 passtest
      1 l3tm31n
      1 131313
      1 marcus
      1 654321
      1 987654321
      1 87654321
      1 7654321
      1 54321
      1 4321
      1 321
      1 21
      1 changeme
      1 redhat
      1 r3dh4t
      1 redhat
      1 redh4t
      1 12345678
      1 sugipulaba
      1 maciek
      1 123456
      1 12345
      1 maciek123
      1 marco
      1 marco123
      1 123456
      1 marcos
      1 12345
      1 123456
      1 marcos123
      1 mko123
      1 mko
      1 123456
      1 12345
      1 richard123
      1 richard
      1 r1chard
      1 123456
      1 12345
      1 pablo
      1 pablo123
      1 123456
      1 12345
      1 14:58:33
      1 12345
      1 123456
      1 euser123
      1 john
      1 john123kelvin
      1 sherlock
      1 walker
      1 boss
      1 may
      1 ewa
      2 john
      4 michael
      3 user
      4 cgi
      1 vince
      1 jonathan
      1 neo
      1 thebest
      5 payala
      1 grupo2
      1 grupo
      1 grupo1
      1 estudiante
      2 grupo
      1 greg
      1 gregory
      1 greg
      1 selena
      1 matti
      1 mom
      1 user4
      1 harvey
      1 takada
      1 user1
      1 user2
      2 user3
      1 alliance
      1 clinic
      1 asians
      1 imaging
      3 ginger
      4 c00per
      2 c00p3r
      1 c00per
      1 c00p3r
      2 cOOper
      1 cOOPer
      1 cOOper
      1 cOOp3r
      4 stuart
      1 erika
      3 cvs
      5 postgres
      5 webmail
      2 falko
      1 tsunami
      1 swsoft
      1 madams
      1 jodie
      1 jemma
      1 hannah
      2 renee
      2 madams
      4 site
      5 info
      2 com1
      1 chinon
      1 nathalie
      1 catherine
      1 pascaln
      1 eve
      1 cebron
      1 almir
      1 celinepc
      1 celine
      1 lecunff
      1 jeanata
      1 techno
      1 gchristoche
      1 christoche
      1 lgmarc
      1 agilbert
      1 amark
      1 domin
      1 annick
      1 zimmermann
      1 avrille
      1 stock3
      1 stock
      1 stock2
      1 stock1
      1 squirrelmail
      1 agathe
      1 depsite
      1 cai
      1 bouygtel
      1 parade
      1 kenyan
      1 cholet
      1 fabrice
      1 stephanecs
      1 ted
      1 teddy
      1 bear
      1 bea
      1 dave
      5 sysadmin
      2 vnc
      6 db2inst1
      6 db2fenc1
      6 dasusr1
      5 ims_omu
      3 BMU_HSS
      3 HSS_OFFLINE
      3 oms_ftp
      5 chenjie
      1 jinhan
      1 jaime
      1 kiyoko
      2 lcadmin
      1 aj
      1 finance
      1 malisa
      1 jacky
      1 aircop
      1 jang
      1 iring
      1 supermbox
      1 netinfo
      1 investor
      1 epaper
      1 chkengine
      1 hostmaster
      1 aj
      1 torrent
      1 adminmak
      1 link
      1 jankm
      1 thostr
      1 asbjorno
      1 pra1
      1 pra
      1 bestcoach3
      1 fair
      1 fairplay
      1 steam
      1 desktop
      1 andy
      1 cruise
      1 cruise2
      1 sun1
      1 sun
      1 free1
      1 free
      1 florida1
      2 group1
      2 group
      2 group1
      3 group
      1 mima
      1 underglam
      1 sendys
      1 yeti
      1 tactika
      1 balfego
      1 fosk2
      1 rafelc43
      1 pratsub
      1 membres
      1 estudi3
      1 cubic
      1 cmt
      1 rafelcodina
      1 martori
      1 novartis
      1 clients
      1 lacer
      1 bayvit
      1 explore
      1 mqeurope
      1 albacete
      1 jep
      1 clientes
      1 cronovideo
      1 espeleoleg
      1 miquel
      1 mnm
      1 ere-aec
      1 ftpadmin
      1 admin
      1 psaftp
      1 drweb
      5 tomcat
      2 tomcat1
      2 tomcat2
      2 tomcat3
      2 tomcat4
      2 tomcat5
      2 tomcat6
      2 test1
      2 test2
      2 test3
      2 test4
      2 test5
      2 test6
      2 test7
      3 db2
      3 db
      1 db2
      1 db
      5 gopher
      5 dovecot
      1 alfredo
      1 raul
      1 fujita
      1 miura
      3 ito
      1 teamspeak
      1 ms
      1 test
      2 cooper
      1 perforce
      2 ts2
      1 andres
      1 paco
      1 hlds
      1 service
      1 testuser
      4 joseph
      5 www-data
      4 cacti
      4 kate
      1 tim
      3 george
      1 rebecca
      1 daniel
      1 mai
      1 iam
      1 lee
      1 ftpsecure
      1 black
      1 sftp
      1 pds
      3 lee
      3 lu
      1 lee
      2 lu
      1 anne
      1 pvx
      1 account10
      1 smart
      1 winnie
      1 testmail
      2 gold
      2 mp3
      1 macro2
      1 macro
      1 data1
      1 ryan
      1 edisey
      1 infoani
      1 erivera
      5 mako
      1 xsf
      1 sawmill
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
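
An added example, not part of the original post: a shell sketch that pulls the `Invalid user NAME from ADDR` lines out of an sshd log and summarises them. `uniq -c` only merges adjacent duplicates, which is why names such as `tomcat` and `ginger` appear on several lines in the list above; sorting first gives true totals. The sample log lines are constructed (addresses from the RFC 5737 documentation ranges), and the function names `sample_log`, `invalid_users`, `user_counts` and `guessing_sources` are chosen here.

```shell
#!/bin/sh
# Constructed sample in the syslog format shown in the post; none of these
# lines or addresses come from the original log.
sample_log() {
cat <<'EOF'
Aug 13 14:43:14 host sshd[4919]: Did not receive identification string from 203.0.113.7
Aug 13 14:53:47 host sshd[5252]: Invalid user roto from 203.0.113.7
Aug 13 14:53:50 host sshd[5254]: Invalid user tomcat from 203.0.113.7
Aug 13 14:53:53 host sshd[5256]: Invalid user test from 203.0.113.7
Aug 13 14:53:56 host sshd[5258]: Invalid user tomcat from 203.0.113.7
Aug 13 15:10:02 host sshd[5301]: Invalid user guest from 198.51.100.9
Aug 13 15:10:05 host sshd[5303]: Accepted publickey for jim from 192.0.2.10 port 50514 ssh2
EOF
}

# Read a log on stdin, print "ADDR NAME" per failed attempt. The syslog prefix
# is anchored so text inside a username cannot pose as a new log line; the
# greedy (.*) keeps names containing spaces or " from " intact, and the
# optional " port N" suffix covers newer OpenSSH output.
invalid_users() {
    sed -n -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ sshd\[[0-9]+\]: Invalid user (.*) from ([^ ]+)( port [0-9]+)?$/\2 \1/p'
}

# True per-username totals: sort first so uniq -c sees duplicates together,
# then order by count (highest first) and name.
user_counts() {
    invalid_users | cut -d' ' -f2- | sort | uniq -c | sort -k1,1nr -k2,2
}

# Print "ADDR ATTEMPTS DISTINCT_NAMES" for each source that tried at least
# $1 different usernames (default 3), the signature of list-driven guessing.
guessing_sources() {
    min=${1:-3}
    invalid_users | awk -v min="$min" '
        { src = $1; tries[src]++; if (!seen[$0]++) names[src]++ }
        END { for (s in tries) if (names[s] >= min) print s, tries[s], names[s] }
    ' | sort
}

sample_log | guessing_sources 3
```

Run against a real log with, for example, `guessing_sources 10 < /var/log/auth.log`; the log path varies by distribution.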