[nsp-sec] ACK Re: coordinated slow ssh crack attempts
John Lyons
john.lyons at thus.net
Thu Sep 11 04:17:31 EDT 2008
ACK for 2529.
John
On 10/09/2008 15:27, "Mike Tancsa" <mike at sentex.net> wrote:
> ----------- nsp-security Confidential --------
>
> It seems the IP addresses below are part of some
> coordinated bruteforce ssh attack. The IPs below
> each try a user once or twice (example below IP
> list). It started at 0400 GMT today and is still continuing now.
>
>
> # grep Invalid /var/log/auth.log | grep from |
> awk '{print $10}' | sort | uniq | awk '{print
> "whois -h whois.cymru.com "$1}' | sh | grep -v ^AS | sort -n
> AS | IP | AS Name
> 1221 | 121.223.232.208 | ASN-TELSTRA Telstra Pty Ltd
> 1221 | 165.228.181.30 | ASN-TELSTRA Telstra Pty Ltd
> 1221 | 165.228.206.192 | ASN-TELSTRA Telstra Pty Ltd
> 2529 | 80.177.241.2 | DEMON-INTERNET Demon Internet
More information about the nsp-security
mailing list