[nsp-sec] SSH brute-force from ccert.edu.cn, AS4538?
Borja Marcos
borjamar at sarenet.es
Wed Aug 26 06:24:20 EDT 2009
Hi,
Just saw this on Monday
Aug 24 10:58:53 earendil2 sshd[40909]: Invalid user red from 202.112.50.28
Aug 24 10:58:57 earendil2 sshd[40915]: Invalid user pink from 202.112.50.28
Aug 24 10:59:02 earendil2 sshd[40921]: Invalid user blue from 202.112.50.28
Aug 24 10:59:10 earendil2 sshd[40931]: Invalid user postgres from 202.112.50.28
Aug 24 10:59:15 earendil2 sshd[40937]: Invalid user accept from 202.112.50.28
Aug 24 10:59:19 earendil2 sshd[40943]: Invalid user leo from 202.112.50.28
Aug 24 10:59:23 earendil2 sshd[40949]: Invalid user zeppelin from 202.112.50.28
Aug 24 10:59:28 earendil2 sshd[40955]: Invalid user hacker from 202.112.50.28
Aug 24 10:59:32 earendil2 sshd[40960]: Invalid user olga from 202.112.50.28
Aug 24 10:59:36 earendil2 sshd[40965]: Invalid user boris from 202.112.50.28
Aug 24 10:59:41 earendil2 sshd[40971]: Invalid user mathew from 202.112.50.28
Aug 24 10:59:45 earendil2 sshd[40977]: Invalid user testing from 202.112.50.28
etc, etc (against 194.30.110.21, AS3262)
the surprising thing is,
arendil2# host 202.112.50.28
28.50.112.202.in-addr.arpa domain name pointer mala.ccert.edu.cn.
;; ANSWER SECTION:
mala.ccert.edu.cn. 6965 IN A 202.112.50.28
AS   | IP            | AS Name
4538 | 202.112.50.28 | ERX-CERNET-BKB China Education and Research Network Center
Is mine a case of coffee deprivation, or have these attempts really
come from where they seem to come from?
Borja.
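The log excerpt above is the kind of input a small detector should handle: sshd writes "Invalid user X from IP" only after the SSH transport handshake has completed, so the address in that line is the real TCP peer and is a sound key to aggregate on. The following is an added example (editor's code, not part of the original post or any nsp-sec tooling) that parses syslog-style sshd lines, groups invalid-user attempts per source, and flags a source that makes at least `threshold` attempts inside a sliding time window. The sample log embeds the lines quoted in the post plus two constructed lines from documentation addresses (192.0.2.7 and 192.0.2.9) to show a source that stays below the threshold and a line that is ignored; the year 2009 is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the syslog format sshd uses. The 202.112.50.28
# lines are the ones quoted in the post above; the two 192.0.2.x lines are
# invented (RFC 5737 documentation addresses) to exercise the negative cases.
SAMPLE_LOG = """\
Aug 24 10:58:53 earendil2 sshd[40909]: Invalid user red from 202.112.50.28
Aug 24 10:58:57 earendil2 sshd[40915]: Invalid user pink from 202.112.50.28
Aug 24 10:59:02 earendil2 sshd[40921]: Invalid user blue from 202.112.50.28
Aug 24 10:59:10 earendil2 sshd[40931]: Invalid user postgres from 202.112.50.28
Aug 24 10:59:15 earendil2 sshd[40937]: Invalid user accept from 202.112.50.28
Aug 24 10:59:19 earendil2 sshd[40943]: Invalid user leo from 202.112.50.28
Aug 24 10:59:23 earendil2 sshd[40949]: Invalid user zeppelin from 202.112.50.28
Aug 24 10:59:28 earendil2 sshd[40955]: Invalid user hacker from 202.112.50.28
Aug 24 10:59:32 earendil2 sshd[40960]: Invalid user olga from 202.112.50.28
Aug 24 10:59:36 earendil2 sshd[40965]: Invalid user boris from 202.112.50.28
Aug 24 10:59:41 earendil2 sshd[40971]: Invalid user mathew from 202.112.50.28
Aug 24 10:59:45 earendil2 sshd[40977]: Invalid user testing from 202.112.50.28
Aug 24 11:02:10 earendil2 sshd[41002]: Invalid user guest from 192.0.2.7
Aug 24 11:30:00 earendil2 sshd[41050]: Accepted publickey for borja from 192.0.2.9 port 50122 ssh2
"""

# Matches only the "Invalid user" message; other sshd lines are skipped.
INVALID_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: Invalid user (?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_invalid_user_events(log_text, year=2009):
    """Return a list of (timestamp, source_ip, username) for each
    'Invalid user' line. syslog timestamps carry no year, so the caller
    supplies one (2009 is assumed here to match the post's date)."""
    events = []
    for line in log_text.splitlines():
        m = INVALID_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforcers(events, threshold=6, window_seconds=60):
    """Return {source_ip: (total_attempts, sorted unique usernames)} for
    every source that made at least `threshold` invalid-user attempts
    within some span of `window_seconds`. A sliding window over the
    sorted timestamps keeps this linear in the number of attempts."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it fits inside window_seconds.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(attempts), sorted({u for _, u in attempts}))
                break
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforcers(parse_invalid_user_events(SAMPLE_LOG)).items():
        print(f"{ip}: {count} invalid-user attempts, usernames tried: {', '.join(users)}")
```

With the defaults, the twelve attempts from 202.112.50.28 fall inside a 52-second span and are flagged, while the single attempt from 192.0.2.7 is not. Feed `parse_invalid_user_events` a real `/var/log/auth.log` (or `journalctl -u ssh -o short`) to use it on live data; the reverse DNS and AS lookups shown in the post are deliberately left out so the script runs offline and so that a reverse name, which the address owner controls, never influences the decision.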